Skip to content

Instantly share code, notes, and snippets.

@secabstraction

secabstraction/StashableObjects.ps1

Created February 16, 2016 19:10
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save secabstraction/7560c5de18a743f2be36 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save secabstraction/7560c5de18a743f2be36 to your computer and use it in GitHub Desktop.
Download ZIP

Revisions

  1. secabstraction created this gist Feb 16, 2016.
    48 changes: 48 additions & 0 deletions StashableObjects.ps1
    View file
    Original file line number Diff line number Diff line change
    @@ -0,0 +1,48 @@
    $Parameters = @{
    CimSession = $CimSession
    ClassName = 'Win32_NTLogEvent'
    Filter = $Filter
    ErrorAction = 'Continue'
    ErrorVariable = 'Errors'
    }

    Get-CimInstance @Parameters | foreach {

    # Convert the TimeGenerated property to an elastic compatible format
    $TimeCreated = $_.TimeGenerated.ToString("yyyy-MM-ddTHH:mm:ss.fffffff00K")

    # DateCreated property used for elastic indexing
    $DateCreated = $_.TimeGenerated.ToString("yyyy-MM-dd")

    # Enumerate event type from value
    $EventType = switch ($_.EventType) {
    5 { 'FailureAudit' }
    4 { 'SuccessAudit' }
    3 { 'Information' }
    2 { 'Warning' }
    1 { 'Error' }
    default { 'None' }
    }

    # Create a custom object
    $EventLogEntry = [pscustomobject]@{
    Id = $_.ComputerName + '-' + $_.RecordNumber # or [Guid]::NewGuid().Guid
    TimeCreated = $TimeCreated
    DateCreated = $DateCreated
    EventId = $_.EventCode
    ComputerName = $_.ComputerName
    Level = $EventType
    Provider = $_.SourceName
    LogName = $_.LogFile
    Category = $_.CategoryString
    Type = $_.Type
    InsertionStrings = $_.InsertionStrings
    Message = $_.Message
    User = $_.User
    }

    # Give object a TypeName for indexing into elastic
    $EventLogEntry.PSObject.TypeNames.Insert(0, 'eventlogentry')

    Write-Output $EventLogEntry
    }