CyberPolice

An epic windows securing and hardening script

SaveEventLogs.ps1 (2672B)


      1 Write-Host "CYBER POLICE [Covert Ops] are now going to attempt to backup event logs (last 7 days)..." -ForegroundColor Magenta
      2 $thispath = Split-Path -parent $MyInvocation.MyCommand.Definition
      3 $path = Split-Path -parent $thispath
      4 $output = Get-content $path/CyberPoliceOutput/path.txt
      5 New-Item -ItemType Directory -Force -Path $output/logs/eventLogsBackup | Out-Null
      6 
      7 Set-Variable -Name EventAgeDays -Value 7
      8 Set-Variable -Name LogNames -Value @("Application", "System", "Security")
      9 Set-Variable -Name ExportFolder -Value $output\logs\eventLogsBackup\
     10 
     11 Set-Variable -Name ServerNames -Value $env:computername
     12  
     13 $now=get-date
     14 $startdate=$now.adddays(-$EventAgeDays)
     15 
     16 $quick=0
     17 
     18 Write-host "Are you on an AD (Default is No)" -ForegroundColor Yellow
     19 $Readhost = Read-Host "[Y/N]" 
     20 Switch ($ReadHost) { 
     21   Y {
     22     $ServerNames = Get-ADComputer -Filter * | Format-List name | Out-String
     23     $ServerNames = $ServerNames.split(':')[1] 
     24     $ServerNames = $ServerNames -replace '\s',''
     25     $LogNames += "DNS Server"
     26     $LogNames += "Directory Service"
     27     Write-Host "Ok." -ForegroundColor Green
     28   } 
     29   N { Write-Host "Ok." -ForegroundColor Gray } 
     30   Default { Write-Host "Ok." -ForegroundColor Gray } 
     31 } 
     32 Write-host "Do you want to save message information... its slower (Default is No)" -ForegroundColor Yellow
     33 $doQuick = Read-Host "[Y/N]" 
     34 Switch ($doQuick) { 
     35   Y {
     36    $quick=1
     37    Write-Host "Ok." -ForegroundColor Green
     38   } 
     39   N { 
     40     $quick=0
     41     Write-Host "Ok." -ForegroundColor Gray } 
     42   Default { 
     43     $quick=0
     44     Write-Host "Ok." -ForegroundColor Gray } 
     45 } 
     46 Write-host "Found computers:" -ForegroundColor Yellow
     47 Write-Host $ServerNames -ForegroundColor Cyan
     48 
     49 Write-host "Please enter the name of the computer you want to back up the logs of (Case sensitive)" -ForegroundColor Yellow
     50 $comp = Read-Host "Server Name" 
     51 
     52 foreach($log in $LogNames)
     53 {
     54     Write-Host Processing $comp\$log -ForegroundColor Yellow
     55     $el = get-eventlog -ComputerName $comp -log $log -After $startdate
     56     $el_c = $el | Sort-Object TimeGenerated 
     57     $ExportFile=$ExportFolder + $comp + "-" + $log + "-Log-" + $now.ToString("yyyy-MM-dd---hh-mm-ss") + ".csv"
     58     Write-Host Exporting $log Log to $ExportFile
     59     if ($quick -eq 1) {
     60       $el_c | Select EntryType, TimeGenerated, Source, EventID, MachineName, Message | Export-CSV $ExportFile -NoTypeInfo
     61     }
     62     else {
     63       $el_c | Select EntryType, TimeGenerated, Source, EventID, MachineName | Export-CSV $ExportFile -NoTypeInfo
     64     }
     65     Write-Host Complete!
     66     Write-Host Done exporting $log on $comp! -ForegroundColor Green
     67 }
     68 Write-Host "The CYBER POLICE [Covert Ops]: done backing up event logs for" + $comp -ForegroundColor Magenta