Fixed Get-LogWinEvent, updated README.MD #200
Conversation
| .EXAMPLE | ||
| Get-LogWinEvent.ps1 Security | ||
| Multiple logs, over the past 7 days, with specified Event IDs | ||
| Get-LogWinEvent.ps1 Security|System-7-4625|4634|4798|267|507 |
There was a problem hiding this comment.
Not trying to nitpick, but it looks like the event ids here are mostly from the security event log. I know they are just examples, but examples would be better if they were correct. If I'm wrong, my apologies.
I have not tested this syntax yet. Have you? How does the code determine that the pipe separated values are event logs v event ids?
There was a problem hiding this comment.
...it looks like the event ids here are mostly from the security event log...
No - you're correct. Those event IDs are mostly from the security log - I was pulling IDs from memory when writing the example, and those are just happen to be ones I query for the most.
I have not tested this syntax yet. Have you?
I have tested the syntax and it works as expected. I specify in the comments that the "params" parameter follows an exacting format: "The format for this parameter follows this syntax: log name(s) [separated by a pipe if you want to specify more than one]-days ago-event IDs [separated by a pipe if you want to specify more than one]."
How does the code determine that the pipe separated values are event logs v event ids?
There are no explicit checks to ensure proper ordering of data passed to the "params" parameter. Params is explicitly cast as a string in its declaration statement and then immediately split in the appropriately type cast variables. Beyond that, there is no checking that a given log name is valid (that, I think would be rather un do-able given the number of event log collections available), or that the data passed in is entered in the correct order.
There was a problem hiding this comment.
So if a user passes in multiple logs (e.g. Security, System, etc.) and a string of event IDs, does the code look in each log for all the given event IDs?
|
Functionally speaking, yes. There’s a check to see if the user specified any event IDs. If so, the function will iterate through each specified log for the requested IDs. If there’s no specified event IDs, the function will query each specified event log and return all log entries. |
Fixed issue with Get-LogWinEvent to deal with issue #199. Also updated README.MD to provide guidance on some of the newer features integrated in to Kansa.