This repository has been archived by the owner on Jan 29, 2021. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 12
/
infra-windows-logs.ps1
110 lines (89 loc) · 3.08 KB
/
infra-windows-logs.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
###
# The following command is required for testing:
#
# [System.Diagnostics.EventLog]::CreateEventSource("New Relic","Application")
###
###
# Parameters (a.k.a. Command Line Arguments)
# Usage: -LogName "LogName" -EventIds 4608:4609:4946
# -LogName The name of the event log to gather events from. Ex: System, Appication, etc. (Required)
# -EventIds An optional, colon delimited, list of event ids to gather.
###
param (
[string]$LogName=$(throw "-LogName is mandatory"),
[string]$EventIds
)
###
# Logic to handle getting new log entries by saving current date to file
# to use as -After argument of Get-Date in next pull. On first run we use current date.
# On subsequent runs it will use last date written to file.
#
# Uses LogName param to create timestamp for each LogName
###
$LAST_PULL_TIMESTAMP_FILE = "./last-pull-timestamp-$LogName.txt"
###
# If timestamp file exists, use it; otherwise,
# set timestamp to 15 minutes ago to pull some data on
# first run.
###
if (Test-Path $LAST_PULL_TIMESTAMP_FILE -PathType Leaf) {
$timestamp = Get-Content -Path $LAST_PULL_TIMESTAMP_FILE -Encoding String | Out-String
$timestamp = [DateTime] $timestamp.ToString()
} else{
$timestamp = (Get-Date).AddMinutes(-240)
}
###
# Write timestamp to file to pull on next run.
###
Set-Content -Path $LAST_PULL_TIMESTAMP_FILE -Value (Get-Date -Format o)
###
# Pull events using -After param with timestamp
###
$events = Get-EventLog -LogName $LogName -After $timestamp
###
# If event ids were given, filter to keep only the events having an id in our event id list.
###
if ($EventIds) {
$eventIdStrings = $EventIds.Split(":")
$eventIdNums = @()
foreach ($eventId in $eventIdStrings) {
$eventIdNums += [convert]::ToInt32($eventId)
}
# Iterate over the events and copy only those we want to keep into the filteredEvents.
$filteredEvents = @()
foreach ($event in $events) {
if (-Not ($eventIdNums -Contains $event.EventID)) {
continue
}
$filteredEvents += $event
}
$events = $filteredEvents
}
###
# Add required 'event_type' to objects from Get-EventLog.
# Add optional 'log_name' value to object.
###
$events.ForEach({
Add-Member -NotePropertyName 'event_type' -NotePropertyValue 'Windows Event Logs' -InputObject $_
Add-Member -NotePropertyName 'log_name' -NotePropertyValue $LogName -InputObject $_
});
###
# Create hash table in required format for Infrastructure, populated
# with event object log data and pipe to ConvertTo-Json with
# -Compress argument required in order for Infrastructure to consume.
###
$payload = @{
name = "com.newrelic.windows.eventlog"
integration_version = "0.1.0"
protocol_version = 1
metrics = @($events)
inventory = @{}
events = @()
} | ConvertTo-Json -Compress
###
# Output json string created above with regex to normalize date strings
# post json string conversion. Alternatively, you could create a
# new -NotePropertyName with the proper date string and remove
# the original object property.
###
Write-Output ($payload -replace '"\\\/Date\((\d+)\)\\\/\"' ,'$1')