Merge pull request #3 from russelltomkins/Development

Updates for 1.2

Create-CustomViews.ps1

@@ -281,12 +281,12 @@ Write-Host "`nLaunch Event Viwer (eventvwr.exe) and expand Custom Views to use t
 # AgEBMHYwYjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcG
 # A1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEhMB8GA1UEAxMYRGlnaUNlcnQgQXNzdXJl
 # ZCBJRCBDQS0xAhADAZoCOv9YsWvW1ermF/BmMAkGBSsOAwIaBQCgXTAYBgkqhkiG
-# 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNzA0MDYxMjAwNTBa
+# 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNzA0MjcxMzI2NTJa
 # MCMGCSqGSIb3DQEJBDEWBBQjjsKnRRahp8E/oxtMOCizmT6raDANBgkqhkiG9w0B
-# AQEFAASCAQAevhz5h1IaLpwLxoy4lKJ9KbOCHYS5afAlHms7cOSyTBF6wPtErp1+
-# dlKQePXSPQjEnVuunbACbjZ1M1sCRdECPXTxZJN/c6OVE6PzgMLqXukzttdAeF0I
-# JMAv5LTt9mPBb0/Ix4t4YxpZahuIXAj1fp7Kbv+v6//+NidRNs0VPbhgIuBv9CVB
-# 94ugKQWHu3fVPmRMTY7k5Grx/XsXBjQxQbVD7tAAizOAaCFioavYMfR9EsDu+lWA
-# NbBe7BwayCqvyM/TMlKtvh+DIhDortznbJiUT04FKcWSDhn22xUflmt0UTvm5Z0b
-# zStCeO2xNPsL24raX38FXEAanBBlVkx0
+# AQEFAASCAQCclzjqREwCjRhgLSXNCnTn3ginsyBRX5199V5lTHM1km5/G7NCSMeK
+# TEgc0r+1leh1IRJ1N4XDSQRDK3uustzVzetZk49z2iDDNnA3D2l5wwIowEnTzEmi
+# LO4YtQ0WtHNF7WLx73isutQyf2Id7bUy41pKmgWMnnUF11sf64BG6ZGsKIv2kYXE
+# D24Pf8EbVL9prmBRPrSWILRtA8xXoyFtlFPH4zweglJPQ6m5uouXRHTgvnr6d5UY
+# mC9USr4L1p+PZEk6S5RAy0QoPctT2KjvZzq3emIsvpY/qJZrT0wkBHJVpijR7Gpn
+# aHqUWhSNU2a8MuoKR7ajwlCh8fVfv40c
 # SIG # End signature block

Create-Manifest.ps1

@@ -1,4 +1,4 @@
-<#
+<#
   .SYNOPSIS
   Name: Create-Manifest.ps1
   Version: 1.1
@@ -119,10 +119,10 @@ $xmlWriter.WriteStartElement("instrumentation")
 	$xmlWriter.WriteEndElement() # Closing events
 $xmlWriter.WriteEndElement() # Closing Instrumentation
 $xmlWriter.WriteEndElement()   # Closing instrumentationManifest
- 
+
 # End the XML Document
 $xmlWriter.WriteEndDocument()
- 
+
 # Finish The Document
 $xmlWriter.Finalize
 $xmlWriter.Flush()
@@ -147,8 +147,8 @@ Write-Host "`t `"c:\windows\system32\wevtutil.exe`" im `"$DLLPath\$BaseName.man`
 # SIG # Begin signature block
 # MIIgVAYJKoZIhvcNAQcCoIIgRTCCIEECAQExDzANBglghkgBZQMEAgEFADB5Bgor
 # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
-# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCClCmr0opDAE+lP
-# 3KmO1Yo/zh3Uyu3u6vT24xFcxuNZ9aCCG14wggO3MIICn6ADAgECAhAM5+DlF9hG
+# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCAz875ReOXG/tv
+# zTHsBCsL3pUtOzV1o4CS9g/FpRzpnaCCG14wggO3MIICn6ADAgECAhAM5+DlF9hG
 # /o/lYPwb8DA5MA0GCSqGSIb3DQEBBQUAMGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQK
 # EwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xJDAiBgNV
 # BAMTG0RpZ2lDZXJ0IEFzc3VyZWQgSUQgUm9vdCBDQTAeFw0wNjExMTAwMDAwMDBa
@@ -300,22 +300,22 @@ Write-Host "`t `"c:\windows\system32\wevtutil.exe`" im `"$DLLPath\$BaseName.man`
 # U2lnbmluZyBDQQIQDhlON30mOhkOirPIWrUoYzANBglghkgBZQMEAgEFAKCBhDAY
 # BgorBgEEAYI3AgEMMQowCKACgAChAoAAMBkGCSqGSIb3DQEJAzEMBgorBgEEAYI3
 # AgEEMBwGCisGAQQBgjcCAQsxDjAMBgorBgEEAYI3AgEVMC8GCSqGSIb3DQEJBDEi
-# BCAgSxj3/sCjD2c91lGljGzSQSzSR6JpgbNciSzyWDcFwjANBgkqhkiG9w0BAQEF
-# AASCAQBOZx7FjhF/9BDJADEUgdaXB3tRpnCT9wLLby/LsBNI3Zcq2//ujc4ltmbt
-# i1+fg2IT7nt/IWYS0s/XSMi4DQ0rdT3a/WeMIaQBa7zxytlqUFOmBdMoDc3AB/Nh
-# l4sYYFwSHwWRDhNeNXZ+cb5+GjSBPn9Yy1sRxgC/Uap0VW9e1zRWDJtxpxG9ppWN
-# pEZa8EMdS5s0TNV8bOI3XGu4uUnX5gUSyia1ISc9vls8Lb0wZFqk2wUz1sU2mTep
-# 9n01bXJa0w+N2hunlVWXQUVLWwdU+9BkbS9gprUV4/5zZwqdgzT7aSonEn9U3HDw
-# lM5ZkozbE15nP+qTDQ1wTzUvHELvoYICDzCCAgsGCSqGSIb3DQEJBjGCAfwwggH4
+# BCCBZH5LnhW1onlsB9QZnEUfx9z3/zhBvlSwPjQtkT5OeDANBgkqhkiG9w0BAQEF
+# AASCAQAbStzdKqUtm/4bowcmeKfHPkBjBs/Hv0iT+ah9xnK9jgSfG6gs3sHYY0ec
+# 2dAmYXfKHcbwtrmuIL3Chyzzo9kyBuKzsslSbjMFU87icX4t04IbORIsv7EH4mml
+# KX6pPMSfz2S5VHf1YoIBH7UXsH3lb1WMA/rqJ8yrcZKg1WST9LYUqv4fsH7BHBYE
+# LJcqbbVds0I9OsMSDy7UGXVM/Jzw5rH/1O0x/H3NLbPkBSZZ6f5jsJaeaOTS5M5f
+# zQDGKb+zjyNMFYQHaWxuAky1kzqRuWlYe1csKoXbBvxfeXP68DxnoeGnsbJ9epyC
+# hyBjzo99p8mXQAUJ2z9venmvHqV7oYICDzCCAgsGCSqGSIb3DQEJBjGCAfwwggH4
 # AgEBMHYwYjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcG
 # A1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEhMB8GA1UEAxMYRGlnaUNlcnQgQXNzdXJl
 # ZCBJRCBDQS0xAhADAZoCOv9YsWvW1ermF/BmMAkGBSsOAwIaBQCgXTAYBgkqhkiG
-# 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNzA0MDYxMjAwNTFa
-# MCMGCSqGSIb3DQEJBDEWBBQFcCtVgUTgayMN3C3fDrfJxF1SLDANBgkqhkiG9w0B
-# AQEFAASCAQChXxUj0qqDiQZlu0wRdPa/3YLpxT5gORcPNBKkUt7oUTIOzZGytfxN
-# RJFjm40NAPqgEGcdEkDH6WMzZ7eEpE2T96l9d8d5nn3hbyr+OfWGvSJ81WRQ6P0W
-# Gzx9448EEkWa7vTHXSCwVcLFWtYIXGP1o/Ijo94tplLrAR4tYWIrql+ECuy0AEVZ
-# uAfZWdKsZTO43yzAvj/7sODAp2ZrTSnuL7tcGZW9i+7vGuAKOVNPQx6kUd+DsI7+
-# Kz7rchZdZjmcgfmhWnH3RMDxTxTDC8E8waHELEfmpJCEEMhcmE5EiJhUaVcnfQj6
-# Lxy7VK+G+/tXwAaOXcWA2YaQ21HShPW8
+# 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNzA0MjcxMzI4NTZa
+# MCMGCSqGSIb3DQEJBDEWBBQYe1EBmfCyrVtJc5bOQ7EEe1tR+zANBgkqhkiG9w0B
+# AQEFAASCAQA1O0ow+OyJeUFbdHvCQRJ5jKrxYWmglJvKZN2SSa/DHvvcffnmqRO/
+# b7CjwJrZKULDf7r+QTmba2QeRff0VdybnFIZqv+0vUR7TEKhiU1Db7Ekjhwh/mIP
+# G00wgFyfr+aim8oSrWVIoQ3j2YQketG/GfF+r7zYL2TN9q81z9Sk3cCeVm+e5iS9
+# FqtirVu2yNK85F/4gCTfbHi1bz7dVrSwoXfiZZ/gTKPajA6biQQXOZGV684YwqiD
+# Cz8re1vhtD5dOB4QJsgbnx95iioVbkDn7Yfe80IWghECA487xAtnlVb8RN+uC9m0
+# qessUvZkWtTKQUz1xmX6HP/DfNfWPmvG
 # SIG # End signature block

Create-Subscriptions.ps1

@@ -1,7 +1,7 @@
 <#
   .SYNOPSIS
   Name: Create-Subscriptions.ps1
-  Version: 1.1
+  Version: 1.2
   Author: Russell Tomkins - Microsoft Premier Field Engineer
   Blog: https://aka.ms/russellt
 
@@ -19,11 +19,16 @@
   .EXAMPLE
   Create and Import the WEC subscriptions (disabled by default)
   Create-Subscriptions.ps1 -InputFile DCEvents.csv 
-  
+
   .EXAMPLE
   Create, Import and force enable the WEC subscriptions
   Create-Subscriptions.ps1 -InputFile <inputfile.csv> -CreateEnabled
 
+   .EXAMPLE
+  Create and Import the WEC subscriptions (disabled by default). Tell the server to
+  send existing and new events that that match the subscription
+  Create-Subscriptions.ps1 -InputFile DCEvents.csv -ReadExistingEvents
+  
   .EXAMPLE
   Only create the WEC subscription files, do not import them.
   Create-Subscriptions.ps1 -InputFile <inputfile.csv> -NoImport
@@ -40,6 +45,10 @@
   .PARAMETER NoImport
   Creates the subscriptions files, but does not import them
 
+  .PARAMETER ReadExistingEvents
+  Creates the subscriptions files and instructs the servers to send existing events that match the criteria
+  through to the collector.
+
   LEGAL DISCLAIMER
   This Sample Code is provided for the purpose of illustration only and is not
   intended to be used in a production environment.  THIS SAMPLE CODE AND ANY
@@ -69,7 +78,8 @@
     [Parameter(Mandatory=$true)][ValidateNotNullOrEmpty()][String]$InputFile,
     [Parameter(Mandatory=$false)][string]$OutputFolder=$PWD,
     [Parameter(Mandatory=$false)][Switch]$CreateEnabled,
-    [Parameter(Mandatory=$false)][Switch]$NoImport)
+    [Parameter(Mandatory=$false)][Switch]$NoImport,
+    [Parameter(Mandatory=$false)][Switch]$ReadExistingEvents)
 
 # Configure and Start the Windows Event Collector Services except if we are not importing.
 If (!($NoImport)){
@@ -145,7 +155,10 @@ ForEach($Channel in $CustomChannels){
 	        	$xmlWriter.WriteCData('<QueryList><Query Id="0" Path="' + $Channel.QueryPath + '">' + $Channel.Query + '</Query></QueryList>')
 		$xmlWriter.WriteEndElement() # Closing Query
 
-		$xmlWriter.WriteElementString("ReadExistingEvents","True")
+		If (ReadExistingEvents){
+			$xmlWriter.WriteElementString("ReadExistingEvents","True")}
+		Else{
+			$xmlWriter.WriteElementString("ReadExistingEvents","False")}
 		$xmlWriter.WriteElementString("TransportName","HTTP")
 		$xmlWriter.WriteElementString("ContentFormat","events")
 		$xmlWriter.WriteStartElement("locale")	
@@ -194,8 +207,8 @@ Else{
 # SIG # Begin signature block
 # MIIgVAYJKoZIhvcNAQcCoIIgRTCCIEECAQExDzANBglghkgBZQMEAgEFADB5Bgor
 # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
-# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDmRTCSV+qfcL+6
-# pOqLspQirwP7zaAf9qnDaQCuzmm48qCCG14wggO3MIICn6ADAgECAhAM5+DlF9hG
+# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDtJ3gGV/S5Sv6I
+# 35iCLqR59MWvViYEW9NIcfmEPSC/L6CCG14wggO3MIICn6ADAgECAhAM5+DlF9hG
 # /o/lYPwb8DA5MA0GCSqGSIb3DQEBBQUAMGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQK
 # EwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xJDAiBgNV
 # BAMTG0RpZ2lDZXJ0IEFzc3VyZWQgSUQgUm9vdCBDQTAeFw0wNjExMTAwMDAwMDBa
@@ -347,22 +360,22 @@ Else{
 # U2lnbmluZyBDQQIQDhlON30mOhkOirPIWrUoYzANBglghkgBZQMEAgEFAKCBhDAY
 # BgorBgEEAYI3AgEMMQowCKACgAChAoAAMBkGCSqGSIb3DQEJAzEMBgorBgEEAYI3
 # AgEEMBwGCisGAQQBgjcCAQsxDjAMBgorBgEEAYI3AgEVMC8GCSqGSIb3DQEJBDEi
-# BCBdRdQcl3uoARDQBCqg/cwdZleMA9onGTt8ho1IDiiCqDANBgkqhkiG9w0BAQEF
-# AASCAQB82JthTsuUn9nAfJm4u94njOdCcya64ThMcwTw6gjtOMmW8lys7gnoxCvB
-# hOBF+DVlOcBp0LUMN4yYZM8M9HxSjZTdQ0efzcEQZRfnhF5MvRyWSwnfG+dhaC2U
-# 26WTx3F9CPiJhZlbbC13jcZmlkGmP+5tY7kXnn+QTIqO9KO4Se9BYkRR8u4lH5JS
-# 3NwEzvyWauHblG5jpAY6gGGb63xl/bC1lc2NEkcRwE+bkPjPyp8k4P4CjGsseouJ
-# VuLqLv8PP2nk1SAoYzTPj3qPLPhi9UuLV9rk4AWTLPbro1qbrGim0LAS9ccKknBG
-# 9NCZa6tmIVjcW5Lql7UKsjmn6wlnoYICDzCCAgsGCSqGSIb3DQEJBjGCAfwwggH4
+# BCBLWOBo2UAxFjk14XSFqoGTOrn/xQNGTzWSap7ffGIgNTANBgkqhkiG9w0BAQEF
+# AASCAQCprQAn7ja7gwPPepxbzj2x91vB6E8qWAiJPd/FoCUbLgW3fPBd/YVcPVR+
+# ZFXwrepAa47oy7ClBq4ZT4ZZqZ1SxkZtyECsrsVSJNLgPkxp5Sfb2p/M7bLyp9Hf
+# cwH2L80JYg/v6u1YgqEWjRluwB9KGl2IYD40krgPcc7vg/lKvB4pSfr4ny62kTnY
+# OwnHCWTIm0B8m04TYF7/Pr0FkU2TO1hZJjIJiSi3ttDK/zO3L2VszDw5y6V4WUi9
+# T2F7+BGZn6Yq4rn7E7gXMg5XOZbIXRIvtZxigQRC/BqPca2RCc/2EHc3R9l8sKHN
+# O7oYSrvYwo48fHkkukthOXVnweVpoYICDzCCAgsGCSqGSIb3DQEJBjGCAfwwggH4
 # AgEBMHYwYjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcG
 # A1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEhMB8GA1UEAxMYRGlnaUNlcnQgQXNzdXJl
 # ZCBJRCBDQS0xAhADAZoCOv9YsWvW1ermF/BmMAkGBSsOAwIaBQCgXTAYBgkqhkiG
-# 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNzA0MDYxMjAwNTNa
-# MCMGCSqGSIb3DQEJBDEWBBQUSafeu49EHQNcvAKNKKEXcURbrjANBgkqhkiG9w0B
-# AQEFAASCAQBt8bsMZ+lx7gSEFFX1I3cRmEsv7JmDxsE8z/SJDd/l9Ua2Tf6hnTnl
-# U6hhIV7VQAEDLq9CaATkug3QjykqDYRWOWHAKZz3ngSulxfN/AQLrZP1tLByxfxW
-# 8pCinR0sIO+jggioo1EcMJeajEEtUrWJU/280MWcEgs8ghlQedfoDPMxxoWwBZv9
-# 2ovdiXp4qTkvq0bMEt/p19doeYeQJC68cFUob2l3MN4bvkFW1AmrmhuRvr3VckY+
-# GglJxeANfnFKHHwjsi6WEWzNY2m7SJUwuaF7PrcAi2eNq9t2rMUpQrBts6xlfrbw
-# 9lOStks/uV58iNSRQfFxEqX1lSHbkO5O
+# 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNzA0MjcxMzIyNTJa
+# MCMGCSqGSIb3DQEJBDEWBBQRkXykh7mEdzFeGqVMG4nSp7CClzANBgkqhkiG9w0B
+# AQEFAASCAQBu6NzSTk5g3J60pRhjstfyvGYMNr9Hm19H2DsrWJr6o+5TZbIvZAGD
+# IemInFkHdjVEbx08zMGr7TfpydlZ0hIrRQ4xb2DR6Xfo/krdEmXtySh4M3cviyKE
+# NFGrxiPdms3nV7jp9hV3S5CN85hiIPqNJjjIiBudG7bj+5QZXeaUnoJSjLxdvHAw
+# LTthTS006wAuq1Bu+7CMTt/eAfGNouL77c7yFTdaP2BELssFzPgo4M4n9wZJvsYT
+# Wgvw+ucWWwe70y2bg0TBgPUf+2oCvfFoa0qEwo1Df9EbLDsZP2AWGlBsxY27ECS3
+# jpOOPycPph0sudEF6unyrHsLX7uGP6Eh
 # SIG # End signature block