SE Articles From the Field
Recently a customer asked if it was possible to gather event logs via a script on a regular basis. The customer already had the script and was using it with the User Defined Scripts module to capture at log off. Here is how to use Trigger Points to capture at an interval.
First, it must be said that if Stratusphere is deployed you can gather event logs within Stratusphere and target specific events. Event logs captured via Stratusphere are easily searchable. Now onto how to do it with Trigger Points.
Configuration Summary
It is highly suggested to do this with two configurations. The first configuration is the main configuration you already use, the second will be simply for the script. If you utilize the same configuration, then the User Defined Script portion will also be called, and I want to avoid that.
Script (Application Launcher) Configuration
Create a new configuration in your ProfileUnity Console, in this example, the configuration is called "SaveEventLogs". In the configuration, I have added a single entry into the Application Launcher module.
Filter: None
Description: Save Application Event Log
Filespec: C:\windows\system32\cmd.exe
Arguments: /c powershell.exe -executionpolicy bypass -windowstyle hidden -noninteractive -nologo -NoProfile "\\FQDN\netlogon\ProfileUnity\Scripts\SaveAppEventLog.ps1"
Note: Update the arguments to the path to your script file.
Save the configuration, and publish the configuration to a folder UNDER your current configuration location. This subfolder is important because ProfileUnity will run all configurations in a path, and I only want this one configuration to be run.
The publishing of this configuration can be forced to a subfolder by setting the Deployment Path Override in the Main module in the SaveEventLogs configuration. In this example, it is being deployed to the Trigger-EventLog folder under the User Prod folder structure.
Main Configuration
In the main configuration, let's add a Trigger Point to the configuration. The Trigger Point module is second to last and has an icon like the one above. Add a Trigger Point Rule. In this example, I've chosen to keep it simple and apply it to all, but you can apply it to filters as well.
Filter: None
Description: Save Application Event Log
Type: INTERVAL
Module: Application Launcher
Interval in Minutes: 60
INI Path: The path to your subfolder where the configuration above was saved. By adding a path here, it ensures that only one INI is executed.
Notes
This may not be the best way to collect the event logs. It can also be achieved at log off, grabbing all events for that session before a machine might get destroyed. As it is, the script does not clear the event log, so it collects lots of duplicate data. There is a cleanup operation in the script so that there is not a lot of old stale data on the network share. The script was created at a customer's request on how to run something at an interval, and the script is less important than the Trigger Point setup.
Script
This is the tested script. It simply copies the .evtx files from the Windows event log folder and renames them as they are copied off to the network share. The script grabs every log named in the $EventLogs array.
# Config
# Add the path to the network share (no trailing backslash; the script adds the separator itself)
$DestinationPath = "\\192.168.1.218\Everyone"
# Append the following text to each Event Log file name
$Append = "_" + $env:USERNAME + "_" + $env:COMPUTERNAME + "_" + (Get-Date -Format yyyyMMddHHmm) + ".evtx"
# Event Log Source
$SourcePath = "C:\Windows\System32\winevt\Logs"
# Event Logs to Capture
$EventLogs = @("Application","System","Security")
# do not edit
# Copy the Event Logs
ForEach ($EventLog in $EventLogs) {
    $Path = $SourcePath + "\$($EventLog).evtx"
    $Destination = $DestinationPath + "\" + $EventLog + $Append
    Copy-Item -Path $Path -Destination $Destination
}
# Deletes all .evtx logfiles in $DestinationPath that are older than $Daysback days
# Be careful, this removes all files with the extension .evtx on the share, not just the self-created logfiles
$Daysback = -7
$CurrentDate = Get-Date
$DatetoDelete = $CurrentDate.AddDays($Daysback)
Get-ChildItem $DestinationPath | Where-Object { ($_.LastWriteTime -lt $DatetoDelete) -and ($_.Extension -eq ".evtx") } | Remove-Item
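The Notes above flag two weaknesses of the copy approach: every interval re-collects the whole log, and the cleanup deletes any .evtx on the share. The following is an added example, not the article's script, of an interval-friendly variant that exports only events newer than the previous run with wevtutil and prunes only the files it created itself. The share path is a placeholder, the state file name and the 24-hour first-run window are assumptions, and the Security log is left out because exporting it needs elevation the user-context Application Launcher will not have.

```powershell
# Added example: incremental event log export for an interval Trigger Point.
# Assumptions: $DestinationPath is writable by the logged-on user; the
# per-user/per-computer state file is kept alongside the exports.
$DestinationPath = "\\FQDN\share\EventLogs"        # placeholder share path
$EventLogs       = @("Application", "System")      # Security needs elevation
$RetentionDays   = 7
$Tag             = "${env:USERNAME}_${env:COMPUTERNAME}"
$StateFile       = Join-Path $DestinationPath "$Tag.lastrun"

# Export only events newer than the last successful run (first run: 24 h back).
$Since = if (Test-Path $StateFile) { [datetime](Get-Content $StateFile) }
         else { (Get-Date).AddDays(-1) }
# XPath TimeCreated compares against an ISO 8601 UTC timestamp.
$SinceUtc = $Since.ToUniversalTime().ToString("o")
$Stamp    = Get-Date -Format yyyyMMddHHmm
$AllOk    = $true

foreach ($Log in $EventLogs) {
    $Out   = Join-Path $DestinationPath "${Log}_${Tag}_${Stamp}.evtx"
    $Query = "*[System[TimeCreated[@SystemTime>='$SinceUtc']]]"
    # wevtutil epl writes a consistent .evtx snapshot of the matching events
    # instead of copying the live file from winevt\Logs.
    & wevtutil.exe epl $Log $Out "/q:$Query"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Export of $Log failed with exit code $LASTEXITCODE"
        $AllOk = $false
    }
}

# Advance the watermark only when every export succeeded, so a failed run
# is retried on the next interval rather than silently skipped.
if ($AllOk) { (Get-Date).ToString("o") | Set-Content $StateFile }

# Retention: remove only exports that carry this script's own naming pattern,
# leaving any other .evtx files on the share untouched.
$Cutoff = (Get-Date).AddDays(-$RetentionDays)
Get-ChildItem -Path $DestinationPath -Filter "*_${Tag}_*.evtx" |
    Where-Object { $_.LastWriteTime -lt $Cutoff } |
    Remove-Item -ErrorAction SilentlyContinue
```

Because each export holds only the events since the previous watermark, the files on the share no longer overlap, and a reader can still open them with Event Viewer or Get-WinEvent -Path.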