Get Detail Eventlogs 2 Textfile

param(
[Parameter(Mandatory=$true)][int]$ShowLast_X_Days,
[string]$LogPath,
[switch]$ALLLogsWithoutSecurity,
[switch]$ALLPossibleLogs,
[string]$Searchvalue,
[switch]$GetLogonEvent,
[switch]$GetLogOFFEvent,
[switch]$GetLogFailEvent,
[switch]$APPSYSALLInfo,
[switch]$SetLocalSECAuditPolicy,
[switch]$DisableLocalSECAuditPolicy,
[string]$Computer,
[switch]$ExpandLogSize
)


#Example:
#.\GetDetailEventlogs.ps1 -ShowLast_X_Days 2 -LogPath C:\___Eventlogs\02122020 -ALLLogsWithoutSecurity -ALLPossibleLogs



if (-not (Test-Path -Path $LogPath))
{ 
            
    write-host "Create Path"$LogPath -ForegroundColor Green
    $ResultCreatePath = New-Item -ItemType "directory" -Path $LogPath
}

write-host "Please wait..." -ForegroundColor Yellow
if(-not ($Computer.Length -gt 0)) {$Computer = $env:COMPUTERNAME}

$LogPreffix = "___MLI_" + $Computer + "_"


if($ShowLast_X_Days -gt 0){$ShowLast_X_Days = $ShowLast_X_Days * (-1)}
if ([string]::IsNullOrEmpty($Searchvalue)) {$Searchvalue = ""}
if ($LogPath -gt 0)
{
    if (-not ($LogPath.Substring($LogPath.Length-1) -eq "\")) {$LogPath = $LogPath + "\"}
}
$Entrytype = "Error,Warning"
if ($ALLLogsWithoutSecurity) {$ALLPossibleLogs = $true}


if($ExpandLogSize)
{
    write-host "Change Logfile Size" -ForegroundColor Yellow
    $b = Get-EventLog -list |?{$_.Entries -ne 0}
    
    foreach ($Logview in $b)
    {  

        Limit-Eventlog -Logname $Logview.log -MaximumSize 500MB -OverflowAction OverwriteAsNeeded
        write-host "Set"$Logview.log"to 500MB" -ForegroundColor Yellow
    }
}

if ($ALLPossibleLogs)
{

    $a = Get-EventLog -list |?{$_.Entries -ne 0}

    foreach ($Logview in $a)
    {  
        if($ExpandLogSize)
        {
            Limit-Eventlog -Logname $Logview.log -MaximumSize 500MB -OverflowAction OverwriteAsNeeded
        }

        if(($Logview.log -eq "System" -or $Logview.log -eq "Application") -and $APPSYSALLInfo -eq $false)
        {
            $log = $LogPath + $LogPreffix + "ALLEventlog_EW_" + $Logview.log + "_" + $Searchvalue + ".txt"
            if ($LogPath.Length -gt 0)
            {
                Get-Eventlog -LogName $Logview.log -EntryType Error,Warning -After (get-date).AddDays($ShowLast_X_Days) -ComputerName $Computer | ?{$_.Message -like "*" + $Searchvalue + "*"} |fl > $log
            }
            else
            {
                Get-Eventlog -LogName $Logview.log -EntryType Error,Warning -After (get-date).AddDays($ShowLast_X_Days) -ComputerName $Computer  | ?{$_.Message -like "*" + $Searchvalue + "*"} |fl 
            }

        }
        else
        {
            if ($ALLLogsWithoutSecurity -eq $true -and $Logview.log -eq "Security")
            {
            
            }
            else
            {

                $log = $LogPath + $LogPreffix + "ALLEventlog_IEW_" + $Logview.log + "_" + $Searchvalue + ".txt"
                if ($LogPath.Length -gt 0)
                {
                    Get-Eventlog -LogName $Logview.log -After (get-date).AddDays($ShowLast_X_Days) -ComputerName $Computer  | ?{$_.Message -like "*" + $Searchvalue + "*"} |fl > $log
                }
                else
                {
                    Get-Eventlog -LogName $Logview.log -After (get-date).AddDays($ShowLast_X_Days) -ComputerName $Computer  | ?{$_.Message -like "*" + $Searchvalue + "*"} |fl 
                }
            }
        }

    }

}

if ($GetLogonEvent)
{
    if ($LogPath.Length -gt 0)
    {
        $log = $LogPath + $LogPreffix + "LogonReport_" + $Searchvalue + ".txt"
        Get-EventLog -LogName Security -InstanceId 4624 -After (get-date).AddDays($ShowLast_X_Days) -ComputerName $Computer -ErrorAction SilentlyContinue | ?{$_.Message -like "*" + $Searchvalue + "*"} |fl > $log #| Where-Object Message -Match "Logon Type:            2" 
    }
    else
    {
        Get-EventLog -LogName Security -InstanceId 4624 -After (get-date).AddDays($ShowLast_X_Days) -ComputerName $Computer -ErrorAction SilentlyContinue | ?{$_.Message -like "*" + $Searchvalue + "*"} |fl # Where-Object Message -Match "Logon Type:            2" |fl        
    }
}

if ($GetLogOFFEvent)
{
    if ($LogPath.Length -gt 0)
    {
        $log = $LogPath + $LogPreffix + "LogOFFReport_" + $Searchvalue + ".txt"
        Get-EventLog -LogName Security -InstanceId 4634 -After (get-date).AddDays($ShowLast_X_Days) -ComputerName $Computer -ErrorAction SilentlyContinue | ?{$_.Message -like "*" + $Searchvalue + "*"} |fl > $log #| Where-Object Message -Match "Logon Type:                   3" |fl > $log
    }
    else
    {
        Get-EventLog -LogName Security -InstanceId 4634 -After (get-date).AddDays($ShowLast_X_Days) -ComputerName $Computer -ErrorAction SilentlyContinue | ?{$_.Message -like "*" + $Searchvalue + "*"} |fl # Where-Object Message -Match "Logon Type:                  3" |fl        
    }
}
if ($GetLogFailEvent)
{
    if ($LogPath.Length -gt 0)
    {
        $log = $LogPath + $LogPreffix + "LogFailEvent" + $Searchvalue + ".txt"
        Get-EventLog -LogName Security -InstanceId 4625 -After (get-date).AddDays($ShowLast_X_Days) -ComputerName $Computer -ErrorAction SilentlyContinue | ?{$_.Message -like "*" + $Searchvalue + "*"} |fl > $log #| Where-Object Message -Match "Logon Type:                   2" |fl > $log
    }
    else
    {
        Get-EventLog -LogName Security -InstanceId 4625 -After (get-date).AddDays($ShowLast_X_Days) -ComputerName $Computer -ErrorAction SilentlyContinue | ?{$_.Message -like "*" + $Searchvalue + "*"} |fl # Where-Object Message -Match "Logon Type:                  2" |fl        
    }
}

if($SetLocalSECAuditPolicy)
{
    write-host "Before:" -ForegroundColor Yellow
    auditpol /get /Category:*

    auditpol /set /category:"System","Account Management","Account Logon","Logon/Logoff","Policy Change" /failure:enable /success:enable     

    auditpol /set /category:"DS Access","Object Access" /failure:enable

    write-host "After:" -ForegroundColor Yellow
    auditpol /get /Category:*

}

if($DisableLocalSECAuditPolicy)
{
    write-host "Before:" -ForegroundColor Yellow
    auditpol /get /Category:*

    auditpol /set /category:"System","Account Management","Account Logon","Logon/Logoff","Policy Change" /failure:disable /success:disable     

    auditpol /set /category:"DS Access","Object Access" /failure:disable

    write-host "After:" -ForegroundColor Yellow
    auditpol /get /Category:*

}

write-host "...done." -ForegroundColor Green

#  4624 -> erfolgreich angemeldet
#  4625 -> fehlerhafte Anmeldung
#  4771 -> nicht erfolgreiche Anmeldungen

#Event ID     Bedeutung
#4624   An account was successfully logged on
#4625   An account failed to login.
#4634   An account was logged off
#4719    Audit Policy Change
#4740   A User account was locked outa
#4767   A User account was unlocked
#4768   A Kerberos authentication ticket (TGT) was requested
#4769   A Kerberos service ticket was requested.
#4776   The domain controller attempted to validate the credentials für an account.
#4672   Special privileges assigned to new logon

#Logon Events Description  
#528    A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below.     
#529    Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.   
#530    Logon failure. A logon attempt was made user account tried to log on outside of the allowed time.     
#531    Logon failure. A logon attempt was made using a disabled account. 
#532    Logon failure. A logon attempt was made using an expired account. 
#533    Logon failure. A logon attempt was made by a user who is not allowed to log on at this computer.      
#534    Logon failure. The user attempted to log on with a type that is not allowed.     
#535    Logon failure. The password for the specified account has expired.       
#536    Logon failure. The Net Logon service is not active. 
#537    Logon failure. The logon attempt failed for other reasons. 
             
#       Note   
             
#       In some cases, the reason for the logon failure may not be known. 
             
#538    The logoff process was completed for a user.  
#539    Logon failure. The account was locked out at the time the logon attempt was made.   
#540    A user successfully logged on to a network.   
#541    Main mode Internet Key Exchange (IKE) authentication was completed between the local computer and the listed peer identity (establishing a security association), or quick mode has established a data channel.    
#542    A data channel was terminated.   
#543    Main mode was terminated. 
             
#       Note   
             
#       This might occur as a result of the time limit on the security association expiring (the default is eight hours), policy changes, or peer termination. 
             
#544    Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated.      
#545    Main mode authentication failed because of a Kerberos failure or a password that is not valid.      
#546    IKE security association establishment failed because the peer sent a proposal that is not valid. A packet was received that contained data that is not valid.   
#547    A failure occurred during an IKE handshake.   
#548    Logon failure. The security ID (SID) from a trusted domain does not match the account domain SID of the client.   
#549    Logon failure. All SIDs corresponding to untrusted namespaces were filtered out during an authentication across forests.      
#550    Notification message that could indicate a possible denial-of-service attack.      
#551    A user initiated the logoff process.   
#552    A user successfully logged on to a computer using explicit credentials while already logged on as a different user.  
#682    A user has reconnected to a disconnected terminal server session. 
#683    A user disconnected a terminal server session without logging off.       
             
#       Note   
             
#       This event is generated when a user is connected to a terminal server session over the network. It appears on the terminal server.      
             
#Logon type   Logon title  Description
#2      Interactive  A user logged on to this computer.
#3      Network      A user or computer logged on to this computer from the network.
#4      Batch  Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
#5      Service      A service was started by the Service Control Manager.
#7      Unlock This workstation was unlocked.
#8      NetworkCleartext    A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
#9      NewCredentials      A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
#10     RemoteInteractive   A user logged on to this computer remotely using Terminal Services or Remote Desktop.
#11     CachedInteractive   A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

param(

[Parameter(Mandatory=$true)][int]$ShowLast_X_Days,

[string]$LogPath,

[switch]$ALLLogsWithoutSecurity,

[switch]$ALLPossibleLogs,

[string]$Searchvalue,

[switch]$GetLogonEvent,

[switch]$GetLogOFFEvent,

[switch]$GetLogFailEvent,

[switch]$APPSYSALLInfo,

[switch]$SetLocalSECAuditPolicy,

[switch]$DisableLocalSECAuditPolicy,

[string]$Computer,

[switch]$ExpandLogSize

)

#Example:

#.\GetDetailEventlogs.ps1 -ShowLast_X_Days 2 -LogPath C:\___Eventlogs\02122020 -ALLLogsWithoutSecurity -ALLPossibleLogs

if (-not (Test-Path -Path $LogPath))

{

write-host "Create Path"$LogPath -ForegroundColor Green

$ResultCreatePath = New-Item -ItemType "directory" -Path $LogPath

}

write-host "Please wait..." -ForegroundColor Yellow

if(-not ($Computer.Length -gt 0)) {$Computer = $env:COMPUTERNAME}

$LogPreffix = "___MLI_" + $Computer + "_"

if($ShowLast_X_Days -gt 0){$ShowLast_X_Days = $ShowLast_X_Days * (-1)}

if ([string]::IsNullOrEmpty($Searchvalue)) {$Searchvalue = ""}

if ($LogPath -gt 0)

{

if (-not ($LogPath.Substring($LogPath.Length-1) -eq "\")) {$LogPath = $LogPath + "\"}

}

$Entrytype = "Error,Warning"

if ($ALLLogsWithoutSecurity) {$ALLPossibleLogs = $true}

if($ExpandLogSize)

{

write-host "Change Logfile Size" -ForegroundColor Yellow

$b = Get-EventLog -list |?{$_.Entries -ne 0}

foreach ($Logview in $b)

{

Limit-Eventlog -Logname $Logview.log -MaximumSize 500MB -OverflowAction OverwriteAsNeeded

write-host "Set"$Logview.log"to 500MB" -ForegroundColor Yellow

}

if ($ALLPossibleLogs)

{

$a = Get-EventLog -list |?{$_.Entries -ne 0}

foreach ($Logview in $a)

{

if($ExpandLogSize)

{

Limit-Eventlog -Logname $Logview.log -MaximumSize 500MB -OverflowAction OverwriteAsNeeded

}

if(($Logview.log -eq "System" -or $Logview.log -eq "Application") -and $APPSYSALLInfo -eq $false)

{

$log = $LogPath + $LogPreffix + "ALLEventlog_EW_" + $Logview.log + "_" + $Searchvalue + ".txt"

if ($LogPath.Length -gt 0)

{

Get-Eventlog -LogName $Logview.log -EntryType Error,Warning -After (get-date).AddDays($ShowLast_X_Days) -ComputerName $Computer | ?{$_.Message -like "*" + $Searchvalue + "*"} |fl > $log

}

else

{

Get-Eventlog -LogName $Logview.log -EntryType Error,Warning -After (get-date).AddDays($ShowLast_X_Days) -ComputerName $Computer | ?{$_.Message -like "*" + $Searchvalue + "*"} |fl

}

else

{

if ($ALLLogsWithoutSecurity -eq $true -and $Logview.log -eq "Security")

{

}

else

{

$log = $LogPath + $LogPreffix + "ALLEventlog_IEW_" + $Logview.log + "_" + $Searchvalue + ".txt"

if ($LogPath.Length -gt 0)

{

Get-Eventlog -LogName $Logview.log -After (get-date).AddDays($ShowLast_X_Days) -ComputerName $Computer | ?{$_.Message -like "*" + $Searchvalue + "*"} |fl > $log

}

else

{

Get-Eventlog -LogName $Logview.log -After (get-date).AddDays($ShowLast_X_Days) -ComputerName $Computer | ?{$_.Message -like "*" + $Searchvalue + "*"} |fl

}

if ($GetLogonEvent)

{

if ($LogPath.Length -gt 0)

{

$log = $LogPath + $LogPreffix + "LogonReport_" + $Searchvalue + ".txt"

Get-EventLog -LogName Security -InstanceId 4624 -After (get-date).AddDays($ShowLast_X_Days) -ComputerName $Computer -ErrorAction SilentlyContinue | ?{$_.Message -like "*" + $Searchvalue + "*"} |fl > $log #| Where-Object Message -Match "Logon Type: 2"

}

else

{

}

if ($GetLogOFFEvent)

{

if ($LogPath.Length -gt 0)

{

$log = $LogPath + $LogPreffix + "LogOFFReport_" + $Searchvalue + ".txt"

Get-EventLog -LogName Security -InstanceId 4634 -After (get-date).AddDays($ShowLast_X_Days) -ComputerName $Computer -ErrorAction SilentlyContinue | ?{$_.Message -like "*" + $Searchvalue + "*"} |fl > $log #| Where-Object Message -Match "Logon Type: 3" |fl > $log

}

else

{

}

if ($GetLogFailEvent)

{

if ($LogPath.Length -gt 0)

{

$log = $LogPath + $LogPreffix + "LogFailEvent" + $Searchvalue + ".txt"

Get-EventLog -LogName Security -InstanceId 4625 -After (get-date).AddDays($ShowLast_X_Days) -ComputerName $Computer -ErrorAction SilentlyContinue | ?{$_.Message -like "*" + $Searchvalue + "*"} |fl > $log #| Where-Object Message -Match "Logon Type: 2" |fl > $log

}

else

{

}

if($SetLocalSECAuditPolicy)

{

write-host "Before:" -ForegroundColor Yellow

auditpol /get /Category:*

auditpol /set /category:"System","Account Management","Account Logon","Logon/Logoff","Policy Change" /failure:enable /success:enable

auditpol /set /category:"DS Access","Object Access" /failure:enable

write-host "After:" -ForegroundColor Yellow

auditpol /get /Category:*

}

if($DisableLocalSECAuditPolicy)

{

write-host "Before:" -ForegroundColor Yellow

auditpol /get /Category:*

auditpol /set /category:"System","Account Management","Account Logon","Logon/Logoff","Policy Change" /failure:disable /success:disable

auditpol /set /category:"DS Access","Object Access" /failure:disable

write-host "After:" -ForegroundColor Yellow

auditpol /get /Category:*

}

write-host "...done." -ForegroundColor Green

# 4624 -> erfolgreich angemeldet

# 4625 -> fehlerhafte Anmeldung

# 4771 -> nicht erfolgreiche Anmeldungen

#Event ID Bedeutung

#4624 An account was successfully logged on

#4625 An account failed to login.

#4634 An account was logged off

#4719 Audit Policy Change

#4740 A User account was locked outa

#4767 A User account was unlocked

#4768 A Kerberos authentication ticket (TGT) was requested

#4769 A Kerberos service ticket was requested.

#4776 The domain controller attempted to validate the credentials für an account.

#4672 Special privileges assigned to new logon

#Logon Events Description

#528 A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below.

#529 Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.

#530 Logon failure. A logon attempt was made user account tried to log on outside of the allowed time.

#531 Logon failure. A logon attempt was made using a disabled account.

#532 Logon failure. A logon attempt was made using an expired account.

#533 Logon failure. A logon attempt was made by a user who is not allowed to log on at this computer.

#534 Logon failure. The user attempted to log on with a type that is not allowed.

#535 Logon failure. The password for the specified account has expired.

#536 Logon failure. The Net Logon service is not active.

#537 Logon failure. The logon attempt failed for other reasons.

# Note

# In some cases, the reason for the logon failure may not be known.

#538 The logoff process was completed for a user.

#539 Logon failure. The account was locked out at the time the logon attempt was made.

#540 A user successfully logged on to a network.

#541 Main mode Internet Key Exchange (IKE) authentication was completed between the local computer and the listed peer identity (establishing a security association), or quick mode has established a data channel.

#542 A data channel was terminated.

#543 Main mode was terminated.

# Note

# This might occur as a result of the time limit on the security association expiring (the default is eight hours), policy changes, or peer termination.

#544 Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated.

#545 Main mode authentication failed because of a Kerberos failure or a password that is not valid.

#546 IKE security association establishment failed because the peer sent a proposal that is not valid. A packet was received that contained data that is not valid.

#547 A failure occurred during an IKE handshake.

#548 Logon failure. The security ID (SID) from a trusted domain does not match the account domain SID of the client.

#549 Logon failure. All SIDs corresponding to untrusted namespaces were filtered out during an authentication across forests.

#550 Notification message that could indicate a possible denial-of-service attack.

#551 A user initiated the logoff process.

#552 A user successfully logged on to a computer using explicit credentials while already logged on as a different user.

#682 A user has reconnected to a disconnected terminal server session.

#683 A user disconnected a terminal server session without logging off.

# Note

# This event is generated when a user is connected to a terminal server session over the network. It appears on the terminal server.

#Logon type Logon title Description

#2 Interactive A user logged on to this computer.

#3 Network A user or computer logged on to this computer from the network.

#4 Batch Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.

#5 Service A service was started by the Service Control Manager.

#7 Unlock This workstation was unlocked.

#8 NetworkCleartext A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).

#9 NewCredentials A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.

#10 RemoteInteractive A user logged on to this computer remotely using Terminal Services or Remote Desktop.

#11 CachedInteractive A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.