-Added a prompt asking the user to hit Enter to exit, shown only if the session is interactive.
-Added clean-up routine to collect only
-Added Excel output option (requires PS 5.1+)
-Added event ID 4756 per AD STIG V-43712
-Added event ID to message output for powershell commands (event ID 800)
-Added event status success/fail to output
-Added schTask parameter to add script to scheduled task automatically
-Added a report opener function to ask the user which report to open
-Changed the way log files are backed up: now uses wevtutil instead of a WMI object.
-Changed how events are stored. Events are now stored in objects for easier importing into Excel (requires PS 3+)
-Fixed issue with script not copying files (Start-BitsTransfer was the problem) by reverting to the old way of copying files (Copy-Item).
-Fixed issue with restart events reporting the wrong user
- No known issues as of this release on 2020-11-20.
-Added Unclassified headers and footers in the report output as well as a "(U)" in the log file and report file names.
-Added Event ID 800, 4688
-Filtered out 4625 network logon events generated by SYSTEM
-Filtered out DWM-1, DWM-2, DWM-3, UMFD0, UMFD1, UMFD2, UMFD3 from 4624, 4634, and 4648
-Updated 1074 filter to include support for windows 10, server 2016 and newer
Updates Done by Sophie Pokorney:
- Added Event IDs: 307, 4670, 4707, 4713, 4727, 4730, 4731, 4732, 4733, 4734, 4744, 4748, 4749, 4753, 4754, 4758, 4759, 4763, 5024, 5025, 6416
- Cleaned up and sorted "if" statements in the parsing function
-Changed the collection portion of the script to be more verbose, showing filenames and filepaths
-Changed username to SYSTEM as the user for event IDs 1100, 4608, 4719, 4739, 4906, 5024, 5025 as there is no user associated with the events.
-Changed over to Start-BitsTransfer instead of Copy-Item to show progress for large files
- Changed Event ID 800 to specify whether it was PowerShell, as well as what command was used
-Removed check for specific versions of Windows and now just checks for "Windows"
- No known issues as of this release
-Added Help Content (To see type Get-Help .\WLCAPx.x.ps1)
-Added a check to report if the EventLog was not cleared
-Added a list of Event IDs captured to the README
-Added the parsing of the System log (Event ID 1074) for Shutdowns. The Security log does not provide a shutdown event.
-Added logic to parse event IDs 1100, 4739, and 4906. The Event IDs were being pulled but not parsed.
-Updated list of Event IDs to more accurately show what is being parsed. Some Event IDs were removed because the events would never be generated in a DSS compliant setting.
-Separated the successful/failed screen unlock events from the successful/failed logon sections of the report. Successful/Failed screen unlock events will have their own section in the report. This helps clean up the successful/failed logon section of the report for large environments.
-Removed Type 7 (Screen Unlock) 4634 (Logoff) events from the report. These events are generated simultaneously with, and as a result of, a Type 7 (Screen Unlock) 4624 (Logon). Therefore, the events have no value.
-Fixed issue with running the script from a remote system and saving the logs on a system that is being processed.
-Fixed issue with auto rotated application and system logs being put in the parsing folder and not directly in their respective folder.
- No known issues as of this release
-Added feature to check the accuracy of the host file against a domain computer query and vice-versa
-Added a path check in addition to the ping check for system availability
-Changed Active Directory computer query to only search for active computers
-Fixed issue with reading a list of hosts from a file
-Fixed issue with processing/saving logs on the same system the script is run from
- No known issues as of this release
-Added some conditional statements to handle when a backup server is not defined
-Added in functionality to run on local (standalone) system if a domain is not found
-Fixed issue with script creating a secondary backup of the logs on the root of C:
- No known issues as of this release
-Added a query for all logon types on 4624, 4625, 4634 event IDs
-Added a suppress query to filter out SYSTEM, Local Service, and Network Service from 4624, 4634, 4616, 4656 event IDs
-Added a suppress query to filter out SYSTEM from 4720, 4722, 4723, 4724, 4725, 4726, 4781, 4767, and 4732 event IDs
-Added screen output to show each log being parsed
-Added script configuration file so that users would be able to easily modify the config file without editing the script.
-Changed naming convention of saved audit log files to [email protected]
-Removed the color-write function and used Write-Host instead
-Removed -quiet parameter (Not Used)
-Fixed formatting for screen output and the report
- No known issues as of this release
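The suppress queries and logon-type filters listed in this release, together with the DWM/UMFD and SYSTEM-on-4625 filters from the later release above, map directly onto a Windows event XML query with Select and Suppress elements, which is also the "xml queries" approach the earliest release mentions. The following is an added example and not the WLCAP script's own code. It assumes Get-WinEvent on Windows; the archived-log path is a placeholder, and identifying the 4625 SYSTEM noise by SubjectUserName plus LogonType 3 is this example's own assumption. The UMFD accounts are listed both as the changelog spells them and in the hyphenated form the TargetUserName field carries.

```powershell
# Added example (not from the WLCAP script): build a Windows event XML query with
# Select/Suppress elements and run it with Get-WinEvent.
# Windows event XPath supports only a small subset of XPath 1.0 (no starts-with,
# no ends-with), so every suppressed account name is listed explicitly.
$noiseAccounts = @('DWM-1', 'DWM-2', 'DWM-3',
                   'UMFD0', 'UMFD1', 'UMFD2', 'UMFD3',      # spelling used in the changelog
                   'UMFD-0', 'UMFD-1', 'UMFD-2', 'UMFD-3')  # form seen in TargetUserName

function New-LogonQueryXml {
    param(
        # Live channel name, or 'file://C:\path\Security.evtx' (placeholder) for an archived copy
        [string]$LogPath = 'Security',
        [string[]]$SuppressedAccounts = $noiseAccounts
    )
    $accountTests = ($SuppressedAccounts | ForEach-Object { "Data[@Name='TargetUserName']='$_'" }) -join ' or '
@"
<QueryList>
  <Query Id="0" Path="$LogPath">
    <Select Path="$LogPath">*[System[(EventID=4624 or EventID=4625 or EventID=4634 or EventID=4648)]]</Select>
    <Suppress Path="$LogPath">*[System[EventID=4625] and EventData[Data[@Name='SubjectUserName']='SYSTEM' and Data[@Name='LogonType']='3']]</Suppress>
    <Suppress Path="$LogPath">*[System[(EventID=4624 or EventID=4634 or EventID=4648)] and EventData[$accountTests]]</Suppress>
  </Query>
</QueryList>
"@
}

function Get-FilteredLogonEvents {
    param(
        [string]$LogPath = 'Security',
        [string[]]$SuppressedAccounts = $noiseAccounts
    )
    $query = [xml](New-LogonQueryXml -LogPath $LogPath -SuppressedAccounts $SuppressedAccounts)
    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Post-filter that event XPath cannot express: drop computer accounts
        # (names ending in "$"), the same rule the 4656 filter applies.
        if ($data['TargetUserName'] -like '*$') { return }

        # One object per event, so the result exports cleanly to CSV/Excel.
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            Status      = if ($_.Id -eq 4625) { 'Failure' } else { 'Success' }
            LogonType   = $data['LogonType']
            User        = $data['TargetUserName']
            Domain      = $data['TargetDomainName']
            Computer    = $_.MachineName
        }
    }
}

# Usage: parse the live Security log, or an archived copy, and export the result.
# Get-FilteredLogonEvents | Export-Csv -Path "$env:TEMP\logons.csv" -NoTypeInformation
# Get-FilteredLogonEvents -LogPath 'file://C:\LogsArchive\Security.evtx' | Format-Table
```

Doing the account suppression inside the query rather than in PowerShell after the fact is what makes the difference on large logs: the event log service discards the noise records before they are ever materialised as objects.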
-Added new function, post-clean, to handle left-over files from the clean-up function.
-Added capability of hashing logfiles after copying to verify integrity before removing
-Added filter to query the end of each log file for the system name to filter out the events that contain the system name in the username field.
-Updated Active Directory filter to only list Windows Vista, 7, 8 and Server 2008 (R2), 2012 (R2)
-Updated $dateTime to use a 24-hour clock instead of a 12-hour clock to distinguish time of day (AM vs PM)
-Changed the name of the script to not include special characters, as they cause problems when running it as a scheduled task. New name is WindowsLogCollectorAndParserX.X.ps1
-Fixed window size error; Changed width from 150 to 128 (128 is max width)
-Fixed issue with system names containing underscores; Reformatted naming scheme for audit log files
-Fixed issue with clean-up function not cleaning all of the audit log files. Adding sleep time to the clean-up function seemed to partially fix the issue.
- No known issues as of this release
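The hash-after-copy step introduced in this release, combined with the later move to wevtutil for backups and the check that the log was actually cleared, amounts to a small verified-collection routine. The following is an added example, not the WLCAP script's own code. It assumes wevtutil.exe and Get-FileHash are available (Windows, PowerShell 4+); the archive and staging directories are placeholders, and the "was the log cleared" check (oldest surviving record must post-date the backup) is this example's own approach.

```powershell
# Added example (not from the WLCAP script): export a channel with wevtutil, copy the
# .evtx to the archive, and remove the local export only after the SHA-256 of the
# source and the copy agree. Optionally clear the channel and confirm the clear.
function Backup-EventLogVerified {
    param(
        [Parameter(Mandatory)][string]$LogName,     # e.g. 'Security'
        [Parameter(Mandatory)][string]$ArchiveDir,  # e.g. '\\backupserver\logs\HOST' (placeholder)
        [string]$StagingDir = (Join-Path $env:TEMP 'evtx-staging'),
        [switch]$ClearAfterBackup
    )
    New-Item -ItemType Directory -Path $StagingDir, $ArchiveDir -Force | Out-Null

    $backupStart = Get-Date
    $stamp  = $backupStart.ToString('yyyy-MM-dd_HHmm')   # 24-hour clock, as the changelog notes
    $file   = '{0}_{1}_{2}.evtx' -f $env:COMPUTERNAME, $LogName, $stamp
    $staged = Join-Path $StagingDir $file

    # wevtutil epl writes a copy of the live channel to an .evtx file.
    & wevtutil.exe epl $LogName $staged
    if ($LASTEXITCODE -ne 0) { throw "wevtutil epl failed for $LogName (exit code $LASTEXITCODE)" }

    $archived = Join-Path $ArchiveDir $file
    Copy-Item -Path $staged -Destination $archived -Force

    # Verify integrity before anything local is removed.
    $srcHash = (Get-FileHash -Path $staged   -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -Path $archived -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) {
        throw "Hash mismatch for $file (staged $srcHash, archived $dstHash); local copy kept"
    }
    # Record the hash beside the archive so the file can be re-verified later.
    "$dstHash  $file" | Add-Content -Path (Join-Path $ArchiveDir 'SHA256SUMS.txt')
    Remove-Item -Path $staged -Force

    $cleared = $false
    if ($ClearAfterBackup) {
        & wevtutil.exe cl $LogName
        $cleared = ($LASTEXITCODE -eq 0)
        # Confirm the clear actually took effect: if the oldest surviving record
        # predates this backup, the channel still holds its old contents.
        $oldest = Get-WinEvent -LogName $LogName -MaxEvents 1 -Oldest -ErrorAction SilentlyContinue
        if (-not $cleared -or ($oldest -and $oldest.TimeCreated -lt $backupStart)) {
            $cleared = $false
            Write-Warning "Event log $LogName on $env:COMPUTERNAME was not cleared"
        }
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Log      = $LogName
        Archive  = $archived
        Sha256   = $dstHash
        Cleared  = $cleared
    }
}

# Usage (run elevated; the archive path is a placeholder):
# Backup-EventLogVerified -LogName 'Security' -ArchiveDir '\\backupserver\logs\HOST' -ClearAfterBackup
```

Because removal of the staged file is gated on the hash comparison rather than on a sleep, a slow or interrupted copy to the archive share leaves the local export in place instead of silently losing it.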
-Added the computer name to all the error messages that get written to the report
-Filtered out Local Service and computers from event ID 4616
-Added statement to indicate end of script
-Fixed archived logs issue (backing up but not cleaning up)
-Fixed issue with Clean-Up function putting logs in random folders
- No known issues as of this release
-Separated Successful and Failed Logons in the report
-Added logon type 11 (cached logons) to the 4624 filter
-Separated Successful and Failed Password Changes in the report
-Added conditional statement in the 4656 filter to ignore usernames ending in "$"
-Added logon types in the report
-Added an event count to each event category in the report
-Fixed spacing in the report
- No known issues as of this release
-Added "-quiet" parameter (does not print status to the screen)
- No known issues as of this release
-Filtered out Local Service, IUSR, and computers from event ID 4656
-Added "-parseOnly" parameter (only parses logs stored in $LogsArchive)
-Added "-collectOnly" parameter (only collects the logs and does not parse them)
-Added "-computerName" parameter (can specify one computer to run against)
- No known issues as of this release
-Decreased parsing time and increased efficiency by using XML queries
- No known issues as of this release
-Fixed issue with $pathDir matching $LogsArchive
-Fixed issue with "Access Denied" when backing up on certain systems by adding "-EnableAllPrivileges" to the WMI object
- No known issues as of this release
- No known issues as of this release