Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/piesecurity/windowseventstocsvtimeline

Simple Powershell scripts to collect all Windows Event Logs from a host and parse them into one CSV timeline.
https://github.com/piesecurity/windowseventstocsvtimeline

csv-export eventlog forensic-analysis parsing powershell-script timeline windows windows-eventlog

Last synced: 4 months ago
JSON representation

Simple Powershell scripts to collect all Windows Event Logs from a host and parse them into one CSV timeline.

Host: GitHub
URL: https://github.com/piesecurity/windowseventstocsvtimeline
Owner: piesecurity
Created: 2017-11-19T17:35:42.000Z (about 7 years ago)
Default Branch: master
Last Pushed: 2018-10-13T22:35:03.000Z (over 6 years ago)
Last Synced: 2024-09-29T04:20:40.637Z (4 months ago)
Topics: csv-export, eventlog, forensic-analysis, parsing, powershell-script, timeline, windows, windows-eventlog
Language: PowerShell
Homepage:
Size: 29.3 KB
Stars: 33
Watchers: 3
Forks: 3
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

# WindowsEventsToCSVTimeline

A couple of simple Powershell scripts to collect all Windows Event Logs from a host and parse them into one CSV Timeline.

## But Why This Script?
This script uses Windows Powershell to parse event logs following 5 goals.

1. **Be Quick** - We play to the strong suits of Get-WinEvent and Get-EventLog and use the quickest one in the right situations

2. **Avoid Missing Event Viewer Descriptors** - We collect metadata from Event Logs during collection. If your parsing box doesn't have all the same roles we avoid this dreaded error.

```
# Example of Missing Descriptors
The description for Event ID 100 from source XXXX cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
```

To accomplish goal #1, we only use the metadata when it is required.

3. **Conform the Timestamp and Convert Everything to UTC**

4. **Timeline Logs from Multiple Systems at Once**

5. **Be Multi-Threaded** - We use this great project to multi-thread our parsing and push Get-WinEvent (and your CPU) as fast as possible. https://github.com/RamblingCookieMonster/Invoke-Parallel

### System Requirements

**Gather-LogsToTimeLine.ps1** only supports PowerShell versions 2.0 thru 5.1

*1.0 and 6.0+ (PSCore) are not supported*

**Parse-LogsToTimeLine.ps1** only supports Powershell versions 3.0+

*PowerShell v6 (PSCore) is supported on Windows Only*

### Getting Started

Collect All of the Logs!
```
.\Gather-LogsToTimeLine.ps1 -output "c:\Logs"

#Now copy your log files back to your analysis system
```

Parse All of the Logs!
```
.\Parse-LogsToTimeLine.ps1 -LogFolder "C:\Logs" -outputfile MyTimeline.csv
```

### Additional Options
```
Get-Help .\Gather-LogsToTimeLine.ps1 -Full
Get-Help .\Parse-LogsToTimeLine.ps1 -Full
```