├── LICENSE └── etl-to-evtx.ps1 /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2017 acalarch 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /etl-to-evtx.ps1: -------------------------------------------------------------------------------- 1 | write-host "`n...........................................`n" 2 | write-host "@ACALARCH Convert .ETL to WEF subscribable log" 3 | write-host ' Requires CSV in "C:\Windows\Temp\pathstopull.txt"' 4 | write-host ' ......CSV Format Example......' 5 | write-host " C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Trace.etl, CUST_WMITRACE" 6 | write-host ' ......END EXAMPLE......' 
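write-host "...........................................`n"
start-sleep -s 1

# The CSV that drives this script (the original repeated this literal in four
# places). Everything below runs with the rights New-EventLog / Write-EventLog
# need, so whoever can write this file decides which .etl files are read and
# which logs get created and written: keep it somewhere only administrators
# can modify.
$ConfigPath = "C:\Windows\Temp\pathstopull.txt"

# Polling passes between re-reads of the CSV, and the pause between passes.
$RefreshEvery = 6
$PollSeconds = 15

# EventLog.WriteEntry rejects messages longer than 31,839 characters; ETL
# payloads can be larger, so messages are cut to this length before writing.
$MaxMessageLength = 31839

#######################################
# Reads the CSV at $ConfigPath, checks that each .etl source can be opened and
# that its destination log exists (creating the log when it does not), and
# returns the usable sources together with the CSV's hash so the caller can
# notice later edits.
# Globals:  $ConfigPath (read)
# Outputs:  progress to the console; exits the script if the CSV is unreadable
# Returns:  an object with Logs (array of objects: Path, Name, Enabled,
#           LastUpdate) and Hash (Get-FileHash's default hash of the CSV)
#######################################
function load-etl {
    try {
        write-host ('Attempting to read CSV at "{0}"' -f $ConfigPath)
        $filehash = (get-filehash $ConfigPath -ErrorAction Stop).Hash
        $sources = import-csv $ConfigPath -header Path,Name -ErrorAction Stop
    }
    catch {
        write-host -foregroundcolor RED ('Unable to load CSV at "{0}": {1}' -f $ConfigPath, $_.Exception.Message)
        write-host -foregroundcolor RED "EXITING"
        exit
    }

    $logz = @()
    write-host -foregroundcolor cyan "Attempting to load etl sources and preparing destination logs"
    foreach ($source in $sources) {
        # Import-Csv keeps surrounding whitespace and the documented example
        # has a space after the comma, so both fields are trimmed.
        $path = "$($source.Path)".Trim()
        $name = "$($source.Name)".Trim()
        if (-not $path -or -not $name) {
            write-host -foregroundcolor RED "Skipping CSV row with an empty path or name"
            continue
        }

        $alive = $true
        try {
            get-winevent -Oldest -Path $path -ErrorAction Stop | out-null
            Get-WinEvent -ListLog $name -ErrorAction Stop | out-null
        }
        catch {
            write-host "checking if path to log exists"
            if (-not (test-path $path)) {
                write-host -foregroundcolor RED "Following Log Does Not Exist or is Inaccessible, Logs Will Not Be Converted, Maybe Ensure The Log Is Enabled?:" $path
                $alive = $false
            }
            # Matches the English error text only; on a localized system the
            # destination log is not created automatically.
            elseif ($_.Exception.Message -like 'There is not an event log on the localhost computer that matches*') {
                try {
                    new-eventlog -source $name -logname $name -erroraction Stop | out-null
                    write-host "created event:" $name
                }
                catch {
                    write-host ("unable to create log {0}, windows looks at only the first 8 chars for custom logs, so please ensure name does not conflict" -f $name)
                    write-host "Logs Will Not Be Converted for:" $name
                    $alive = $false
                }
            }
            # Any other error (the file exists but could not be read this time)
            # leaves the source enabled so the main loop keeps retrying it.
        }

        if ($alive) {
            $logz += [pscustomobject]@{
                Path       = $path
                Name       = $name
                Enabled    = $true
                # "No new logs" marks a source that has never been converted;
                # afterwards this holds the TimeCreated of the newest converted event.
                LastUpdate = "No new logs"
            }
        }
    }

    # Returned as one object so an empty or single-element Logs array survives
    # intact (the original appended the hash to the array and split by index).
    return [pscustomobject]@{ Logs = $logz; Hash = $filehash }
}

$state = load-etl
$logz = @($state.Logs)
$filehash = $state.Hash

foreach ($log in $logz) {
    # The original wrote '= "true"' here, which assigns rather than compares.
    if ($log.Enabled) {
        write-host "Loaded Source:" $log.Path
    }
}

write-host "`n"

# Two separate counters: passes since the CSV was last checked, and conversion
# batches written. The original shared one variable for both, so a pass that
# converted two or more sources could step past the refresh threshold and the
# CSV was then never re-read.
$sinceRefresh = 0
$batch = 0

while ($true) {
    if ($sinceRefresh -ge $RefreshEvery) {
        $sinceRefresh = 0
        write-host -foregroundcolor Gray "Checking for updates"
        try {
            $filehashnow = (get-filehash $ConfigPath -erroraction STOP).Hash
        }
        catch {
            # CSV missing or unreadable right now: keep the current source list.
            $filehashnow = $null
        }
        if ($filehashnow -and ($filehashnow -ne $filehash)) {
            $state = load-etl
            $logz = @($state.Logs)
            $filehash = $state.Hash
        }
    }
    $sinceRefresh++

    $now = get-date
    write-host -foregroundcolor "cyan" "Checking Logs"
    foreach ($log in $logz) {
        write-host -foregroundcolor "green" " Checking logs for:" $log.Path

        # First pass looks back one minute; later passes resume strictly after
        # the newest event already converted (events sharing that exact
        # timestamp are not re-read).
        if ($log.LastUpdate -eq "No new logs") {
            $since = $now.AddMinutes(-1)
        }
        else {
            $since = $log.LastUpdate
        }

        # @() keeps a single event an array: the original's '-is [system.array]'
        # test treated a pass with exactly one new event as "no new logs" and
        # could lose it once the one-minute window passed. A source that cannot
        # be read this pass yields nothing and is retried next pass.
        $mylogs = @(get-winevent -Oldest -Path $log.Path -ErrorAction SilentlyContinue |
            where-object { $_.TimeCreated -gt $since })

        if ($mylogs.Count -gt 0) {
            $log.LastUpdate = $mylogs[-1].TimeCreated
            write-host " ...Converted" $mylogs.Count "logs"
            write-host " ...Latest log was at:" $log.LastUpdate
            foreach ($evt in $mylogs) {
                $message = $evt.Message + ";`n`nTime = " + $evt.TimeCreated + "`nLevel = " + $evt.Level + "`nMachineName = " + $evt.MachineName + "`nProcessId = " + $evt.ProcessId + "`nThreadId = " + $evt.ThreadId + "`nUserId = " + $evt.UserId + "`nCount = " + $batch
                if ($message.Length -gt $MaxMessageLength) {
                    $message = $message.Substring(0, $MaxMessageLength)
                }
                Write-EventLog -LogName $log.Name -Source $log.Name -EventId $evt.Id -Message $message
            }
            $batch++
            Start-Sleep -m 5
        }
        else {
            write-host " ...No new logs to convert"
            write-host " ...Latest log was at:" $log.LastUpdate
        }
    }

    write-host -foregroundcolor "cyan" ("Sleeping for {0} seconds`n" -f $PollSeconds)
    start-sleep -s $PollSeconds
}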