├── .gitignore
├── Create-CustomViews.ps1
├── Create-Manifest.ps1
├── Create-Subscriptions.ps1
├── DCEvents.csv
├── Prepare-EventChannels.ps1
└── README.md

/.gitignore:
--------------------------------------------------------------------------------
Pre-Built\

--------------------------------------------------------------------------------
/Create-CustomViews.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Name: Create-CustomViews.ps1
Version: 1.1
Author: Russell Tomkins - Microsoft Premier Field Engineer
Blog: https://aka.ms/russellt

Creates Event Viewer custom views from an input CSV
Source: https://www.github.com/russelltomkins/ProjectSauron

.DESCRIPTION
Leverages an input CSV file to create custom event views using the xPath
filters provided. Can be used to validate the xPath filters in the input file
before creating dedicated custom event channels, or simply to create a
friendly customised tree view of events.

Refer to this blog series for more details
http://blogs.technet.microsoft.com/russellt/2017/03/23/project-sauron-part-1

.EXAMPLE
Create the custom views
Create-CustomViews.ps1 -InputFile DCEvents.csv

.PARAMETER InputFile
A CSV file which must include the ChannelName, ChannelSymbol, QueryPath and Query (the xPath filter itself) columns

LEGAL DISCLAIMER
This Sample Code is provided for the purpose of illustration only and is not
intended to be used in a production environment. THIS SAMPLE CODE AND ANY
RELATED INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. We grant You a
nonexclusive, royalty-free right to use and modify the Sample Code and to
reproduce and distribute the object code form of the Sample Code, provided
that You agree: (i) to not use Our name, logo, or trademarks to market Your
software product in which the Sample Code is embedded; (ii) to include a valid
copyright notice on Your software product in which the Sample Code is embedded;
and (iii) to indemnify, hold harmless, and defend Us and Our suppliers from and
against any claims or lawsuits, including attorneys fees, that arise or result
from the use or distribution of the Sample Code.

This posting is provided "AS IS" with no warranties, and confers no rights. Use
of included script samples are subject to the terms specified
at http://www.microsoft.com/info/cpyright.htm.
#>
# -----------------------------------------------------------------------------------
# Main Script
# -----------------------------------------------------------------------------------
[CmdletBinding()]
Param (
    [Parameter(Mandatory=$true)][ValidateNotNullOrEmpty()][String]$InputFile)

# Import our Custom Events
$CustomEvents = Import-CSV $InputFile

# Custom views live under %ProgramData%; resolve the root once, outside the loop
$ProgramDataPath = [System.Environment]::ExpandEnvironmentVariables("%Programdata%")

# We don't care about the providers, just loop through each entry to create the view
ForEach($Channel in $CustomEvents){

    # Prepare the Channel Details: the part after the "/" becomes the view name
    $CustomViewName = $Channel.ChannelName.Split("/")[1]

    # Convert our ChannelName to create the Subfolder Structure (each "-" becomes a folder level)
    $CustomViewNamePath = (($Channel.ChannelName.Split("/"))[0]).replace("-","\")

    # Pre-pend the Event Viewer views folder path and create the SubFolders
    $CustomViewNamePath = "$ProgramDataPath\Microsoft\Event Viewer\Views\" + $CustomViewNamePath
    New-Item -Type Directory $CustomViewNamePath -Force | Out-Null

    # Create our new XML File
    $xmlFilePath = $CustomViewNamePath + "\" + $Channel.ChannelSymbol + ".xml"
    $xmlWriter = New-Object System.Xml.XmlTextWriter($xmlFilePath,$null)

    # Set The Formatting
    $xmlWriter.Formatting = "Indented"
    $xmlWriter.Indentation = 4

    # Write the XML Declaration
    $xmlWriter.WriteStartDocument()

    # Create the ViewerConfig document that Event Viewer expects for a custom view
    $xmlWriter.WriteStartElement("ViewerConfig")
    $xmlWriter.WriteStartElement("QueryConfig")
    $xmlWriter.WriteStartElement("QueryParams")
    $xmlWriter.WriteStartElement("UserQuery")
    $xmlWriter.WriteEndElement() # Closing UserQuery
    $xmlWriter.WriteEndElement() # Closing QueryParams
    $xmlWriter.WriteStartElement("QueryNode")
    $xmlWriter.WriteStartElement("Name")
    $xmlWriter.WriteAttributeString("LanguageNeutralValue",$CustomViewName)
    $xmlWriter.WriteEndElement() # Closing Name
    $xmlWriter.WriteStartElement("QueryList")
    $xmlWriter.WriteStartElement("Query")
    $xmlWriter.WriteAttributeString("Id","0")
    $xmlWriter.WriteAttributeString("Path",$Channel.QueryPath)
    # The Query column is written raw (unescaped), so it must already be well-formed XML
    $xmlWriter.WriteRaw($Channel.Query)
    $xmlWriter.WriteEndElement() # Closing Query
    $xmlWriter.WriteEndElement() # Closing QueryList
    $xmlWriter.WriteEndElement() # Closing QueryNode
    $xmlWriter.WriteEndElement() # Closing QueryConfig
    $xmlWriter.WriteEndElement() # Closing ViewerConfig

    # Close the XML portion of the document
    $xmlWriter.WriteEndDocument()

    # Save and close the .XML file
    $xmlWriter.Flush()
    $xmlWriter.Close()
}

Write-Host "`nCustom views stored at `"$ProgramDataPath\Microsoft\Event Viewer\Views`""
Write-Host "`nLaunch Event Viewer (eventvwr.exe) and expand Custom Views to use them`n"
# -----------------------------------------------------------------------------------
# End of Script
# -----------------------------------------------------------------------------------

# SIG # Begin signature block
# SIG # End signature block
--------------------------------------------------------------------------------
/Create-Manifest.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Name: Create-Manifest.ps1
Version: 1.1
Author: Russell Tomkins - Microsoft Premier Field Engineer
Blog: https://aka.ms/russellt

Creates a custom event channel manifest file from input CSV
Source: https://www.github.com/russelltomkins/ProjectSauron

.DESCRIPTION
Leverages an input CSV file to create the Manifest file required for .dll compilation.
Once compiled, the .dll can be loaded on a Windows Event Collector to allow custom forwarding
and long term storage of events.

Refer to this blog series for more details
http://blogs.technet.microsoft.com/russellt/2017/03/23/project-sauron-part-1

.EXAMPLE
Creates the Manifest file to compile
Create-Manifest.ps1 -InputFile DCEvents.csv

.EXAMPLE
Creates the Manifest file to compile, specifying where the DLL will be located on the WEC server
Create-Manifest.ps1 -InputFile DCEvents.csv -DLLPath "C:\CustomDLLPath"

.PARAMETER InputFile
A CSV file which must include the ProviderSymbol, ProviderName and ProviderGuid columns (plus ChannelName and ChannelSymbol for each channel)

.PARAMETER DLLPath
The folder path on the WEC server from which Windows will load the .dll containing the custom event channels

LEGAL DISCLAIMER
This Sample Code is provided for the purpose of illustration only and is not
intended to be used in a production environment. THIS SAMPLE CODE AND ANY
RELATED INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. We grant You a
nonexclusive, royalty-free right to use and modify the Sample Code and to
reproduce and distribute the object code form of the Sample Code, provided
that You agree: (i) to not use Our name, logo, or trademarks to market Your
software product in which the Sample Code is embedded; (ii) to include a valid
copyright notice on Your software product in which the Sample Code is embedded;
and (iii) to indemnify, hold harmless, and defend Us and Our suppliers from and
against any claims or lawsuits, including attorneys fees, that arise or result
from the use or distribution of the Sample Code.

This posting is provided "AS IS" with no warranties, and confers no rights. Use
of included script samples are subject to the terms specified
at http://www.microsoft.com/info/cpyright.htm.
#>
# -----------------------------------------------------------------------------------
# Main Script
# -----------------------------------------------------------------------------------
# Prepare the Input Parameters
[CmdletBinding()]
Param (
    [Parameter(Mandatory=$true)][ValidateNotNullOrEmpty()][String]$InputFile,
    [Parameter(Mandatory=$false)][String]$DLLPath="C:\Windows\System32")

# Preparation
$BaseName = (Get-Item $InputFile).BaseName
$BasePathName = "$PWD\$BaseName"

$CustomEventsDLL = $DLLPath + "\" + $BaseName + ".dll"   # The Resource and Message DLL that will be referenced in the manifest.
$CustomEventsMAN = "$BasePathName.man"                   # The Manifest file

# Import the events from the input file and extract the Provider details.
$CustomEvents = Import-CSV $InputFile
$Providers = $CustomEvents | Select-Object -Property ProviderSymbol,ProviderName,ProviderGuid -Unique   # Extract the provider information from input

# Create The Manifest XML Document
$xmlWriter = New-Object System.Xml.XmlTextWriter($CustomEventsMAN,$null)

# Set The Formatting
$xmlWriter.Formatting = "Indented"
$xmlWriter.Indentation = 4

# Write the XML Declaration
$xmlWriter.WriteStartDocument()

# Create Instrumentation Manifest
$xmlWriter.WriteStartElement("instrumentationManifest")
$xmlWriter.WriteAttributeString("xsi:schemaLocation","http://schemas.microsoft.com/win/2004/08/events eventman.xsd")
$xmlWriter.WriteAttributeString("xmlns","http://schemas.microsoft.com/win/2004/08/events")
$xmlWriter.WriteAttributeString("xmlns:win","http://manifests.microsoft.com/win/2004/08/windows/events")
$xmlWriter.WriteAttributeString("xmlns:xsi","http://www.w3.org/2001/XMLSchema-instance")
$xmlWriter.WriteAttributeString("xmlns:xs","http://www.w3.org/2001/XMLSchema")
$xmlWriter.WriteAttributeString("xmlns:trace","http://schemas.microsoft.com/win/2004/08/events/trace")

# Create Instrumentation, Events and Provider Elements
$xmlWriter.WriteStartElement("instrumentation")
$xmlWriter.WriteStartElement("events")

# One <provider> element per unique provider, each referencing the compiled DLL for its resources and messages
ForEach($Provider in $Providers){
    $xmlWriter.WriteStartElement("provider")
    $xmlWriter.WriteAttributeString("name",($Provider.ProviderName))
    $xmlWriter.WriteAttributeString("guid",$Provider.ProviderGUID)
    $xmlWriter.WriteAttributeString("symbol",$Provider.ProviderSymbol)
    $xmlWriter.WriteAttributeString("resourceFileName",$CustomEventsDLL)
    $xmlWriter.WriteAttributeString("messageFileName",$CustomEventsDLL)
    $xmlWriter.WriteAttributeString("parameterFileName",$CustomEventsDLL)
    $xmlWriter.WriteStartElement("channels")

    # One <channel> element per CSV row belonging to this provider
    $Channels = $CustomEvents | Where-Object{$_.ProviderSymbol -eq $Provider.ProviderSymbol}
    ForEach($Channel in $Channels){
        $xmlWriter.WriteStartElement("channel")
        $xmlWriter.WriteAttributeString("name",$Channel.ChannelName)
        $xmlWriter.WriteAttributeString("chid",($Channel.ChannelName).Replace(' ',''))
        $xmlWriter.WriteAttributeString("symbol",$Channel.ChannelSymbol)
        $xmlWriter.WriteAttributeString("type","Admin")
        $xmlWriter.WriteAttributeString("enabled","false")
        $xmlWriter.WriteEndElement() # Closing channel
    }
    $xmlWriter.WriteEndElement() # Closing channels
    $xmlWriter.WriteEndElement() # Closing provider
}
$xmlWriter.WriteEndElement() # Closing events
$xmlWriter.WriteEndElement() # Closing instrumentation
$xmlWriter.WriteEndElement() # Closing instrumentationManifest

# End the XML Document
$xmlWriter.WriteEndDocument()

# Finish The Document
$xmlWriter.Flush()
$xmlWriter.Close()

# Output the usage instructions
Write-Host "`nThe manifest file has been generated at `"$CustomEventsMAN`"`n"
Write-Host "Step 1: With the Windows 10 SDK installed, open a Command Prompt and change directory to the folder with the .man file (This will not work in PowerShell!) `n"

Write-Host "`t `"C:\Program Files (x86)\Windows Kits\10\bin\x64\mc.exe`" `"$CustomEventsMAN`""
Write-Host "`t `"C:\Program Files (x86)\Windows Kits\10\bin\x64\mc.exe`" -css `"NameSpace`" `"$CustomEventsMAN`""
Write-Host "`t `"C:\Program Files (x86)\Windows Kits\10\bin\x64\rc.exe`" `"$BasePathName.rc`""
Write-Host "`t `"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe`" /win32res:`"$BasePathName.res`" /unsafe /target:library /out:`"$BasePathName.dll`" `"$BasePathName.cs`"`n"

Write-Host "Step 2: On the WEC server, copy both the .man and .dll file to $DLLPath"
Write-Host "Step 3: Load the custom event channels by executing:`n"
Write-Host "`t `"c:\windows\system32\wevtutil.exe`" im `"$DLLPath\$BaseName.man`"`n"

# -----------------------------------------------------------------------------------
# End of Script
# -----------------------------------------------------------------------------------
# SIG # Begin signature block
ZwLNMB8GA1UdIwQYMBaAFEXroq/0ksuCMS1Ri6enIZ3zbcgPMA0GCSqGSIb3DQEB 292 | # BQUAA4IBAQBGUD7Jtygkpzgdtlspr1LPUukxR6tWXHvVDQtBs+/sdR90OPKyXGGi 293 | # nJXDUOSCuSPRujqGcq04eKx1XRcXNHJHhZRW0eu7NoR3zCSl8wQZVann4+erYs37 294 | # iy2QwsDStZS9Xk+xBdIOPRqpFFumhjFiqKgz5Js5p8T1zh14dpQlc+Qqq8+cdkvt 295 | # X8JLFuRLcEwAiR78xXm8TBJX/l/hHrwCXaj++wc4Tw3GXZG5D2dFzdaD7eeSDY2x 296 | # aYxP+1ngIw/Sqq4AfO6cQg7PkdcntxbuD8O9fAqg7iwIVYUiuOsYGk38KiGtSTGD 297 | # R5V3cdyxG0tLHBCcdxTBnU8vWpUIKRAmMYIETDCCBEgCAQEwgYYwcjELMAkGA1UE 298 | # BhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3LmRpZ2lj 299 | # ZXJ0LmNvbTExMC8GA1UEAxMoRGlnaUNlcnQgU0hBMiBBc3N1cmVkIElEIENvZGUg 300 | # U2lnbmluZyBDQQIQDhlON30mOhkOirPIWrUoYzANBglghkgBZQMEAgEFAKCBhDAY 301 | # BgorBgEEAYI3AgEMMQowCKACgAChAoAAMBkGCSqGSIb3DQEJAzEMBgorBgEEAYI3 302 | # AgEEMBwGCisGAQQBgjcCAQsxDjAMBgorBgEEAYI3AgEVMC8GCSqGSIb3DQEJBDEi 303 | # BCCBZH5LnhW1onlsB9QZnEUfx9z3/zhBvlSwPjQtkT5OeDANBgkqhkiG9w0BAQEF 304 | # AASCAQAbStzdKqUtm/4bowcmeKfHPkBjBs/Hv0iT+ah9xnK9jgSfG6gs3sHYY0ec 305 | # 2dAmYXfKHcbwtrmuIL3Chyzzo9kyBuKzsslSbjMFU87icX4t04IbORIsv7EH4mml 306 | # KX6pPMSfz2S5VHf1YoIBH7UXsH3lb1WMA/rqJ8yrcZKg1WST9LYUqv4fsH7BHBYE 307 | # LJcqbbVds0I9OsMSDy7UGXVM/Jzw5rH/1O0x/H3NLbPkBSZZ6f5jsJaeaOTS5M5f 308 | # zQDGKb+zjyNMFYQHaWxuAky1kzqRuWlYe1csKoXbBvxfeXP68DxnoeGnsbJ9epyC 309 | # hyBjzo99p8mXQAUJ2z9venmvHqV7oYICDzCCAgsGCSqGSIb3DQEJBjGCAfwwggH4 310 | # AgEBMHYwYjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcG 311 | # A1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEhMB8GA1UEAxMYRGlnaUNlcnQgQXNzdXJl 312 | # ZCBJRCBDQS0xAhADAZoCOv9YsWvW1ermF/BmMAkGBSsOAwIaBQCgXTAYBgkqhkiG 313 | # 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNzA0MjcxMzI4NTZa 314 | # MCMGCSqGSIb3DQEJBDEWBBQYe1EBmfCyrVtJc5bOQ7EEe1tR+zANBgkqhkiG9w0B 315 | # AQEFAASCAQA1O0ow+OyJeUFbdHvCQRJ5jKrxYWmglJvKZN2SSa/DHvvcffnmqRO/ 316 | # b7CjwJrZKULDf7r+QTmba2QeRff0VdybnFIZqv+0vUR7TEKhiU1Db7Ekjhwh/mIP 317 | # G00wgFyfr+aim8oSrWVIoQ3j2YQketG/GfF+r7zYL2TN9q81z9Sk3cCeVm+e5iS9 318 | # 
# (Authenticode signature block body omitted)
# SIG # End signature block

--------------------------------------------------------------------------------
/Create-Subscriptions.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Name: Create-Subscriptions.ps1
Version: 1.2
Author: Russell Tomkins - Microsoft Premier Field Engineer
Blog: https://aka.ms/russellt

Bulk creation of Windows Event Collection Subscriptions from an input CSV
Source: https://www.github.com/russelltomkins/ProjectSauron

.DESCRIPTION
Leverages an input CSV file to bulk create WEC subscriptions for event delivery
to dedicated custom event channels. Subscriptions are imported but left disabled by default.
Use the -NoImport and -CreateEnabled switches to override the behaviour.

Refer to this blog series for more details
http://blogs.technet.microsoft.com/russellt/2017/03/23/project-sauron-part-1

.EXAMPLE
Create and Import the WEC subscriptions (disabled by default)
Create-Subscriptions.ps1 -InputFile DCEvents.csv

.EXAMPLE
Create, Import and force enable the WEC subscriptions
Create-Subscriptions.ps1 -InputFile DCEvents.csv -CreateEnabled

.EXAMPLE
Create and Import the WEC subscriptions (disabled by default). Tell the server to
send existing and new events that match the subscription
Create-Subscriptions.ps1 -InputFile DCEvents.csv -ReadExistingEvents

.EXAMPLE
Only create the WEC subscription files, do not import them.
Create-Subscriptions.ps1 -InputFile DCEvents.csv -NoImport

.PARAMETER InputFile
A CSV file which must include a ChannelName, ChannelSymbol, QueryPath, TargetGroup and the xPath Query itself

.PARAMETER OutputFolder
The location of the output subscription .xml files. Defaults to "\Subscriptions" under the current folder

.PARAMETER CreateEnabled
Creates and imports the subscriptions and enables them immediately.

.PARAMETER NoImport
Creates the subscription files, but does not import them

.PARAMETER ReadExistingEvents
Creates the subscription files and instructs the servers to send existing events that match the criteria
through to the collector.

LEGAL DISCLAIMER
This Sample Code is provided for the purpose of illustration only and is not
intended to be used in a production environment. THIS SAMPLE CODE AND ANY
RELATED INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. We grant You a
nonexclusive, royalty-free right to use and modify the Sample Code and to
reproduce and distribute the object code form of the Sample Code, provided
that You agree: (i) to not use Our name, logo, or trademarks to market Your
software product in which the Sample Code is embedded; (ii) to include a valid
copyright notice on Your software product in which the Sample Code is embedded;
and (iii) to indemnify, hold harmless, and defend Us and Our suppliers from and
against any claims or lawsuits, including attorneys fees, that arise or result
from the use or distribution of the Sample Code.

This posting is provided "AS IS" with no warranties, and confers no rights. Use
of included script samples is subject to the terms specified
at http://www.microsoft.com/info/cpyright.htm.
#>
# -----------------------------------------------------------------------------------
# Main Script
# -----------------------------------------------------------------------------------

# Prepare the Input Parameters
[CmdletBinding()]
Param (
    [Parameter(Mandatory=$true)][ValidateNotNullOrEmpty()][String]$InputFile,
    [Parameter(Mandatory=$false)][String]$OutputFolder=$PWD,
    [Parameter(Mandatory=$false)][Switch]$CreateEnabled,
    [Parameter(Mandatory=$false)][Switch]$NoImport,
    [Parameter(Mandatory=$false)][Switch]$ReadExistingEvents)

# Configure and start the Windows Event Collector service, unless we are only writing files.
If (!($NoImport)){
    $WECService = Get-Service "Windows Event Collector"
    $WECService | Set-Service -StartupType "Automatic"
    $WECService | Start-Service
}

# Import our Custom Events
$CustomChannels = Import-CSV $InputFile

# Pre-pend the output folder path and create the Subscriptions subfolder once
$SubscriptionNamePath = Join-Path $OutputFolder "Subscriptions"
If(!(Test-Path $SubscriptionNamePath)){New-Item -Type Directory $SubscriptionNamePath | Out-Null}

# Loop through each Channel in the input events.
ForEach($Channel in $CustomChannels){

    # --- Setup the Event Channels ---
    # Bind to the Event Channel. A missing channel returns nothing rather than throwing.
    $EventChannel = Get-WinEvent -ListLog $Channel.ChannelName -ErrorAction SilentlyContinue

    # Do not proceed if we are importing and the channel is missing or still disabled.
    If(!($NoImport)) {
        If (($null -eq $EventChannel) -or !($EventChannel.IsEnabled)) {
            Write-Host "Error: Event Channel `"$($Channel.ChannelName)`" does not exist or is not Enabled" -ForegroundColor "Red" -BackgroundColor "Black"
            Write-Host "Execute `"Prepare-EventChannels.ps1`" to configure the channels prior to creating event subscriptions" -ForegroundColor "Red" -BackgroundColor "Black"
            Exit 1
        }
    }

    # --- Create the Subscription XML ---
    $xmlFilePath = Join-Path $SubscriptionNamePath ($Channel.ChannelSymbol + ".xml")
    $xmlWriter = New-Object System.Xml.XmlTextWriter($xmlFilePath,$null)

    # Set the formatting
    $xmlWriter.Formatting = "Indented"
    $xmlWriter.Indentation = 4

    # Write the XML declaration
    $xmlWriter.WriteStartDocument()

    # Create the Subscription element
    $xmlWriter.WriteStartElement("Subscription")
    $xmlWriter.WriteAttributeString("xmlns","http://schemas.microsoft.com/2006/03/windows/events/subscription")

    $xmlWriter.WriteElementString("SubscriptionId",$Channel.ChannelSymbol)
    $xmlWriter.WriteElementString("SubscriptionType","SourceInitiated")
    $xmlWriter.WriteElementString("Description",$Channel.ChannelName)
    If($CreateEnabled){
        $xmlWriter.WriteElementString("Enabled","true")
    }
    Else{
        $xmlWriter.WriteElementString("Enabled","false")
    }
    $xmlWriter.WriteElementString("Uri","http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog")
    $xmlWriter.WriteElementString("ConfigurationMode","Custom")

    # Delivery: push mode, a batch at most every 30 seconds, heartbeat once an hour
    $xmlWriter.WriteStartElement("Delivery")
    $xmlWriter.WriteAttributeString("Mode","Push")
    $xmlWriter.WriteStartElement("Batching")
    $xmlWriter.WriteElementString("MaxLatencyTime","30000")
    $xmlWriter.WriteEndElement() # Close Batching
    $xmlWriter.WriteStartElement("PushSettings")
    $xmlWriter.WriteStartElement("Heartbeat")
    $xmlWriter.WriteAttributeString("Interval","3600000")
    $xmlWriter.WriteEndElement() # Close Heartbeat
    $xmlWriter.WriteEndElement() # Close PushSettings
    $xmlWriter.WriteEndElement() # Close Delivery

    # The xPath query from the CSV, wrapped in CDATA so its brackets and quotes survive
    $xmlWriter.WriteStartElement("Query")
    $xmlWriter.WriteCData($Channel.Query)
    $xmlWriter.WriteEndElement() # Close Query

    If ($ReadExistingEvents){
        $xmlWriter.WriteElementString("ReadExistingEvents","true")}
    Else{
        $xmlWriter.WriteElementString("ReadExistingEvents","false")}
    $xmlWriter.WriteElementString("TransportName","HTTP")
    $xmlWriter.WriteElementString("ContentFormat","events")
    $xmlWriter.WriteStartElement("locale")
    $xmlWriter.WriteAttributeString("language","en-US")
    $xmlWriter.WriteEndElement() # Close locale

    # Deliver into the dedicated custom channel rather than ForwardedEvents
    $xmlWriter.WriteElementString("LogFile",$Channel.ChannelName)
    $xmlWriter.WriteElementString("PublisherName","")
    $xmlWriter.WriteElementString("AllowedSourceNonDomainComputers","")

    # AllowedSourceDomainComputers is the authorisation boundary of the subscription: only
    # computer accounts matched by this SDDL may push events into it. DD and DC are the SDDL
    # aliases for Domain Controllers and Domain Computers. Any other TargetGroup value is
    # pasted into the ACE verbatim, so it must itself be a SID or an SDDL alias, not a group name.
    Switch ($Channel.TargetGroup){
        "Domain Controllers" {$xmlWriter.WriteElementString("AllowedSourceDomainComputers","O:NSG:BAD:P(A;;GA;;;DD)S:")}
        "Domain Computers" {$xmlWriter.WriteElementString("AllowedSourceDomainComputers","O:NSG:BAD:P(A;;GA;;;DC)S:")}
        Default{$xmlWriter.WriteElementString("AllowedSourceDomainComputers","O:NSG:BAD:P(A;;GA;;;"+$Channel.TargetGroup+")S:")}
    }
    $xmlWriter.WriteEndElement() # Close Subscription

    # End the XML Document
    $xmlWriter.WriteEndDocument()

    # Finish the Document
    $xmlWriter.Flush()
    $xmlWriter.Close()

    # Import the subscription to the server
    If(!($NoImport)){
        $command = "$env:windir\System32\wecutil.exe"
        $action = "create-subscription"
        & $command $action $xmlFilePath
    }
}

# If we didn't import, write out how to import manually
If($NoImport){
    Write-Host "Subscription files located at $SubscriptionNamePath"
    Write-Host "Import with `"wecutil.exe create-subscription <file>.xml`""}
ElseIf($CreateEnabled){
    Write-Host "Subscriptions created, imported and enabled."}
Else{
    Write-Host "Subscriptions created and imported (disabled). Use Event Viewer or `"wecutil.exe ss <SubscriptionId> /e:true`" to enable them."
}
# -----------------------------------------------------------------------------------
# End of Script
# -----------------------------------------------------------------------------------
# SIG # Begin signature block
# (Authenticode signature block body omitted)
# SIG # End signature block
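The CSV columns that Create-Subscriptions.ps1 consumes, and in particular the TargetGroup value it pastes into the AllowedSourceDomainComputers SDDL, are easy to get subtly wrong, and the script itself only notices a bad value when wecutil.exe rejects the import. The dry-run check below is an added example written for this page; it is not part of Project Sauron. The function names, the sample rows and the SID they contain are assumptions made for the demonstration, and the sample CSV is constructed, not the repo's DCEvents.csv. It builds the same SDDL the script's Switch block produces and flags the input mistakes that would otherwise surface only at import time.

```powershell
# Added example, not Project Sauron code. Validates DCEvents.csv-style input before it is
# handed to Create-Subscriptions.ps1. Runs offline; no domain or WEC server is required.

# Constructed sample input in the DCEvents.csv layout. It deliberately mixes good rows
# with the mistakes the checks below are meant to catch. The SID is made up.
$SampleCsv = @'
ProviderSymbol,ProviderName,ProviderGUID,ChannelSymbol,ChannelName,QueryPath,Query,TargetGroup
DC_AL_LF_EVENTS,Domain Controllers-Account Logon-Failure,{57EE544A-1408-4D96-80D2-C9E0F8DA51F2},DC_AL_LF_TGS,Domain Controllers-Account Logon-Failure/Kerberos TGS Failure,Security,"*[System[(EventID=4769)]]",Domain Controllers
SRV_T0_EVENTS,Tier0 Servers-Logon,{11111111-2222-3333-4444-555555555555},SRV_T0_LOGON,Tier0 Servers-Logon/Interactive Logon,Security,"*[System[(EventID=4624)]]",S-1-5-21-1004336348-1177238915-682003330-1108
SRV_T0_EVENTS,Tier0 Servers-Logon,{11111111-2222-3333-4444-555555555555},SRV_T0_SVC,Tier0 Servers-Logon/Service Logon,Security,"*[System[(EventID=4624)]]",Tier0 Servers
DC_AL_LS_EVENTS,Domain Controllers-Account Logon-Successful,{23A75316-1AE6-4B6C-9417-C3C7DD6BB730},DC_AL_LS_AS, Domain Controllers-Account Logon-Successful/Kerberos AS,Security,"",Domain Controllers
DC_AL_LS2_EVENTS,Domain Controllers-Account Logon-Successful 2,{23A75316-1AE6-4B6C-9417-C3C7DD6BB730},DC_AL_LS_AS,Domain Controllers-Account Logon-Successful/Kerberos AS Again,Security,"*[System[(EventID=4768)]]",Domain Controllers
'@

function ConvertTo-SourceComputerSddl {
    # Mirrors the Switch in Create-Subscriptions.ps1: the two built-in groups become the
    # SDDL aliases DD/DC, anything else is pasted into the ACE as-is. A structural SID
    # check catches display names; it does not prove the SID exists in the forest.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$TargetGroup)
    $Reason = $null
    switch ($TargetGroup) {
        'Domain Controllers' { $Trustee = 'DD' }
        'Domain Computers'   { $Trustee = 'DC' }
        default {
            $Trustee = $TargetGroup
            try   { $null = New-Object System.Security.Principal.SecurityIdentifier($TargetGroup) }
            catch { $Reason = 'not "Domain Controllers", "Domain Computers" or an S-1-... SID string' }
        }
    }
    [pscustomobject]@{
        Sddl   = "O:NSG:BAD:P(A;;GA;;;$Trustee)S:"
        Valid  = ($null -eq $Reason)
        Reason = $Reason
    }
}

function Test-SubscriptionInput {
    param([Parameter(Mandatory)][object[]]$Rows)
    $SeenSymbols = @{}   # ChannelSymbol becomes the SubscriptionId, so it must be unique
    $GuidOwners  = @{}   # one ProviderGUID per provider, or the manifest is ambiguous
    foreach ($Row in $Rows) {
        $Problems = New-Object System.Collections.Generic.List[string]

        # Create-CustomViews.ps1 splits ChannelName on "/" and Create-Subscriptions.ps1
        # writes it into <LogFile>, so exactly one separator is required.
        if (($Row.ChannelName -split '/').Count -ne 2) {
            $Problems.Add('ChannelName must contain exactly one "/"')
        }
        # Import-Csv keeps whitespace; a leading space yields a channel name that never matches.
        if ($Row.ChannelName -ne $Row.ChannelName.Trim()) {
            $Problems.Add('ChannelName has leading or trailing whitespace')
        }
        if ([string]::IsNullOrWhiteSpace($Row.Query)) {
            $Problems.Add('Query is empty')
        }
        $Guid = [guid]::Empty
        if (-not [guid]::TryParse($Row.ProviderGUID, [ref]$Guid)) {
            $Problems.Add("ProviderGUID '$($Row.ProviderGUID)' is not a GUID")
        } elseif ($GuidOwners.ContainsKey($Guid) -and $GuidOwners[$Guid] -ne $Row.ProviderSymbol) {
            $Problems.Add("ProviderGUID is already used by provider $($GuidOwners[$Guid])")
        } else {
            $GuidOwners[$Guid] = $Row.ProviderSymbol
        }
        if ($SeenSymbols.ContainsKey($Row.ChannelSymbol)) {
            $Problems.Add("Duplicate ChannelSymbol '$($Row.ChannelSymbol)'")
        }
        $SeenSymbols[$Row.ChannelSymbol] = $true

        $Acl = ConvertTo-SourceComputerSddl -TargetGroup $Row.TargetGroup
        if (-not $Acl.Valid) {
            $Problems.Add("TargetGroup '$($Row.TargetGroup)' is $($Acl.Reason)")
        }

        [pscustomobject]@{
            ChannelSymbol = $Row.ChannelSymbol
            Sddl          = $Acl.Sddl
            Problems      = $Problems.ToArray()
        }
    }
}

# Report only the rows that would break the import or scope the subscription wrongly.
$Report = Test-SubscriptionInput -Rows ($SampleCsv | ConvertFrom-Csv)
$Report | Where-Object { $_.Problems.Count -gt 0 } |
    Select-Object ChannelSymbol, Sddl, @{ n = 'Problems'; e = { $_.Problems -join '; ' } } |
    Format-List
```

On the sample above, the first two rows pass, SRV_T0_SVC is flagged because "Tier0 Servers" is a display name rather than a SID, the first DC_AL_LS_AS row is flagged for its leading space and empty query, and the second one for the duplicate symbol and the GUID it shares with a different provider. To scope a subscription to a custom group, put the group's SID in TargetGroup (for example `(Get-ADGroup 'Tier0 Servers').SID.Value`); the SDDL is what the collector evaluates when a source-initiated client registers, so a channel meant for domain controllers should stay on DD, since widening it to DC lets every domain-joined machine push events into it.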
--------------------------------------------------------------------------------
/DCEvents.csv:
--------------------------------------------------------------------------------
ProviderSymbol,ProviderName,ProviderGUID,ChannelSymbol,ChannelName,QueryPath,Query,TargetGroup
DC_AL_LF_EVENTS,Domain Controllers-Account Logon-Failure,{57EE544A-1408-4D96-80D2-C9E0F8DA51F2},DC_AL_LF_DISABLEDEXPIREDLOCKEDOUT,Domain Controllers-Account Logon-Failure/Account Logon Failure Disabled Expired Locked Out,Security,"",Domain Controllers
DC_AL_LF_EVENTS,Domain Controllers-Account Logon-Failure,{57EE544A-1408-4D96-80D2-C9E0F8DA51F2},DC_AL_LF_INVALIDPASSWORD,Domain Controllers-Account Logon-Failure/Account Logon Failure Invalid Password,Security,"",Domain Controllers
DC_AL_LF_EVENTS,Domain Controllers-Account Logon-Failure,{57EE544A-1408-4D96-80D2-C9E0F8DA51F2},DC_AL_LF_INVALIDUSER,Domain Controllers-Account Logon-Failure/Account Logon Failure Invalid Username,Security,"",Domain Controllers
DC_AL_LF_EVENTS,Domain Controllers-Account Logon-Failure,{57EE544A-1408-4D96-80D2-C9E0F8DA51F2},DC_AL_LF_PASSWORDEXPIRED,Domain Controllers-Account Logon-Failure/Account Logon Failure Password Expired,Security,"",Domain Controllers
DC_AL_LF_EVENTS,Domain Controllers-Account Logon-Failure,{57EE544A-1408-4D96-80D2-C9E0F8DA51F2},DC_AL_LF_RESTRICTIONS,Domain Controllers-Account Logon-Failure/Account Logon Failure Workstation Restrictions,Security,"",Domain Controllers
DC_AL_LF_EVENTS,Domain Controllers-Account Logon-Failure,{57EE544A-1408-4D96-80D2-C9E0F8DA51F2},DC_AL_LF_TGS,Domain Controllers-Account Logon-Failure/Account Logon Failure Kerberos TGS Failure,Security,"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4769)]] and *[EventData[Data[@Name='Status']='0x0']]",Domain Controllers
DC_AL_LS_EVENTS,Domain Controllers-Account Logon-Successful,{23A75316-1AE6-4B6C-9417-C3C7DD6BB730},DC_AL_LS_CV,Domain Controllers-Account Logon-Successful/Account Logon Success Credential Validation,Security,"",Domain Controllers
DC_AL_LS_EVENTS,Domain Controllers-Account Logon-Successful,{23A75316-1AE6-4B6C-9417-C3C7DD6BB730},DC_AL_LS_AS,Domain Controllers-Account Logon-Successful/Account Logon Success Kerberos AS,Security,"",Domain Controllers
DC_AL_LS_EVENTS,Domain Controllers-Account Logon-Successful,{23A75316-1AE6-4B6C-9417-C3C7DD6BB730},DC_AL_LS_TGS,Domain Controllers-Account Logon-Successful/Account Logon Success Kerberos TGS,Security,"",Domain Controllers
DC_AM_CM_EVENTS,Domain Controllers-Object Management-Computer,{FF41F360-52E6-4513-8D87-77B85A4FE6A1},DC_AM_CM_CHANGED,Domain Controllers-Object Management-Computer/Computer Changed,Security,"",Domain Controllers
DC_AM_CM_EVENTS,Domain Controllers-Object Management-Computer,{FF41F360-52E6-4513-8D87-77B85A4FE6A1},DC_AM_CM_CREATED,Domain Controllers-Object Management-Computer/Computer Created,Security,"",Domain Controllers
DC_AM_CM_EVENTS,Domain Controllers-Object Management-Computer,{FF41F360-52E6-4513-8D87-77B85A4FE6A1},DC_AM_CM_DELETED,Domain Controllers-Object Management-Computer/Computer Deleted,Security,"",Domain Controllers
DC_AM_DGM_EVENTS,Domain Controllers-Object Management-Distribution Group,{E0EC04B7-EF45-4AF0-8B4A-C69189688E64},DC_AM_DGM_CREATED,Domain Controllers-Object Management-Distribution Group/Distribution Group Created,Security,"",Domain Controllers
DC_AM_DGM_EVENTS,Domain Controllers-Object Management-Distribution Group,{E0EC04B7-EF45-4AF0-8B4A-C69189688E64},DC_AM_DGM_DELETED,Domain Controllers-Object Management-Distribution Group/Distribution Group Deleted,Security,"",Domain Controllers
DC_AM_DGM_EVENTS,Domain Controllers-Object Management-Distribution Group,{E0EC04B7-EF45-4AF0-8B4A-C69189688E64},DC_AM_DGM_MEMBERADDED,Domain Controllers-Object Management-Distribution Group/Distribution Group Member Added,Security,"",Domain Controllers
DC_AM_DGM_EVENTS,Domain Controllers-Object Management-Distribution Group,{E0EC04B7-EF45-4AF0-8B4A-C69189688E64},DC_AM_DGM_MEMBERREMOVED,Domain Controllers-Object Management-Distribution Group/Distribution Group Member Removed,Security,"",Domain Controllers
DC_AM_DGM_EVENTS,Domain Controllers-Object Management-Distribution Group,{E0EC04B7-EF45-4AF0-8B4A-C69189688E64},DC_AM_DGM_MEMBERSHIPCHANGED,Domain Controllers-Object Management-Distribution Group/Distribution Group Member Changed,Security,"",Domain Controllers
DC_AM_OAM_EVENTS,Domain Controllers-Object Management-Other Account Management,{6DC62704-1194-4BFC-8D75-F1BC18CCA81C},DC_AM_OAM_HASH,Domain Controllers-Object Management-Other Account Management/Password Hash Accessed,Security,"",Domain Controllers
DC_AM_OAM_EVENTS,Domain Controllers-Object Management-Other Account Management,{6DC62704-1194-4BFC-8D75-F1BC18CCA81C},DC_AM_OAM_PWDPOLICY,Domain Controllers-Object Management-Other Account Management/Password Policy Checking API Called,Security,"",Domain Controllers
DC_AM_SGM_EVENTS,Domain Controllers-Object Management-Security Group,{F0EC04B7-EF45-4AF0-8B4A-C69189688E64},DC_AM_SGM_CREATED,Domain Controllers-Object Management-Security Group/Security Group Created,Security,"",Domain Controllers
DC_AM_SGM_EVENTS,Domain Controllers-Object Management-Security Group,{F0EC04B7-EF45-4AF0-8B4A-C69189688E64},DC_AM_SGM_DELETED,Domain Controllers-Object Management-Security Group/Security Group Deleted,Security,"",Domain Controllers
DC_AM_SGM_EVENTS,Domain Controllers-Object Management-Security Group,{F0EC04B7-EF45-4AF0-8B4A-C69189688E64},DC_AM_SGM_MEMBERADDED,Domain Controllers-Object Management-Security Group/Security Group Member Added,Security,"",Domain Controllers
DC_AM_SGM_EVENTS,Domain Controllers-Object Management-Security Group,{F0EC04B7-EF45-4AF0-8B4A-C69189688E64},DC_AM_SGM_MEMBERREMOVED,Domain Controllers-Object Management-Security Group/Security Group Member Removed,Security,"",Domain Controllers
DC_AM_SGM_EVENTS,Domain Controllers-Object Management-Security Group,{F0EC04B7-EF45-4AF0-8B4A-C69189688E64},DC_AM_SGM_MEMBERSHIPCHANGED,Domain Controllers-Object Management-Security Group/Security Group Member Changed,Security,"",Domain Controllers
DC_AM_SGM_EVENTS,Domain Controllers-Object Management-Security Group,{F0EC04B7-EF45-4AF0-8B4A-C69189688E64},DC_AM_SGM_TYPECHANGED,Domain Controllers-Object Management-Security Group/Security Group Type Changed,Security,"",Domain Controllers
DC_AM_UM1_EVENTS,Domain Controllers-Object Management-User1,{66A20C87-CD40-4464-9199-87A81CD03C73},DC_AM_UM1_CHANGED,Domain Controllers-Object Management-User1/User Changed,Security,"",Domain Controllers
DC_AM_UM1_EVENTS,Domain Controllers-Object Management-User1,{66A20C87-CD40-4464-9199-87A81CD03C73},DC_AM_UM1_CREATED,Domain Controllers-Object Management-User1/User Created,Security,"",Domain Controllers
DC_AM_UM1_EVENTS,Domain Controllers-Object Management-User1,{66A20C87-CD40-4464-9199-87A81CD03C73},DC_AM_UM1_DELETED,Domain Controllers-Object Management-User1/User Deleted,Security,"",Domain Controllers
DC_AM_UM1_EVENTS,Domain Controllers-Object Management-User1,{66A20C87-CD40-4464-9199-87A81CD03C73},DC_AM_UM1_DISABLED,Domain Controllers-Object Management-User1/User Disabled,Security,"",Domain Controllers
DC_AM_UM1_EVENTS,Domain Controllers-Object Management-User1,{66A20C87-CD40-4464-9199-87A81CD03C73},DC_AM_UM1_ENABLED,Domain Controllers-Object Management-User1/User Enabled,Security,"",Domain Controllers
DC_AM_UM1_EVENTS,Domain Controllers-Object Management-User1,{66A20C87-CD40-4464-9199-87A81CD03C73},DC_AM_UM1_PASSWORDCHANGED,Domain Controllers-Object Management-User1/User Password Changed,Security,"",Domain Controllers
DC_AM_UM1_EVENTS,Domain Controllers-Object Management-User1,{66A20C87-CD40-4464-9199-87A81CD03C73},DC_AM_UM1_PASSWORDRESET,Domain Controllers-Object Management-User1/User Password Reset,Security,"",Domain Controllers
DC_AM_UM2_EVENTS,Domain Controllers-Object Management-User2,{A7976A01-C182-41B4-AE79-5120B444E8B5},DC_AM_UM2_ADMINSDHOLDER,Domain Controllers-Object Management-User2/User AdminSDHolder Applied,Security,"",Domain Controllers
DC_AM_UM2_EVENTS,Domain Controllers-Object Management-User2,{A7976A01-C182-41B4-AE79-5120B444E8B5},DC_AM_UM2_DSRMCHANGED,Domain Controllers-Object Management-User2/DSRM Password Changed,Security,"",Domain Controllers
DC_AM_UM2_EVENTS,Domain Controllers-Object 
Management-User2,{A7976A01-C182-41B4-AE79-5120B444E8B5},DC_AM_UM2_LOCKEDOUT,Domain Controllers-Object Management-User2/User Locked Out,Security,"",Domain Controllers 37 | DC_AM_UM2_EVENTS,Domain Controllers-Object Management-User2,{A7976A01-C182-41B4-AE79-5120B444E8B5},DC_AM_UM2_SAMANCHANGED,Domain Controllers-Object Management-User2/User SAM Account Name Changed,Security,"",Domain Controllers 38 | DC_AM_UM2_EVENTS,Domain Controllers-Object Management-User2,{A7976A01-C182-41B4-AE79-5120B444E8B5},DC_AM_UM2_SIDHISTORY,Domain Controllers-Object Management-User2/User SID History Changes,Security,"",Domain Controllers 39 | DC_AM_UM2_EVENTS,Domain Controllers-Object Management-User2,{A7976A01-C182-41B4-AE79-5120B444E8B5},DC_AM_UM2_UNLOCKED,Domain Controllers-Object Management-User2/User Unlocked,Security,"",Domain Controllers 40 | DC_LL_LF_EVENTS,Domain Controllers-Logon-Failure,{0D2F6021-4853-4092-B688-FB9BC9330BB0},DC_LL_LF_BATCH,Domain Controllers-Logon-Failure/Logon Failure Batch (4),Security,"",Domain Controllers 41 | DC_LL_LF_EVENTS,Domain Controllers-Logon-Failure,{0D2F6021-4853-4092-B688-FB9BC9330BB0},DC_LL_LF_LOCALINTERACTIVE,Domain Controllers-Logon-Failure/Logon Failure Interactive (2),Security,"",Domain Controllers 42 | DC_LL_LF_EVENTS,Domain Controllers-Logon-Failure,{0D2F6021-4853-4092-B688-FB9BC9330BB0},DC_LL_LF_NETWORK,Domain Controllers-Logon-Failure/Logon Failure Network (3),Security,"",Domain Controllers 43 | DC_LL_LF_EVENTS,Domain Controllers-Logon-Failure,{0D2F6021-4853-4092-B688-FB9BC9330BB0},DC_LL_LF_REMOTEINTERACTIVE,Domain Controllers-Logon-Failure/Logon Failure Remote Interactive (10),Security,"",Domain Controllers 44 | DC_LL_LF_EVENTS,Domain Controllers-Logon-Failure,{0D2F6021-4853-4092-B688-FB9BC9330BB0},DC_LL_LF_SERVICE,Domain Controllers-Logon-Failure/Logon Failure Service (5),Security,"",Domain Controllers 45 | DC_LL_LF_EVENTS,Domain Controllers-Logon-Failure,{0D2F6021-4853-4092-B688-FB9BC9330BB0},DC_LL_LF_UNLOCK,Domain 
Controllers-Logon-Failure/Logon Failure Unlock (7),Security,"",Domain Controllers 46 | DC_LL_LS_EVENTS,Domain Controllers-Logon-Success,{24ECD28C-778B-46C6-9486-17EF931F15A2},DC_LL_LS_BATCH,Domain Controllers-Logon-Success/Logon Success Batch (4),Security,"",Domain Controllers 47 | DC_LL_LS_EVENTS,Domain Controllers-Logon-Success,{24ECD28C-778B-46C6-9486-17EF931F15A2},DC_LL_LS_LOCALINTERACTIVE,Domain Controllers-Logon-Success/Logon Success Interactive (2),Security,"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4624)]] and *[EventData[Data[@Name='TargetDomainName']='Window Manager']]",Domain Controllers 48 | DC_LL_LS_EVENTS,Domain Controllers-Logon-Success,{24ECD28C-778B-46C6-9486-17EF931F15A2},DC_LL_LS_NETWORK,Domain Controllers-Logon-Success/Logon Success Network (3),Security,"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4624)]] and *[EventData[Data[@Name='TargetUserSid']='S-1-5-18']]",Domain Controllers 49 | DC_LL_LS_EVENTS,Domain Controllers-Logon-Success,{24ECD28C-778B-46C6-9486-17EF931F15A2},DC_LL_LS_REMOTEINTERACTIVE,Domain Controllers-Logon-Success/Logon Success Remote Interactive (10),Security,"",Domain Controllers 50 | DC_LL_LS_EVENTS,Domain Controllers-Logon-Success,{24ECD28C-778B-46C6-9486-17EF931F15A2},DC_LL_LS_SERVICE,Domain Controllers-Logon-Success/Logon Success Service (5),Security,"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4624)]] and *[EventData[Data[@Name='TargetDomainName']='NT AUTHORITY']]",Domain Controllers 51 | DC_LL_LS_EVENTS,Domain Controllers-Logon-Success,{24ECD28C-778B-46C6-9486-17EF931F15A2},DC_LL_LS_UNLOCK,Domain Controllers-Logon-Success/Logon Success Unlock (7),Security,"",Domain Controllers 52 | DC_DS_EVENTS,Domain Controllers-Directory Services-LDAP Weak Binds,{22301b37-f278-404d-bd04-ff63c12796f1},DC_DS_LDAP_WEAKALLOWEDSUMMARY,Domain Controllers-Directory Services-LDAP Weak Binds/LDAP Weak Bind Allowed Summary,Directory 
Service,"",Domain Controllers 53 | DC_DS_EVENTS,Domain Controllers-Directory Services-LDAP Weak Binds,{22301b37-f278-404d-bd04-ff63c12796f1},DC_DS_LDAP_WEAKBLOCKEDSUMMARY,Domain Controllers-Directory Services-LDAP Weak Binds/LDAP Weak Bind Blocked Summary,Directory Service,"",Domain Controllers 54 | DC_DS_EVENTS,Domain Controllers-Directory Services-LDAP Weak Binds,{22301b37-f278-404d-bd04-ff63c12796f1},DC_DS_LDAP_WEAKATTEMPTED,Domain Controllers-Directory Services-LDAP Weak Binds/LDAP Weak Bind Attempted,Directory Service,"",Domain Controllers 55 | DC_DS_GP_EVENTS,Domain Controllers-Object Management-Group Policy,{17d03549-aeb3-46f2-9d10-2e3e1d694f38},DC_DS_GPC_CREATED,Domain Controllers-Object Management-Group Policy/Group Policy Container Created,Security,"",Domain Controllers 56 | DC_DS_GP_EVENTS,Domain Controllers-Object Management-Group Policy,{17d03549-aeb3-46f2-9d10-2e3e1d694f38},DC_DS_GPC_DELETED,Domain Controllers-Object Management-Group Policy/Group Policy Container Deleted,Security,"",Domain Controllers 57 | DC_DS_GP_EVENTS,Domain Controllers-Object Management-Group Policy,{17d03549-aeb3-46f2-9d10-2e3e1d694f38},DC_DS_GPC_CHANGED,Domain Controllers-Object Management-Group Policy/Group Policy Container Changed,Security,"",Domain Controllers 58 | DC_DS_GP_EVENTS,Domain Controllers-Object Management-Group Policy,{17d03549-aeb3-46f2-9d10-2e3e1d694f38},DC_DS_GPC_LINKED,Domain Controllers-Object Management-Group Policy/Group Policy Container Linked,Security,"",Domain Controllers -------------------------------------------------------------------------------- /Prepare-EventChannels.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Name: Prep-EventChannels.ps1 4 | Version: 1.1 5 | Author: Russell Tomkins - Microsoft Premier Field Engineer 6 | Blog: https://aka.ms/russellt 7 | 8 | Preparation of event channels to receive event collection subscriptions from an input CSV 9 | Source: 
https://www.github.com/russelltomkins/ProjectSauron 10 | 11 | .DESCRIPTION 12 | Leverages an input CSV file to prepare the custom event channels created by Create-Manifest.ps1 13 | 14 | Refer to this blog series for more details 15 | http://blogs.technet.microsoft.com/russellt/2017/03/23/project-sauron-part-1 16 | 17 | .EXAMPLE 18 | Prepare the Event Chanenls using the Input CSV file. 19 | Create-Subscriptions.ps1 -InputFile DCEvents.csv 20 | 21 | .PARAMETER InputFile 22 | A CSV file which must include a ChannelName, ChannelSymbol, QueryPath and the xPath Query itself 23 | 24 | .PARAMETER LogRootPath 25 | The location of .evtx event log files. Defaults to "D:\Logs" 26 | 27 | LEGAL DISCLAIMER 28 | This Sample Code is provided for the purpose of illustration only and is not 29 | intended to be used in a production environment. THIS SAMPLE CODE AND ANY 30 | RELATED INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER 31 | EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF 32 | MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. We grant You a 33 | nonexclusive, royalty-free right to use and modify the Sample Code and to 34 | reproduce and distribute the object code form of the Sample Code, provided 35 | that You agree: (i) to not use Our name, logo, or trademarks to market Your 36 | software product in which the Sample Code is embedded; (ii) to include a valid 37 | copyright notice on Your software product in which the Sample Code is embedded; 38 | and (iii) to indemnify, hold harmless, and defend Us and Our suppliers from and 39 | against any claims or lawsuits, including attorneys fees, that arise or result 40 | from the use or distribution of the Sample Code. 41 | 42 | This posting is provided "AS IS" with no warranties, and confers no rights. Use 43 | of included script samples are subject to the terms specified 44 | at http://www.microsoft.com/info/cpyright.htm. 
45 | #> 46 | # ----------------------------------------------------------------------------------- 47 | # Main Script 48 | # ----------------------------------------------------------------------------------- 49 | 50 | # Prepare the Input Paremeters 51 | [CmdletBinding()] 52 | Param ( 53 | [Parameter(Mandatory=$true)][ValidateNotNullOrEmpty()][String]$InputFile, 54 | [Parameter(Mandatory=$false)][String]$LogRootPath="D:\Logs") 55 | 56 | # Import our Custom Events 57 | $CustomChannels = Import-CSV $InputFile 58 | 59 | # Create The Folder 60 | If(!(Test-Path $LogRootPath )){New-Item -Type Directory $LogRootPath | Out-Null} 61 | 62 | # Add an ACE to allow LOCAL SERVICE to modify the folder 63 | $ACE = New-Object System.Security.AccessControl.FileSystemAccessRule("LOCAL SERVICE",'Modify','ContainerInherit,ObjectInherit','None','Allow') 64 | $LogRootPathACL = (Get-Item $LogRootPath) | Get-ACL 65 | $LogRootPathACL.AddAccessRule($ACE) 66 | $LogRootPathACL | Set-ACL 67 | 68 | # Enable NTFS compression to save disk space 69 | $Query = "select * from CIM_Directory where name = `"$($LogRootPath.Replace('\','\\'))`"" 70 | $Results = Invoke-CimMethod -Query $Query -MethodName Compress 71 | 72 | # Loop through Chanell form the InputCSV 73 | ForEach($Channel in $CustomChannels){ 74 | 75 | # --- Setup the Event Channels --- 76 | # Bind to the Event Channel 77 | $EventChannel = Get-WinEvent -ListLog $Channel.ChannelName -ErrorAction "SilentlyContinue" 78 | If ($EventChannel -eq $Null){ 79 | Write-Host "`nError: Event channel not loaded:`"$($Channel.ChannelName)`"" -ForeGroundColor Red 80 | Write-Host "`nEnsure the manifest and dll has been loaded with wevtutil.exe im `n" -foregroundColor Green 81 | Exit 82 | } 83 | 84 | # Disable the channel to allow changes 85 | If ($EventChannel.IsEnabled) { 86 | $EventChannel.IsEnabled = $False 87 | $EventChannel.SaveChanges() 88 | } 89 | 90 | # Update the channel to our requried Values 91 | $NewLogFilePath = $LogRootPath + "\" + 
$Channel.ChannelSymbol + ".evtx" 92 | $EventChannel.LogFilePath = $NewLogFilePath 93 | $EventChannel.LogMode = "AutoBackup" 94 | $EventChannel.MaximumSizeInBytes = 1073741824 95 | $EventChannel.SaveChanges() 96 | 97 | # Enable the Log 98 | $EventChannel.IsEnabled = $True 99 | $EventChannel.SaveChanges() 100 | } 101 | # ----------------------------------------------------------------------------------- 102 | # End of Script 103 | # ----------------------------------------------------------------------------------- 104 | # SIG # Begin signature block 105 | # MIIgVAYJKoZIhvcNAQcCoIIgRTCCIEECAQExDzANBglghkgBZQMEAgEFADB5Bgor 106 | # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG 107 | # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCeQjMRHWwBGMg0 108 | # u4WEWqkl6YBDK1kW3ZwEIa7LdxvYwaCCG14wggO3MIICn6ADAgECAhAM5+DlF9hG 109 | # /o/lYPwb8DA5MA0GCSqGSIb3DQEBBQUAMGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQK 110 | # EwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xJDAiBgNV 111 | # BAMTG0RpZ2lDZXJ0IEFzc3VyZWQgSUQgUm9vdCBDQTAeFw0wNjExMTAwMDAwMDBa 112 | # Fw0zMTExMTAwMDAwMDBaMGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2Vy 113 | # dCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xJDAiBgNVBAMTG0RpZ2lD 114 | # ZXJ0IEFzc3VyZWQgSUQgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC 115 | # AQoCggEBAK0OFc7kQ4BcsYfzt2D5cRKlrtwmlIiq9M71IDkoWGAM+IDaqRWVMmE8 116 | # tbEohIqK3J8KDIMXeo+QrIrneVNcMYQq9g+YMjZ2zN7dPKii72r7IfJSYd+fINcf 117 | # 4rHZ/hhk0hJbX/lYGDW8R82hNvlrf9SwOD7BG8OMM9nYLxj+KA+zp4PWw25EwGE1 118 | # lhb+WZyLdm3X8aJLDSv/C3LanmDQjpA1xnhVhyChz+VtCshJfDGYM2wi6YfQMlqi 119 | # uhOCEe05F52ZOnKh5vqk2dUXMXWuhX0irj8BRob2KHnIsdrkVxfEfhwOsLSSplaz 120 | # vbKX7aqn8LfFqD+VFtD/oZbrCF8Yd08CAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGG 121 | # MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEXroq/0ksuCMS1Ri6enIZ3zbcgP 122 | # MB8GA1UdIwQYMBaAFEXroq/0ksuCMS1Ri6enIZ3zbcgPMA0GCSqGSIb3DQEBBQUA 123 | # A4IBAQCiDrzf4u3w43JzemSUv/dyZtgy5EJ1Yq6H6/LV2d5Ws5/MzhQouQ2XYFwS 124 | # 
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

Welcome to Project Sauron

For an introduction to Project Sauron and a quick-start using a Domain Controller example, refer to the following blog post.
https://blogs.technet.microsoft.com/russellt/2017/05/09/project-sauron-introduction/

The 4 core scripts can be used to build your own solutions as well.

Create-CustomViews.ps1 - Creates a custom view tree that allows you to easily extract specific events
Create-Manifest.ps1 - Creates an event channel manifest file for .dll compilation to create dedicated event channels (logs) for storage of events in manageable .evtx files
Prepare-EventChannels.ps1 - Enables the custom event channels, configures their default size and enables auto-archive.
Create-Subscriptions.ps1 - Creates the Windows Event Collection subscription files to forward and store events in the appropriate log file.

Want to create your own?

1. Create a CSV to define the custom event channels and xPath queries.
2. Compile a new .manifest and .dll file to define the custom event channels from your master input CSV.
3. Load the custom event channel .manifest and .dll into your Windows Event Collector using wevtutil.exe im.
4. Prepare the event channels.
5. Create and import your WEC subscriptions using the master input CSV.
6. Configure the machines to pull subscriptions from the WEC subscription server.
7. Begin leveraging your new centralised event logs.

Contribute
Got an idea for a new Channel/Subscription/View? Leave a comment on the repository.
--------------------------------------------------------------------------------
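A check for step 4 above and for the settings Prepare-EventChannels.ps1 applies, as an added example that is not part of Project Sauron: it reads the same input CSV, confirms each custom channel exists and is enabled with AutoBackup, the expected .evtx path under the log root and the 1 GB maximum, confirms the log root grants LOCAL SERVICE Modify and is compressed, and confirms that every non-empty xPath query parses against its source log. The script name, the function names, and the CSV header names QueryPath and Query are assumptions; ChannelName and ChannelSymbol are the columns the project's scripts use.

```powershell
# Test-SauronChannels.ps1 (added example; not part of Project Sauron)
# Verifies the channel configuration that Prepare-EventChannels.ps1 is meant to leave behind.
# Assumed CSV header names: ChannelName, ChannelSymbol (as used by the project's scripts),
# QueryPath (source log, e.g. Security) and Query (the xPath filter) - the last two are assumptions.
[CmdletBinding()]
Param (
    [Parameter(Mandatory=$true)][ValidateNotNullOrEmpty()][String]$InputFile,
    [Parameter(Mandatory=$false)][String]$LogRootPath = "D:\Logs"
)

$ExpectedMaxBytes = 1073741824   # 1 GB, the value Prepare-EventChannels.ps1 sets

function Test-LogRootPath {
    # The Windows Event Log service runs as LOCAL SERVICE; without Modify on the log root
    # the channel cannot be enabled and events silently never land in the .evtx file.
    Param([String]$Path)
    $Folder = Get-Item $Path -ErrorAction SilentlyContinue
    if ($null -eq $Folder) {
        return [PSCustomObject]@{ Path = $Path; Exists = $false; LocalServiceModify = $false; Compressed = $false }
    }
    $Modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $Ace = (Get-Acl $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\LOCAL SERVICE' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $Modify) -eq $Modify)
    }
    [PSCustomObject]@{
        Path               = $Path
        Exists             = $true
        LocalServiceModify = ($null -ne $Ace)
        Compressed         = (($Folder.Attributes -band [IO.FileAttributes]::Compressed) -ne 0)
    }
}

function Test-XPathQuery {
    # Returns $true when the query is empty or is accepted by the event log API for the source log.
    # A malformed xPath is rejected when the query is opened or first read; no matching event is not an error.
    Param([String]$LogName, [String]$Query)
    if ([String]::IsNullOrWhiteSpace($Query)) { return $true }
    try {
        $EventQuery = New-Object System.Diagnostics.Eventing.Reader.EventLogQuery(
            $LogName, [System.Diagnostics.Eventing.Reader.PathType]::LogName, $Query)
        $Reader = New-Object System.Diagnostics.Eventing.Reader.EventLogReader($EventQuery)
        $null = $Reader.ReadEvent()   # forces evaluation; $null simply means no event matched yet
        $Reader.Dispose()
        return $true
    } catch {
        Write-Warning "Query for '$LogName' rejected: $($_.Exception.Message)"
        return $false
    }
}

function Test-SauronChannel {
    Param($Channel, [String]$LogRootPath)
    $Config = Get-WinEvent -ListLog $Channel.ChannelName -ErrorAction SilentlyContinue
    # Same concatenation Prepare-EventChannels.ps1 uses, so the comparison is exact
    $ExpectedPath = $LogRootPath + "\" + $Channel.ChannelSymbol + ".evtx"
    [PSCustomObject]@{
        ChannelName   = $Channel.ChannelName
        Exists        = ($null -ne $Config)
        Enabled       = ($null -ne $Config -and $Config.IsEnabled)
        AutoBackup    = ($null -ne $Config -and $Config.LogMode -eq 'AutoBackup')
        LogFilePathOk = ($null -ne $Config -and $Config.LogFilePath -eq $ExpectedPath)
        MaxSizeOk     = ($null -ne $Config -and $Config.MaximumSizeInBytes -eq $ExpectedMaxBytes)
        QueryParses   = (Test-XPathQuery -LogName $Channel.QueryPath -Query $Channel.Query)
    }
}

$Root = Test-LogRootPath -Path $LogRootPath
$Root | Format-List

$Results = Import-Csv $InputFile | ForEach-Object { Test-SauronChannel -Channel $_ -LogRootPath $LogRootPath }
$Results | Format-Table -AutoSize

$Failures = @($Results | Where-Object {
    -not ($_.Exists -and $_.Enabled -and $_.AutoBackup -and $_.LogFilePathOk -and $_.MaxSizeOk -and $_.QueryParses)
})
if (-not $Root.LocalServiceModify -or $Failures.Count -gt 0) {
    Write-Host "`n$($Failures.Count) channel(s) need attention; log root ACL ok: $($Root.LocalServiceModify)" -ForegroundColor Red
    exit 1
}
Write-Host "`nAll channels prepared as expected" -ForegroundColor Green
```

Run it on the collector after wevtutil.exe im and Prepare-EventChannels.ps1 have been applied; a channel reported as missing means the manifest was not loaded, and a rejected query points at the CSV row to fix before the subscriptions are created.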