Thursday, August 11, 2011

Sorting Windows events by UserID: Part II (Building a Module)

I am a bit late to some v2.0 functionality. I made my first attempt at creating a module, in this case a six-function script that queries general information from an event log. I ran into at least two problems:
  • (a) get-winevent is slow for high volume queries
  • (b) modules so encapsulate their variables in functions that I could not find how to call all functions globally from an internal or external script.

You can find the system module locations with:


$env:PSModulePath 
(($env:PSModulePath -split(";"))[0])


$env:PSModulePath 
C:\Users\rferrisx\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\


(($env:PSModulePath -split(";"))[0])
C:\Users\rferrisx\Documents\WindowsPowerShell\Modules


After you have created your functions for your module, you can import them into your session:


Import-Module .\UserIDEventsModule.psm1


If you change your module you can remove it:


remove-module UserIDEventsModule


While your module is imported, you can list your functions:


$commands=(get-module UserIDEventsModule).ExportedCommands
$list=(($commands).Values) | %{$_.Name} | Sort
$list


0Check-EventLogsBySize
1Check-EventLogsByLastWrite
2Count-Providers
3Find-UniqueUserIDs
4UserID-filter
5Event-filter
logtime
Run-AllModFunc


I constructed an internal function to run all the modules that declared all the specific variables to the functions. However, whether I run such a function as part of a module or from an external script, I cannot alter the individual module function variables globally. Setting the variables global with AllScope (as below) does not help:



function Global:Run-AllModFunc {
[CmdletBinding()]
    Param(
        [Parameter(ValueFromPipeline=$true)]
        [int]$Global:hours=1,
        [string]$Global:filter = "ID",
        [array]$Global:logs = @("Security","System","Application"),
        [string]$Modpath = (($env:PSModulePath -split(";"))[0]),
        $NoRun="Run-AllModFunc",
        $FileTime=[DateTime]::Now.ToFileTime()
        )

sv -Name hours -Option AllScope
sv -Name filter -Option AllScope
sv -Name logs -Option AllScope

$host.UI.RawUI.BufferSize = new-object System.Management.Automation.Host.Size(500,1000)
Import-Module $Modpath\UserIDEventsModule.psm1
$commands=(get-module UserIDEventsModule).ExportedCommands
$list=(($commands).Values) | %{$_.Name} | Sort
logtime | out-file -append  -encoding ascii -FilePath $($Filetime)
foreach ($func in $list) {
    if ($func -eq $NoRun ){} else {
        $($func;logtime)
        &($func) | ft -auto -wrap |  out-file -append  -encoding ascii -FilePath $($Filetime)
    }
}
}
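
One way to give every function in a module the same settings, shown as an added example rather than the post's own module code: keep the values in the module's script scope and change them only through an exported setter. The module name DemoAudit and the functions Set-AuditScope, Get-AuditScope and Get-AuditWindowStart are hypothetical.

```powershell
# Constructed in-memory module; the same body saved as a .psm1 file behaves the same way.
New-Module -Name DemoAudit -ScriptBlock {
    # Module-level (script scope) settings shared by every function below.
    $script:Hours = 1
    $script:Logs  = @('Security', 'System', 'Application')

    function Set-AuditScope {
        [CmdletBinding()]
        param(
            [ValidateRange(1, 720)][int]$Hours = $script:Hours,
            [string[]]$Logs = $script:Logs
        )
        # Write back to module scope so every other function sees the change.
        $script:Hours = $Hours
        $script:Logs  = $Logs
    }

    function Get-AuditScope {
        New-Object PSObject -Property @{ Hours = $script:Hours; Logs = $script:Logs }
    }

    function Get-AuditWindowStart {
        # Reads the shared setting instead of declaring its own $hours default.
        (Get-Date).AddHours(-$script:Hours)
    }

    Export-ModuleMember -Function Set-AuditScope, Get-AuditScope, Get-AuditWindowStart
} | Import-Module

# A global of the same name in the caller's session is a different variable;
# the functions read $script:Hours explicitly, so this assignment is ignored.
$global:Hours = 24
Get-AuditScope

# The exported setter changes the value for every function in the module at once.
Set-AuditScope -Hours 6 -Logs Security
Get-AuditScope
Get-AuditWindowStart
```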

The module runs and produces a text file of critical information, but in the case of a security audit configuration as below, it processes events somewhat slowly, most obviously because of the large volume of 'Filtering Platform Connections' events:



auditpol /get /category:* | findstr Success
  Security System Extension               Success and Failure
  System Integrity                        Success and Failure
  IPsec Driver                            Success and Failure
  Other System Events                     Success and Failure
  Security State Change                   Success and Failure
  Logon                                   Success and Failure
  Logoff                                  Success and Failure
  Account Lockout                         Success and Failure
  IPsec Main Mode                         Success and Failure
  IPsec Quick Mode                        Success and Failure
  IPsec Extended Mode                     Success and Failure
  Special Logon                           Success and Failure
  Other Logon/Logoff Events               Success and Failure
  Network Policy Server                   Success and Failure
  Filtering Platform Connection           Success
  Sensitive Privilege Use                 Success
  Process Termination                     Success
  Process Creation                        Success
  Authentication Policy Change            Success
  Filtering Platform Policy Change        Success



Run-AllModFunc
0Check-EventLogsBySize


2011     8  11   11      19       7 611


1Check-EventLogsByLastWrite


2011     8  11   11      19      12 741


2Count-Providers


2011     8  11   11      19      13 828


3Find-UniqueUserIDs


2011     8  11   11      20      10 522


4UserID-filter


2011     8  11   11      20      25 843


5Event-filter


2011     8  11   11      20      47 190


logtime


2011     8  11   11      21       7 207
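
A narrower query for the slow case described above, as an added example that is not the post's module code: the XPath filter is evaluated by the event log service, so events outside the time window and the excluded IDs never reach the PowerShell pipeline. The function name Get-UserIdCount is hypothetical, and treating event IDs 5156 and 5157 (Filtering Platform Connection permitted and blocked) as the ones to exclude is an assumption.

```powershell
function Get-UserIdCount {
    [CmdletBinding()]
    param(
        [string[]]$Logs = @('Security', 'System', 'Application'),
        [ValidateRange(1, 720)][int]$Hours = 1,
        # Assumption: these are the high-volume IDs you do not need for a per-user summary.
        [ValidateNotNullOrEmpty()][int[]]$ExcludeId = @(5156, 5157)
    )

    # timediff() works in milliseconds relative to the current time.
    $ms   = $Hours * 3600000
    $skip = ($ExcludeId | ForEach-Object { "EventID!=$_" }) -join ' and '
    $xpath = "*[System[($skip) and TimeCreated[timediff(@SystemTime) <= $ms]]]"
    Write-Verbose "XPath filter: $xpath"

    foreach ($log in $Logs) {
        # SilentlyContinue suppresses the 'No events were found' error for quiet logs.
        # It also hides access-denied errors, so run elevated when reading Security.
        Get-WinEvent -LogName $log -FilterXPath $xpath -ErrorAction SilentlyContinue |
            Group-Object -Property UserId |
            Sort-Object -Property Count -Descending |
            Select-Object @{n='Log';e={$log}}, Count, @{n='UserId';e={$_.Name}}
    }
}

Get-UserIdCount -Hours 1 -Verbose | Format-Table -AutoSize
```

Timing this with Measure-Command against the same window filtered through Where-Object shows how much of the run time is spent materializing events that are discarded afterwards.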


If you run the module as a job, you must use the 'initializationScript' parameter to import the module into the job session:


start-job -name AllModFunc -initializationScript {import-module .\UserIDEventsModule.psm1} -scriptblock {Run-AllModFunc}
