- (a) get-winevent is slow for high volume queries
- (b) modules encapsulate their variables in functions so thoroughly that I could not find how to call all functions globally from an internal or external script.
You can find the system module locations with:
$env:PSModulePath
C:\Users\rferrisx\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
(($env:PSModulePath -split(";"))[0])
C:\Users\rferrisx\Documents\WindowsPowerShell\Modules
After you have created your functions for your module, you can import them into your session:
Import-Module .\UserIDEventsModule.psm1
If you change your module you can remove it:
remove-module UserIDEventsModule
While your module is imported, you can list your functions:
$commands=(get-module UserIDEventsModule).ExportedCommands
$list=(($commands).Values) | %{$_.Name} | Sort
$list
0Check-EventLogsBySize
1Check-EventLogsByLastWrite
2Count-Providers
3Find-UniqueUserIDs
4UserID-filter
5Event-filter
logtime
Run-AllModFunc
I constructed an internal function to run all the module functions, declaring all the specific variables for them. However, whether I run such a function as part of a module or from an external script, I cannot alter the individual module function variables globally. Setting the variables global with AllScope (as below) does not help:
function Global:Run-AllModFunc {
    [CmdletBinding()]
    Param(
        [Parameter(ValueFromPipeline=$true)]
        [int]$Global:hours=1,
        [string]$Global:filter = "ID",
        [array]$Global:logs = @("Security","System","Application"),
        [string]$Modpath = (($env:PSModulePath -split(";"))[0]),
        $NoRun="Run-AllModFunc",                 # the runner itself is skipped when iterating the exported functions
        $FileTime=[DateTime]::Now.ToFileTime()   # output file name: the current time as a FILETIME integer
    )
    # attempt to make the three settings visible in every scope (as described above, this does not reach the module functions)
    sv -Name hours -Option AllScope
    sv -Name filter -Option AllScope
    sv -Name logs -Option AllScope
    # widen the console buffer so the Format-Table output is not truncated
    $host.UI.RawUI.BufferSize = new-object System.Management.Automation.Host.Size(500,1000)
    Import-Module $Modpath\UserIDEventsModule.psm1
    # enumerate the module's exported function names
    $commands=(get-module UserIDEventsModule).ExportedCommands
    $list=(($commands).Values) | %{$_.Name} | Sort
    logtime | out-file -append -encoding ascii -FilePath $($Filetime)
    # run every exported function except this one, echoing its name and a timestamp, and append its table to the file
    foreach ($func in $list) {
        if ($func -eq $NoRun ){} else {
            $($func;logtime)
            &($func) | ft -auto -wrap | out-file -append -encoding ascii -FilePath $($Filetime)
        }
    }
}
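The same import / enumerate / run-everything loop, written as an added example rather than the post's UserIDEventsModule: the module file, its two functions (Get-DemoLogSizes, Get-DemoRecentIds) and the temp paths are constructed for this illustration. The difference from the runner above is that the shared settings are passed into each function as parameters by splatting one hashtable, and the runner only passes the keys a given function actually declares, so no global or AllScope variables are needed and a function that lacks a parameter does not make the call fail.

```powershell
# Added example, not the post's module. Module name, function names and paths are constructed.
$modDir  = Join-Path $env:TEMP 'DemoEventsModule'
$modPath = Join-Path $modDir 'DemoEventsModule.psm1'
New-Item -ItemType Directory -Path $modDir -Force | Out-Null

# The module's functions take the shared settings as parameters rather than reading
# global variables, so one hashtable can be splatted into each of them from the runner.
@'
function Get-DemoLogSizes {
    param([string[]]$Logs = @('Security','System','Application'))
    Get-WinEvent -ListLog $Logs -ErrorAction SilentlyContinue |
        Select-Object LogName, RecordCount, FileSize, LastWriteTime
}
function Get-DemoRecentIds {
    param([string[]]$Logs = @('Security','System','Application'), [int]$Hours = 1)
    foreach ($log in $Logs) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
            Group-Object Id | Sort-Object Count -Descending |
            Select-Object @{ n = 'Log'; e = { $log } }, Name, Count -First 10
    }
}
Export-ModuleMember -Function Get-DemoLogSizes, Get-DemoRecentIds
'@ | Set-Content -Path $modPath -Encoding ASCII

Import-Module $modPath -Force

# Enumerate the exported functions the same way the post does
$functions = (Get-Module DemoEventsModule).ExportedCommands.Values |
    ForEach-Object { $_.Name } | Sort-Object

# Shared settings live in one place; the runner hands each function only the keys it declares
$settings = @{ Logs = @('System','Application'); Hours = 2 }
$outFile  = Join-Path $env:TEMP ('demo-events-{0}.txt' -f [DateTime]::Now.ToFileTime())

foreach ($name in $functions) {
    $declared = (Get-Command $name).Parameters
    $bound = @{}
    foreach ($key in $settings.Keys) {
        if ($declared.ContainsKey($key)) { $bound[$key] = $settings[$key] }
    }
    # time each function so the slow ones stand out, and append its table to the report file
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    "=== $name  $(Get-Date -Format o)" | Out-File -Append -Encoding ascii -FilePath $outFile
    & $name @bound | Format-Table -AutoSize -Wrap | Out-File -Append -Encoding ascii -FilePath $outFile
    $sw.Stop()
    '{0,-20} {1,8:N1} s' -f $name, $sw.Elapsed.TotalSeconds
}
"Results written to $outFile"
Remove-Module DemoEventsModule
```

Reading the Security log (the default in both functions) needs an elevated session; the sample settings leave it out so the example also runs unelevated. Remove-Module at the end mirrors the post's advice to remove a module before re-importing a changed version; -Force on Import-Module does the same in one step.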
The module runs and produces a text file of critical information, but with a security audit configuration like the one below it processes events somewhat slowly, most obviously because of the large volume of 'Filtering Platform Connection' events:
auditpol /get /category:* | findstr Success
Security System Extension Success and Failure
System Integrity Success and Failure
IPsec Driver Success and Failure
Other System Events Success and Failure
Security State Change Success and Failure
Logon Success and Failure
Logoff Success and Failure
Account Lockout Success and Failure
IPsec Main Mode Success and Failure
IPsec Quick Mode Success and Failure
IPsec Extended Mode Success and Failure
Special Logon Success and Failure
Other Logon/Logoff Events Success and Failure
Network Policy Server Success and Failure
Filtering Platform Connection Success
Sensitive Privilege Use Success
Process Termination Success
Process Creation Success
Authentication Policy Change Success
Filtering Platform Policy Change Success
Run-AllModFunc
0Check-EventLogsBySize
2011 8 11 11 19 7 611
1Check-EventLogsByLastWrite
2011 8 11 11 19 12 741
2Count-Providers
2011 8 11 11 19 13 828
3Find-UniqueUserIDs
2011 8 11 11 20 10 522
4UserID-filter
2011 8 11 11 20 25 843
5Event-filter
2011 8 11 11 20 47 190
logtime
2011 8 11 11 21 7 207
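An added example (not code from the post) of the query shape that addresses point (a): Get-WinEvent with -FilterHashtable hands the log name, event IDs and time window to the event log service, so the Filtering Platform Connection records that dominate a log audited as above are never deserialized into PowerShell objects. It assumes a session that can read the Security log, and uses the well-known logon event IDs 4624, 4625, 4634 and 4648 as its sample filter; the function names are constructed.

```powershell
# Added example, not from the original post. Function names are constructed.
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { Write-Warning 'Reading the Security log needs an elevated session (or membership in Event Log Readers).' }

function Get-LogonEventsFast {
    param(
        [int]$Hours = 1,
        [int[]]$Id = @(4624, 4625, 4634, 4648),  # logon ok, logon failed, logoff, explicit-credential logon
        [int]$MaxEvents = 5000
    )
    # Every key in the hashtable becomes part of the query the event log service evaluates,
    # so non-matching records (including the Filtering Platform Connection flood) are
    # dropped before they reach PowerShell.
    $filter = @{ LogName = 'Security'; Id = $Id; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read named fields from the event XML instead of relying on positional
            # .Properties indexes, whose order differs between event IDs.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { if ($d) { $data[$d.Name] = $d.'#text' } }
            New-Object PSObject -Property @{
                Time      = $_.TimeCreated
                Id        = $_.Id
                User      = $data['TargetUserName']
                Domain    = $data['TargetDomainName']
                LogonType = $data['LogonType']
                Source    = $data['IpAddress']
            }
        }
}

# The same question asked the slow way: every record in the log is read and deserialized,
# and the ID and time tests run in PowerShell afterwards. Defined only for the comparison.
function Get-LogonEventsSlow {
    param([int]$Hours = 1, [int[]]$Id = @(4624, 4625, 4634, 4648))
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -LogName Security -ErrorAction SilentlyContinue |
        Where-Object { $_.TimeCreated -ge $since -and $Id -contains $_.Id }
}

$sw = [System.Diagnostics.Stopwatch]::StartNew()
$events = @(Get-LogonEventsFast -Hours 1)
$sw.Stop()
'{0} logon-related events in {1:N1} s (service-side filter)' -f $events.Count, $sw.Elapsed.TotalSeconds

# Unique user IDs with counts, the summary the post's Find-UniqueUserIDs function is after
$events | Group-Object User | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# Uncomment to time the pipeline-filtered version over the same window; on a log audited
# as above this is the run that takes minutes rather than seconds.
# $sw = [System.Diagnostics.Stopwatch]::StartNew(); $null = Get-LogonEventsSlow -Hours 1; $sw.Stop(); $sw.Elapsed.TotalSeconds
```

-MaxEvents is a second bound on the work done: when the goal is a quick look at recent logons it stops the query after the newest N matches, which a Where-Object pipeline cannot do because it only sees records after they have been read.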
If you run the module as a job, you must use the -InitializationScript parameter to import the module into the job session, because a job runs in its own session and does not inherit the modules imported in the console:
start-job -name AllModFunc -initializationScript {import-module .\UserIDEventsModule.psm1} -scriptblock {Run-AllModFunc}
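A fuller version of that job, as an added example rather than the post's command: it writes a one-function module to a temp file (the module and its Get-DemoProviderCounts function are constructed stand-ins for UserIDEventsModule), imports it through -InitializationScript, passes the settings in with -ArgumentList since the job cannot see the console's variables, then waits with a timeout, collects the output and surfaces the job's errors if it did not complete.

```powershell
# Added example, not from the original post. Module path and function name are constructed.
$modPath = Join-Path $env:TEMP 'DemoJobModule.psm1'
@'
function Get-DemoProviderCounts {
    param([string[]]$Logs = @('System','Application'), [int]$Hours = 1)
    foreach ($log in $Logs) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
            Group-Object ProviderName | Sort-Object Count -Descending |
            Select-Object @{ n = 'Log'; e = { $log } }, Name, Count
    }
}
'@ | Set-Content -Path $modPath -Encoding ASCII

# A job runs in its own runspace: nothing imported or assigned in the console is visible there.
# -InitializationScript imports the module before the script block runs, and -ArgumentList
# carries the console's values in. The absolute path matters because the job's working
# directory is not guaranteed to be the console's current directory.
$job = Start-Job -Name AllModFunc `
    -InitializationScript ([scriptblock]::Create("Import-Module '$modPath'")) `
    -ArgumentList @('System','Application'), 2 `
    -ScriptBlock { param([string[]]$Logs, [int]$Hours) Get-DemoProviderCounts -Logs $Logs -Hours $Hours }

# Wait-Job -Timeout returns the job only if it finished; otherwise stop it rather than waiting forever
if (-not (Wait-Job $job -Timeout 600)) { 'Job still running after timeout; stopping it'; Stop-Job $job }

if ($job.State -eq 'Completed') {
    Receive-Job $job | Format-Table -AutoSize
} else {
    "Job ended in state '$($job.State)'"
    # errors raised inside the job live on its child job, not on the parent
    $job.ChildJobs[0].Error | ForEach-Object { $_.ToString() }
}
Remove-Job $job -Force
```

Receive-Job returns deserialized copies of the objects the job produced, which is fine for tables and reports but means methods on live event objects are not available afterwards; any XML parsing or property extraction belongs inside the job's script block.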