Battle Faction Puzzle 10

This topic contains 10 replies, has 3 voices, and was last updated by The Shah of Hash 2 months ago.

  • #96302

    Axel Bøg Andersen
    Participant

    A take on Puzzle 10:

    Get-EventLog -List only gets the basic event logs. If we have to get all event logs, Get-WinEvent must be used.

    Limit-EventLog proved pretty useless on anything other than the events retrieved by Get-EventLog, but MaximumLogLimit and LogMode can be updated and saved directly on the object.

    Out of pure grief that this is the final prequel puzzle, I took the time to do a one-liner 😉

  • #96390

    Yubu
    Participant

    🙂

    Get-WinEvent -ListLog * -Force -ErrorAction Ignore |
        Where-Object RecordCount |
        Select-Object LogName, RecordCount, @{n='LogFull(%)'; e={
            # how full the log file is against its configured maximum
            $logFullCurr = $_.FileSize / $_.MaximumSizeInBytes
            if ($logFullCurr -gt 0.8) {
                # grow the ceiling by 10%, make the log circular and persist it on the object
                $_.MaximumSizeInBytes = [int64]($_.MaximumSizeInBytes * 1.1)
                $_.LogMode = 'Circular'
                $_.SaveChanges()
                Write-EventLog -LogName "Windows PowerShell" -Source "PowerShell" -EventID 600 -EntryType Information -Message "$($_.LogName) log was extended. Current max log size is $($_.MaximumSizeInBytes) bytes"
                $logFullNew = $_.FileSize / $_.MaximumSizeInBytes
                [math]::Round($logFullNew * 100, 2)
            } else {
                # $logFullNew is never set on this branch; report the current ratio instead
                [math]::Round($logFullCurr * 100, 2)
            }
        }} |
        Select-Object LogName, RecordCount |   # the calculated column is only evaluated for its side effects
        Sort-Object RecordCount -Descending
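
The two posts above make the same two points: Get-EventLog -List sees only the classic logs while Get-WinEvent -ListLog sees all of them, and the size and retention settings are changed by editing the EventLogConfiguration object and calling SaveChanges(). The following is an added example, not code from either poster, that splits that work into a reporting function and an action function with -WhatIf support, so the change to a log such as Security can be previewed before it is made. It assumes Windows PowerShell 5.1 and an elevated session for the SaveChanges() step; the function names, the 80% threshold and the 10% growth factor are this example's own choices, and the rounding to a 64 KB multiple is added because the classic EventLog API requires it.

```powershell
# Added example: enumerate every log, report how full it is, and raise the ceiling
# on the ones past a threshold. Assumes Windows PowerShell 5.1 and admin rights for
# SaveChanges(). Function names and thresholds are this example's own choices.

function Get-LogFillLevel {
    [CmdletBinding()]
    param(
        [string]$LogName = '*'
    )
    # Get-EventLog -List only knows the classic logs; Get-WinEvent -ListLog returns an
    # EventLogConfiguration for every log, including the ones under Applications and
    # Services Logs. -Force also includes analytic/debug logs; logs we cannot read are
    # skipped instead of raising an error.
    Get-WinEvent -ListLog $LogName -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -and $_.MaximumSizeInBytes -gt 0 } |
        ForEach-Object {
            [pscustomobject]@{
                LogName            = $_.LogName
                RecordCount        = $_.RecordCount
                LogMode            = $_.LogMode
                MaximumSizeInBytes = $_.MaximumSizeInBytes
                PercentFull        = [math]::Round(100 * $_.FileSize / $_.MaximumSizeInBytes, 2)
                Config             = $_   # keep the live object so SaveChanges() can be called later
            }
        }
}

function Resize-FullLog {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [double]$Threshold    = 80,   # percent full at which we act (example's choice)
        [double]$GrowthFactor = 1.1   # grow by 10%, as in the one-liner above
    )
    Get-LogFillLevel | Where-Object PercentFull -gt $Threshold | ForEach-Object {
        $cfg = $_.Config
        # Round up to a multiple of 64 KB: the classic EventLog API requires it and it
        # is harmless for the newer configuration object.
        $newSize = [int64][math]::Ceiling($cfg.MaximumSizeInBytes * $GrowthFactor / 64KB) * 64KB
        $action  = "raise maximum size $($cfg.MaximumSizeInBytes) -> $newSize and set LogMode=Circular"
        if ($PSCmdlet.ShouldProcess($cfg.LogName, $action)) {
            $cfg.MaximumSizeInBytes = $newSize
            $cfg.LogMode = 'Circular'   # EventLogMode enum; the string is converted
            $cfg.SaveChanges()          # the step that needs admin rights
            # Hand back a record of what changed so the caller can log it.
            [pscustomobject]@{
                LogName = $cfg.LogName
                OldSize = $_.MaximumSizeInBytes
                NewSize = $newSize
            }
        }
    }
}

# Usage: preview first, then apply.
Resize-FullLog -WhatIf
Resize-FullLog -Verbose | Format-Table
```

Keeping the live EventLogConfiguration object on the report row is what makes the second function cheap; it is also why the report should not be cached across sessions, since the object holds the settings as they were when the log was listed.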
    
    • #96393

      Axel Bøg Andersen
      Participant

      I thought about using the event log too, but it said log file in the assignment. Well, basically that is a file as well.

    • #96401

      Yubu
      Participant

      I wanted to use the file, then I thought if we're all about logs, I'll use the logs. Tried New-WinEvent first, then found that with Write-EventLog you can write to any log, you just need to find a more or less suitable ID. This may be very useful on many occasions. No additional files to create, every line has a timestamp, searchable and works remotely.
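
The Write-EventLog technique described above, and the later remark in this thread that it is a good way to hide traces, both come down to which source and ID the messages are written under. The following is an added example, not the poster's code, that registers a source of its own rather than borrowing PowerShell's, writes under IDs that no provider uses, and reads the lines back by provider name. It assumes Windows PowerShell 5.1 (the *-EventLog cmdlets are not present in PowerShell 7) and one elevated run for New-EventLog; the source name 'PuzzleLog' and the event IDs 1000/1001 are this example's own choices.

```powershell
# Added example: write puzzle progress to the event log through a registered source of
# our own, then read it back. Assumes Windows PowerShell 5.1 and admin rights for the
# one-time New-EventLog call. 'PuzzleLog' and the IDs are this example's own choices.

$Source  = 'PuzzleLog'
$LogName = 'Application'

function Initialize-PuzzleLogSource {
    # Registering a source needs admin rights once; afterwards anyone who can write to
    # the log can use it. A source is bound to exactly one log.
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName $LogName -Source $Source
    }
}

function Write-PuzzleLog {
    param(
        [Parameter(Mandatory)][string]$Message,
        [ValidateSet('Information', 'Warning', 'Error')][string]$EntryType = 'Information',
        [int]$EventId = 1000
    )
    # Our own source/ID pair keeps these lines distinguishable from a provider's genuine
    # events. Writing with -Source PowerShell -EventId 600 into the Windows PowerShell
    # log would make them look like its 'Provider ... is Started' lifecycle entries,
    # which is exactly why that variant blends in so well.
    Write-EventLog -LogName $LogName -Source $Source -EventId $EventId -EntryType $EntryType -Message $Message
}

function Get-PuzzleLog {
    param([int]$Last = 20)
    # For classic logs the source name is the ProviderName, so the read-back can filter
    # on it directly; add -ComputerName to do the same on a remote host.
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; ProviderName = $Source } -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Usage
Initialize-PuzzleLogSource
Write-PuzzleLog -Message 'Puzzle 10 started'
Write-PuzzleLog -Message 'Security log is past 80% of its maximum size' -EntryType Warning -EventId 1001
Get-PuzzleLog | Format-Table -AutoSize
```

The same ProviderName filter is the check to run when you suspect someone has been writing under a borrowed source: a burst of ID 600 entries in the Windows PowerShell log whose messages do not name a provider is not what the engine produces on its own.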

    • #96422

      Axel Bøg Andersen
      Participant

      I agree Yubu. I used that technique a lot when an external vendor was to monitor my other ramblings 🙂

    • #96431

      Yubu
      Participant

      🙂
      Exactly! It's an excellent way to hide the traces.
      It was fun being here. I've liked your more programmer-like approach vs. mine, the CNA's (Click Next Admin).

      Big thanks to Richard, for his time spent on us.
      Good luck everyone.

    • #96434

      Axel Bøg Andersen
      Participant

      Yes, it has been great fun and I have learned a lot. I'm really looking forward to working with you guys at the summit!

  • #96398

    The Shah of Hash
    Participant

    More verbose than the others, but I'm trying to build up a reusable code base for the challenge.

    • #96428

      Axel Bøg Andersen
      Participant

      Sounds like a good idea!

      The rules seem to allow import of modules from the PS Gallery. There are quite a lot of logging modules there. Does anyone use or know any of them?

      Had a glance at this one: https://github.com/9to5IT/PSLogging

    • #96435

      Yubu
      Participant

      Dave Wyatt's PowerShellLogging for a few years...

    • #96438

      The Shah of Hash
      Participant

      I considered using a pre-built logging module, but decided that the prequel challenges specified very easy logging requirements and I didn't feel the need to bring in firepower here. Just my $.02
