Created
December 20, 2018 15:18
-
-
Save jpogran/f9db889208489b1c56a65a66ebe6a207 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $LogName = 'Application' | |
| $pathType = [System.Diagnostics.Eventing.Reader.PathType]::LogName; | |
| $xpath = @" | |
| <QueryList> | |
| <Query Id="0" Path="Application"> | |
| <Select Path="Application">*</Select> | |
| </Query> | |
| </QueryList> | |
| "@ | |
| # do a check for a existing file, its ok to not have a file at start | |
| $lastRecord = Get-Content -Path $bookmarkFile; | |
| # this will return nothing if we don't have a lastrecord, or just pass null into eventLogReader | |
| $eventBookmark = (Get-WinEvent -LogName $LogName -FilterXPath "*[System[(EventRecordID=$($lastRecord))]]" -ErrorAction 0 -ErrorVariable bookError).Bookmark; | |
| # this is your query part | |
| $eventLogQuery = New-Object System.Diagnostics.Eventing.Reader.EventLogQuery $LogName, $pathType, $XPath; | |
| # if the bookmark is null, it ignores it, if it has a value it starts at that id | |
| $eventLogReader = New-Object System.Diagnostics.Eventing.Reader.EventLogReader $eventLogQuery, $eventBookmark; | |
| # read how you want | |
| # do a loop or however you access events | |
| $eventRecord = $eventLogReader.ReadEvent(); | |
| #get last read record id | |
| [string]$r = $eventRecord.RecordId | |
| # write to file, repeat step 1 | |
| Set-Content -Path $bookmarkFile -Value $r; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment