migrate to git.charlotte.sh

2025-04-19 23:42:08 -04:00 · 2025-04-19 23:42:08 -04:00 · fbd588721e
commit fbd588721e
412 changed files with 13750 additions and 0 deletions
--- a/automation-sys320/week03/ExternalScript.ps1
+++ b/automation-sys320/week03/ExternalScript.ps1
@ -0,0 +1,9 @@
+(Join-Path $PSScriptRoot .\FunctionsAndEventLogs.ps1)
+
+# get login and logoffs from past 14 days
+$loginoutsTable = getWinLogons(14)
+$loginoutsTable
+
+# get shutdowns from past 20 days
+$shutdownsTable = getShutdowns(20)
+$shutdownsTable
--- a/automation-sys320/week03/FunctionsAndEventLogs.ps1
+++ b/automation-sys320/week03/FunctionsAndEventLogs.ps1
@ -0,0 +1,64 @@
+# 9/12/24
+
+# 1. Get login and logoff records from Windows Events
+#Get-EventLog System -source Microsoft-Windows-Winlogon
+
+# 2. Get login and logoff reords from windows events and save to a variable
+#    Get the last 14 days
+# 3. Translate SID to Username
+# 4. Turn to function with 1 input (number of days)
+function getWinLogons ($days){
+    $loginouts = Get-EventLog System -source Microsoft-Windows-Winlogon -After (Get-Date).AddDays(-$days)
+
+    $loginoutsTable = @()
+    for($i=0; $i -lt $loginouts.Count; $i++){
+
+        # create event property value
+        $event = ""
+        if($loginouts[$i].InstanceID -eq 7001) {$event="Logon"}
+        if($loginouts[$i].InstanceID -eq 7002) {$event="Logoff"}
+
+        # create user property value
+        $userSID = New-Object System.Security.Principal.SecurityIdentifier `
+        ($loginouts[$i].ReplacementStrings[1])
+        $userNAME = $userSID.Translate([System.Security.Principal.NTAccount])
+
+        # add each entry to table
+        $loginoutsTable += [pscustomobject]@{"Time" = $loginouts[$i].TimeGenerated; `
+                                            "Id" = $loginouts[$i].InstanceId; `
+                                            "Event" = $event; `
+                                            "User" = $userNAME;                                    
+                                            }
+    }
+    return $loginoutsTable
+}
+
+#getWinLogons(30)
+
+
+# 5. Get shutdown and start events
+function getShutdowns ($days){
+
+    $shutdowns = Get-EventLog System -After (Get-Date).AddDays(-$days) | where { $_.EventID -match "600[56]" }
+
+    $shutdownsTable = @()
+    for($i=0; $i -lt $shutdowns.Count; $i++){
+
+
+        # create event property value
+        $event = ""
+        if($shutdowns[$i].EventID -eq 6006) {$event="Shutdown"}
+        if($shutdowns[$i].EventID -eq 6005) {$event="Start"}
+
+        # add each entry to table
+        $shutdownsTable += [pscustomobject]@{"Time" = $shutdowns[$i].TimeGenerated; `
+                                            "Id" = $shutdowns[$i].EventId; `
+                                            "Event" = $event; `
+                                            "User" = "SYSTEM";                                    
+                                            }
+    }
+    return $shutdownsTable
+}
+
+#getShutdowns
+