From ef776a717adce62230d1bc91aeffc14187da1655 Mon Sep 17 00:00:00 2001
From: Stefan Chivu
Date: Tue, 14 Feb 2023 11:47:03 +0000
Subject: [PATCH] ceph-windows: Fix event log artifacts

Previously, the windows event log artifacts were being dumped in evtx format and then converted to txt by individually querying them using wevtutil. After doing this, the resulting txt logs contained xml entries that omitted the actual event message. Now, they will be directly dumped as txt using Get-WinEvent and the evtx logs can be obtained using the -IncludeEvtxFiles flag.

Signed-off-by: Stefan Chivu
---
 scripts/ceph-windows/collect-event-logs.ps1 | 24 +++++++++------------
 1 file changed, 10 insertions(+), 14 deletions(-)

diff --git a/scripts/ceph-windows/collect-event-logs.ps1 b/scripts/ceph-windows/collect-event-logs.ps1
index 4be0ab47..de870aeb 100644
--- a/scripts/ceph-windows/collect-event-logs.ps1
+++ b/scripts/ceph-windows/collect-event-logs.ps1
@@ -20,16 +20,13 @@ function DumpEventLogEvtx($path){
 }
 }
 
-function ConvertEvtxDumpToTxt($path){
- foreach ($i in (Get-ChildItem $path -Filter eventlog_*.evtx)) {
- $logName = $i.BaseName + ".txt"
+function DumpEventLogTxt($path){
+ foreach ($i in (Get-WinEvent -ListLog * | ? {$_.RecordCount -gt 0 })) {
+ $logName = "eventlog_" + $i.LogName + ".txt"
 $logName = $logName.replace(" ","-").replace("/", "-").replace("\", "-")
- Write-Output "converting "$i.BaseName" evtx to txt"
+ Write-Output "exporting "$i.LogName" as "$logName
 $logFile = Join-Path $path $logName
- & $Env:WinDir\System32\wevtutil.exe qe $i.FullName /lf > $logFile
- if ($LASTEXITCODE) {
- Throw "Failed to convert $($i.FullName) to txt"
- }
+ Get-WinEvent -FilterHashtable @{LogName=$i.LogName;StartTime=$(Get-Date).AddHours(-24)} | Format-Table -AutoSize -Wrap > $logFile
 }
 }
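Review bot: The added `Get-WinEvent -FilterHashtable ... | Format-Table ... > $logFile` line drops the failure check that the removed `$LASTEXITCODE`/`Throw` lines provided; Get-WinEvent reports a log it cannot read, or a log with no events inside the window, as a non-terminating error, so the loop continues and leaves an empty `$logFile` with nothing in the run output flagging the gap. Wrapping the call in try/catch with `-ErrorAction Stop` and emitting a warning that names the log would make a missing artifact visible to whoever later relies on it, without aborting the whole collection for the common "no recent events" case. Separately, the hard-coded `StartTime=$(Get-Date).AddHours(-24)` quietly limits the txt artifacts to the last 24 hours even though the `RecordCount -gt 0` filter on the foreach line selects logs by their total record count; a comment such as `# txt export covers only the last 24h; pass -IncludeEvtxFiles for the full log` on that line (or a script-level parameter for the window) would make the cut-off explicit.
```powershell
        # … unchanged: $logName / $logFile computation …
        try {
            Get-WinEvent -FilterHashtable @{LogName=$i.LogName;StartTime=$(Get-Date).AddHours(-24)} -ErrorAction Stop |
                Format-Table -AutoSize -Wrap > $logFile
        } catch {
            Write-Warning "Failed to export $($i.LogName) to txt: $_"
        }
```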
@@ -44,13 +41,12 @@ function ClearEventLog(){
 mkdir -force $LogDirectory
 
-DumpEventLogEvtx $LogDirectory
-ConvertEvtxDumpToTxt $LogDirectory
+DumpEventLogTxt $LogDirectory
 
-if ($CleanupEventLog) {
- ClearEventLog
+if ($IncludeEvtxFiles) {
+ DumpEventLogEvtx $LogDirectory
 }
 
-if (-not $IncludeEvtxFiles) {
- rm $LogDirectory\eventlog_*.evtx
+if ($CleanupEventLog) {
+ ClearEventLog
 }
 
-- 
2.47.3
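Review bot: With the new ordering, `ClearEventLog` in the last added `if ($CleanupEventLog)` block runs after an export that, given the `StartTime` filter DumpEventLogTxt now applies, only covers the last 24 hours, so when -CleanupEventLog is passed without -IncludeEvtxFiles every older event is wiped from the host without ever reaching the artifacts. The two switches are independent here, so either refuse or warn on that combination, e.g. `if ($CleanupEventLog -and -not $IncludeEvtxFiles) { Write-Warning "clearing logs after a 24h txt export only; older events will be lost" }` before the cleanup, or document the interaction next to the parameter definitions, which are outside this hunk.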