From 2cb80c58a1618fea6d5b9d73284815dcf47f0f45 Mon Sep 17 00:00:00 2001
From: linxiehong <2813826100@qq.com>
Date: Mon, 16 Dec 2024 21:15:46 +0800
Subject: [PATCH 1/4] 123456

---
 test1.txt | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 test1.txt

diff --git a/test1.txt b/test1.txt
new file mode 100644
index 0000000..e2e107a
--- /dev/null
+++ b/test1.txt
@@ -0,0 +1 @@
+123456789
\ No newline at end of file
--
2.34.1

From 19501d4439b3f4a9f8cc738800023244976b1875 Mon Sep 17 00:00:00 2001
From: linxiehong <2813826100@qq.com>
Date: Mon, 16 Dec 2024 21:21:31 +0800
Subject: [PATCH 2/4] 123 added

---
 123.txt | 1 +
 test1.txt | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)
 create mode 100644 123.txt
 delete mode 100644 test1.txt

diff --git a/123.txt b/123.txt
new file mode 100644
index 0000000..b23c1c5
--- /dev/null
+++ b/123.txt
@@ -0,0 +1 @@
+111111
\ No newline at end of file
diff --git a/test1.txt b/test1.txt
deleted file mode 100644
index e2e107a..0000000
--- a/test1.txt
+++ /dev/null
@@ -1 +0,0 @@
-123456789
\ No newline at end of file
--
2.34.1

From ca84da7bc318f8a1b2492476c1afa4e4302c69fc Mon Sep 17 00:00:00 2001
From: "2813826100@qq.com" <2813826100@qq.com>
Date: Mon, 16 Dec 2024 21:37:59 +0800
Subject: [PATCH 3/4] try

---
 123.txt | 1 -
 test.txt | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)
 delete mode 100644 123.txt
 create mode 100644 test.txt

diff --git a/123.txt b/123.txt
deleted file mode 100644
index b23c1c5..0000000
--- a/123.txt
+++ /dev/null
@@ -1 +0,0 @@
-111111
\ No newline at end of file
diff --git a/test.txt b/test.txt
new file mode 100644
index 0000000..5bd5b2c
--- /dev/null
+++ b/test.txt
@@ -0,0 +1 @@
+ 不会搞
\ No newline at end of file
--
2.34.1

From 8ad48ca39037c396f9ea5872b0cb2619e64c5938 Mon Sep 17 00:00:00 2001
From: linxiehong <2813826100@qq.com>
Date: Mon, 30 Dec 2024 19:28:54 +0800
Subject: [PATCH 4/4] Fin

---
 src/windows-log-collector-full-v3-CSV.ps1 | 138 ++++++++++----------
 src/windows-log-collector-full-v3-EVTX.ps1 | 142 +++++++++++----------
 2 files changed, 146 insertions(+), 134 deletions(-)

diff --git a/src/windows-log-collector-full-v3-CSV.ps1 b/src/windows-log-collector-full-v3-CSV.ps1
index a7e72ce..4a38139 100644
--- a/src/windows-log-collector-full-v3-CSV.ps1
+++ b/src/windows-log-collector-full-v3-CSV.ps1
@@ -1,101 +1,107 @@
-try{
-New-Item -ItemType "directory" -Path "wineventlog"
-
+# 尝试创建一个名为 "wineventlog" 的目录
+try {
+ New-Item -ItemType "directory" -Path "wineventlog"
 }
-catch
-{
-echo "can't create a new directory"
+catch {
+ # 如果创建目录失败,输出错误信息
+ echo "can't create a new directory"
 }
-try{
-get-eventlog -log Security | export-csv wineventlog/Security.csv
+# 尝试获取安全日志并导出为 CSV 文件
+try {
+ get-eventlog -log Security | export-csv wineventlog/Security.csv
 }
-catch
-{
-echo "Can't retrieve Security Logs"
+catch {
+ # 如果获取安全日志失败,输出错误信息
+ echo "Can't retrieve Security Logs"
 }
-try
-{
-Get-WinEvent -LogName System | export-csv wineventlog/System.csv
+# 尝试获取系统日志并导出为 CSV 文件
+try {
+ Get-WinEvent -LogName System | export-csv wineventlog/System.csv
 }
-catch
-{
-echo "Can't retrieve System Logs"
+catch {
+ # 如果获取系统日志失败,输出错误信息
+ echo "Can't retrieve System Logs"
 }
-try{
-Get-WinEvent -LogName Application | export-csv wineventlog/Application.csv
+# 尝试获取应用程序日志并导出为 CSV 文件
+try {
+ Get-WinEvent -LogName Application | export-csv wineventlog/Application.csv
 }
-catch
-{
-echo "Can't retrieve Application Logs"
+catch {
+ # 如果获取应用程序日志失败,输出错误信息
+ echo "Can't retrieve Application Logs"
 }
-
-try{
-Get-WinEvent -LogName "Windows PowerShell" | export-csv wineventlog/Windows_PowerShell.csv
+# 尝试获取 Windows PowerShell 日志并导出为 CSV 文件
+try {
+ Get-WinEvent -LogName "Windows PowerShell" | export-csv wineventlog/Windows_PowerShell.csv
 }
-catch
-{
-echo "Can't retrieve Windows PowerShell Logs"
+catch {
+ # 如果获取 Windows PowerShell 日志失败,输出错误信息
+ echo "Can't retrieve Windows PowerShell Logs"
 }
-try{
-Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | export-csv wineventlog/LocalSessionManager.csv
+# 尝试获取 Microsoft-Windows-TerminalServices-LocalSessionManager/Operational 日志并导出为 CSV 文件
+try {
+ Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | export-csv wineventlog/LocalSessionManager.csv
 }
-catch
-{
-echo "Can't retrieve Microsoft-Windows-TerminalServices-LocalSessionManager/Operational Logs"
+catch {
+ # 如果获取 LocalSessionManager 日志失败,输出错误信息
+ echo "Can't retrieve Microsoft-Windows-TerminalServices-LocalSessionManager/Operational Logs"
 }
-try{
-Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" | export-csv wineventlog/Windows_Defender.csv
+# 尝试获取 Microsoft-Windows-Windows Defender/Operational 日志并导出为 CSV 文件
+try {
+ Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" | export-csv wineventlog/Windows_Defender.csv
 }
-catch
-{
-echo "Can't retrieve Microsoft-Windows-Windows Defender/Operational Logs"
+catch {
+ # 如果获取 Windows Defender 日志失败,输出错误信息
+ echo "Can't retrieve Microsoft-Windows-Windows Defender/Operational Logs"
 }
-try{
-Get-WinEvent -LogName Microsoft-Windows-TaskScheduler/Operational | export-csv wineventlog/TaskScheduler.csv
+# 尝试获取 Microsoft-Windows-TaskScheduler/Operational 日志并导出为 CSV 文件
+try {
+ Get-WinEvent -LogName Microsoft-Windows-TaskScheduler/Operational | export-csv wineventlog/TaskScheduler.csv
 }
-catch
-{
-echo "Can't retrieve Microsoft-Windows-TaskScheduler/Operational Logs"
+catch {
+ # 如果获取 TaskScheduler 日志失败,输出错误信息
+ echo "Can't retrieve Microsoft-Windows-TaskScheduler/Operational Logs"
 }
-try{
-Get-WinEvent -LogName Microsoft-Windows-WinRM/Operational | export-csv wineventlog/WinRM.csv
+# 尝试获取 Microsoft-Windows-WinRM/Operational 日志并导出为 CSV 文件
+try {
+ Get-WinEvent -LogName Microsoft-Windows-WinRM/Operational | export-csv wineventlog/WinRM.csv
 }
-catch
-{
-echo "Can't retrieve Microsoft-Windows-WinRM/Operational Logs"
+catch {
+ # 如果获取 WinRM 日志失败,输出错误信息
+ echo "Can't retrieve Microsoft-Windows-WinRM/Operational Logs"
 }
-try{
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | export-csv wineventlog/Sysmon.csv
+# 尝试获取 Microsoft-Windows-Sysmon/Operational 日志并导出为 CSV 文件
+try {
+ Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | export-csv wineventlog/Sysmon.csv
 }
-catch
-{
-echo "Can't retrieve Microsoft-Windows-Sysmon/Operational Logs"
+catch {
+ # 如果获取 Sysmon 日志失败,输出错误信息
+ echo "Can't retrieve Microsoft-Windows-Sysmon/Operational Logs"
 }
-
-try{
-Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | export-csv wineventlog/Powershell_Operational.csv
+# 尝试获取 Microsoft-Windows-PowerShell/Operational 日志并导出为 CSV 文件
+try {
+ Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | export-csv wineventlog/Powershell_Operational.csv
 }
-catch
-{
-echo "Can't retrieve Microsoft-Windows-PowerShell/Operational Logs"
+catch {
+ # 如果获取 PowerShell Operational 日志失败,输出错误信息
+ echo "Can't retrieve Microsoft-Windows-PowerShell/Operational Logs"
 }
-
-try
-{
-Compress-Archive -Path wineventlog -DestinationPath ./logs.zip
+# 尝试压缩 "wineventlog" 目录为 logs.zip
+try {
+ Compress-Archive -Path wineventlog -DestinationPath ./logs.zip
 }
-catch
-{
-echo "couldn't compress the the log folder "
+catch {
+ # 如果压缩失败,输出错误信息
+ echo "couldn't compress the log folder"
 }
diff --git a/src/windows-log-collector-full-v3-EVTX.ps1 b/src/windows-log-collector-full-v3-EVTX.ps1
index 4b121d4..ab9417e 100644
--- a/src/windows-log-collector-full-v3-EVTX.ps1
+++ b/src/windows-log-collector-full-v3-EVTX.ps1
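Review bot: The new comments placed above each `catch` (for example `# 如果获取安全日志失败,输出错误信息`) state that a failed export is reported, but nothing in the `try` bodies makes a failure terminating: by default `Get-WinEvent`, `Export-Csv` and `New-Item` report a missing log, an access-denied read or an already-existing directory as non-terminating errors, which `try`/`catch` does not intercept, so the collector carries on and silently produces an empty or missing CSV. Each call in this hunk should carry `-ErrorAction Stop`, e.g. `Get-WinEvent -LogName System -ErrorAction Stop | Export-Csv wineventlog/System.csv -ErrorAction Stop`, and the handler should use `Write-Warning "Can't retrieve System Logs"` rather than `echo`, which is `Write-Output` and puts the diagnostic into the success stream a caller may be capturing. The Security block alone still uses `get-eventlog` while every other block uses `Get-WinEvent`; `Get-EventLog` is not available in PowerShell 7, so that block behaves differently across hosts and would be more consistent as `Get-WinEvent -LogName Security -ErrorAction Stop`. The comments themselves are the only documentation in the file and are in Chinese while every message string is English; a one-line English header stating what the script collects and that it expects an elevated session would help the next reader.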
@@ -1,101 +1,107 @@
-try{
-New-Item -ItemType "directory" -Path "wineventlog"
-
+# 尝试创建一个名为 "wineventlog" 的目录
+try {
+ New-Item -ItemType "directory" -Path "wineventlog"
 }
-catch
-{
-echo "can't create a new directory"
+catch {
+ # 如果创建目录失败,输出错误信息
+ echo "can't create a new directory"
 }
-try{
- wevtutil epl Security wineventlog/Security.evtx
+# 尝试导出安全日志到指定的 EVTX 文件
+try {
+ wevtutil epl Security wineventlog/Security.evtx
 }
-catch
-{
-echo "Can't retrieve Security Logs"
+catch {
+ # 如果导出安全日志失败,输出错误信息
+ echo "Can't retrieve Security Logs"
 }
-try
-{
- wevtutil epl System wineventlog/System.evtx
+# 尝试导出系统日志到指定的 EVTX 文件
+try {
+ wevtutil epl System wineventlog/System.evtx
 }
-catch
-{
-echo "Can't retrieve System Logs"
+catch {
+ # 如果导出系统日志失败,输出错误信息
+ echo "Can't retrieve System Logs"
 }
-try{
-wevtutil epl Application wineventlog/Application.evtx
+# 尝试导出应用程序日志到指定的 EVTX 文件
+try {
+ wevtutil epl Application wineventlog/Application.evtx
 }
-catch
-{
-echo "Can't retrieve Application Logs"
+catch {
+ # 如果导出应用程序日志失败,输出错误信息
+ echo "Can't retrieve Application Logs"
 }
-
-try{
-wevtutil epl "Windows PowerShell" wineventlog/Windows_PowerShell.evtx
+# 尝试导出 Windows PowerShell 日志到指定的 EVTX 文件
+try {
+ wevtutil epl "Windows PowerShell" wineventlog/Windows_PowerShell.evtx
 }
-catch
-{
-echo "Can't retrieve Windows PowerShell Logs"
+catch {
+ # 如果导出 Windows PowerShell 日志失败,输出错误信息
+ echo "Can't retrieve Windows PowerShell Logs"
 }
-try{
-wevtutil epl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" wineventlog/LocalSessionManager.evtx
+# 尝试导出 Microsoft-Windows-TerminalServices-LocalSessionManager/Operational 日志到指定的 EVTX 文件
+try {
+ wevtutil epl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" wineventlog/LocalSessionManager.evtx
 }
-catch
-{
-echo "Can't retrieve Microsoft-Windows-TerminalServices-LocalSessionManager/Operational Logs"
+catch {
+ # 如果导出 LocalSessionManager 日志失败,输出错误信息
+ echo "Can't retrieve Microsoft-Windows-TerminalServices-LocalSessionManager/Operational Logs"
 }
-try{
-wevtutil epl "Microsoft-Windows-Windows Defender/Operational" wineventlog/Windows_Defender.evtx
+# 尝试导出 Microsoft-Windows-Windows Defender/Operational 日志到指定的 EVTX 文件
+try {
+ wevtutil epl "Microsoft-Windows-Windows Defender/Operational" wineventlog/Windows_Defender.evtx
 }
-catch
-{
-echo "Can't retrieve Microsoft-Windows-Windows Defender/Operational Logs"
+catch {
+ # 如果导出 Windows Defender 日志失败,输出错误信息
+ echo "Can't retrieve Microsoft-Windows-Windows Defender/Operational Logs"
 }
-try{
-wevtutil epl Microsoft-Windows-TaskScheduler/Operational wineventlog/TaskScheduler.evtx
+# 尝试导出 Microsoft-Windows-TaskScheduler/Operational 日志到指定的 EVTX 文件
+try {
+ wevtutil epl Microsoft-Windows-TaskScheduler/Operational wineventlog/TaskScheduler.evtx
 }
-catch
-{
-echo "Can't retrieve Microsoft-Windows-TaskScheduler/Operational Logs"
+catch {
+ # 如果导出 TaskScheduler 日志失败,输出错误信息
+ echo "Can't retrieve Microsoft-Windows-TaskScheduler/Operational Logs"
 }
-try{
-wevtutil epl Microsoft-Windows-WinRM/Operational wineventlog/WinRM.evtx
+# 尝试导出 Microsoft-Windows-WinRM/Operational 日志到指定的 EVTX 文件
+try {
+ wevtutil epl Microsoft-Windows-WinRM/Operational wineventlog/WinRM.evtx
 }
-catch
-{
-echo "Can't retrieve Microsoft-Windows-WinRM/Operational Logs"
+catch {
+ # 如果导出 WinRM 日志失败,输出错误信息
+ echo "Can't retrieve Microsoft-Windows-WinRM/Operational Logs"
 }
-try{
-wevtutil epl Microsoft-Windows-Sysmon/Operational wineventlog/Sysmon.evtx
+# 尝试导出 Microsoft-Windows-Sysmon/Operational 日志到指定的 EVTX 文件
+try {
+ wevtutil epl Microsoft-Windows-Sysmon/Operational wineventlog/Sysmon.evtx
 }
-catch
-{
-echo "Can't retrieve Microsoft-Windows-Sysmon/Operational Logs"
+catch {
+ # 如果导出 Sysmon 日志失败,输出错误信息
+ echo "Can't retrieve Microsoft-Windows-Sysmon/Operational Logs"
 }
-
-try{
-wevtutil epl Microsoft-Windows-PowerShell/Operational wineventlog/Powershell_Operational.evtx
+# 尝试导出 Microsoft-Windows-PowerShell/Operational 日志到指定的 EVTX 文件
+try {
+ wevtutil epl Microsoft-Windows-PowerShell/Operational wineventlog/Powershell_Operational.evtx
 }
-catch
-{
-echo "Can't retrieve Microsoft-Windows-PowerShell/Operational Logs"
+catch {
+ # 如果导出 PowerShell Operational 日志失败,输出错误信息
+ echo "Can't retrieve Microsoft-Windows-PowerShell/Operational Logs"
 }
-
-try
-{
-Compress-Archive -Path wineventlog -DestinationPath ./logs.zip
-}
-catch
-{
-echo "couldn't compress the the log folder "
-}
+# 尝试压缩 "wineventlog" 目录为 logs.zip
+try {
+ Compress-Archive -Path wineventlog -DestinationPath ./logs.zip
+}
+catch {
+ # 如果压缩失败,输出错误信息
+ echo "couldn't compress the log folder"
+}
\ No newline at end of file
--
2.34.1
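Review bot: `wevtutil` is a native executable, so a failed export (log not present, or access denied when exporting Security from a non-elevated session) surfaces as a non-zero `$LASTEXITCODE` and text on stderr, never as a PowerShell exception; every `catch` around a `wevtutil epl` call in this hunk is therefore unreachable for the export itself, which contradicts the new comments such as `# 如果导出安全日志失败,输出错误信息`. Follow each call with an exit-code check, e.g. `wevtutil epl Security wineventlog/Security.evtx` then `if ($LASTEXITCODE -ne 0) { Write-Warning "Can't retrieve Security Logs" }`, and keep `try`/`catch` only around `New-Item` and `Compress-Archive`, each with `-ErrorAction Stop` so their non-terminating errors actually reach the handler. Using `Write-Warning` instead of `echo` also keeps the diagnostic out of the success stream. The rewritten `Compress-Archive` block ends with `\ No newline at end of file` although the removed version had a trailing newline, which is why its closing braces show as deleted and re-added; restoring the final newline keeps future diffs minimal.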