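<#
.SYNOPSIS
    Summarises recent Critical/Error events from the Windows event logs, scores
    them by priority, separates known noise from events worth attention, and
    optionally exports the result to CSV.

.NOTES
    Runs read-only against the local event logs (Get-WinEvent). All output goes
    to the console via Write-Host; the only file written is $CsvPath, and only
    when $ExportToCsv is $true.
#>

# Configuration - modify these values as needed
$LogNames = @("System", "Application", "Security")
$MaxEvents = 100                 # cap per Get-WinEvent call (newest events first)
$HoursBack = 24
$MessageMaxLength = 300
$IncludeWarnings = $false        # Set to $true to include Warning level events
$ExportToCsv = $false
# Written relative to the current working directory. The CSV contains the
# untruncated FullMessage column, which may carry user names, paths or other
# environment details - treat the file accordingly.
$CsvPath = "EventLogs_$(Get-Date -Format 'yyyyMMdd_HHmmss').csv"
$ShowNoiseEvents = $false        # Set to $true to show filtered noise events

# Known noise patterns (update based on your environment)
$NoisePatterns = @(
    @{ EventId = 11730; Source = "MsiInstaller"; Reason = "User attempted uninstall without admin rights" }
    @{ EventId = 10016; Source = "Microsoft-Windows-DistributedCOM"; Reason = "DCOM permission cosmetic errors" }
    @{ EventId = 1014; Source = "Microsoft-Windows-DNS-Client"; Reason = "DNS resolution timeout (usually transient)" }
    @{ EventId = 36888; Source = "Microsoft-Windows-Kernel-Power"; Reason = "Modern standby entry (informational)" }
)

# Critical event IDs that always warrant attention
$CriticalEventIds = @(
    @{ EventId = 7001; Source = "Service Control Manager"; Severity = "High"; Description = "Service crash" }
    @{ EventId = 7031; Source = "Service Control Manager"; Severity = "High"; Description = "Service terminated unexpectedly" }
    @{ EventId = 7034; Source = "Service Control Manager"; Severity = "High"; Description = "Service crashed" }
    @{ EventId = 41; Source = "Microsoft-Windows-Kernel-Power"; Severity = "Critical"; Description = "System reboot without clean shutdown" }
    @{ EventId = 6008; Source = "EventLog"; Severity = "Critical"; Description = "Unexpected shutdown" }
    @{ EventId = 55; Source = "Ntfs"; Severity = "Critical"; Description = "NTFS file system corruption" }
    @{ EventId = 7; Source = "Disk"; Severity = "Critical"; Description = "Bad block detected" }
    @{ EventId = 11; Source = "Disk"; Severity = "Critical"; Description = "Disk controller error" }
    @{ EventId = 153; Source = "Disk"; Severity = "Critical"; Description = "Disk I/O error" }
    @{ EventId = 4719; Source = "Microsoft-Windows-Security-Auditing"; Severity = "High"; Description = "System audit policy changed" }
)

# Critical sources to monitor even at Warning level
$CriticalSources = @(
    "Disk",
    "Ntfs",
    "volmgr",
    "volsnap",
    "Microsoft-Windows-Kernel-Power",
    "Service Control Manager",
    "Microsoft-Windows-WindowsUpdateClient"
)

# Security log entries are audit records logged at Level 0 (LogAlways) with the
# Audit Success / Audit Failure keywords, so a Level 1/2 filter returns nothing
# from that log. The Security log is therefore queried by the critical event IDs
# attributed to Microsoft-Windows-Security-Auditing above instead of by level.
$SecurityAuditProvider = "Microsoft-Windows-Security-Auditing"
$SecurityEventIds = @($CriticalEventIds |
    Where-Object { $_.Source -eq $SecurityAuditProvider } |
    ForEach-Object { [int]$_.EventId })

# Check for admin rights if Security log is requested
# NOTE(review): membership of the local "Event Log Readers" group may also
# grant read access to the Security log; this check only recognises
# Administrators and will skip the log for such accounts.
if ($LogNames -contains "Security") {
    $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) {
        Write-Host "WARNING: Security log requires administrator privileges. Skipping Security log." -ForegroundColor Yellow
        $LogNames = @($LogNames | Where-Object { $_ -ne "Security" })
    }
}

$StartTime = (Get-Date).AddHours(-$HoursBack)
# A List avoids the O(n^2) re-allocation of "$array += $item" in the loop.
$AllEvents = [System.Collections.Generic.List[object]]::new()

# Determine which levels to query
$Levels = @(1, 2)   # Critical, Error
if ($IncludeWarnings) {
    $Levels += 3    # Warning
}

#######################################
# Runs one Get-WinEvent query and normalises the "no events" case to an empty
# array. Any other failure is re-thrown for the caller to report.
# Arguments: -Filter  FilterHashtable passed to Get-WinEvent
#            -Max     value for -MaxEvents
# Returns:   array of EventLogRecord objects (possibly empty)
#######################################
function Invoke-EventQuery {
    param(
        [Parameter(Mandatory)][hashtable]$Filter,
        [Parameter(Mandatory)][int]$Max
    )
    try {
        return @(Get-WinEvent -FilterHashtable $Filter -MaxEvents $Max -ErrorAction Stop)
    } catch {
        # Get-WinEvent reports "nothing matched" as a terminating error under
        # -ErrorAction Stop. The error id is locale-independent; the message
        # match is kept as a fallback for hosts where the id differs.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*' -or
            $_.Exception.Message -match 'No events were found') {
            return @()
        }
        throw
    }
}

#######################################
# Classifies and scores one event record.
# Globals (read): $NoisePatterns, $CriticalEventIds, $CriticalSources,
#                 $MessageMaxLength
# Arguments: -Event  an EventLogRecord from Get-WinEvent
# Returns:   PSCustomObject with the display/export fields and a Priority score
#######################################
function ConvertTo-EventRecord {
    param([Parameter(Mandatory)]$Event)

    # Safe message handling - Message can be $null when the provider's
    # resource DLL is missing on this host.
    $RawMessage = if ($Event.Message) { $Event.Message } else { "(No message available)" }
    $TruncatedMessage = if ($RawMessage.Length -gt $MessageMaxLength) {
        $RawMessage.Substring(0, $MessageMaxLength) + "..."
    } else {
        $RawMessage
    }

    # Check if this is known noise (first matching pattern wins)
    $NoiseMatch = $NoisePatterns |
        Where-Object { $_.EventId -eq $Event.Id -and $_.Source -eq $Event.ProviderName } |
        Select-Object -First 1
    $IsNoise = $null -ne $NoiseMatch
    $NoiseReason = if ($NoiseMatch) { $NoiseMatch.Reason } else { $null }

    # Check if this is a critical event ("*" as Source matches any provider)
    $CriticalInfo = $CriticalEventIds |
        Where-Object { $_.EventId -eq $Event.Id -and ($_.Source -eq $Event.ProviderName -or $_.Source -eq "*") } |
        Select-Object -First 1
    $IsCritical = $null -ne $CriticalInfo

    # Check if source is critical
    $IsCriticalSource = $CriticalSources -contains $Event.ProviderName

    # Calculate priority score: level weight, then bonuses for known critical
    # IDs and critical sources; known noise is demoted to 1 regardless.
    $Priority = switch ($Event.Level) {
        1       { 100 }   # Critical level
        2       { 50 }    # Error level
        3       { 10 }    # Warning level
        default { 0 }
    }
    if ($IsCritical)       { $Priority += 200 }
    if ($IsCriticalSource) { $Priority += 50 }
    if ($IsNoise)          { $Priority = 1 }   # Demote noise

    # Create structured output object
    [PSCustomObject]@{
        TimeCreated         = $Event.TimeCreated
        LogName             = $Event.LogName
        Level               = $Event.LevelDisplayName
        EventId             = $Event.Id
        Source              = $Event.ProviderName
        Message             = $TruncatedMessage
        FullMessage         = $RawMessage
        IsNoise             = $IsNoise
        NoiseReason         = $NoiseReason
        IsCritical          = $IsCritical
        CriticalSeverity    = if ($CriticalInfo) { $CriticalInfo.Severity } else { $null }
        CriticalDescription = if ($CriticalInfo) { $CriticalInfo.Description } else { $null }
        IsCriticalSource    = $IsCriticalSource
        Priority            = $Priority
    }
}

foreach ($Log in $LogNames) {
    Write-Host "Querying $Log log..." -ForegroundColor Gray
    try {
        $Events = @()
        if ($Log -eq "Security") {
            if ($SecurityEventIds.Count -eq 0) {
                Write-Host "[INFO] No $SecurityAuditProvider event IDs configured; skipping $Log" -ForegroundColor Gray
                continue
            }
            $Events = Invoke-EventQuery -Max $MaxEvents -Filter @{
                LogName   = $Log
                Id        = $SecurityEventIds
                StartTime = $StartTime
            }
        } else {
            $Events = Invoke-EventQuery -Max $MaxEvents -Filter @{
                LogName   = $Log
                Level     = $Levels
                StartTime = $StartTime
            }
            # $CriticalSources are monitored at Warning level even when
            # warnings are otherwise excluded; Level 3 is disjoint from
            # $Levels here, so no duplicates are produced.
            if (-not $IncludeWarnings) {
                $Events += Invoke-EventQuery -Max $MaxEvents -Filter @{
                    LogName      = $Log
                    Level        = 3
                    ProviderName = $CriticalSources
                    StartTime    = $StartTime
                }
            }
        }

        foreach ($Event in $Events) {
            $AllEvents.Add((ConvertTo-EventRecord -Event $Event))
        }

        if ($Events.Count -eq 0) {
            $LevelText = if ($IncludeWarnings) { "Error/Critical/Warning" } else { "Error/Critical" }
            Write-Host "[INFO] No $LevelText events in $Log (last $HoursBack hours)" -ForegroundColor Green
        }
    } catch {
        Write-Host "WARNING: Failed to query $Log log: $($_.Exception.Message)" -ForegroundColor Yellow
    }
}

# Sort by priority (highest first), then by time (newest first).
# @(...) keeps $AllEvents an array even when only one event was found.
$AllEvents = @($AllEvents.ToArray() |
    Sort-Object @{Expression="Priority";Descending=$true}, @{Expression="TimeCreated";Descending=$true})

# Display events
Write-Host ""
Write-Host "===============================================================================" -ForegroundColor Cyan
Write-Host " EVENT LOG ANALYSIS " -ForegroundColor Cyan
Write-Host "===============================================================================" -ForegroundColor Cyan

$ImportantEvents = @($AllEvents | Where-Object { -not $_.IsNoise })
$NoiseEvents = @($AllEvents | Where-Object { $_.IsNoise })

if ($ImportantEvents.Count -gt 0) {
    Write-Host ""
    Write-Host "HIGH PRIORITY EVENTS ($($ImportantEvents.Count) found)" -ForegroundColor Red
    Write-Host "--------------------------------------------------------------------------------" -ForegroundColor DarkGray

    foreach ($Event in $ImportantEvents) {
        # Color coding based on severity
        $Color = switch ($Event.Level) {
            "Critical" { "Red" }
            "Error"    { "Yellow" }
            "Warning"  { "DarkYellow" }
            default    { "White" }
        }
        $Prefix = if ($Event.IsCritical) { "[!] CRITICAL" } elseif ($Event.IsCriticalSource) { "[!]" } else { "[-]" }

        Write-Host ""
        Write-Host "$Prefix [$($Event.TimeCreated)] [$($Event.Source)]" -ForegroundColor $Color
        Write-Host " Event ID: $($Event.EventId) | Level: $($Event.Level) | Priority Score: $($Event.Priority)" -ForegroundColor Gray
        if ($Event.CriticalDescription) {
            Write-Host " Known Issue: $($Event.CriticalDescription)" -ForegroundColor Magenta
        }
        Write-Host " $($Event.Message)" -ForegroundColor White
    }
} else {
    Write-Host ""
    Write-Host "No critical or error events requiring attention" -ForegroundColor Green
}

if ($NoiseEvents.Count -gt 0) {
    if ($ShowNoiseEvents) {
        Write-Host ""
        Write-Host ""
        Write-Host "NOISE EVENTS ($($NoiseEvents.Count) found - likely ignorable)" -ForegroundColor DarkGray
        Write-Host "--------------------------------------------------------------------------------" -ForegroundColor DarkGray
        foreach ($Event in $NoiseEvents) {
            Write-Host ""
            Write-Host "[-] [$($Event.TimeCreated)] [$($Event.Source)]" -ForegroundColor DarkGray
            Write-Host " Event ID: $($Event.EventId) | Reason: $($Event.NoiseReason)" -ForegroundColor DarkGray
            Write-Host " $($Event.Message)" -ForegroundColor DarkGray
        }
    } else {
        Write-Host ""
        Write-Host ""
        Write-Host "$($NoiseEvents.Count) noise events filtered out (set ShowNoiseEvents = true to display)" -ForegroundColor DarkGray
    }
}

# Event distribution analysis
Write-Host ""
Write-Host ""
Write-Host "===============================================================================" -ForegroundColor Cyan
Write-Host " PATTERN ANALYSIS " -ForegroundColor Cyan
Write-Host "===============================================================================" -ForegroundColor Cyan

$EventGroups = $AllEvents | Group-Object Source | Sort-Object Count -Descending
Write-Host ""
Write-Host "Event Distribution by Source:" -ForegroundColor White
foreach ($Group in $EventGroups) {
    $NoiseCount = @($Group.Group | Where-Object IsNoise).Count
    $CriticalCount = @($Group.Group | Where-Object IsCritical).Count
    $SourceDisplay = " $($Group.Name): $($Group.Count) events"
    Write-Host $SourceDisplay -ForegroundColor White -NoNewline
    if ($CriticalCount -gt 0) {
        Write-Host " [$CriticalCount CRITICAL]" -ForegroundColor Red -NoNewline
    }
    if ($NoiseCount -gt 0) {
        Write-Host " ($NoiseCount noise)" -ForegroundColor DarkGray -NoNewline
    }
    Write-Host ""
}

# Frequency analysis for repeated events (top 5 by occurrence count)
$FrequentEvents = $AllEvents |
    Group-Object EventId, Source |
    Where-Object { $_.Count -gt 1 } |
    Sort-Object Count -Descending |
    Select-Object -First 5
if ($FrequentEvents) {
    Write-Host ""
    Write-Host "Most Frequent Events (possible recurring issues):" -ForegroundColor Yellow
    foreach ($FreqEvent in $FrequentEvents) {
        $Sample = $FreqEvent.Group[0]
        Write-Host " Event $($Sample.EventId) from $($Sample.Source): occurred $($FreqEvent.Count) times" -ForegroundColor White
        if ($Sample.IsNoise) {
            Write-Host " (Known noise pattern)" -ForegroundColor DarkGray
        }
    }
}

# Summary statistics
$CriticalIdCount = @($AllEvents | Where-Object IsCritical).Count
Write-Host ""
Write-Host ""
Write-Host "===============================================================================" -ForegroundColor Cyan
Write-Host " SUMMARY " -ForegroundColor Cyan
Write-Host "===============================================================================" -ForegroundColor Cyan
Write-Host ""
Write-Host "Total events found: $($AllEvents.Count)" -ForegroundColor White
Write-Host " - Requiring attention: $($ImportantEvents.Count)" -ForegroundColor $(if ($ImportantEvents.Count -gt 0) { "Yellow" } else { "Green" })
Write-Host " - Known noise: $($NoiseEvents.Count)" -ForegroundColor DarkGray
Write-Host " - Critical events: $CriticalIdCount" -ForegroundColor $(if ($CriticalIdCount -gt 0) { "Red" } else { "Green" })

$CriticalLevelCount = @($AllEvents | Where-Object { $_.Level -eq "Critical" }).Count
$ErrorCount = @($AllEvents | Where-Object { $_.Level -eq "Error" }).Count
$WarningCount = @($AllEvents | Where-Object { $_.Level -eq "Warning" }).Count
Write-Host ""
Write-Host "By Severity:" -ForegroundColor White
if ($CriticalLevelCount -gt 0) { Write-Host " Critical: $CriticalLevelCount" -ForegroundColor Red }
if ($ErrorCount -gt 0) { Write-Host " Error: $ErrorCount" -ForegroundColor Yellow }
if ($WarningCount -gt 0) { Write-Host " Warning: $WarningCount" -ForegroundColor DarkYellow }

Write-Host ""
Write-Host "Time range analyzed: Last $HoursBack hours" -ForegroundColor White
Write-Host "Analysis completed: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')" -ForegroundColor White

# Recommendations
if ($ImportantEvents.Count -eq 0 -and $AllEvents.Count -gt 0) {
    Write-Host ""
    Write-Host "System appears healthy. All events are known noise patterns." -ForegroundColor Green
} elseif ($ImportantEvents.Count -gt 0) {
    $CriticalImportant = @($ImportantEvents | Where-Object { $_.IsCritical -or $_.Level -eq "Critical" })
    if ($CriticalImportant.Count -gt 0) {
        Write-Host ""
        Write-Host "ATTENTION REQUIRED: $($CriticalImportant.Count) critical events detected!" -ForegroundColor Red
        Write-Host "Review the events above and take appropriate action." -ForegroundColor Yellow
    }
}

# Export option. Explicit UTF-8 keeps non-ASCII characters in event messages
# intact (Windows PowerShell 5.1 defaults Export-Csv to ASCII).
if ($ExportToCsv -and $AllEvents.Count -gt 0) {
    $AllEvents | Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8
    Write-Host ""
    Write-Host "Events exported to: $CsvPath" -ForegroundColor Green
}

Write-Host ""
Write-Host "===============================================================================" -ForegroundColor Cyan
Write-Host ""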