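<#
.SYNOPSIS
    Collects recent Windows event-log entries and shows them on screen or exports them to CSV,
    optionally writing a second CSV with identifying data masked.
.PARAMETER Min
    Look-back window in minutes (default 5). Only events with TimeCreated >= now - Min are collected.
.PARAMETER ExportPath
    Destination CSV path. When omitted the events are printed as a table. When given, the raw
    (unmasked) events are written to ExportPath and a masked copy to "<name>_masked<ext>" in the
    same directory.
#>
param(
    [int]$Min = 5,
    [string]$ExportPath
)

$ComputerName = $env:COMPUTERNAME
#$UserName = $env:USERNAME
$Domain = $env:USERDOMAIN

# Resolving the FQDN needs working DNS. A failure here must not abort the run (and should not
# print a red error): the masking function already treats an empty $Fqdn as "nothing to mask".
$Fqdn = $null
try {
    $Fqdn = [System.Net.Dns]::GetHostEntry($ComputerName).HostName
} catch {
    $Fqdn = $null
}

function Mask-EventLogSensitiveData {
    <#
    .SYNOPSIS
        Removes identifying tokens from a string so the text can be shared outside the host.
    .DESCRIPTION
        Processes, in order: the local FQDN / computer name / user domain, e-mail addresses,
        user-profile paths, DOMAIN\user tokens, UNC paths, IPv4, IPv6 and MAC addresses, SIDs,
        GUIDs and URL hosts (the URL scheme is kept). Matches are removed, not tokenised.
        Null or empty input is returned unchanged.
        Reads the script-level $Fqdn, $ComputerName and $Domain.
    .PARAMETER Text
        The string to mask. Accepts pipeline input.
    .OUTPUTS
        System.String - the masked text.
    #>
    param(
        [Parameter(ValueFromPipeline)]
        [AllowNull()]
        [string]$Text
    )
    process {
        if ([string]::IsNullOrEmpty($Text)) { return $Text }

        $masked = $Text

        # Local computer / user / domain.
        # Matched case-insensitively (-replace) on word boundaries: event messages mix upper- and
        # lower-case spellings of the host name, and the ordinal String.Replace left the other
        # spelling unmasked, while a short domain name such as "CORP" must not hit "corporate".
        # Placeholders are used so the DOMAIN\user and UNC patterns below do not mangle the
        # substitution; the placeholders are removed at the end.
        if ($Fqdn) {
            $masked = $masked -replace ('\b' + [regex]::Escape($Fqdn) + '\b'), '__COMPUTER__.__DOMAIN__'
        }
        if ($ComputerName) {
            $masked = $masked -replace ('\b' + [regex]::Escape($ComputerName) + '\b'), '__COMPUTER__'
        }
        #$masked = $masked.Replace($UserName, '__USER__')
        if ($Domain) {
            $masked = $masked -replace ('\b' + [regex]::Escape($Domain) + '\b'), '__DOMAIN__'
        }

        # mail address
        $masked = $masked -replace '\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b', ''
        # user profile path
        $masked = $masked -replace 'C:\\Users\\[^\\\s]+', 'C:\Users\'
        # domain user (DOMAIN\user)
        $masked = $masked -replace '\b[^\\\s]+\\[^\\\s]+\b', '\'
        # UNC path
        $masked = $masked -replace '\\\\[^\\\s]+\\[^\\\s]+', '\\\'
        # IPv4
        $masked = $masked -replace '\b(?:\d{1,3}\.){3}\d{1,3}\b', ''
        # IPv6. The negative lookahead keeps hh:mm:ss timestamps, which are common in event
        # messages and otherwise satisfy the "two or more colon groups" shape.
        $masked = $masked -replace '\b(?!\d{1,2}:\d{2}:\d{2}\b)(?:[0-9A-Fa-f]{1,4}:){2,}[0-9A-Fa-f:]{1,}\b', ''
        # MAC address
        $masked = $masked -replace '\b[0-9A-Fa-f]{2}([-:])[0-9A-Fa-f]{2}(?:\1[0-9A-Fa-f]{2}){4}\b', ''
        # SID
        $masked = $masked -replace 'S-\d(?:-\d+)+', ''
        # GUID
        $masked = $masked -replace '\{?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}?', ''
        # URL (FQDN host): keep the scheme, drop the host
        $masked = $masked -replace '(https?://)(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}', '${1}'
        # URL (hostname only)
        $masked = $masked -replace '(https?://)[A-Za-z0-9-]+(?=[:/]|$)', '${1}'

        # Drop the placeholders: the end result is erasure, like every other substitution above.
        $masked = $masked.Replace('__DOMAIN__', '')
        $masked = $masked.Replace('__USER__', '')
        $masked = $masked.Replace('__COMPUTER__', '')

        return $masked
    }
}

# Enabled, non-empty logs. Logs the caller cannot read raise non-terminating errors from
# Get-WinEvent itself, so the suppression belongs on the cmdlet (a "2>$null" on the .LogName
# expression does not reach it).
$logs = (Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled -and ($_.RecordCount -gt 0) }).LogName
$last = (Get-Date).AddMinutes(-$Min)

# Collect through the pipeline instead of array "+=" (which copies the array on every log).
# "No events were found" is reported as an error per log and is expected, hence SilentlyContinue.
$allEvents = @(foreach ($log in $logs) {
    Get-WinEvent -FilterHashtable @{
        LogName   = $log
        StartTime = $last
        #1 = Critical
        #2 = Error
        #3 = Warning
        #Level = 1,2,3
    } -ErrorAction SilentlyContinue
})

$result = $allEvents |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, Id, LevelDisplayName, MachineName, Message

if ([string]::IsNullOrWhiteSpace($ExportPath)) {
    # No export path: display on screen.
    $result | Format-Table -AutoSize
} else {
    # Export path given: write the raw events (unmasked) to the requested file.
    $result | Export-Csv -Path $ExportPath -NoTypeInformation -Encoding UTF8

    # Masked copy: MachineName and Message scrubbed.
    $maskedResult = $result | Select-Object TimeCreated, LogName, Id, LevelDisplayName,
        @{ Name = 'MachineName'; Expression = { Mask-EventLogSensitiveData $_.MachineName } },
        @{ Name = 'Message';     Expression = { Mask-EventLogSensitiveData $_.Message } }

    # Build "<dir>\<name>_masked<ext>" from the path components. A -replace on GetExtension()
    # treated ".csv" as a regex and rewrote every occurrence anywhere in the path, and with no
    # extension the empty pattern matched between every character.
    $dir        = [System.IO.Path]::GetDirectoryName($ExportPath)
    $baseName   = [System.IO.Path]::GetFileNameWithoutExtension($ExportPath)
    $ext        = [System.IO.Path]::GetExtension($ExportPath)
    $maskedPath = [System.IO.Path]::Combine($dir, $baseName + '_masked' + $ext)

    $maskedResult | Export-Csv -Path $maskedPath -NoTypeInformation -Encoding UTF8
}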