Last active
May 23, 2024 15:33
-
-
Save LM-CT/5ba41dbb0f632c328588fc8ee47774fc to your computer and use it in GitHub Desktop.
A simple script to manage Sysmon logs adapted from NVISO
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ErrorActionPreference = "Stop" | |
| # Define the Sysmon archive path, desired quota and query delay. | |
| $Archive_clean = "C:\Sysmon\" | |
| $Archive = $Archive_clean.Replace("\", "\\") | |
| $Limit = 2GB | |
| $Delay = 10 | |
| $FilterName = "SysmonArchiveWatcher" | |
| Write-Verbose "New WMI filter: $FilterName" | |
| $ConsumerName = "SysmonArchiveCleaner" | |
| Write-Verbose "New WMI event: $ConsumerName" | |
| $PreviousBindings = @(Get-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding | Where-Object {$_.Consumer.Name -Like $ConsumerName} ) | |
| if ($PreviousBindings.Count -ne 0){ | |
| Write-Verbose "Removing previous filter-event binding." | |
| $PreviousBindings | ForEach-Object { Remove-CimInstance $_ } | |
| } | |
| $PreviousFilters = @(Get-CimInstance -Namespace root/subscription -ClassName __EventFilter | Where-Object -Property Name -EQ $FilterName) | |
| if ($PreviousFilters.Count -ne 0){ | |
| Write-Verbose "Removing previous WMI filter." | |
| $PreviousFilters | ForEach-Object { Remove-CimInstance $_ } | |
| } | |
| $PreviousConsumers = @(Get-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer | Where-Object -Property Name -EQ $ConsumerName) | |
| if ($PreviousConsumers.Count -ne 0){ | |
| Write-Verbose "Removing previous WMI event." | |
| $PreviousConsumers | ForEach-Object { Remove-CimInstance $_ } | |
| } | |
| Write-Verbose "Creating WMI Filter, CommandLineConsumer and binding." | |
| # Create a WMI filter for files being created within the Sysmon archive. | |
| $Filter = New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property @{ | |
| Name = 'SysmonArchiveWatcher'; | |
| EventNameSpace = 'root\cimv2'; | |
| QueryLanguage = "WQL"; | |
| Query = $Query | |
| } | |
| # Create a WMI consumer which will clean up the Sysmon archive folder until the quota is reached. | |
| $Consumer = New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property @{ | |
| Name = 'SysmonArchiveCleaner'; | |
| ExecutablePath = (Get-Command PowerShell).Source; | |
| CommandLineTemplate = "-NoLogo -NoProfile -NonInteractive -WindowStyle Hidden -Command `"`$Archived = Get-ChildItem -Path '$Archive_clean' -File | Where-Object {`$_.LinkType -ne 'HardLink'} | Sort-Object -Property LastAccessTimeUtc; `$Size = (`$Archived | Measure-Object -Sum -Property Length).Sum; for(`$Index = 0; (`$Index -lt `$Archived.Count) -and (`$Size -gt $Limit); `$Index++){ try {`$Archived[`$Index] | Remove-Item -Force -ErrorAction Stop; `$Size -= `$Archived[`$Index].Length} catch {}}`"" | |
| } | |
| # Create a WMI binding from the filter to the consumer. | |
| New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property @{ | |
| Filter = [Ref]$Filter; | |
| Consumer = [Ref]$Consumer; | |
| } | |
| Write-Verbose "Created WMI instances" | |
| Get-CimInstance -Namespace root/subscription -ClassName __EventFilter | Where-Object -Property Name -EQ $FilterName | |
| Get-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer | Where-Object -Property Name -EQ $ConsumerName | |
| Get-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding | Where-Object {$_.Consumer.Name -Like $ConsumerName} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment