From 62ed5cb1f547947a468cdd5d5929e32188ff3add Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Thu, 17 Apr 2025 23:39:51 +0900 Subject: [PATCH 01/18] feat: check size setting --- .github/workflows/check-audit.yml | 2 +- WELA.ps1 | 56 ++++++++++++++++++++++++++++--- 2 files changed, 53 insertions(+), 5 deletions(-) diff --git a/.github/workflows/check-audit.yml b/.github/workflows/check-audit.yml index 8c470d1d..d4280d82 100644 --- a/.github/workflows/check-audit.yml +++ b/.github/workflows/check-audit.yml @@ -49,7 +49,7 @@ jobs: - name: Run WELA.ps1 run: | - ./WELA.ps1 audit + ./WELA.ps1 audit-settings - name: Output UsableRules.csv run: | diff --git a/WELA.ps1 b/WELA.ps1 index 86066b53..6df2c151 100644 --- a/WELA.ps1 +++ b/WELA.ps1 
@@ -1428,6 +1428,50 @@ function AuditLogSetting { } +function AuditFileSize { + # 対象のイベントログ名をハッシュテーブル化 + $logNames = @{ + "Application" = @("20MB", "128MB+") + "Microsoft-Windows-AppLocker/EXE and DLL" = @("1MB", "256MB+") + "Microsoft-Windows-AppLocker/MSI and Script" = @("1MB", "256MB+") + "Microsoft-Windows-AppLocker/Packaged app-Deployment" = @("1MB", "256MB+") + "Microsoft-Windows-AppLocker/Packaged app-Execution" = @("1MB", "256MB+") + "Microsoft-Windows-Bits-Client/Analytic" = @("1MB", "128MB+") + "Microsoft-Windows-Bits-Client/Operational" = @("1MB", "128MB+") + "Microsoft-Windows-CodeIntegrity/Operational" = @("1MB", "128MB+") + "Microsoft-Windows-DriverFrameworks-UserMode/Operational" = @("1MB", "128MB+") + "Microsoft-Windows-PowerShell/Operational" = @("20MB", "TBD") + "Microsoft-Windows-PrintService/Admin" = @("1MB", "128MB+") + "Microsoft-Windows-PrintService/Operational" = @("1MB", "128MB+") + "Microsoft-Windows-Security-Mitigations/KernelMode" = @("1MB", "128MB+") + "Microsoft-Windows-Security-Mitigations/UserMode" = @("1MB", "128MB+") + "Microsoft-Windows-SmbClient/Security" = @("8MB", "128MB+") + "Microsoft-Windows-TaskScheduler/Operational" = @("1MB", "128MB+") + "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" = @("1MB", "128MB+") + "Microsoft-Windows-Windows Defender/Operational" = @("16MB", "128MB+") + "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" = @("1MB", "256MB+") + "Security" = @("20MB", "256MB+") + "System" = @("20MB", "128MB+") + "Windows PowerShell" = @("15MB", "TBD") + } + + $results = @() + + foreach ($logName in $logNames.Keys) { + $logInfo = Get-WinEvent -ListLog $logName -ErrorAction Stop + $results += [PSCustomObject]@{ + LogName = $logInfo.LogName + LogSize = "{0:N2} MB" -f ($logInfo.FileSize / 1MB) + MaxLogSize = "{0:N2} MB" -f ($logInfo.MaximumSizeInBytes / 1MB) + Description1 = $logNames[$logName][0] # + Description2 = $logNames[$logName][1] # + } + } + + $results | Format-Table 
-AutoSize +} + + $logo = @" ┏┓┏┓┏┳━━━┳┓ ┏━━━┓ ┃┃┃┃┃┃┏━━┫┃ ┃┏━┓┃ @@ -1441,9 +1485,9 @@ $logo = @" $help = @" Usage: - ./WELA.ps1 audit # Audit current setting and show in stdout, save to csv - ./WELA.ps1 audit gui # Audit current setting and show in gui, save to csv - ./WELA.ps1 audit table # Audit current setting and show in table layout, save to csv + ./WELA.ps1 audit-settings # Audit current setting and show in stdout, save to csv + ./WELA.ps1 audit-settings gui # Audit current setting and show in gui, save to csv + ./WELA.ps1 audit-settings table # Audit current setting and show in table layout, save to csv ./WELA.ps1 help # Show this help "@ @@ -1458,7 +1502,7 @@ if ($args.Count -eq 0) { $command = $args[0].ToLower() switch ($command) { - "audit" { + "audit-settings" { $outType = "std" $debug = $false if ($args.Count -eq 2) { @@ -1470,6 +1514,10 @@ switch ($command) { } AuditLogSetting $outType $debug } + "audit-filesize" { + AuditFileSize + } + "help" { Write-Host $help } From ad54ac54d7193f5eae388755e290fd17bfdf3ce1 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Thu, 17 Apr 2025 23:41:49 +0900 Subject: [PATCH 02/18] feat: check size setting --- .github/workflows/check-audit.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/check-audit.yml b/.github/workflows/check-audit.yml index d4280d82..a46152b4 100644 --- a/.github/workflows/check-audit.yml +++ b/.github/workflows/check-audit.yml @@ -47,10 +47,14 @@ jobs: # $duration = $endTime - $startTime # Write-Output "Duration: $duration" - - name: Run WELA.ps1 + - name: Run WELA.ps1 audit-settings run: | ./WELA.ps1 audit-settings + - name: Run WELA.ps1 audit-filesize + run: | + ./WELA.ps1 audit-filesize + - name: Output UsableRules.csv run: | Get-Content UsableRules.csv From 5cfff69738e85be745ec8c55455bf9730f6c5a19 Mon Sep 17 00:00:00 2001 
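Review bot: `Get-WinEvent -ListLog $logName -ErrorAction Stop` inside the foreach turns a single absent channel into a terminating error, so on a host where one of the listed channels (AppLocker, PrintService, Bits-Client/Analytic and similar are often not registered) is missing the whole audit-filesize run dies before any row is shown, and the operator learns nothing about the other channels. For an audit, a channel that cannot be read is itself a finding; catch the error per channel, record the row as unreadable and continue (rewrite below). The hashtable also deserves a comment stating what the two array elements mean, something like `# value = @(<Windows default maximum size>, <recommended minimum maximum size>)`, because `Description1`/`Description2` do not say. Recording `IsEnabled` from the same EventLogConfiguration object is worth considering too, since a channel sized correctly but disabled still collects nothing.
```powershell
    foreach ($logName in $logNames.Keys) {
        try {
            $logInfo = Get-WinEvent -ListLog $logName -ErrorAction Stop
        } catch {
            # A channel that is absent or unreadable is itself an audit finding; record it and keep going
            Write-Warning "Cannot read configuration of log '$logName': $($_.Exception.Message)"
            $results += [PSCustomObject]@{
                LogName      = $logName
                LogSize      = "N/A"
                MaxLogSize   = "N/A"
                Description1 = $logNames[$logName][0]
                Description2 = $logNames[$logName][1]
            }
            continue
        }
        # … unchanged: append the PSCustomObject row built from $logInfo …
    }
```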
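Review bot: Renaming the `"audit"` case to `"audit-settings"` removes the old command name without an alias, so any existing invocation of `./WELA.ps1 audit` (wrapper scripts, scheduled tasks, external documentation) now falls through to whatever the switch does for an unknown command, which lies outside this hunk. Accepting both spellings costs one line, `{ $_ -in "audit", "audit-settings" } {` in place of `"audit-settings" {`, or a separate `"audit"` case that prints a deprecation warning before calling `AuditLogSetting`. The new `"audit-filesize"` case also silently ignores any extra argument such as `gui`/`table` that the help text lists for audit-settings; either reject a second argument or state in the help line that audit-filesize takes none. The rest of the dispatcher, including its default branch, is outside the hunk.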
From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Thu, 17 Apr 2025 23:44:26 +0900 Subject: [PATCH 03/18] feat: check size setting --- WELA.ps1 | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/WELA.ps1 b/WELA.ps1 index 6df2c151..3067c50c 100644 --- a/WELA.ps1 +++ b/WELA.ps1 @@ -1440,7 +1440,7 @@ function AuditFileSize { "Microsoft-Windows-Bits-Client/Operational" = @("1MB", "128MB+") "Microsoft-Windows-CodeIntegrity/Operational" = @("1MB", "128MB+") "Microsoft-Windows-DriverFrameworks-UserMode/Operational" = @("1MB", "128MB+") - "Microsoft-Windows-PowerShell/Operational" = @("20MB", "TBD") + "Microsoft-Windows-PowerShell/Operational" = @("20MB", "256MB+") "Microsoft-Windows-PrintService/Admin" = @("1MB", "128MB+") "Microsoft-Windows-PrintService/Operational" = @("1MB", "128MB+") "Microsoft-Windows-Security-Mitigations/KernelMode" = @("1MB", "128MB+") @@ -1452,7 +1452,7 @@ function AuditFileSize { "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" = @("1MB", "256MB+") "Security" = @("20MB", "256MB+") "System" = @("20MB", "128MB+") - "Windows PowerShell" = @("15MB", "TBD") + "Windows PowerShell" = @("15MB", "256MB+") } $results = @() @@ -1461,10 +1461,10 @@ function AuditFileSize { $logInfo = Get-WinEvent -ListLog $logName -ErrorAction Stop $results += [PSCustomObject]@{ LogName = $logInfo.LogName - LogSize = "{0:N2} MB" -f ($logInfo.FileSize / 1MB) + CurrentLogSize = "{0:N2} MB" -f ($logInfo.FileSize / 1MB) MaxLogSize = "{0:N2} MB" -f ($logInfo.MaximumSizeInBytes / 1MB) - Description1 = $logNames[$logName][0] # - Description2 = $logNames[$logName][1] # + Default = $logNames[$logName][0] # + Recommended = $logNames[$logName][1] # } } From 1052a795b1b61091bb98fe7c20dea6048af7faee Mon Sep 17 00:00:00 2001 
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Thu, 17 Apr 2025 23:46:14 +0900
Subject: [PATCH 04/18] feat: check size setting

---
 WELA.ps1 | 42 +++++++++++++++++++++---------------------
 1 file changed, 21 insertions(+), 21 deletions(-)

diff --git a/WELA.ps1 b/WELA.ps1
index 3067c50c..4cabc2d7 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -1431,28 +1431,28 @@ function AuditLogSetting { function AuditFileSize { # 対象のイベントログ名をハッシュテーブル化 $logNames = @{ - "Application" = @("20MB", "128MB+") - "Microsoft-Windows-AppLocker/EXE and DLL" = @("1MB", "256MB+") - "Microsoft-Windows-AppLocker/MSI and Script" = @("1MB", "256MB+") - "Microsoft-Windows-AppLocker/Packaged app-Deployment" = @("1MB", "256MB+") - "Microsoft-Windows-AppLocker/Packaged app-Execution" = @("1MB", "256MB+") - "Microsoft-Windows-Bits-Client/Analytic" = @("1MB", "128MB+") - "Microsoft-Windows-Bits-Client/Operational" = @("1MB", "128MB+") - "Microsoft-Windows-CodeIntegrity/Operational" = @("1MB", "128MB+") - "Microsoft-Windows-DriverFrameworks-UserMode/Operational" = @("1MB", "128MB+") - "Microsoft-Windows-PowerShell/Operational" = @("20MB", "256MB+") - "Microsoft-Windows-PrintService/Admin" = @("1MB", "128MB+") - "Microsoft-Windows-PrintService/Operational" = @("1MB", "128MB+") - "Microsoft-Windows-Security-Mitigations/KernelMode" = @("1MB", "128MB+") - "Microsoft-Windows-Security-Mitigations/UserMode" = @("1MB", "128MB+") - "Microsoft-Windows-SmbClient/Security" = @("8MB", "128MB+") - "Microsoft-Windows-TaskScheduler/Operational" = @("1MB", "128MB+") - "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" = @("1MB", "128MB+") + "Application" = @("20 MB", "128 MB+") + "Microsoft-Windows-AppLocker/EXE and DLL" = @("1 MB", "256 MB+") + "Microsoft-Windows-AppLocker/MSI and Script" = @("1 MB", "256 MB+") + "Microsoft-Windows-AppLocker/Packaged app-Deployment" = @("1 MB", "256 MB+") + "Microsoft-Windows-AppLocker/Packaged app-Execution" = @("1 MB", "256 MB+") + "Microsoft-Windows-Bits-Client/Analytic" = @("1 MB", "128 MB+") + "Microsoft-Windows-Bits-Client/Operational" = @("1 MB", "128 MB+") + "Microsoft-Windows-CodeIntegrity/Operational" = @("1 MB", "128 MB+") + "Microsoft-Windows-DriverFrameworks-UserMode/Operational" = @("1 MB", "128 MB+") + "Microsoft-Windows-PowerShell/Operational" = @("20 MB", "256 MB+") + 
"Microsoft-Windows-PrintService/Admin" = @("1 MB", "128 MB+") + "Microsoft-Windows-PrintService/Operational" = @("1 MB", "128 MB+") + "Microsoft-Windows-Security-Mitigations/KernelMode" = @("1 MB", "128 MB+") + "Microsoft-Windows-Security-Mitigations/UserMode" = @("1 MB", "128 MB+") + "Microsoft-Windows-SmbClient/Security" = @("8 MB", "128 MB+") + "Microsoft-Windows-TaskScheduler/Operational" = @("1 MB", "128 MB+") + "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" = @("1 MB", "128 MB+") "Microsoft-Windows-Windows Defender/Operational" = @("16MB", "128MB+") - "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" = @("1MB", "256MB+") - "Security" = @("20MB", "256MB+") - "System" = @("20MB", "128MB+") - "Windows PowerShell" = @("15MB", "256MB+") + "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" = @("1 MB", "256 MB+") + "Security" = @("20 MB", "256 MB+") + "System" = @("20 MB", "128 MB+") + "Windows PowerShell" = @("15 MB", "256 MB+") } $results = @() From 7ab8a2102da31754b17877966597c608c2ea0fc7 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Thu, 17 Apr 2025 23:47:56 +0900 Subject: [PATCH 05/18] feat: check size setting --- WELA.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/WELA.ps1 b/WELA.ps1 index 4cabc2d7..2474a32c 100644 --- a/WELA.ps1 +++ b/WELA.ps1 @@ -1457,7 +1457,7 @@ function AuditFileSize { $results = @() - foreach ($logName in $logNames.Keys) { + foreach ($logName in $logNames.Keys | Sort-Object) { $logInfo = Get-WinEvent -ListLog $logName -ErrorAction Stop $results += [PSCustomObject]@{ LogName = $logInfo.LogName From cd377bf456c12c4eb92781177212113d6b522aaf Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Thu, 17 Apr 2025 23:51:19 +0900 Subject: [PATCH 06/18] feat: check size setting --- WELA.ps1 | 1 + 1 file changed, 1 insertion(+) 
diff --git a/WELA.ps1 b/WELA.ps1
index 2474a32c..7765f963 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -1461,6 +1461,7 @@ function AuditFileSize {
         $logInfo = Get-WinEvent -ListLog $logName -ErrorAction Stop
         $results += [PSCustomObject]@{
             LogName = $logInfo.LogName
+            LogFilePath = Split-Path $logInfo.LogFilePath -Leaf
             CurrentLogSize = "{0:N2} MB" -f ($logInfo.FileSize / 1MB)
             MaxLogSize = "{0:N2} MB" -f ($logInfo.MaximumSizeInBytes / 1MB)
             Default = $logNames[$logName][0] #
From f5b2751ddab1f09941340a2223802168dad5b3bd Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Thu, 17 Apr 2025 23:53:08 +0900
Subject: [PATCH 07/18] feat: check size setting

---
 WELA.ps1 | 1 -
 1 file changed, 1 deletion(-)

diff --git a/WELA.ps1 b/WELA.ps1
index 7765f963..1b23c7cb 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -1460,7 +1460,6 @@ function AuditFileSize {
     foreach ($logName in $logNames.Keys | Sort-Object) {
         $logInfo = Get-WinEvent -ListLog $logName -ErrorAction Stop
         $results += [PSCustomObject]@{
-            LogName = $logInfo.LogName
             LogFilePath = Split-Path $logInfo.LogFilePath -Leaf
             CurrentLogSize = "{0:N2} MB" -f ($logInfo.FileSize / 1MB)
             MaxLogSize = "{0:N2} MB" -f ($logInfo.MaximumSizeInBytes / 1MB)
From d87a05bb002e46c58953b4e0bc348dc6618a5fac Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Thu, 17 Apr 2025 23:57:20 +0900
Subject: [PATCH 08/18] feat: check size setting

---
 WELA.ps1 | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/WELA.ps1 b/WELA.ps1
index 1b23c7cb..edb900c4 100644
--- a/WELA.ps1
+++ b/WELA.ps1
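Review bot: Dropping `LogName` in favour of the `.evtx` leaf name loses the identifier the rest of the tooling keys on: the on-disk file name encodes the `/` of a channel name as `%4` (for example `Microsoft-Windows-PowerShell%4Operational.evtx`), so anyone consuming these rows later can no longer match them against `Get-WinEvent -LogName` or wevtutil output without decoding it. Keep both columns, `LogName = $logInfo.LogName` directly above `LogFilePath = Split-Path $logInfo.LogFilePath -Leaf`. Patch 6's `Split-Path` call would also throw if `LogFilePath` were ever null for a channel; I have not confirmed that any registered channel reports a null path, so a guard such as `if ($logInfo.LogFilePath) { Split-Path $logInfo.LogFilePath -Leaf } else { "N/A" }` is precautionary. The foreach enclosing these lines starts and ends outside patch 6's hunk.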
@@ -1440,6 +1440,7 @@ function AuditFileSize {
         "Microsoft-Windows-Bits-Client/Operational" = @("1 MB", "128 MB+")
         "Microsoft-Windows-CodeIntegrity/Operational" = @("1 MB", "128 MB+")
         "Microsoft-Windows-DriverFrameworks-UserMode/Operational" = @("1 MB", "128 MB+")
+        "Microsoft-Windows-NTLM/Operational" = @("1 MB", "128 MB+")
         "Microsoft-Windows-PowerShell/Operational" = @("20 MB", "256 MB+")
         "Microsoft-Windows-PrintService/Admin" = @("1 MB", "128 MB+")
         "Microsoft-Windows-PrintService/Operational" = @("1 MB", "128 MB+")
@@ -1450,6 +1451,7 @@ function AuditFileSize {
         "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" = @("1 MB", "128 MB+")
         "Microsoft-Windows-Windows Defender/Operational" = @("16MB", "128MB+")
         "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" = @("1 MB", "256 MB+")
+        "Microsoft-Windows-WMI-Activity/Operational" = @("1 MB", "128 MB+")
         "Security" = @("20 MB", "256 MB+")
         "System" = @("20 MB", "128 MB+")
         "Windows PowerShell" = @("15 MB", "256 MB+")
From 1a94a1be2411b9023fbb7550880c94c277b097e6 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Thu, 17 Apr 2025 23:57:48 +0900
Subject: [PATCH 09/18] feat: check size setting

---
 WELA.ps1 | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/WELA.ps1 b/WELA.ps1
index edb900c4..6266bc3e 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -1471,6 +1471,8 @@ function AuditFileSize {
     }

     $results | Format-Table -AutoSize
+    $results | Export-Csv -Path "WELA-FileSize-Result.csv" -NoTypeInformation
+    Write-Host "Audit file size result saved to: WELA-FileSize-Result.csv"
 }


From b8714c1a64d3b8da58bd18dd47ad478594e77ebd Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Fri, 18 Apr 2025 00:02:44 +0900
Subject: [PATCH 10/18] feat: check size setting

---
 WELA.ps1 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/WELA.ps1 b/WELA.ps1
index 6266bc3e..2ad32354 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -1492,6 +1492,7 @@ Usage:
     ./WELA.ps1 audit-settings # Audit current setting and show in stdout, save to csv
     ./WELA.ps1 audit-settings gui # Audit current setting and show in gui, save to csv
     ./WELA.ps1 audit-settings table # Audit current setting and show in table layout, save to csv
+    ./WELA.ps1 audit-filesize # Audit current file size and show in stdout, save to csv
     ./WELA.ps1 help # Show this help
 "@

From 0d87e79731e9e721aaea45e1f1dd9915ef435d1d Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Fri, 18 Apr 2025 14:47:15 +0900
Subject: [PATCH 11/18] feat: check size setting

---
 WELA.ps1 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/WELA.ps1 b/WELA.ps1
index 2ad32354..665aa95b 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -1463,8 +1463,8 @@ function AuditFileSize {
         $logInfo = Get-WinEvent -ListLog $logName -ErrorAction Stop
         $results += [PSCustomObject]@{
             LogFilePath = Split-Path $logInfo.LogFilePath -Leaf
-            CurrentLogSize = "{0:N2} MB" -f ($logInfo.FileSize / 1MB)
-            MaxLogSize = "{0:N2} MB" -f ($logInfo.MaximumSizeInBytes / 1MB)
+            CurrentLogSize = "{0} MB" -f ($logInfo.FileSize / 1MB)
+            MaxLogSize = "{0} MB" -f ($logInfo.MaximumSizeInBytes / 1MB)
             Default = $logNames[$logName][0] #
             Recommended = $logNames[$logName][1] #
         }
From ebcc05629a7a5ade11e767ef6324c3fa9ab511ef Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Fri, 18 Apr 2025 14:52:39 +0900
Subject: [PATCH 12/18] feat: check size setting

---
 WELA.ps1 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/WELA.ps1 b/WELA.ps1
index 665aa95b..2ad32354 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -1463,8 +1463,8 @@ function AuditFileSize {
         $logInfo = Get-WinEvent -ListLog $logName -ErrorAction Stop
         $results += [PSCustomObject]@{
             LogFilePath = Split-Path $logInfo.LogFilePath -Leaf
-            CurrentLogSize = "{0} MB" -f ($logInfo.FileSize / 1MB)
-            MaxLogSize = "{0} MB" -f ($logInfo.MaximumSizeInBytes / 1MB)
+            CurrentLogSize = "{0:N2} MB" -f ($logInfo.FileSize / 1MB)
+            MaxLogSize = "{0:N2} MB" -f ($logInfo.MaximumSizeInBytes / 1MB)
             Default = $logNames[$logName][0] #
             Recommended = $logNames[$logName][1] #
         }
From 29c36b14c6d9dab6029b837e1d0bd9016b6db594 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Fri, 18 Apr 2025 14:54:00 +0900
Subject: [PATCH 13/18] feat: check size setting

---
 WELA.ps1 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/WELA.ps1 b/WELA.ps1
index 2ad32354..5c731eae 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -1464,9 +1464,9 @@ function AuditFileSize {
         $results += [PSCustomObject]@{
             LogFilePath = Split-Path $logInfo.LogFilePath -Leaf
             CurrentLogSize = "{0:N2} MB" -f ($logInfo.FileSize / 1MB)
-            MaxLogSize = "{0:N2} MB" -f ($logInfo.MaximumSizeInBytes / 1MB)
-            Default = $logNames[$logName][0] #
-            Recommended = $logNames[$logName][1] #
+            MaxLogSize = "{0} MB" -f [math]::Floor($logInfo.MaximumSizeInBytes / 1MB)
+            Default = $logNames[$logName][0]
+            Recommended = $logNames[$logName][1]
         }
     }

From 848851db4431279d663869c12eaec3161d6af2ed Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Fri, 18 Apr 2025 14:56:23 +0900
Subject: [PATCH 14/18] add space

---
 WELA.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/WELA.ps1 b/WELA.ps1
index 5c731eae..ecc47cc3 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -1449,7 +1449,7 @@ function AuditFileSize {
         "Microsoft-Windows-SmbClient/Security" = @("8 MB", "128 MB+")
         "Microsoft-Windows-TaskScheduler/Operational" = @("1 MB", "128 MB+")
         "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" = @("1 MB", "128 MB+")
-        "Microsoft-Windows-Windows Defender/Operational" = @("16MB", "128MB+")
+        "Microsoft-Windows-Windows Defender/Operational" = @("16MB", "128 MB+")
         "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" = @("1 MB", "256 MB+")
         "Microsoft-Windows-WMI-Activity/Operational" = @("1 MB", "128 MB+")
         "Security" = @("20 MB", "256 MB+")
From 2b6398d9903b43aa6a4611cf273350de01e2967a Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Sun, 20 Apr 2025 09:14:23 +0900
Subject: [PATCH 15/18] add color table

---
 WELA.ps1 | 43 +++++++++++++++++++++++++++++++++++++------
 1 file changed, 37 insertions(+), 6 deletions(-)

diff --git a/WELA.ps1 b/WELA.ps1
index ecc47cc3..75c9d7e4 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -1461,17 +1461,48 @@ function AuditFileSize { foreach ($logName in $logNames.Keys | Sort-Object) { $logInfo = Get-WinEvent -ListLog $logName -ErrorAction Stop + $maxLogSize = [math]::Floor($logInfo.MaximumSizeInBytes / 1MB) + $recommendedSize = [int]($logNames[$logName][1] -replace " MB\+?", "") + $correctSetting = if ($maxLogSize -ge $recommendedSize) { "Y" } else { "N" } + $results += [PSCustomObject]@{ - LogFilePath = Split-Path $logInfo.LogFilePath -Leaf - CurrentLogSize = "{0:N2} MB" -f ($logInfo.FileSize / 1MB) - MaxLogSize = "{0} MB" -f [math]::Floor($logInfo.MaximumSizeInBytes / 1MB) - Default = $logNames[$logName][0] - Recommended = $logNames[$logName][1] + LogFilePath = Split-Path $logInfo.LogFilePath -Leaf + CurrentLogSize = "{0:N2} MB" -f ($logInfo.FileSize / 1MB) + MaxLogSize = "$maxLogSize MB" + Default = $logNames[$logName][0] + Recommended = $logNames[$logName][1] + CorrectSetting = $correctSetting } } - $results | Format-Table -AutoSize + # Format-Tableには色つき出力の機能はないので、Write-Hostで色をつける + Write-Host ("{0,-75} {1,-15} {2,-15} {3,-15} {4,-15} {5,-10}" -f ` + "Log File Path", ` + "Current Size", ` + "Max Size", ` + "Default", ` + "Recommended", ` + "Correct Setting") + Write-Host ("{0,-75} {1,-15} {2,-15} {3,-15} {4,-15} {5,-10}" -f ` + "-------------", ` + "------------", ` + "--------", ` + "------", ` + "-----------", ` + "------------") + foreach ($result in $results) { + $color = if ($result.CorrectSetting -eq "Y") { "Green" } else { "Red" } + Write-Host ("{0,-75} {1,-15} {2,-15} {3,-15} {4,-15} {5,-10}" -f ` + $result.LogFilePath, ` + $result.CurrentLogSize, ` + $result.MaxLogSize, ` + $result.Default, ` + $result.Recommended, ` + $result.CorrectSetting) -ForegroundColor $color + } + $results | Export-Csv -Path "WELA-FileSize-Result.csv" -NoTypeInformation + Write-Host "" Write-Host "Audit file size result saved to: WELA-FileSize-Result.csv" } From 9c2fd63688a952eb001f7cae43d1af4b74559e4e Mon Sep 17 00:00:00 2001 
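Review bot: `$recommendedSize = [int]($logNames[$logName][1] -replace " MB\+?", "")` depends on every Recommended string having exactly the `"<n> MB+"` spelling; a value written as `"128MB+"` (the Defender entry had that form until patch 14) leaves `MB+` in the string, the `[int]` cast throws, and the whole audit aborts on that one entry. Extracting the digits directly, `$recommendedSize = [int][regex]::Match($logNames[$logName][1], '\d+').Value`, makes the verdict independent of how the table is spaced. The `CorrectSetting` verdict also looks only at `MaximumSizeInBytes`; a channel can meet the size bar while disabled, so consider adding `Enabled = $logInfo.IsEnabled` to the row and to the printed table, since a disabled channel with a generous maximum still collects nothing. The target table at the top of AuditFileSize lies outside the hunk.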
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Sun, 20 Apr 2025 09:18:13 +0900
Subject: [PATCH 16/18] add color table

---
 WELA.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/WELA.ps1 b/WELA.ps1
index 75c9d7e4..de2f256a 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -1489,7 +1489,7 @@ function AuditFileSize {
         "--------", `
         "------", `
         "-----------", `
-        "------------")
+        "--------------")
     foreach ($result in $results) {
         $color = if ($result.CorrectSetting -eq "Y") { "Green" } else { "Red" }
         Write-Host ("{0,-75} {1,-15} {2,-15} {3,-15} {4,-15} {5,-10}" -f `
From 74c03939936b92ad03a9b05c7043f049e01a9a53 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Sun, 20 Apr 2025 09:48:20 +0900
Subject: [PATCH 17/18] refactor

---
 WELA.ps1 | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/WELA.ps1 b/WELA.ps1
index de2f256a..3cf4331e 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -1476,14 +1476,15 @@ function AuditFileSize {
     }

     # Format-Tableには色つき出力の機能はないので、Write-Hostで色をつける
-    Write-Host ("{0,-75} {1,-15} {2,-15} {3,-15} {4,-15} {5,-10}" -f `
+    $tableLayout = "{0,-75} {1,-15} {2,-15} {3,-15} {4,-15} {5,-10}"
+    Write-Host ($tableLayout -f `
         "Log File Path", `
         "Current Size", `
         "Max Size", `
         "Default", `
         "Recommended", `
         "Correct Setting")
-    Write-Host ("{0,-75} {1,-15} {2,-15} {3,-15} {4,-15} {5,-10}" -f `
+    Write-Host ($tableLayout -f `
         "-------------", `
         "------------", `
         "--------", `
@@ -1492,7 +1493,7 @@ function AuditFileSize {
         "--------------")
     foreach ($result in $results) {
         $color = if ($result.CorrectSetting -eq "Y") { "Green" } else { "Red" }
-        Write-Host ("{0,-75} {1,-15} {2,-15} {3,-15} {4,-15} {5,-10}" -f `
+        Write-Host ($tableLayout -f `
             $result.LogFilePath, `
             $result.CurrentLogSize, `
             $result.MaxLogSize, `
From b3f672733dd4e1908d4f92cf1b5bc24cfbd19b6d Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Sun, 20 Apr 2025 09:50:17 +0900
Subject: [PATCH 18/18] refactor

---
 WELA.ps1 | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/WELA.ps1 b/WELA.ps1
index 3cf4331e..705177f6 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -1466,7 +1466,7 @@ function AuditFileSize {
         $correctSetting = if ($maxLogSize -ge $recommendedSize) { "Y" } else { "N" }

         $results += [PSCustomObject]@{
-            LogFilePath = Split-Path $logInfo.LogFilePath -Leaf
+            LogFile = Split-Path $logInfo.LogFilePath -Leaf
             CurrentLogSize = "{0:N2} MB" -f ($logInfo.FileSize / 1MB)
             MaxLogSize = "$maxLogSize MB"
             Default = $logNames[$logName][0]
@@ -1478,14 +1478,14 @@ function AuditFileSize {
     # Format-Tableには色つき出力の機能はないので、Write-Hostで色をつける
     $tableLayout = "{0,-75} {1,-15} {2,-15} {3,-15} {4,-15} {5,-10}"
     Write-Host ($tableLayout -f `
-        "Log File Path", `
+        "Log File", `
         "Current Size", `
         "Max Size", `
         "Default", `
         "Recommended", `
         "Correct Setting")
     Write-Host ($tableLayout -f `
-        "-------------", `
+        "--------", `
         "------------", `
         "--------", `
         "------", `
@@ -1494,7 +1494,7 @@ function AuditFileSize {
     foreach ($result in $results) {
         $color = if ($result.CorrectSetting -eq "Y") { "Green" } else { "Red" }
         Write-Host ($tableLayout -f `
-            $result.LogFilePath, `
+            $result.LogFile, `
             $result.CurrentLogSize, `
             $result.MaxLogSize, `
             $result.Default, `