
iis_eventlog_collector.ps1

File: iis/iis_scripts/iis_eventlog_collector.ps1

<#
.SYNOPSIS
    IIS Event Log Collector - Exports IIS-related events from Event Viewer
#>

# ============================================
# CONFIGURATION SECTION
# ============================================
# Event sources to collect; each name is compared with an entry's Source field.
$IISEventSources = 'IIS AspNetCore Module V2', 'W3SVC-WP'

# Date range: enable exactly ONE of the four switches below.
# The script does not validate combinations, so leave the other three $false.
$CollectToday        = $false
$CollectLast2Days    = $false
$CollectLast7Days    = $true
$CollectSpecificDays = $false    # when $true, the days are taken from $SpecificDays
$SpecificDays        = 9, 10, 11 # day-of-month numbers within the current month

# ============================================
# SCRIPT START
# ============================================

# Timestamp of this run; its date part names the output folder and files.
$Today = Get-Date
$DateSuffix = $Today.ToString('yyyy-MM-dd')
$OutputFolder = Join-Path -Path $env:USERPROFILE -ChildPath "Desktop\IIS_EventLogs_$DateSuffix"

# Staging folder for the exported files. -Force lets the call succeed when the
# folder already exists; the folder object it returns is discarded.
$null = New-Item -ItemType Directory -Path $OutputFolder -Force

Write-Host "`n=== IIS Event Log Collector ===" -ForegroundColor Cyan
Write-Host "Output folder: $OutputFolder" -ForegroundColor Gray

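# Determine date filter.
# Exactly one date range option must be enabled. With none enabled $StartDate
# would stay $null for a non-specific-days run, and with several enabled the
# range announced here could differ from the one actually collected.
$EnabledModes = @($CollectToday, $CollectLast2Days, $CollectLast7Days, $CollectSpecificDays |
    Where-Object { $_ })
if ($EnabledModes.Count -ne 1) {
    Write-Host "`nConfiguration error: set exactly one date range option to `$true" -ForegroundColor Red
    # Same cleanup the script performs when it finds no events.
    Remove-Item -Path $OutputFolder -Recurse -Force
    exit 1
}

# Every range starts at midnight so that "last N days" covers whole calendar
# days instead of starting at the current time of day N-1 days ago.
$Midnight = $Today.Date
$StartDate = $null
if ($CollectToday) {
    $StartDate = $Midnight
    Write-Host "Collecting: Today only" -ForegroundColor Green
}
elseif ($CollectLast2Days) {
    $StartDate = $Midnight.AddDays(-1)
    Write-Host "Collecting: Last 2 days" -ForegroundColor Green
}
elseif ($CollectLast7Days) {
    $StartDate = $Midnight.AddDays(-6)
    Write-Host "Collecting: Last 7 days" -ForegroundColor Green
}
elseif ($CollectSpecificDays) {
    Write-Host "Collecting: Specific days mode" -ForegroundColor Green
    # $StartDate stays $null; this mode filters by day number during collection.
}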

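Write-Host "`n=== Collecting Events ===" -ForegroundColor Cyan

# Source filter as a literal script block. Membership is tested with -contains
# instead of generating PowerShell code from the configured names, so a name
# containing quotes or other syntax cannot change what the filter executes.
$FilterScript = { $IISEventSources -contains $_.Source }

if ($CollectSpecificDays) {
    # Midnight on the 1st of the current month. .Date drops the time of day
    # that Get-Date carries over from the current clock, which would otherwise
    # skip entries written earlier in the day on the 1st.
    $FetchAfter = (Get-Date -Year $Today.Year -Month $Today.Month -Day 1).Date
}
else {
    $FetchAfter = $StartDate
}

Write-Host "Fetching events from Application log..." -ForegroundColor Gray

# @( ) keeps the result a real array whether zero, one or many entries match,
# so the Count checks below are reliable. Read errors stay off the error stream
# as before but are captured in $ReadErrors and reported afterwards.
$ReadErrors = @()
$AllEvents = @(
    Get-EventLog -LogName Application -After $FetchAfter -ErrorAction SilentlyContinue -ErrorVariable ReadErrors |
        Where-Object -FilterScript $FilterScript
)

if ($CollectSpecificDays) {
    # Keep only entries whose day of month is listed in $SpecificDays.
    $AllEvents = @($AllEvents | Where-Object { $SpecificDays -contains $_.TimeGenerated.Day })
}

# Surface what Get-EventLog reported so an empty result can be told apart from
# a log that could not be read.
foreach ($ReadError in $ReadErrors) {
    Write-Warning "Get-EventLog reported: $($ReadError.Exception.Message)"
}

Write-Host "Total events collected: $($AllEvents.Count)" -ForegroundColor Green

if ($AllEvents.Count -eq 0) {
    Write-Host "`nNo IIS events found for the specified date range" -ForegroundColor Red
    # Nothing to export: remove the staging folder created at script start.
    Remove-Item -Path $OutputFolder -Recurse -Force
    Write-Host "`n=== COMPLETE ===" -ForegroundColor Cyan
    exit
}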

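# Export to CSV
Write-Host "`n=== Exporting Events ===" -ForegroundColor Cyan

# One row per event with the fields needed for triage.
# -Encoding UTF8 is explicit because Windows PowerShell's Export-Csv writes
# ASCII by default, which replaces non-ASCII characters in messages with '?'.
# NOTE(review): Message is written verbatim and may carry text that originated
# in web requests; review the file in a viewer that does not evaluate cell
# formulas.
$CsvPath = Join-Path $OutputFolder "IIS_Events_$DateSuffix.csv"
$AllEvents |
    Select-Object TimeGenerated, Source, EntryType, EventID, Message |
    Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8

Write-Host "CSV exported: $CsvPath" -ForegroundColor Green

# Create summary by event type: one row per EntryType with its event count.
$Summary = $AllEvents | Group-Object EntryType |
    Select-Object @{Name="EventType";Expression={$_.Name}}, @{Name="Count";Expression={$_.Count}}

$SummaryPath = Join-Path $OutputFolder "Summary_$DateSuffix.csv"
$Summary | Export-Csv -Path $SummaryPath -NoTypeInformation -Encoding UTF8

Write-Host "Summary exported: $SummaryPath" -ForegroundColor Green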

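# Create zip next to the staging folder (same parent directory).
# NOTE(review): event messages can include request details, file paths and
# stack traces; treat the archive as sensitive and confirm where it may be
# stored or sent.
Write-Host "`n=== Creating Archive ===" -ForegroundColor Cyan
$ZipPath = Join-Path (Split-Path $OutputFolder) "IIS_EventLogs_$DateSuffix.zip"

# -ErrorAction Stop turns an archive failure into a catchable error. The
# staging folder is deleted only after the archive was written, so a failed
# compression no longer destroys the only copy of the export.
try {
    Compress-Archive -Path "$OutputFolder\*" -DestinationPath $ZipPath -Force -ErrorAction Stop
}
catch {
    Write-Host "`nArchive creation failed: $($_.Exception.Message)" -ForegroundColor Red
    Write-Host "Exported files were kept in: $OutputFolder" -ForegroundColor Yellow
    exit 1
}

Remove-Item -Path $OutputFolder -Recurse -Force

Write-Host "`nSUCCESS!" -ForegroundColor Green
Write-Host "Archive created: $ZipPath" -ForegroundColor Green
Write-Host "Total events: $($AllEvents.Count)" -ForegroundColor Gray
Write-Host "Size: $([math]::Round((Get-Item $ZipPath).Length / 1KB, 2)) KB" -ForegroundColor Gray
# Record a digest so the archive can be checked for changes after hand-off.
Write-Host "SHA256: $((Get-FileHash -Path $ZipPath -Algorithm SHA256).Hash)" -ForegroundColor Gray

Write-Host "`n=== COMPLETE ===" -ForegroundColor Cyan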