Update forensics_log_pull.ps1

Azure-ARM/forensics_log_pull.ps1

@@ -18,7 +18,7 @@ if ($result -eq 'READ_ONLY') {
 }
 # Rest of the script
 Write-Host "Executing the rest of the script..."
-$LogQuery = "SELECT TOP (100) [Id]
+$LogQuery = "SELECT TOP (1000) [Id]
       ,[Message]
       ,[Level]
       ,[TimeStamp]
@@ -35,14 +35,13 @@ $SqlCmd.CommandText = $LogQuery;
 $SqlDataReader = $SqlCmd.ExecuteReader();
 $results = @()
 while ($SqlDataReader.Read()) {
-    # Collect each row into a hashtable for easy export
     $row = @{
         Id                  = $SqlDataReader["Id"]
         Message             = $SqlDataReader["Message"]
         Level               = $SqlDataReader["Level"]
         TimeStamp           = $SqlDataReader["TimeStamp"]
-		Exception           = if ($SqlDataReader["Exception"] -ne $null) { $SqlDataReader["Exception"] } else { "NULL" }
-        LogEvent            = if ($SqlDataReader["LogEvent"] -ne $null) { $SqlDataReader["LogEvent"].ToString() } else { "NULL" }
+	Exception           = if ($SqlDataReader["Exception"] -ne $null) { $SqlDataReader["Exception"] } else { "NULL" }
+        LogEvent            = $SqlDataReader["LogEvent"]
         AssemblyName        = $SqlDataReader["AssemblyName"]
         AssemblyVersion     = $SqlDataReader["AssemblyVersion"]
         SourceContext       = if ($SqlDataReader["LogEvent"] -ne $null) { $SqlDataReader["SourceContext"].ToString() } else { "NULL" }
@@ -54,10 +53,6 @@ while ($SqlDataReader.Read()) {
 $SqlDataReader.Close();
 $SqlConnection.Close();
 
-
-# Rest of the script
-#Write-Host "Executing the rest of the script..."
-
 # Get hostname of pod to know which pod the logs are from
 $hostname = hostname
 
@@ -83,6 +78,7 @@ mkdir "$env:TEMP\all-Logs\$logsFolder\ProfiseeLogs\ConnEx"
 mkdir "$env:TEMP\all-Logs\$logsFolder\EventViewerLogs"
 mkdir "$env:TEMP\all-Logs\$logsFolder\TCPLogs"
 mkdir "$env:TEMP\all-Logs\$logsFolder\IISLogs"
+mkdir "$env:TEMP\all-logs\$logsFolder\DatabaseLogs"
 robocopy "$env:SystemRoot\System32\winevt\Logs\" "$env:TEMP\all-Logs\$logsFolder\EventViewerLogs" /E /COPYALL /DCOPY:T
 robocopy "c:\profisee\configuration\logfiles" "$env:TEMP\all-Logs\$logsFolder\ProfiseeLogs\Config" /E /COPYALL /DCOPY:T
 robocopy "c:\profisee\gateway\logfiles" "$env:TEMP\all-Logs\$logsFolder\ProfiseeLogs\Gateway" /E /COPYALL /DCOPY:T
@@ -99,7 +95,7 @@ robocopy "c:\profisee\webportal\logfiles" "$env:TEMP\all-Logs\$logsFolder\Profis
 robocopy "c:\inetpub\logs\LogFiles\W3SVC1" "$env:TEMP\all-Logs\$logsFolder\IISLogs" /E /COPYALL /DCOPY:T
 netstat -anobq > $env:TEMP\all-Logs\$logsFolder\TCPLogs\netstat.txt
 Get-NetTCPConnection | Group-Object -Property State, OwningProcess | Select -Property Count, Name, @{Name="ProcessName";Expression={(Get-Process -PID ($_.Name.Split(',')[-1].Trim(' '))).Name}}, Group | Sort Count -Descending | out-file $env:TEMP\all-Logs\$logsFolder\TCPLogs\TCPconnections.txt
-$outputCsvPath = "C:\fileshare\alllogs\$logsFolder.csv"
+$outputCsvPath = "$env:TEMP\all-logs\$logsFolder\DatabaseLogs\$logsFolder.csv"
 $results | Select-Object Id, Message, Level, TimeStamp, Exception, LogEvent, AssemblyName, AssemblyVersion, SourceContext, EnvironmentUserName, MachineName | Export-Csv -Path $outputCsvPath -NoTypeInformation -Encoding UTF8
 # Compress and copy to fileshare
 compress-archive -Path "$env:TEMP\all-Logs\$logsFolder\" -DestinationPath "$env:TEMP\$WebAppName-$hostname-All-Logs-$DT.zip"