From 3434daa7461ce95f397b9c0317e47e1f8cfdb397 Mon Sep 17 00:00:00 2001
From: Yonko Ganchev
Date: Fri, 27 Sep 2024 18:09:47 -0400
Subject: [PATCH] Forensics script update and adding startup-probe
---
 Azure-ARM/forensics_log_pull.ps1 | 76 +++++++++++++++++---------------
 Azure-ARM/startup-probe.ps1 | 34 ++++++++++++++
 2 files changed, 74 insertions(+), 36 deletions(-)
 create mode 100644 Azure-ARM/startup-probe.ps1
diff --git a/Azure-ARM/forensics_log_pull.ps1 b/Azure-ARM/forensics_log_pull.ps1
index 04c50af..79a06d7 100644
--- a/Azure-ARM/forensics_log_pull.ps1
+++ b/Azure-ARM/forensics_log_pull.ps1
@@ -20,47 +20,51 @@ if ($result -eq 'READ_ONLY') {
 # Rest of the script
 Write-Host "Executing the rest of the script..."
-New-Item -Path "C:\Fileshare\" -Name "alllogs" -ItemType "directory" -ErrorAction Ignore
-# Pull Product Services, IIS, Event Viewer logs as well as Netstat and TCPConnection logs
-$DT = get-date -UFormat "%m-%d-%Y-%H%M%S-UTC-%a"
-mkdir "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Config"
-mkdir "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Gateway"
-mkdir "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Attachments"
-mkdir "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Auth"
-mkdir "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Governance"
-mkdir "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Monolith"
-mkdir "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Workflows"
-mkdir "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Web"
-mkdir "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Webportal"
-mkdir "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Monitor"
-mkdir "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Data"
-mkdir "$env:TEMP\all-Logs\$DT\ProfiseeLogs\ConnEx"
-mkdir "$env:TEMP\all-Logs\$DT\EventViewerLogs"
-mkdir "$env:TEMP\all-Logs\$DT\TCPLogs"
-mkdir "$env:TEMP\all-Logs\$DT\IISLogs"
-robocopy "$env:SystemRoot\System32\winevt\Logs\" "$env:TEMP\all-Logs\$DT\EventViewerLogs" /E /COPYALL /DCOPY:T
-robocopy "c:\profisee\configuration\logfiles" "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Config" /E /COPYALL /DCOPY:T
-robocopy "c:\profisee\gateway\logfiles" "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Gateway" /E /COPYALL /DCOPY:T
-robocopy "c:\profisee\services\attachments\logfiles" "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Attachments" /E /COPYALL /DCOPY:T
-robocopy "c:\profisee\services\auth\logfiles" "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Auth" /E /COPYALL /DCOPY:T
-robocopy "c:\profisee\services\governance\logfiles" "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Governance" /E /COPYALL /DCOPY:T
-robocopy "c:\profisee\services\monolith\logfiles" "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Monolith" /E /COPYALL /DCOPY:T
-robocopy "c:\profisee\services\workflows\logfiles" "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Workflows" /E /COPYALL /DCOPY:T
-robocopy "C:\Profisee\Services\Monitor\LogFiles" "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Monitor" /E /COPYALL /DCOPY:T
-robocopy "C:\Profisee\Services\Data\LogFiles" "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Data" /E /COPYALL /DCOPY:T
-robocopy "C:\Profisee\Services\ConnEx\LogFiles" "$env:TEMP\all-Logs\$DT\ProfiseeLogs\ConnEx" /E /COPYALL /DCOPY:T
-robocopy "c:\profisee\web\logfiles" "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Web" /E /COPYALL /DCOPY:T
-robocopy "c:\profisee\webportal\logfiles" "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Webportal" /E /COPYALL /DCOPY:T
-robocopy "c:\inetpub\logs\LogFiles\W3SVC1" "$env:TEMP\all-Logs\$DT\IISLogs" /E /COPYALL /DCOPY:T
-netstat -anobq > $env:TEMP\all-Logs\$DT\TCPLogs\netstat.txt
-Get-NetTCPConnection | Group-Object -Property State, OwningProcess | Select -Property Count, Name, @{Name="ProcessName";Expression={(Get-Process -PID ($_.Name.Split(',')[-1].Trim(' '))).Name}}, Group | Sort Count -Descending | out-file $env:TEMP\all-Logs\$DT\TCPLogs\TCPconnections.txt
+# Get hostname of pod to know which pod the logs are from
+$hostname = hostname
 # Make Webapp name w/ Capital letter
 $WebAppName = $env:ProfiseeWebAppName.substring(0, 1).ToUpper() + $env:ProfiseeWebAppName.Substring(1)
+New-Item -Path "C:\Fileshare\" -Name "alllogs" -ItemType "directory" -ErrorAction Ignore
+# Pull Product Services, IIS, Event Viewer logs as well as Netstat and TCPConnection logs
+$DT = get-date -UFormat "%m-%d-%Y-%H%M%S-UTC-%a"
+$logsFolder = "$WebAppName-$hostname-$DT"
+mkdir "$env:TEMP\all-Logs\$logsFolder\ProfiseeLogs\Config"
+mkdir "$env:TEMP\all-Logs\$logsFolder\ProfiseeLogs\Gateway"
+mkdir "$env:TEMP\all-Logs\$logsFolder\ProfiseeLogs\Attachments"
+mkdir "$env:TEMP\all-Logs\$logsFolder\ProfiseeLogs\Auth"
+mkdir "$env:TEMP\all-Logs\$logsFolder\ProfiseeLogs\Governance"
+mkdir "$env:TEMP\all-Logs\$logsFolder\ProfiseeLogs\Monolith"
+mkdir "$env:TEMP\all-Logs\$logsFolder\ProfiseeLogs\Workflows"
+mkdir "$env:TEMP\all-Logs\$logsFolder\ProfiseeLogs\Web"
+mkdir "$env:TEMP\all-Logs\$logsFolder\ProfiseeLogs\Webportal"
+mkdir "$env:TEMP\all-Logs\$logsFolder\ProfiseeLogs\Monitor"
+mkdir "$env:TEMP\all-Logs\$logsFolder\ProfiseeLogs\Data"
+mkdir "$env:TEMP\all-Logs\$logsFolder\ProfiseeLogs\ConnEx"
+mkdir "$env:TEMP\all-Logs\$logsFolder\EventViewerLogs"
+mkdir "$env:TEMP\all-Logs\$logsFolder\TCPLogs"
+mkdir "$env:TEMP\all-Logs\$logsFolder\IISLogs"
+robocopy "$env:SystemRoot\System32\winevt\Logs\" "$env:TEMP\all-Logs\$logsFolder\EventViewerLogs" /E /COPYALL /DCOPY:T
+robocopy "c:\profisee\configuration\logfiles" "$env:TEMP\all-Logs\$logsFolder\ProfiseeLogs\Config" /E /COPYALL /DCOPY:T
+robocopy "c:\profisee\gateway\logfiles" "$env:TEMP\all-Logs\$logsFolder\ProfiseeLogs\Gateway" /E /COPYALL /DCOPY:T
+robocopy "c:\profisee\services\attachments\logfiles" "$env:TEMP\all-Logs\$logsFolder\ProfiseeLogs\Attachments" /E /COPYALL /DCOPY:T
+robocopy "c:\profisee\services\auth\logfiles" "$env:TEMP\all-Logs\$logsFolder\ProfiseeLogs\Auth" /E /COPYALL /DCOPY:T
+robocopy "c:\profisee\services\governance\logfiles" "$env:TEMP\all-Logs\$logsFolder\ProfiseeLogs\Governance" /E /COPYALL /DCOPY:T
+robocopy "c:\profisee\services\monolith\logfiles" "$env:TEMP\all-Logs\$logsFolder\ProfiseeLogs\Monolith" /E /COPYALL /DCOPY:T
+robocopy "c:\profisee\services\workflows\logfiles" "$env:TEMP\all-Logs\$logsFolder\ProfiseeLogs\Workflows" /E /COPYALL /DCOPY:T
+robocopy "C:\Profisee\Services\Monitor\LogFiles" "$env:TEMP\all-Logs\$logsFolder\ProfiseeLogs\Monitor" /E /COPYALL /DCOPY:T
+robocopy "C:\Profisee\Services\Data\LogFiles" "$env:TEMP\all-Logs\$logsFolder\ProfiseeLogs\Data" /E /COPYALL /DCOPY:T
+robocopy "C:\Profisee\Services\ConnEx\LogFiles" "$env:TEMP\all-Logs\$logsFolder\ProfiseeLogs\ConnEx" /E /COPYALL /DCOPY:T
+robocopy "c:\profisee\web\logfiles" "$env:TEMP\all-Logs\$logsFolder\ProfiseeLogs\Web" /E /COPYALL /DCOPY:T
+robocopy "c:\profisee\webportal\logfiles" "$env:TEMP\all-Logs\$logsFolder\ProfiseeLogs\Webportal" /E /COPYALL /DCOPY:T
+robocopy "c:\inetpub\logs\LogFiles\W3SVC1" "$env:TEMP\all-Logs\$logsFolder\IISLogs" /E /COPYALL /DCOPY:T
+netstat -anobq > $env:TEMP\all-Logs\$logsFolder\TCPLogs\netstat.txt
+Get-NetTCPConnection | Group-Object -Property State, OwningProcess | Select -Property Count, Name, @{Name="ProcessName";Expression={(Get-Process -PID ($_.Name.Split(',')[-1].Trim(' '))).Name}}, Group | Sort Count -Descending | out-file $env:TEMP\all-Logs\$logsFolder\TCPLogs\TCPconnections.txt
+
 # Compress and copy to fileshare
-compress-archive -Path "$env:TEMP\all-Logs\$DT\" -DestinationPath "$env:TEMP\$WebAppName-All-Logs-$DT.zip"
-copy "$env:TEMP\$WebAppName-All-Logs-$DT.zip" "C:\fileshare\alllogs"
+compress-archive -Path "$env:TEMP\all-Logs\$logsFolder\" -DestinationPath "$env:TEMP\$WebAppName-$hostname-All-Logs-$DT.zip"
+copy "$env:TEMP\$WebAppName-$hostname-All-Logs-$DT.zip" "C:\fileshare\alllogs\"
 # Delete older zipped log files more than 30 days
 Get-ChildItem -Path C:\Fileshare\* -Include *all-logs-*.zip -Recurse | Where-Object {$_.LastWriteTime -lt (Get-Date).AddDays(-30)} | Remove-Item
\ No newline at end of file
diff --git a/Azure-ARM/startup-probe.ps1 b/Azure-ARM/startup-probe.ps1
new file mode 100644
index 0000000..d091fa1
--- /dev/null
+++ b/Azure-ARM/startup-probe.ps1
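Review bot: The new archive is written to the share with no integrity record, nothing checks that `copy` succeeded, and the unpacked staging tree under `$env:TEMP\all-Logs\$logsFolder` (plus the TEMP zip) is left behind, so a second copy of the Security/System event logs and service logs lingers on the node outside the share. For evidence that is meant to be forensic, record a SHA-256 beside the zip and only discard the staging copy once the copy is known to have worked: `(Get-FileHash -Algorithm SHA256 "$env:TEMP\$WebAppName-$hostname-All-Logs-$DT.zip").Hash | Out-File "C:\fileshare\alllogs\$WebAppName-$hostname-All-Logs-$DT.sha256"`, `Copy-Item "$env:TEMP\$WebAppName-$hostname-All-Logs-$DT.zip" "C:\fileshare\alllogs\" -ErrorAction Stop`, `Remove-Item -Recurse -Force "$env:TEMP\all-Logs\$logsFolder"`. The robocopy exit codes are also discarded; a value of 8 or above means files were not copied, so at minimum log `$LASTEXITCODE` after each call so a partial collection is visible in the transcript. The 30-day purge at the end of the hunk still matches the renamed zip because `*all-logs-*.zip` is matched case-insensitively on Windows.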
@@ -0,0 +1,34 @@
+# Start transcript for logging
+$hostname = hostname
+$probeLog = "C:\fileshare\startup-probe-$hostname.log"
+Start-Transcript -Path $probeLog
+
+$logFilePath = "C:\Profisee\Configuration\LogFiles\SystemLog.log"
+$successString = "User Manager\\ContainerAdministrator Profisee platform configuration finished."
+$checkIntervalSeconds = 5
+
+
+# Main loop
+while ($true) {
+ Write-Host "Parsing log file for success and failure strings..."
+ if (Test-Path $logFilePath) {
+ # Get the entries for success and failure strings
+ $successEntries = Get-Content -Path $logFilePath | Select-String -Pattern $successString
+
+ # Get the counts of the entries
+ $successCount = $successEntries.Count
+
+ # 1. If success count > 0, break successfully.
+ if ($successCount -gt 0) {
+ Write-Host "Configuration finished. There may be errors."
+ break
+ }
+ } else {
+ Write-Host "Log file not found."
+ }
+
+ # Sleep before checking again
+ Start-Sleep -Seconds $checkIntervalSeconds
+}
+
+Stop-Transcript
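Review bot: The `while ($true)` loop has no deadline and no failure condition, so if the configurator never writes the success line the probe blocks forever and never returns non-zero; the comment on the `Select-String` line promises "success and failure strings" but only `$successString` is ever checked. `Select-String -Pattern` also treats `$successString` as a regex, which is why the value carries `\\` and why its `.` matches any character — pass `-SimpleMatch` with the literal single-backslash text instead. Add a bounded wait that exits 1 on timeout so the orchestrator (presumably a Kubernetes startup probe, given the file name) sees the failure rather than relying only on its own timeout, and add a failure-line check once the configurator's exact failure text is confirmed.
```powershell
$successString = "User Manager\ContainerAdministrator Profisee platform configuration finished."
$checkIntervalSeconds = 5
$timeoutSeconds = 1800          # upper bound on the wait; align with the probe's own timeout
$deadline = (Get-Date).AddSeconds($timeoutSeconds)
$exitCode = 1                   # cleared only once the success line is seen

# Main loop
while ((Get-Date) -lt $deadline) {
    Write-Host "Parsing log file for success string..."
    if (Test-Path $logFilePath) {
        # -SimpleMatch: the success line contains '.' and '\', so do not interpret it as a regex
        if (Select-String -Path $logFilePath -Pattern $successString -SimpleMatch -Quiet) {
            Write-Host "Configuration finished. There may be errors."
            $exitCode = 0
            break
        }
    } else {
        Write-Host "Log file not found."
    }
    # … unchanged: sleep before checking again …
}

Stop-Transcript
exit $exitCode
```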