Add tests for queries against userdata (#2388)
Add a custom .evtx file for the UserData tests to use.
parent
561824c306
commit
24f9dea287
2 changed files with 32 additions and 1 deletions
|
@ -73,8 +73,39 @@ Describe 'Get-WinEvent' -Tags "CI" {
|
||||||
$results = Get-WinEvent -logname $logname -filterXPath $xpathFilter -max 3
|
$results = Get-WinEvent -logname $logname -filterXPath $xpathFilter -max 3
|
||||||
$results | should Not BeNullOrEmpty
|
$results | should Not BeNullOrEmpty
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
# Get-WinEvent works only on windows
|
Context "Get-WinEvent UserData Queries" {
|
||||||
|
It 'Get-WinEvent can retrieve events with UserData queries using FilterXml' {
|
||||||
|
# this relies on apriori knowledge about the log file
|
||||||
|
# the provided log file has been edited to remove MS PII, so we must use -ea silentlycontinue
|
||||||
|
$eventLogFile = [io.path]::Combine($PSScriptRoot, "assets", "Saved-Events.evtx")
|
||||||
|
$filter = "<QueryList><Query><Select Path='file://$eventLogFile'>*[UserData/*/Param2='Windows x64']</Select></Query></QueryList>"
|
||||||
|
$results = Get-WinEvent -FilterXml $filter -ea silentlycontinue
|
||||||
|
@($results).Count | Should be 1
|
||||||
|
$results.RecordId | should be 10
|
||||||
|
}
|
||||||
|
<#
|
||||||
|
It 'Get-WinEvent can retrieve events with UserData queries using FilterHashtable' {
|
||||||
|
# this relies on apriori knowledge about the log file
|
||||||
|
# the provided log file has been edited to remove MS PII, so we must use -ea silentlycontinue
|
||||||
|
$eventLogFile = [io.path]::Combine($PSScriptRoot, "assets", "Saved-Events.evtx")
|
||||||
|
$filter = @{ path = "$eventLogFile"; Param2 = "Windows x64"}
|
||||||
|
$results = Get-WinEvent -filterHashtable $filter -ea silentlycontinue
|
||||||
|
@($results).Count | Should be 1
|
||||||
|
$results.RecordId | should be 10
|
||||||
|
}
|
||||||
|
#>
|
||||||
|
It 'Get-WinEvent can retrieve events with UserData queries using FilterXPath' {
|
||||||
|
# this relies on apriori knowledge about the log file
|
||||||
|
# the provided log file has been edited to remove MS PII, so we must use -ea silentlycontinue
|
||||||
|
$eventLogFile = [io.path]::Combine($PSScriptRoot, "assets", "Saved-Events.evtx")
|
||||||
|
$filter = "*/UserData/*/Param2='Windows x64'"
|
||||||
|
$results = Get-WinEvent -path $eventLogFile -filterXPath $filter -ea silentlycontinue
|
||||||
|
@($results).Count | Should be 1
|
||||||
|
$results.RecordId | should be 10
|
||||||
|
}
|
||||||
|
} # Get-WinEvent works only on windows
|
||||||
It 'can query a System log' {
|
It 'can query a System log' {
|
||||||
Get-WinEvent -LogName System -MaxEvents 1 | Should Not BeNullOrEmpty
|
Get-WinEvent -LogName System -MaxEvents 1 | Should Not BeNullOrEmpty
|
||||||
}
|
}
|
||||||
|
|
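Review bot: The FilterXml query built at `$filter = "<QueryList><Query><Select Path='file://$eventLogFile'>..."` interpolates the asset path into XML without escaping, and the `-ea silentlycontinue` on the next statement hides any error that produces, so a missing asset or a `'`/`&` in `$PSScriptRoot` only shows up as `@($results).Count | Should be 1` failing with 0. Escaping the path before interpolation, `$escapedPath = [System.Security.SecurityElement]::Escape($eventLogFile)`, and asserting the asset up front, `$eventLogFile | Should Exist`, would make both the FilterXml and FilterXPath cases fail with a message that names the real cause; the `$eventLogFile` assignment repeated in each `It` could then move to a single Context-level variable. The FilterHashtable case is committed inside a `<# … #>` block with no reason given; marking the `It` with `-Skip` and a comment stating why it is disabled keeps it visible in the test report instead of silently dead. The enclosing Describe starts and ends outside the hunk.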
Binary file not shown.