Merge pull request #17 from Thumbscrew/dev

Merge for 0.4

public/Get-PSFirewallLog.ps1

@@ -1,4 +1,45 @@
 function Get-PSFirewallLog {
+    <#
+    .SYNOPSIS
+
+    Retrieves Windows Firewall log events and returns them as a table.
+
+    .DESCRIPTION
+
+    Retrieves Windows Firewall log events and returns them as a table. Log path can be directly specified or automatically determined based on local or remote registry settings.
+
+    .EXAMPLE
+
+    Get-PSFirewallLog -Path C:\Windows\system32\logfiles\firewall\pfirewall.log -Tail 1000
+
+    Get last 1000 Windows Firewall log lines at a specific path.
+
+    .EXAMPLE
+
+    Get-PSFirewallLog -LogDirectory C:\Windows\system32\logfiles\firewall\ -LogFileName domainfw.log
+
+    Get Windows Firewall log by specifying the log directory and filename separately.
+
+    .EXAMPLE
+
+    Get-PSFirewallLog -LogProfile Domain
+
+    Get Windows Firewall log by retrieving the path automatically from the registry on the local machine.
+
+    .EXAMPLE
+
+    Get-PSFirewallLog -LogProfile Public -ComputerName MyRemoteComputer -Verbose
+
+    Get Windows Firewall log on a remote computer using the Remote Registry service to get the log path.
+
+    .EXAMPLE
+
+    Get-PSFirewallLog -LogProfile Public -ComputerName MyRemoteComputer -InferPath
+
+    Get Windows Firewall log on a remote computer using the path configured in the local machine's registry (converted to a UNC path).
+    
+    #>
+
     [CmdletBinding(DefaultParameterSetName = 'direct')]
     param (
         # Path to firewall log. Defaults to $ENV:SystemRoot\system32\LogFiles\Firewall\pfirewall.log if parameter not supplied.
@@ -36,7 +77,12 @@ function Get-PSFirewallLog {
         # Follow the log
         [Parameter(Mandatory = $false)]
         [switch]
-        $Wait
+        $Wait,
+
+        # Use local machine's registry setting to infer remote machine's log path
+        [Parameter(Mandatory = $false, ParameterSetName = 'remote')]
+        [switch]
+        $InferPath
     )
     
     begin {
@@ -44,7 +90,13 @@ function Get-PSFirewallLog {
             $Path = Get-PSFirewallLogPath -LogProfile $LogProfile -Verbose:$VerbosePreference
         }
         elseif($PSCmdlet.ParameterSetName -eq 'remote') {
-            $Path = Get-PSFirewallLogPath -LogProfile $LogProfile -ComputerName $ComputerName -Verbose:$VerbosePreference
+            $lpc = "Get-PSFirewallLogPath -LogProfile $LogProfile -ComputerName $ComputerName"
+
+            if($InferPath) {
+                $lpc += " -InferPath"
+            }
+
+            $Path = Invoke-Expression $lpc -Verbose:$VerbosePreference
         }
     }
     

public/Get-PSFirewallLogPath.ps1

@@ -1,4 +1,33 @@
 function Get-PSFirewallLogPath {
+    <#
+    .SYNOPSIS
+
+    Retrieves Windows Firewall log path for a given Profile.
+
+    .DESCRIPTION
+
+    Retrieves Windows Firewall log path for a local or remote machine for given Profile.
+
+    .EXAMPLE
+
+    Get-PSFirewallLogPath -LogProfile Domain
+
+    Retrieves path of the specified profile's log from the local machine.
+
+    .EXAMPLE
+
+    Get-PSFirewallLogPath -LogProfile Private -ComputerName MyRemoteComputer
+
+    Retrieves path of the specified profile's log from a remote machine using the Remote Regsitry service.
+
+    .EXAMPLE
+
+    Get-PSFirewallLogPath -LogProfile Domain -ComputerName MyRemoteComputer -InferPath
+
+    Retrieves path of the specified profile's log from a remote machine using registry settings configured on the local machine.
+
+    #>
+
     param(
         # Log Profile to retrieve path for
         [Parameter(Mandatory = $true)]
@@ -9,13 +38,29 @@ function Get-PSFirewallLogPath {
         # Remote Host to retrieve from
         [Parameter(Mandatory = $false, ParameterSetName = 'remote')]
         [string]
-        $ComputerName
+        $ComputerName,
+
+        # Use local machine's registry setting to infer remote machine's log path
+        [Parameter(Mandatory = $false, ParameterSetName = 'remote')]
+        [switch]
+        $InferPath
     )
 
     process {
-        $serviceName = "RemoteRegistry"
-
         if($PSCmdlet.ParameterSetName -eq 'remote') {
+
+            if($InferPath) {
+                # Get local registry key entry
+                $localPath = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty -Path ("HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\{0}Profile\Logging" -f $LogProfile) -Name "LogFilePath").LogFilePath)
+
+                if($null -eq $localPath) {
+                    $defaultPath = "$ENV:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"
+                    Write-Warning "Path for $LogProfile firewall log not defined in registry. Assuming default path of $defaultPath"
+                    $localPath = $defaultPath
+                }
+            }
+            else {
+                $serviceName = "RemoteRegistry"
                 $startTypeChanged = $false
                 $statusChanged = $false
 
@@ -80,6 +125,7 @@ function Get-PSFirewallLogPath {
                         Write-Warning "Failed to revert startup type of $serviceName to $($remoteRegistry.StartType)!"
                     }
                 }
+            }
 
             # Do the conversion to UNC path
             $path = "\\$ComputerName\" + $localPath.replace(':', '$')
@@ -91,7 +137,9 @@ function Get-PSFirewallLogPath {
             $path = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty -Path ("HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\{0}Profile\Logging" -f $LogProfile) -Name "LogFilePath").LogFilePath)
 
             if($null -eq $path) {
-                $path = "$ENV:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"
+                $defaultPath = "$ENV:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"
+                Write-Warning "Path for $LogProfile firewall log not defined in registry. Assuming default path of $defaultPath"
+                $path = $defaultPath
             }
 
             return $path