From 5f96c38afbeb9b7e7efee8402564427a3609b457 Mon Sep 17 00:00:00 2001
From: Kulwant Singh
Date: Thu, 28 Mar 2024 16:43:09 +0000
Subject: [PATCH] Add support to collect Windows Events relevant to Windows Containers and EKS (#1739)

1. Application - Windows Application events
2. EKS - Events related to EKS
3. System - Windows system events
4. Microsoft-Windows-Containers - Windows containers related events
5. Microsoft-Windows-Host-Network-Service - Windows Container networking events
6. Microsoft-Windows-Hyper-V-Compute - Windows container compute service events
---
 .../windows/eks-log-collector.ps1 | 22 ++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/log-collector-script/windows/eks-log-collector.ps1 b/log-collector-script/windows/eks-log-collector.ps1
index 4bb1e454e..828703db0 100644
--- a/log-collector-script/windows/eks-log-collector.ps1
+++ b/log-collector-script/windows/eks-log-collector.ps1
@@ -62,6 +62,7 @@ Function create_working_dir{
 New-Item -type directory -path $info_system\containerd_log -Force >$null
 New-Item -type directory -path $info_system\network -Force >$null
 New-Item -type directory -path $info_system\network\hns -Force >$null
+ New-Item -type directory -path $info_system\events -Force >$null
 Write-Host "OK" -ForegroundColor "green"
 }
 catch {
@@ -349,6 +350,25 @@ Function get_network_info{
 }
 }
+Function get_windows_events{
+ try {
+ Write-Host "Collecting Windows events"
+ Copy-Item "$env:SystemDrive\Windows\System32\Winevt\Logs\Application.evtx" -Destination $info_system\events
+ Copy-Item "$env:SystemDrive\Windows\System32\Winevt\Logs\EKS.evtx" -Destination $info_system\events
+ Copy-Item "$env:SystemDrive\Windows\System32\Winevt\Logs\System.evtx" -Destination $info_system\events
+ Copy-Item "$env:SystemDrive\Windows\System32\Winevt\Logs\\Microsoft-Windows-Containers*.evtx" -Destination $info_system\events
+ Copy-Item "$env:SystemDrive\Windows\System32\Winevt\Logs\\Microsoft-Windows-Host-Network-Service*.evtx" -Destination $info_system\events
+ Copy-Item "$env:SystemDrive\Windows\System32\Winevt\Logs\\Microsoft-Windows-Hyper-V-Compute*.evtx" -Destination $info_system\events
+
+ Write-Host "OK" -ForegroundColor "green"
+ }
+ catch {
+ Write-Error "Unable to collect Windows events"
+ Break
+ }
+
+}
+
 Function cleanup{
 Write-Host "Cleaning up directory"
 Remove-Item -Recurse -Force $basedir -ErrorAction Ignore
@@ -390,7 +410,7 @@ Function collect{
 get_containerd_logs
 get_eks_logs
 get_network_info
-
+ get_windows_events
 }
 #--------------------------
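Review bot: A missing or unreadable log file (for example `EKS.evtx` on a node where that log is not registered) never reaches the catch block in get_windows_events, because `Copy-Item` emits a non-terminating error by default, so the function still prints OK while the error scrolls past; if the script sets `$ErrorActionPreference = 'Stop'` elsewhere (not visible in this hunk), the opposite happens and one absent file aborts the whole collection through `Break`. Copying only the files that exist, with each copy made terminating so a genuine failure does land in catch, keeps the collector best-effort without hiding errors, and a shared base path also removes the doubled backslash in the `Logs\\Microsoft-Windows-…` entries, which the three preceding lines do not use. These are raw copies of live log files rather than exports; if copying an in-use .evtx proves unreliable, `wevtutil epl` is the documented export route. Application and System logs can carry workload details such as paths and account names, which deserves a one-line comment at the top of the function so whoever handles the resulting bundle knows what it contains.
```powershell
Function get_windows_events{
    try {
        Write-Host "Collecting Windows events"
        # Raw .evtx copies; Application/System can contain workload paths and account names.
        $eventLogs = @(
            "Application.evtx",
            "EKS.evtx",
            "System.evtx",
            "Microsoft-Windows-Containers*.evtx",
            "Microsoft-Windows-Host-Network-Service*.evtx",
            "Microsoft-Windows-Hyper-V-Compute*.evtx"
        )
        foreach ($log in $eventLogs) {
            $path = Join-Path "$env:SystemDrive\Windows\System32\Winevt\Logs" $log
            if (Test-Path $path) {
                # -ErrorAction Stop so a real copy failure reaches the catch block below
                Copy-Item $path -Destination $info_system\events -ErrorAction Stop
            } else {
                Write-Warning "Event log not found, skipping: $path"
            }
        }
        Write-Host "OK" -ForegroundColor "green"
    }
    # … unchanged: catch block …
```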