fixee

kolide · Apr 3, 2024 · 0f4d551 · 0f4d551
1 parent a73e22d
commit 0f4d551
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 4 deletions.
diff --git a/ee/debug/checkups/init_logs_windows.go b/ee/debug/checkups/init_logs_windows.go
@@ -9,7 +9,7 @@ import (
 )
 
 func writeInitLogs(ctx context.Context, logZip *zip.Writer) error {
-	cmdStr := `Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='launcher'} | ForEach-Object { $_.Message }`
+	cmdStr := `Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='launcher'} | ConvertTo-Json`
 	cmd, err := allowedcmd.Powershell(ctx, cmdStr)
 	if err != nil {
 		return fmt.Errorf("creating powershell command: %w", err)

diff --git a/ee/debug/checkups/services_windows.go b/ee/debug/checkups/services_windows.go
@@ -239,11 +239,14 @@ func gatherServiceManagerEvents(ctx context.Context, z *zip.Writer) error {
 		return fmt.Errorf("creating eventlog-Get-WinEvent.json: %w", err)
 	}
 
+	filterExpression := fmt.Sprintf(`@{LogName='System'; ProviderName='Service Control Manager'; Data=%s}`, kolideSvcName)
+
 	cmdArgs := []string{
 		"Get-WinEvent",
-		`-FilterHashtable @{LogName='System'; ProviderName='Service Control Manager'}`,
+		"-MaxEvents 100",
+		"-FilterHashtable", filterExpression,
 		"|",
-		"ForEach-Object { $_.Message }",
+		"ConvertTo-Json",
 	}
 
 	cmd, err := allowedcmd.Powershell(ctx, cmdArgs...)
@@ -268,7 +271,7 @@ func gatherServiceManagerEventLogs(ctx context.Context, z *zip.Writer) error {
 
 	cmdletArgs := []string{
 		"Get-EventLog",
-		"-Newest", "50",
+		"-Newest", "100",
 		"-LogName", "System",
 		"-Source", "\"Service Control Manager\"",
 		"-Message", fmt.Sprintf("*%s*", kolideSvcName),