Fixed issue with header (#4)

reed1995 · bongiovimatthew-microsoft · commit 440d0488c742 · 2017-10-27T11:11:02.000-07:00
* Fixed issue with header

Wasn't being treated as array if only 1 item returned

* Maintain prior changes

Maintan table from previous

* Missing table row added

Added missing table row
diff --git a/AdfsEventsModule.psm1 b/AdfsEventsModule.psm1
@@ -273,7 +273,9 @@ function GetHTTPRequestInformation
     [System.Management.Automation.Runspaces.PSSession]$Session)
 
     #Retreive 403 (Request) and 404 (Response) events along with corresponding 510's from security log
-    $RequestAndResponseEvents = Get403And404Events -CorrID $CorrID -Session $Session
+    $RequestAndResponseEvents = @()
+    $RequestAndResponseEvents += Get403And404Events -CorrID $CorrID -Session $Session
+
     $HeaderEvents = @()
     foreach($Event in $RequestAndResponseEvents)
     {
@@ -289,6 +291,7 @@ function GetHTTPRequestInformation
     {
         $CurrentID = $RequestAndResponseEvents[$I].ID
 
+
         if($CurrentID -eq 403)
         {
             $HeaderObject.QueryString = $RequestAndResponseEvents[$I].RemoteProperties[4] + $RequestAndResponseEvents[$I].RemoteProperties[5] +  $RequestAndResponseEvents[$I].RemoteProperties[6]
@@ -308,7 +311,7 @@ function GetHTTPRequestInformation
             $HeaderObject = CreateHeaderObject #Clear object for next iteration of loop
         }
 
-        if(($I % 2 -eq 0 -and $CurrentID -eq 404) -or ($I %2 -eq 1 -and $CurrentID -eq 403))
+        if(($I % 2 -eq 0 -and $CurrentID -eq 404) -or ($I %2 -eq 1 -and $CurrentID -eq 403) -or ($CurrentID -eq 403 -and $I -eq $RequestAndResponseEvents.length-1) )
         {
             #Expecting each 403 to be followed by a 404. Each 403 should have an even index and each 404 should have an odd index in the list.
             Write-Warning "Unable to match request and response headers"
@@ -382,7 +385,7 @@ function Write-ADFSEventsSummary
         $row.CorrelationID = $Event.CorrelationID
         $row.Machine = $Event.MachineName
         $row.Log = $Event.LogName
-        $row.Level = $Event.LevelDisplayName
+	$row.Level = $Event.LevelDisplayName
 
         #Add the row to the table
         $table.Rows.Add($row)    
@@ -496,6 +499,11 @@ function Get-ADFSEvents
         foreach($Event in $Events)
         {
             $ID = [string] $Event.CorrelationID
+
+            if($CorrelationID -ne "" -and $CorrelationID -ne $ID)
+            {
+                continue #Unrelated event mentioned correlation id in data blob
+            }
                 
             if(![string]::IsNullOrEmpty($ID) -and $HashTable.Contains($ID)) #Add event to exisiting list
             {
@@ -545,4 +553,4 @@ function Get-ADFSEvents
    
 }
 Export-ModuleMember -Function Get-ADFSEvents
-Export-ModuleMember -Function Write-ADFSEventsSummary
+Export-ModuleMember -Function Write-ADFSEventsSummary

Original file line number	Diff line number	Diff line change
`@@ -273,7 +273,9 @@ function GetHTTPRequestInformation`
`273`	`273`	`[System.Management.Automation.Runspaces.PSSession]$Session)`
`274`	`274`
`275`	`275`	`#Retreive 403 (Request) and 404 (Response) events along with corresponding 510's from security log`
`276`		`- $RequestAndResponseEvents = Get403And404Events -CorrID $CorrID -Session $Session`
	`276`	`+ $RequestAndResponseEvents = @()`
	`277`	`+ $RequestAndResponseEvents += Get403And404Events -CorrID $CorrID -Session $Session`
	`278`	`+`
`277`	`279`	`$HeaderEvents = @()`
`278`	`280`	`foreach($Event in $RequestAndResponseEvents)`
`279`	`281`	`{`
`@@ -289,6 +291,7 @@ function GetHTTPRequestInformation`
`289`	`291`	`{`
`290`	`292`	`$CurrentID = $RequestAndResponseEvents[$I].ID`
`291`	`293`
	`294`	`+`
`292`	`295`	`if($CurrentID -eq 403)`
`293`	`296`	`{`
`294`	`297`	`$HeaderObject.QueryString = $RequestAndResponseEvents[$I].RemoteProperties[4] + $RequestAndResponseEvents[$I].RemoteProperties[5] + $RequestAndResponseEvents[$I].RemoteProperties[6]`
`@@ -308,7 +311,7 @@ function GetHTTPRequestInformation`
`308`	`311`	`$HeaderObject = CreateHeaderObject #Clear object for next iteration of loop`
`309`	`312`	`}`
`310`	`313`
`311`		`- if(($I % 2 -eq 0 -and $CurrentID -eq 404) -or ($I %2 -eq 1 -and $CurrentID -eq 403))`
	`314`	`+ if(($I % 2 -eq 0 -and $CurrentID -eq 404) -or ($I %2 -eq 1 -and $CurrentID -eq 403) -or ($CurrentID -eq 403 -and $I -eq $RequestAndResponseEvents.length-1) )`
`312`	`315`	`{`
`313`	`316`	`#Expecting each 403 to be followed by a 404. Each 403 should have an even index and each 404 should have an odd index in the list.`
`314`	`317`	`Write-Warning "Unable to match request and response headers"`
`@@ -382,7 +385,7 @@ function Write-ADFSEventsSummary`
`382`	`385`	`$row.CorrelationID = $Event.CorrelationID`
`383`	`386`	`$row.Machine = $Event.MachineName`
`384`	`387`	`$row.Log = $Event.LogName`
`385`		`- $row.Level = $Event.LevelDisplayName`
	`388`	`+ $row.Level = $Event.LevelDisplayName`
`386`	`389`
`387`	`390`	`#Add the row to the table`
`388`	`391`	`$table.Rows.Add($row)`
`@@ -496,6 +499,11 @@ function Get-ADFSEvents`
`496`	`499`	`foreach($Event in $Events)`
`497`	`500`	`{`
`498`	`501`	`$ID = [string] $Event.CorrelationID`
	`502`	`+`
	`503`	`+ if($CorrelationID -ne "" -and $CorrelationID -ne $ID)`
	`504`	`+ {`
	`505`	`+ continue #Unrelated event mentioned correlation id in data blob`
	`506`	`+ }`
`499`	`507`
`500`	`508`	`if(![string]::IsNullOrEmpty($ID) -and $HashTable.Contains($ID)) #Add event to exisiting list`
`501`	`509`	`{`
`@@ -545,4 +553,4 @@ function Get-ADFSEvents`
`545`	`553`
`546`	`554`	`}`
`547`	`555`	`Export-ModuleMember -Function Get-ADFSEvents`
`548`		`-Export-ModuleMember -Function Write-ADFSEventsSummary`
	`556`	`+Export-ModuleMember -Function Write-ADFSEventsSummary`