Public/Get-LMAuditLogs.ps1

<#
.SYNOPSIS
Retrieves audit logs from LogicMonitor.

.DESCRIPTION
The Get-LMAuditLogs function retrieves audit logs from LogicMonitor based on the specified parameters. It supports retrieving logs by ID, by date range, or by applying filters.

.PARAMETER Id
Specifies the ID of the audit log to retrieve. This parameter is mutually exclusive with the SearchString, StartDate, EndDate, and Filter parameters.

.PARAMETER SearchString
Specifies a search string to filter the audit logs. Only logs that contain the specified search string will be returned. This parameter is used in conjunction with the StartDate and EndDate parameters.

.PARAMETER StartDate
Specifies the start date of the audit logs to retrieve. Only logs that occurred on or after the specified start date will be returned. This parameter is used in conjunction with the SearchString and EndDate parameters.

.PARAMETER EndDate
Specifies the end date of the audit logs to retrieve. Only logs that occurred on or before the specified end date will be returned. This parameter is used in conjunction with the SearchString and StartDate parameters.

.PARAMETER Filter
Specifies a filter object to further refine the audit logs to retrieve. This parameter is used in conjunction with the StartDate and EndDate parameters.

.PARAMETER BatchSize
Specifies the number of audit logs to retrieve per request. The default value is 1000.

.EXAMPLE
Get-LMAuditLogs -Id "12345"
Retrieves the audit log with the specified ID.

.EXAMPLE
Get-LMAuditLogs -SearchString "login" -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date)
Retrieves audit logs that contain the search string "login" and occurred within the last 7 days.

.NOTES
This function requires a valid connection to LogicMonitor. Use Connect-LMAccount to establish a connection before running this command.
#>

Function Get-LMAuditLogs {

    [CmdletBinding(DefaultParameterSetName = 'Range')]
    Param (
        [Parameter(ParameterSetName = 'Id')]
        [String]$Id,

        [Parameter(ParameterSetName = 'Range')]
        [String]$SearchString,

        [Parameter(ParameterSetName = 'Range')]
        [Datetime]$StartDate,

        [Parameter(ParameterSetName = 'Range')]
        [Datetime]$EndDate,

        [Parameter(ParameterSetName = 'Filter')]
        [Object]$Filter,

        [ValidateRange(1,1000)]
        [Int]$BatchSize = 1000
    )
    #Check if we are logged in and have valid api creds
    If ($Script:LMAuth.Valid) {
        
        #Build header and uri
        $ResourcePath = "/setting/accesslogs"

        #Initalize vars
        $QueryParams = ""
        $Count = 0
        $Done = $false
        $Results = @()
        $QueryLimit = 10000 #API limit to how many results can be returned

        #Convert to epoch, if not set use defaults
        If (!$StartDate) {
            If($PSCmdlet.ParameterSetName -ne "Id"){
                Write-LMHost "[WARN]: No start date specified, defaulting to last 30 days" -ForegroundColor Yellow
            }
            [int]$StartDate = ([DateTimeOffset]$(Get-Date).AddDays(-30)).ToUnixTimeSeconds()
        }
        Else {
            [int]$StartDate = ([DateTimeOffset]$($StartDate)).ToUnixTimeSeconds()
        }

        If (!$EndDate) {
            [int]$EndDate = ([DateTimeOffset]$(Get-Date)).ToUnixTimeSeconds()
        }
        Else {
            [int]$EndDate = ([DateTimeOffset]$($EndDate)).ToUnixTimeSeconds()
        }

        #Loop through requests
        While (!$Done) {
            #Build query params
            Switch ($PSCmdlet.ParameterSetName) {
                "Range" { $QueryParams = "?filter=happenedOn%3E%3A`"$StartDate`"%2ChappenedOn%3C%3A`"$EndDate`"%2C_all~`"*$SearchString*`"&size=$BatchSize&offset=$Count&sort=+happenedOn" }
                "Id" { $resourcePath += "/$Id" }
                "Filter" {
                    #List of allowed filter props
                    $PropList = @()
                    $ValidFilter = Format-LMFilter -Filter $Filter -PropList $PropList
                    $QueryParams = "?filter=$ValidFilter&size=$BatchSize&offset=$Count&sort=+happenedOn"
                }
            }
            Try {
                $Headers = New-LMHeader -Auth $Script:LMAuth -Method "GET" -ResourcePath $ResourcePath
                $Uri = "https://$($Script:LMAuth.Portal).logicmonitor.com/santaba/rest" + $ResourcePath + $QueryParams

                

                Resolve-LMDebugInfo -Url $Uri -Headers $Headers[0] -Command $MyInvocation

                #Issue request
                $Response = Invoke-RestMethod -Uri $Uri -Method "GET" -Headers $Headers[0] -WebSession $Headers[1]

                #Stop looping if single device, no need to continue
                If ($PSCmdlet.ParameterSetName -eq "Id") {
                    $Done = $true
                    Return (Add-ObjectTypeInfo -InputObject $Response -TypeName "LogicMonitor.AuditLog" )
                }
                #Check result size and if needed loop again
                Else {
                    [Int]$Total = $Response.Total
                    [Int]$Count += ($Response.Items | Measure-Object).Count
                    $Results += $Response.Items
                    If ($Count -ge $QueryLimit) {
                        $Done = $true
                        Write-LMHost "[WARN]: Reached $QueryLimit record query limitation for this endpoint" -ForegroundColor Yellow
                    }
                    ElseIf ($Count -ge $Total -and $Total -ge 0) {
                        $Done = $true
                    }
                }
            }
            Catch [Exception] {
                $Proceed = Resolve-LMException -LMException $PSItem
                If (!$Proceed) {
                    Return
                }
            }
        }
        Return (Add-ObjectTypeInfo -InputObject $Results -TypeName "LogicMonitor.AuditLog" )
    }
    Else {
        Write-Error "Please ensure you are logged in before running any commands, use Connect-LMAccount to login and try again."
    }
}