win-eventlog-triage
Install: `claude install-skill whobat/AI-Agent-skills`
# Windows Event Log Triage
> Targets **Windows servers** over **PowerShell Remoting (WinRM)**. The bundled script `scripts/Invoke-EventLogTriage.ps1` collects + groups events and emits JSON; **the agent (you) writes the triage narrative.** The script never calls an LLM.
`SCRIPT` = this skill's `scripts/Invoke-EventLogTriage.ps1`. It **requires PowerShell 7+** (`pwsh`) and WinRM enabled on the targets.
## Credentials (important)
The script **always prompts** for a tier-admin credential via `Get-Credential` — held in memory for that run only, reused across all servers, never written to disk. The user's normal account does not need server access; the prompted credential authenticates the remoting session. Do **not** try to pass a password on the command line. (A `-Credential` parameter exists only as a testing/automation seam.)
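An added sketch, not the skill's own `Invoke-EventLogTriage.ps1`, of the credential pattern described above: one `Get-Credential` prompt reused for every host, collecting Critical and Error events from System and Application over WinRM and emitting grouped JSON. The host names and the JSON field names are assumptions of this example.

```powershell
#Requires -Version 7.0
# Added illustration; NOT the skill's script. Hosts and output shape are assumptions.

$servers = 'SRV01', 'SRV02'     # placeholder targets
$hours   = 24

# Prompt once. The PSCredential holds the password as a SecureString in memory,
# so it never appears in argv, shell history or a file on disk.
$cred = Get-Credential -Message 'Tier-admin credential for WinRM'

# Runs on each target: filter server-side, group, return only the summary rows.
$collect = {
    param([int]$Hours)
    $filter = @{
        LogName   = 'System', 'Application'
        Level     = 1, 2                          # 1 = Critical, 2 = Error
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent writes a non-terminating error when nothing matches; treat as empty.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object LogName, ProviderName, Id |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Log      = $first.LogName
                Provider = $first.ProviderName
                EventId  = $first.Id
                Level    = $first.LevelDisplayName
                Count    = $_.Count
                LastSeen = ($_.Group | Measure-Object TimeCreated -Maximum).Maximum
                Sample   = ($first.Message -split "`r?`n")[0]   # first line only
            }
        }
}

$report = foreach ($server in $servers) {
    try {
        $params = @{ ComputerName = $server; Credential = $cred; ScriptBlock = $collect
                     ArgumentList = $hours; ErrorAction = 'Stop' }
        $groups = Invoke-Command @params
        [pscustomobject]@{ Server = $server; Ok = $true
                           Groups = @($groups | Sort-Object Count -Descending) }
    }
    catch {
        # An unreachable or access-denied host is recorded, not fatal to the run.
        [pscustomobject]@{ Server = $server; Ok = $false; Error = $_.Exception.Message }
    }
}

$report | ConvertTo-Json -Depth 5
```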
## How to run
Always run with `pwsh`. Parse the JSON it prints on stdout.
| Want | Pass |
|------|------|
| **One server** | `-ComputerName SRV01` |
| **Several inline** | `-ComputerName SRV01,SRV02,SRV03` |
| **A list from a file** | `-ServerListFile C:\path\hosts.txt` (one host per line; `#` comments + blank lines ignored) |
| **Time window** | `-Hours 24` (default) · `-Since '2026-06-08T00:00'` · `-From <dt> -To <dt>` |
| **Severity** | default Critical+Error · `-IncludeWarning` · `-Level 1,2,3` |
| **More logs** | default System+Application · `-IncludeSecurity` · `-Logs System,Application,'Microsoft-Windows-...'` |
| **Noise control** | `-Suppr