Skip to content

DefenderK/GetBHELogs

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

36 Commits
GetBHESupportLogsTool.ps1
GetBHESupportLogsTool.ps1
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

BHE Logs Collector

Collector tool to gather: Windows event logs, BloodHound Enterprise (BHE) SharpHound and/or AzureHound service artifacts, and/or a Performance monitor trace into an output zip.
Designed for support and troubleshooting.

What it does

  • Exports Application and System event logs (.evtx; falls back to XML if needed).
  • Collects BHE artifacts from the SharpHound service account profile:
    • BloodHoundEnterprise/log_archive/
    • BloodHoundEnterprise/service.log
    • BloodHoundEnterprise/settings.json
  • When AzureHound is selected, in addition to the event logs, collects azurehound.log from C:\Program Files\AzureHound Enterprise\azurehound.log if present.
  • Shows per-item status and a final summary.
  • Creates a timestamped folder and zip in the chosen output directory (Desktop by default).
  • When using -All, collects all logs simultaneously: SharpHound, AzureHound, and Windows event logs.
  • When using -AllPlusPerf, it additionally creates a Performance Monitor Data Collector Set and starts the trace. It creates the output blg file in C:\PerfLogs
  • When using -GetCompStatus, analyzes a compstatus.csv file to provide troubleshooting insights about system availability and permission issues.

Requirements

  • Windows PowerShell 5.1+ (PowerShell 7+ also works).
  • Recommended: Run as Administrator (for event log export and access to service profiles).
  • Output folder (-OutputRoot) must exist and be writable. Defaults to the logged-on user's Desktop.

Quick Start

  1. Download the script to your target system (or git clone)
  2. Open PowerShell as Administrator
  3. Navigate to the script directory
  4. Unblock the file (required for downloaded scripts): 
    Unblock-File -Path ".\GetBHESupportLogsTool.ps1"
  5. Run the script: 
    .\GetBHESupportLogsTool.ps1
  6. Follow prompts to collect logs
  7. Review the generated zip file and folder

For automated collection:

.\GetBHESupportLogsTool.ps1 -All

Alternative: Execution Policy

If you continue to have issues, you may need to adjust the PowerShell execution policy:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

Note: This is a security setting change. Only use if the Unblock-File method doesn't work.

Usage

From an elevated PowerShell prompt in the scripts directory:

# Run the script directly (defaults to interactive mode)
.\GetBHESupportLogsTool.ps1

Interactive flow

  • Displays an ASCII banner.
  • Prompts: Press Enter to collect logs, or Q to quit.
  • Displays output log location.
  • Prompts for: Select collection target: (S)harpHound or (A)zureHound Choice [S/A]:
  • Displays per-item status as logs and files are collected.
  • Prints a summary and offers: Press O to open output folder, Z to open at zip, or any other key to exit.
  • When using -All, all logs are collected regardless of interactive target selection.

Note: The script is interactive by default for selective collection. Use -All or -AllPlusPerf to collect everything automatically without user input, or run without parameters for selective collection.

Examples

Basic Collection

# Interactive collection (default)
.\GetBHESupportLogsTool.ps1

# Automated collection of all logs
.\GetBHESupportLogsTool.ps1 -All

# Collection with custom output location
.\GetBHESupportLogsTool.ps1 -OutputRoot "C:\Temp"

Configuration Management

# Set SharpHound logging levels and restart service
.\GetBHESupportLogsTool.ps1 -SetLogLevel Debug -SetEnumerationLogLevel Trace -RestartDelegator

# Set AzureHound verbosity and restart
.\GetBHESupportLogsTool.ps1 -SetAzureVerbosity 2 -RestartAzureHound

Selective Collection

# Skip Event Logs and settings.json
.\GetBHESupportLogsTool.ps1 -ExcludeEventLogs -ExcludeSettings

# Limit log archive collection
.\GetBHESupportLogsTool.ps1 -LogArchiveNumber 10

# Performance monitoring only
.\GetBHESupportLogsTool.ps1 -GetBHEPerfmon

CompStatus Analysis

# Analyze compstatus.csv file for troubleshooting
.\GetBHESupportLogsTool.ps1 -GetCompStatus 'C:\path\to\compstatus.csv'

Help & Information

# Display help
.\GetBHESupportLogsTool.ps1 -Help

Configuration-only mode

  • When using only configuration/service parameters (-SetLogLevel, -SetEnumerationLogLevel, -RestartDelegator, -SetAzureVerbosity, -RestartAzureHound), the script skips the collection options entirely.
  • Only makes the requested changes and shows verification of what was updated.
  • Useful for troubleshooting when you need to change settings but don't want to collect logs yet.
  • Example: .\GetBHESupportLogsTool.ps1 -SetAzureVerbosity 2 -RestartAzureHound will only change verbosity and restart the service.

⚠️ Note: Log level changes and service restarts are controlled only via parameters.

All Parameters

Collection Control

  • -OutputRoot [string] — Root folder where the output directory and zip are created. Defaults to Desktop.
  • -All [switch] — Collect all logs: SharpHound, AzureHound, and Windows event logs simultaneously. Automated execution - no user input required.
  • -AllPlusPerf [switch] — Do everything -All does and also ensure a BHE perfmon trace is set up. Automated execution - no user input required.
  • -LogArchiveNumber [int] — Copy only the N most recent files from the log_archive folder.

Exclusion Options

  • -ExcludeEventLogs [switch] — Skip exporting Windows Application/System event logs.
  • -ExcludeSettings [switch] — Skip copying settings.json from the BHE folder.

SharpHound Configuration Management

  • -SetLogLevel [Trace|Debug|Information] — Update LogLevel in settings.json before collection.
  • -SetEnumerationLogLevel [Trace|Debug|Information] — Update EnumerationLogLevel in settings.json.
  • -RestartDelegator [switch] — Automatically restart the Delegator service (useful after log level changes).

AzureHound Configuration Management

  • -SetAzureVerbosity [0|1|2] — Set AzureHound service log verbosity in C:\ProgramData\azurehound\config.json (0=Default, 1=Debug, 2=Trace).
  • -RestartAzureHound [switch] — Restart the AzureHound Windows service (useful after log level changes).

Performance Monitoring

  • -GetBHEPerfmon [switch] — Perfmon-only mode. If the Data Collector Set is running, you'll be prompted to stop it and then the trace files in C:\PerfLogs are zipped to Desktop as <COMPUTERNAME>_PerfTrace.zip. If it isn't present, the Data Collector Set is created and started with recommended counters.
  • -DeleteBHEPerfmon [switch] — Stop and delete the Data Collector Set.

Analysis Tools

  • -GetCompStatus [string] — Analyze a compstatus.csv file to provide troubleshooting insights. Shows status pivot tables, failure analysis, unreachable systems on port 445/TCP, subnet analysis, and permission issues.

Utility

  • -Help [switch] — Display command line parameters and examples, then exit.

CompStatus Analysis

The script can analyze compstatus.csv files to provide troubleshooting insights about BloodHound Enterprise collection status. This feature helps identify:

  • Status Overview: Pivot tables showing task completion status (excluding GetMembersInAlias tasks)
  • Failure Analysis: Detailed breakdown of failed tasks and their status codes
  • Network Connectivity: Systems unreachable on port 445/TCP (SMB)
  • Subnet Analysis: IPv4 /24 and /16 subnet groupings of unreachable systems
  • Permission Issues: Systems with access denied errors

Usage

# Analyze a compstatus.csv file
.\GetBHESupportLogsTool.ps1 -GetCompStatus 'C:\path\to\compstatus.csv'

Sample Output

CompStatus Analysis Mode

=== Status Pivot Table (Excluding GetMembersInAlias) ===
Task                    Status      Count
----                    ------      -----
ComputerAvailability    Success     150
ComputerAvailability    PortNotOpen 25
GetDomainUsers          Success     120
GetDomainUsers          ERROR_ACCESS_DENIED 5

=== Failures Only ===
Task                    Status              Count
----                    ------              -----
ComputerAvailability    PortNotOpen        25
GetDomainUsers          ERROR_ACCESS_DENIED 5

=== Systems Unreachable on 445/TCP ===
ComputerName    IPAddress    Task                Status
------------    ---------    ----                ------
SERVER01        192.168.1.10 ComputerAvailability PortNotOpen
SERVER02        192.168.1.11 ComputerAvailability PortNotOpen

=== IPv4 /24 Subnets Unreachable on 445/TCP ===
Name        Count
----        -----
192.168.1.0/24  15
192.168.2.0/24  10

=== Systems Missing Permissions ===
ComputerName    Task          Status
------------    ----          ------
SERVER03        GetDomainUsers ERROR_ACCESS_DENIED

Performance Monitor tracing

The script can manage a lightweight performance monitor trace using Windows logman:

  • Data Collector Set name: BloodHound_System_Overview_Lite
  • Location: C:\PerfLogs
  • Format: binary circular log (bincirc), 512 MB max, 30s sample interval
  • Counters included: "\Process(*)\*" "\PhysicalDisk(*)\*" "\Processor(*)\*" "\Memory\*" "\Network Interface(*)\*" "\System\System Up Time"
  • Note: You can also run logman query to check if the Data Collector Set is already setup and trace is running, example output below: 
    PS C:\Users\administrator.DEFENDERK\Desktop> logman query

Data Collector Set                      Type                          Status
-------------------------------------------------------------------------------
BloodHound_System_Overview_Lite         Counter                       Running

Typical flows

  • Start or check the Data Collector Set, and if the trace is already running choose to stop and zip:

    .\GetBHESupportLogsTool.ps1 -GetBHEPerfmon
# If running: press Y to stop and zip to Desktop as <COMPUTERNAME>_PerfTrace.zip
# Press Q to leave it running; any other key cancels

  • Collect all logs and also ensure the Data Collector Set is set up (automated execution, does not stop/zip automatically):

    .\GetBHESupportLogsTool.ps1 -AllPlusPerf
# Runs automatically without user input
# Later, run -GetBHEPerfmon and choose Y to stop and zip

  • Delete the Data Collector Set:

    .\GetBHESupportLogsTool.ps1 -DeleteBHEPerfmon

Notes

  • Privacy: Event logs may contain PII; settings.json may contain endpoints or config. Use -ExcludeEventLogs and/or -ExcludeSettings if needed.

Output example

  • Folder: BHE_SupportLogs_YYYYMMDD_HHMMSS
  • Zip: BHE_SupportLogs_YYYYMMDD_HHMMSS.zip
  • Perf Zip: <COMPUTERNAME>_PerfTrace.zip
  • Tool Collector Transcript: collectorlogs.log inside the folder

Troubleshooting

  • If EVTX export fails, the script falls back to XML export via Get-WinEvent.
  • If BHE files are NotFound, ensure the SHDelegator or AzureHound service is installed and running, and that your account has permissions to access the service profile.

Demo Output Example

Startup (Standard Mode)

========================================
        BHE Logs Collector v.2.10       
========================================
WARNING: This collection will include the below data!
-------> Windows Application and System event logs will be collected; use -ExcludeEventLogs to skip.
-------> settings.json will be collected; use -ExcludeSettings to skip.
Press Enter to collect logs, or Q to quit

Collection Progress

[INFO] Output folder: C:\Users\AdminUser\Desktop\BHE_SupportLogs_20250821_092237
[INFO] Using service 'SHDelegator' (DisplayName: 'SharpHoundDelegator') running as 'DOMAIN\svc_sharphound'
[INFO] Resolved service profile path: C:\Users\svc_sharphound
Collecting Windows Event Logs...
[INFO] Exporting Application and System event logs...
  - Application Event Log ... Collected - EVTX
  - System Event Log ... Collected - EVTX
Collecting BloodHoundEnterprise files...
  - BHE log_archive ... Collected
  - BHE service.log ... Collected
  - BHE settings.json ... Collected

[INFO] Creating zip archive...
  - Zip Archive ... Created
Collection complete.
Folder: C:\Users\AdminUser\Desktop\BHE_SupportLogs_20250821_092237
Zip:    C:\Users\AdminUser\Desktop\BHE_SupportLogs_20250821_092237.zip

Summary

Collected:
  - Application Event Log -> C:\Users\AdminUser\Desktop\BHE_SupportLogs_20250821_092237\Application.evtx
  - System Event Log -> C:\Users\AdminUser\Desktop\BHE_SupportLogs_20250821_092237\System.evtx
  - BHE log_archive -> C:\Users\AdminUser\Desktop\BHE_SupportLogs_20250821_092237\BloodHoundEnterprise\log_archive
  - BHE service.log -> C:\Users\AdminUser\Desktop\BHE_SupportLogs_20250821_092237\BloodHoundEnterprise\service.log
  - BHE settings.json -> C:\Users\AdminUser\Desktop\BHE_SupportLogs_20250821_092237\BloodHoundEnterprise\settings.json
  - Zip Archive -> C:\Users\AdminUser\Desktop\BHE_SupportLogs_20250821_092237.zip

Output folder: C:\Users\AdminUser\Desktop\BHE_SupportLogs_20250821_092237
Zip archive:  C:\Users\AdminUser\Desktop\BHE_SupportLogs_20250821_092237.zip

Press O to open output folder, Z to open at zip, or any other key to exit.
Choice:

License

This project is licensed under the MIT License. You are free to use, modify, and distribute it with attribution. See the LICENSE file for details.


---

About

Collect Windows event logs and BloodHound Enterprise (BHE) service artifacts into a single zip.

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages