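#requires -version 3
# Alan dot Kaplan at va dot gov
# alan at akaplan dot com
# 2/10/16
<#
.SYNOPSIS
    Gets the oldest event from a Windows computer's event log.

.DESCRIPTION
    This script helps you determine the rollover time for a security log by
    returning the oldest event from a Windows computer. It returns the age of
    the record and its TimeCreated value. Optionally you can return the entire
    oldest record with the age as an added member. The default computer is the
    local computer, and the default event log is Security.

.PARAMETER ComputerName
    The name of the computer. The default is $env:COMPUTERNAME.

.PARAMETER eLog
    The event log to query. The choices are Security, System, Application.
    The default is Security.

.PARAMETER ReturnAll
    This optional switch returns the entire oldest event of the selected log,
    together with the calculated age.

.EXAMPLE
    Get-OldestEvent

    Get the time created and age for the oldest event in the Security log of
    this computer. (Must RunAs Administrator)

.EXAMPLE
    Get-OldestEvent -eLog Application

    Get the time created and age for the oldest event in the Application log
    of this computer. (Must RunAs Administrator)

.EXAMPLE
    Get-OldestEvent -ComputerName MyServerName -eLog security -ReturnAll

    Get the oldest event from the Security log on MyServerName, plus the age
    of the event.

.NOTES
    The administrator test is a convenience pre-flight for local queries only;
    it is not an access control. Access to the log is decided by the target
    computer when Get-WinEvent runs.

    IsInRole(Administrator) is false in a non-elevated session even when the
    account belongs to the Administrators group, hence "RunAs Administrator".

    When reading the result as a retention figure for the Security log, check
    the returned record: if the oldest record is event ID 1102 (audit log
    cleared), its age is the time since the log was cleared, not the
    size-based rollover window.

    On failure the function writes a warning and returns nothing. It does not
    call Exit, so a dot-sourced or imported copy leaves the caller's session
    running.
#>
function Get-OldestEvent {
    [CmdletBinding()]
    Param (
        # Computer to query; defaults to the local computer name.
        [Parameter()]
        [string]$ComputerName = $env:COMPUTERNAME,

        # Name of the event log to query.
        [Parameter()]
        [ValidateSet("Security", "System", "Application")]
        [string]$eLog = 'Security',

        # Return all properties of the oldest event instead of Age and TimeCreated.
        [Parameter()]
        [switch]$ReturnAll
    )

    Begin {
        $OldestEvent = $null
        # Set when a pre-flight check or the query fails, so later blocks do nothing.
        $skip = $false

        # Exact (case-insensitive) comparison, also accepting the local name as
        # the host part of an FQDN. A regex -match would treat any name that
        # merely contains the local name (MYPC vs MYPC2) as the local computer.
        $isLocal = ($ComputerName -eq $env:COMPUTERNAME) -or
                   ($ComputerName -like "$($env:COMPUTERNAME).*")

        if ($isLocal) {
            $Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
            $Principal = New-Object System.Security.Principal.WindowsPrincipal($Identity)
            $IsAdministrator = $Principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

            if (-not $IsAdministrator) {
                Write-Warning "You must be an administrator to view event logs, quitting."
                # Exit here would close the caller's whole session.
                $skip = $true
            }
        }
    }

    Process {
        if ($skip) { return }

        Try {
            # -Oldest reads the log in ascending order, so the first record is the oldest.
            $OldestEvent = Get-WinEvent -ComputerName $ComputerName -LogName $eLog -Oldest -MaxEvents 1 -ErrorAction Stop
        }
        Catch {
            # $_ is the error caught by this block; $Error[0] could be a different record.
            Write-Warning $_.Exception.Message
            $skip = $true
        }
    }

    End {
        if ($skip -or -not $OldestEvent) { return }

        # $this binds the age to the record itself rather than to a variable
        # that only exists inside this function.
        $OldestEvent = Add-Member -InputObject $OldestEvent -Name 'Age' -MemberType ScriptProperty -Value { New-TimeSpan -Start $this.TimeCreated } -PassThru -Force

        if ($ReturnAll) {
            $props = '*'
        }
        else {
            $props = @('Age', 'TimeCreated')
        }

        # Select-Object evaluates Age now and returns a static copy of the values.
        return ($OldestEvent | Select-Object -Property $props)
    }
}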