Audit report for Deleted files
-
Thursday, February 16, 2012 5:24 AM
Hi All,
I am working on a script which would send an audit report in CSV format every 24 hours. The problem that I am facing is that when I take the report out, it has a lot of .tmp files in it which are not really relevant. I want to omit them from the result. Currently I have the following done.
PowerShell script to capture the events and dump it in a CSV file and then send the file using VBScript.
$events = Get-WinEvent -FilterXml ([xml](Get-Content C:\ADMIN\Temp\Audit\CustomFilter.xml))
$Name = @{ label="Username"; Expression={$_.properties[1].value} }
$File = @{ label="FileName"; Expression={$_.properties[6].value} }
get-winevent -filterXML ([xml](Get-Content C:\ADMIN\Temp\Audit\CustomFilter.xml)) | select $Name,$File | export-csv C:\ADMIN\Temp\Audit\DeleteEventLog.csv
cscript /nologo C:\ADMIN\Temp\Audit\SendMail.vbs
Contents of the CustomFilter.xml:
<QueryList>
<Query Id="0">
<Select Path="Security">
*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]
and
*[EventData[Data[@Name='ObjectName'] and (Data!='*.tmp')]]
and
*[System[(EventID='4663')]]
</Select>
</Query>
</QueryList>
For some reason, the data doesn't get filtered for the *.tmp files.
I have also tried using the following, but it still doesn't work.
Get-WinEvent -FilterHashTable @{logname='security'; ID=4663} | where {$_.properties[6] -notlike "*tmp"}
Someone please help!
All Replies
-
Friday, February 17, 2012 1:38 AM
Can someone please help with this?
-
Friday, February 17, 2012 8:59 AM Moderator
Hi Shishir,
Here is an article about the XML filtering in Event Viewer.
Advanced XML filtering in the Windows Event Viewer
Meanwhile, as this problem is related to script, I suggest that you create a new post in the Official Scripting Guys Forum to get further support there. They are the best resource for scripting related problems.
The Official Scripting Guys Forum!
http://social.technet.microsoft.com/Forums/en-US/ITCG/threads
Thanks for your understanding.
Regards,
Bruce
Forum Support
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
-
Sunday, February 19, 2012 5:58 AM
Have you tried $_.Properties[6].ToString()? Sometimes the value is not a string directly.
o.
-
Sunday, February 19, 2012 6:03 AM
I have not tried that Ondrej, assuming that it is already a string ... but that is a good point ... I would try that and post here ... thanks a lot!
-
Wednesday, February 22, 2012 7:05 AM Moderator
Hi,
I’d like to confirm the current status of this problem. If there is any update, please let us know.
Have a nice day!
-
Thursday, February 23, 2012 6:27 AM
Hi Bruce, the problem is still the same.
Ondrej, unfortunately $_.Properties[6].ToString() gives me the same result. It still does not read the contents of the string, I guess.
Completely stuck with this!
-
Thursday, February 23, 2012 9:36 AM
Sorry, use this instead:
$_.Properties[6].Value
Just to show you my investigation process, some quick investigation yields the following (note that I have switched to another event type as I do not have object access auditing enabled):
a) limit the number of events to speed the testing up (-MaxEvents 5), extract the first event from the list ([0])
(Get-WinEvent -FilterHashTable @{logname='security'; ID=4634} -MaxEvent 5)[0]
TimeCreated ProviderName Id Message
----------- ------------ -- -------
23.2.2012 10:30:46 Microsoft-Windows-Sec... 4634 An account was logged...
b) get the .Properties field with
(Get-WinEvent -FilterHashTable @{logname='security'; ID=4634} -MaxEvent 5)[0].Properties
Value
-----
S-1-5-21-26348455-1143353252-1947177519-1003
AD2$
JCU
564342642
3
c) from the previous output you can see there is the "Value" column. So we proceed with a single value selection:
(Get-WinEvent -FilterHashTable @{logname='security'; ID=4634} -MaxEvent 5)[0].Properties[1]
Value
-----
FS1$
d) from the previous output you can see that the Value field is still there. So the final result is
(Get-WinEvent -FilterHashTable @{logname='security'; ID=4634} -MaxEvent 5)[0].Properties[1].Value
FS1$
which gets just the string.
ondrej.
- Marked As Answer by Shishir Garde Tuesday, February 28, 2012 4:47 AM
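As an added example (not Ondrej's or Shishir's code, and not posted in this thread), here is the report step of the original question rewritten around the point made above: filtering on $_.Properties[6].Value rather than on the EventProperty object. Two things explain why the earlier attempts returned unfiltered data. The event log's XPath dialect compares strings literally, so Data!='*.tmp' only excludes an object that is actually named "*.tmp"; it is not a wildcard. And $_.properties[6] -notlike "*tmp" compares the string form of an EventProperty object (its type name), which never matches, so nothing is excluded; .Value yields the actual path. The file paths are placeholders, the 24-hour window mirrors the timediff value in CustomFilter.xml, and the property indexes (1 = SubjectUserName, 6 = ObjectName, 9 = AccessMask, 11 = ProcessName) are assumed to follow the standard 4663 event layout the thread relies on; the AccessMask test for the DELETE right (0x10000) is an assumption about what "deleted files" should mean for this report and can be dropped if every 4663 access should be listed.

```powershell
# Added example, not from the thread: deleted-file audit report from
# Security event 4663, excluding *.tmp objects, exported to CSV.
# Assumes object-access auditing is enabled and the watched folder has a
# SACL that audits Delete; paths are placeholders.

$ReportPath = 'C:\ADMIN\Temp\Audit\DeleteEventLog.csv'   # placeholder path
$Since      = (Get-Date).AddHours(-24)                  # same window as timediff 86400000 ms

# Do the cheap, exact filtering (log, event ID, time) on the log side.
# The "*.tmp" pattern cannot be expressed in event-log XPath, so it is
# applied in PowerShell after the events are retrieved.
$filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }

$deleted = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object {
        # .Value is the actual string; the EventProperty object itself
        # stringifies to its type name and never matches a -like pattern.
        $path = $_.Properties[6].Value

        # Assumed 4663 layout: index 9 is AccessMask. 0x10000 is the DELETE
        # right; remove this test to report every audited access instead.
        $mask = [int64]$_.Properties[9].Value

        ($path -notlike '*.tmp') -and (($mask -band 0x10000) -ne 0)
    } |
    Select-Object TimeCreated,
        @{ Name = 'Username'; Expression = { $_.Properties[1].Value } },
        @{ Name = 'Domain';   Expression = { $_.Properties[2].Value } },
        @{ Name = 'FileName'; Expression = { $_.Properties[6].Value } },
        @{ Name = 'Process';  Expression = { $_.Properties[11].Value } }

# -NoTypeInformation drops the "#TYPE" header line that otherwise lands in
# the first row of the CSV and confuses spreadsheet imports.
$deleted | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8

# The mail step (cscript SendMail.vbs) from the original script would follow here.
```

If the report must keep using CustomFilter.xml, keep the TimeCreated and EventID clauses there and drop the Data!='*.tmp' clause; the Where-Object above does that part of the work.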
-
Tuesday, February 28, 2012 4:48 AM
Sorry, use this instead:
$_.Properties[6].Value
Just to show you my investigation process, some quick investigation yields the following (note that I have switched to another event type as I do not have object access auditing enabled):
a) limit the number of events to speed the testing up (-MaxEvents 5), extract the first event from the list ([0])
(Get-WinEvent -FilterHashTable @{logname='security'; ID=4634} -MaxEvent 5)[0]
TimeCreated ProviderName Id Message
----------- ------------ -- -------
23.2.2012 10:30:46 Microsoft-Windows-Sec... 4634 An account was logged...
b) get the .Properties field with
(Get-WinEvent -FilterHashTable @{logname='security'; ID=4634} -MaxEvent 5)[0].Properties
Value
-----
S-1-5-21-26348455-1143353252-1947177519-1003
AD2$
JCU
564342642
3
c) from the previous output you can see there is the "Value" column. So we proceed with a single value selection:
(Get-WinEvent -FilterHashTable @{logname='security'; ID=4634} -MaxEvent 5)[0].Properties[1]
Value
-----
FS1$
d) from the previous output you can see that the Value field is still there. So the final result is
(Get-WinEvent -FilterHashTable @{logname='security'; ID=4634} -MaxEvent 5)[0].Properties[1].Value
FS1$
which gets just the string.
ondrej.
Thanks a lot for this Ondrej ... I had been struggling with this for a long time. Now I just have to look at getting the values in tabular format :)
-
Wednesday, March 27, 2013 8:22 PM
Shishir, can you share the complete script with us? Include the SendMail VBS.
Thank you!
Gustavo Valle | http://grvalle.com