Audit report for Deleted files

    Question

  • Hi All,

    I am working on a script which would send an audit report in CSV format every 24 hours. The problem that I am facing is that when I take the report out, it has a lot of .tmp files in it which are not really relevant. I want to omit them from the result. Currently I have the following done.

    PowerShell script to capture the events and dump it in a CSV file and then send the file using VBScript.

    # Query the log once and reuse the result; .Value unwraps each property to its string
    $events = Get-WinEvent -FilterXml ([xml](Get-Content C:\ADMIN\Temp\Audit\CustomFilter.xml))
    $Name = @{ label="Username"; Expression={$_.Properties[1].Value} }
    $File = @{ label="FileName"; Expression={$_.Properties[6].Value} }
    $events | Select-Object $Name,$File | Export-Csv C:\ADMIN\Temp\Audit\DeleteEventLog.csv -NoTypeInformation
    cscript /nologo C:\ADMIN\Temp\Audit\SendMail.vbs

    Contents of the CustomFilter.xml

    <QueryList>
      <Query Id="0">
        <Select Path="Security">
          *[System[TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
          and
          *[EventData[Data[@Name='ObjectName'] and (Data!='*.tmp')]]
          and
          *[System[(EventID='4663')]]
        </Select>
      </Query>
    </QueryList>

    For some reason, the data doesn't get filtered for the *.tmp files.

    I have also tried using the following, but it still doesn't work.

    Get-WinEvent -FilterHashTable @{logname='security'; ID=4663} | where {$_.properties[6] -notlike "*tmp"}

    Someone please help!

    Thursday, February 16, 2012 5:24 AM

Answers

  • sorry, use this instead:

    $_.Properties[6].Value

    just to show you my investigation process - some quick investigation yields the following (note that I have switched to another event type as I do not have object access auditing enabled):

    a) limit the number of events to speed the testing up (-MaxEvents 5), extract the first event from the list ([0])

    (Get-WinEvent -FilterHashTable @{logname='security'; ID=4634} -MaxEvent 5)[0]

    TimeCreated              ProviderName                                   Id Message
    -----------              ------------                                   -- -------
    23.2.2012 10:30:46       Microsoft-Windows-Sec...                     4634 An account was logged...

    b) get the .Properties field with

    (Get-WinEvent -FilterHashTable @{logname='security'; ID=4634} -MaxEvent 5)[0].Properties

    Value
    -----
    S-1-5-21-26348455-1143353252-1947177519-1003
    AD2$
    JCU
    564342642
    3

    c) from the previous output you can see there is the "Value" column. So we proceed with a single value selection:

    (Get-WinEvent -FilterHashTable @{logname='security'; ID=4634} -MaxEvent 5)[0].Properties[1]

    Value
    -----
    FS1$

    d) from the previous output you can see that the Value field is still there. So the final result is

    (Get-WinEvent -FilterHashTable @{logname='security'; ID=4634} -MaxEvent 5)[0].Properties[1].Value

    FS1$

    which gets just the string.

    ondrej.

    • Marked as answer by Shishir Garde Tuesday, February 28, 2012 4:47 AM
    Thursday, February 23, 2012 9:36 AM
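    An added example, not code from the thread: the complete 24-hour delete report once the .Value lesson is applied. It reads the 4663 fields by name from the event XML instead of by position, and drops .tmp objects in PowerShell, because the Event Log's XPath subset supports no wildcards or string functions (Data!='*.tmp' compares against the literal text *.tmp). The output path and the DELETE access-mask check are assumptions.

```powershell
# Added example (not from the thread): 24-hour file-deletion audit from Security 4663.
# Assumptions: output path below; DELETE access right = 0x10000 in the 4663 AccessMask.
$ReportPath = 'C:\ADMIN\Temp\Audit\DeleteEventLog.csv'   # assumed output path
$Since      = (Get-Date).AddHours(-24)                   # same window as timediff 86400000 ms

# Read an EventData field by its Name attribute, so the script does not depend on
# the positional index (Properties[6]) staying the same across Windows versions.
function Get-EventDataField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4663
    StartTime = $Since
} -ErrorAction SilentlyContinue    # no matching events is not an error

$rows = foreach ($e in $events) {
    $object = Get-EventDataField -Event $e -Name 'ObjectName'
    # -notlike only works once the value is a string, never on the property wrapper object
    if ($object -like '*.tmp') { continue }
    # Keep only accesses that requested DELETE (assumed mask 0x10000); remove to report all
    $mask = [int](Get-EventDataField -Event $e -Name 'AccessMask')
    if (-not ($mask -band 0x10000)) { continue }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        Username    = Get-EventDataField -Event $e -Name 'SubjectUserName'
        FileName    = $object
        Process     = Get-EventDataField -Event $e -Name 'ProcessName'
    }
}

$rows | Sort-Object TimeCreated | Export-Csv -Path $ReportPath -NoTypeInformation
```

    Object access auditing must be enabled and a SACL set on the folder, otherwise no 4663 events exist to report.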

All replies

  • Can someone please help with this?
    Friday, February 17, 2012 1:38 AM
  • Hi Shishir,

    Here is an article about the XML filtering in Event Viewer.

    Advanced XML filtering in the Windows Event Viewer

    http://blogs.technet.com/b/askds/archive/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer.aspx

    Meanwhile, as this problem is related to script, I suggest that you create a new post in the Official Scripting Guys Forum to get further support there. They are the best resource for scripting related problems.

    The Official Scripting Guys Forum!

    http://social.technet.microsoft.com/Forums/en-US/ITCG/threads

    Thanks for your understanding.

    Regards,

    Bruce

    Forum Support


    Friday, February 17, 2012 8:59 AM
  • have you tried $_.Properties[6].ToString(), sometimes the value is not string directly.

    o.

    Sunday, February 19, 2012 5:58 AM
  • I have not tried that Ondrej, assuming that it is already a string ... but that is a good point ... I will try that and post here ... thanks a lot!
    Sunday, February 19, 2012 6:03 AM
  • Hi,

    I’d like to confirm the current status of this problem. If there is any update, please let us know.

    Have a nice day!

    Wednesday, February 22, 2012 7:05 AM
  • Hi Bruce, the problem is still the same.

    Ondrej, unfortunately $_.Properties[6].ToString() gives me the same result. It still does not read the contents of the string, I guess.

    Completely stuck with this!

    Thursday, February 23, 2012 6:27 AM
  • Thanks a lot for this Ondrej ... I had been struggling with this for a long time. Now I just have to look at getting the values in tabular format :)
    Tuesday, February 28, 2012 4:48 AM
  • Shishir, can you share with us the complete script??? include the sendmail vbs

    Thank you!


    Gustavo Valle | http://grvalle.com

    Wednesday, March 27, 2013 8:22 PM