Search event logs for file system access

  • Question

  • I'm looking to create a script that will allow me to search Windows 2012 security event logs for access to specific folders.  Ideally it would allow the granularity to search for read access events (4663) and specify specific users to view.  One example would be to show events for drive F:\ where the folder name is JSmith (including subfolders) and the username is not JSmith.

    I've tried something like this, but can't see how to filter.

    Get-EventLog security | ? {$_.Message.contains("F:\JSmith")}

    Thursday, April 23, 2015 3:21 PM

Answers

  • Here is a more explicit example:

    $userid='jsmith'
    $xpath="*[System[EventID=4663] and EventData[Data[@Name='SubjectUserName']='$userid']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath |
        Select-Object @{N='SubjectUserName';E={$_.Properties[1].Value}},
                      @{N='FileName';E={$_.Properties[6].Value}}


    \_(ツ)_/



    • Edited by jrv Tuesday, April 28, 2015 1:40 PM
    • Marked as answer by m.siib Tuesday, April 28, 2015 5:58 PM
    Tuesday, April 28, 2015 1:39 PM

All replies

  • Better use Get-WinEvent

    get-winevent -FilterHashtable  @{LogName="Security"} | ?{$_.message -match "something"}


    Regards Chen V [MCTS SharePoint 2010]

    Thursday, April 23, 2015 3:40 PM
  • Is the match explicit?  How can I use wildcard?  How can I exclude events?
    Thursday, April 23, 2015 3:42 PM
  • More like this:

    Get-WinEvent -FilterHashTable  @{LogName='Security';ID=4663;Data=@('something','other','thing')}


    \_(ツ)_/


    • Edited by jrv Thursday, April 23, 2015 5:29 PM
    Thursday, April 23, 2015 5:26 PM
  • You can use wildcards but you will have to use FilterXPath for that.


    \_(ツ)_/

    Thursday, April 23, 2015 5:29 PM
  • I'm having trouble with the syntax.  I can't find any examples of FilterXPath with wildcards.  Trying something like this, just to start.

    Get-WinEvent -LogName Security -FilterXPath "*[EventData[Data[@Name='ObjectName']='F:\JSmith*']]"

    Thursday, April 23, 2015 8:26 PM
  • If you do not pick a specific event id you will get nothing but errors.


    \_(ツ)_/

    Thursday, April 23, 2015 9:17 PM
  • Here is an example using the logon records:

    $userid='jsmith'
    $xpath="*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= 86400000]] and EventData[Data[@Name='TargetUserName']!='$userid']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath
    


    \_(ツ)_/

    Thursday, April 23, 2015 9:50 PM
  • Had to change to the following, but it gets results.  Now how can I control the output?  I'd like to output only SubjectUserName

    $userid='jsmith'
    $xpath="*[System[EventID=4663 and TimeCreated[timediff(@SystemTime) <= 86400000]] and EventData[Data[@Name='SubjectUserName']!='$userid']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath

    Adding | Select SubjectUserName gives blank results.  Even if I use | Export-csv file.csv, it doesn't show the SubjectUserName.

    Friday, April 24, 2015 12:38 AM
  • Add "Select -expand properties"

    One of the properties will be the name.


    \_(ツ)_/

    Friday, April 24, 2015 12:49 AM
  • That appears to give the info, but it spits it out as one column.  Is there a way to get it to separate into columns?  Tried Export-csv, but doesn't work.
    Friday, April 24, 2015 1:20 AM
  • Just use calculated properties.


    \_(ツ)_/

    Friday, April 24, 2015 1:32 AM
  • Shouldn't something like this work?

    $userid='jsmith'
    $xpath="*[System[EventID=4663 and TimeCreated[timediff(@SystemTime) <= 86400000]] and EventData[Data[@Name='SubjectUserName']!='$userid']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath | Select -expand properties | Select-Object SubjectUserName,ObjectName

    Friday, April 24, 2015 1:42 AM
  • I'm still having trouble with this.  Is Log Parser a good tool to get this done?
    Monday, April 27, 2015 4:42 PM
  • You have to extract the XML or use a calculated property referencing the property you want.

    $userid='jsmith'
    $xpath="*[System[EventID=4663 and TimeCreated[timediff(@SystemTime) <= 86400000]] and EventData[Data[@Name='SubjectUserName']!='$userid']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath |
        Select-Object @{N='SubjectUserName';E={$_.Properties[3].Value}}


    I don't have auditing turned on so I cannot tell you which property has the name.  Just look for it and count the array.


    \_(ツ)_/


    • Edited by jrv Monday, April 27, 2015 6:05 PM
    Monday, April 27, 2015 6:05 PM
  • Maybe I should reframe the question.  How are people doing this?  If you're logging file access, how can you see the following:

    1. Who accessed a specific file
    2. Who accessed any file within a specific folder
    3. What files has X user accessed in a time period

    Tuesday, April 28, 2015 1:08 PM
  • That is completely different from your question.  You asked how to get the data from an event in the event log.  We showed you.  If you have a different question then you will have to start a new topic.

    A quick pointer is that you have to enable auditing on files and retrieve the information from the event log.  If you want that report you will have to write a script or purchase a third party tool to give you the report.  There is no single command to do what you want.

    The last script example I posted will give you the information if you actually do what I suggested.


    \_(ツ)_/

    Tuesday, April 28, 2015 1:18 PM
  • Since I wasn't able to get the suggestions to work, I figured I'd dumb down the question.  I'll search elsewhere.  Thanks for the help.
    Tuesday, April 28, 2015 1:25 PM
  • I can use this.  Thanks.
    Tuesday, April 28, 2015 5:58 PM
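The following script is an added example (not posted by anyone in the thread) that combines the accepted answer's XPath filter and calculated properties into a report answering the three reframed questions: who touched a folder, which files, and what each user accessed in a time window. The folder path, the excluded user name and the 24-hour window are assumed placeholder values, and the 4663 property indices follow the order of the event's EventData fields.

```powershell
# Added example: report 4663 (object access) events under a folder, excluding one
# user, over the last N hours. Requires file-system auditing (SACL on the folder
# plus the "Audit File System"/"Object Access" policy), otherwise no 4663 exists.
param(
    [string]$Folder      = 'F:\JSmith',  # assumed path; subfolders are included
    [string]$ExcludeUser = 'jsmith',     # assumed user whose own access is not of interest
    [int]$Hours          = 24
)

$ms = $Hours * 3600 * 1000   # timediff() in event-log XPath is in milliseconds

# The event-log XPath subset has no wildcards or string functions, so only exact
# values (event id, time window, user) can be filtered on the server side.
# Note: the Data comparison is case-sensitive; match the casing the log records.
$xpath = "*[System[EventID=4663 and TimeCreated[timediff(@SystemTime) <= $ms]]" +
         " and EventData[Data[@Name='SubjectUserName']!='$ExcludeUser']]"

# 4663 EventData order: 0 SubjectUserSid, 1 SubjectUserName, 2 SubjectDomainName,
# 3 SubjectLogonId, 4 ObjectServer, 5 ObjectType, 6 ObjectName, 7 HandleId,
# 8 AccessList, 9 AccessMask, 10 ProcessId, 11 ProcessName
$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{N='User';       E={ "$($_.Properties[2].Value)\$($_.Properties[1].Value)" }},
        @{N='ObjectName'; E={ $_.Properties[6].Value }},
        @{N='AccessMask'; E={ $_.Properties[9].Value }},
        @{N='Process';    E={ $_.Properties[11].Value }}

# Folder (prefix) matching is done client-side; -like is case-insensitive and
# treats '\' literally, so only '*' acts as a wildcard here.
$root   = $Folder.TrimEnd('\')
$hits   = $events | Where-Object { $_.ObjectName -eq $root -or $_.ObjectName -like "$root\*" }

# Questions 1 and 2: who accessed a specific file / any file under the folder
$hits | Sort-Object TimeCreated |
    Format-Table TimeCreated, User, ObjectName, AccessMask, Process -AutoSize

# Question 3: distinct files each user touched inside the window
$hits | Group-Object User | ForEach-Object {
    [pscustomobject]@{
        User  = $_.Name
        Files = ($_.Group | ForEach-Object ObjectName | Sort-Object -Unique) -join '; '
    }
}
```

For a single file, pipe `$hits` through `Where-Object ObjectName -eq 'F:\JSmith\report.xlsx'` (assumed path); because 4663 is logged per handle, expect several rows per open of the same file with different AccessMask values.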