help with looking for more than 1 eventID

  • Question

  • Hi

    I have a test Server 2012 R2 set up with auditing enabled for the deletion of any files or folders, set up in the local policy and on the folder.

    I have a PowerShell script that will trigger in Task Scheduler on event ID 4660 (object deleted).

    Script is:-

    $pcName = "GHSVR2012"
    # Takes only the newest 4663 (object access) event, so every run reports the same file
    $Event = Get-Eventlog -log security | where {$_.eventID -eq 4663} | Sort-Object index -Descending | Select-Object -First 1
    $User = $Event.ReplacementStrings[1]
    $Domain = $Event.ReplacementStrings[2]
    $File = $Event.ReplacementStrings[6]
    $MailSubject = "A File has been deleted in the G Drive:"
    $MailBody = "The account Name is :- " + $Domain + "\" + $User + "`r`n" + "The file deleted was from :" + $File + "`r`n" + "Time: " + $Event.TimeGenerated
    $SmtpClient = New-Object system.net.mail.smtpClient
    $SmtpClient.host = "smtp.xxxxxxxxxxxxxx"
    $MailMessage = New-Object system.net.mail.mailmessage
    $MailMessage.from = "xxxxxxxxxxxxxxxxxx"
    $MailMessage.To.add("xxxxxxxxxxxxxxxx")
    $MailMessage.IsBodyHtml = 0
    $MailMessage.Subject = $MailSubject
    $MailMessage.Body = $MailBody
    $SmtpClient.Send($MailMessage)


    I have everything working apart from one thing:-

    if I delete, say 5 files at the same time, called, file 1, file 2, file 3, file 4, file 5,

    the event log ID triggers the script to be sent and it will send 5 emails but won't name each file that has been deleted; instead it will just give the first file it finds.

    e.g. the email I receive looks like the below and this comes through 5 times:-
    The account Name is :- Domain\User1
    The file deleted was from :C:\Users\User1\Documents\file 1
    Time: 11/17/2014 11:49:35

    any advice grateful

    Gavin

    Monday, November 17, 2014 4:14 PM

Answers

  • Because you are only asking for one to be returned:

    $events=Get-Eventlog -log security -InstanceID 4663
    $events.count

    $mailBody=@'
    The account Name is :- {0}\{1} 
    The file deleted was from :{2}
    Time:{3}
    '@
    
    $pcName = "GHSVR2012"
    $mailProps=@{
        Subject = 'A File has been deleted in the G Drive:'
        SmtpServer='smtp.xxxxxxxxxxxxxx'
        From='xxxxxxxxxxxxxxxxxx'
        To='xxxxxxxxxxxxxxxx'
        BodyAsHtml=$true
    }
    
    # No Select-Object -First 1 here: keep every 4663 event and send one mail per event
    $events=Get-Eventlog -log security -InstanceID 4663
    foreach($e in $events){
        $body = $mailBody -f $e.ReplacementStrings[1],$e.ReplacementStrings[2],$e.ReplacementStrings[6],$e.TimeGenerated
        Send-MailMessage @mailProps -Body $body
    }


    ¯\_(ツ)_/¯

    Monday, November 17, 2014 5:02 PM
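    A worked version of the approach in this answer, added here as an example and not part of the thread or its author's script: collect every new 4663 event rather than the newest one, tie each to the 4660 (object deleted) event that closed the same handle, and send a single mail listing all of the files. The state-file path, the SMTP settings and addresses are placeholders, and the ReplacementStrings positions used for 4663 and 4660 are assumptions from the thread's own indices plus the standard field order of those events.

```powershell
# Added example (not the thread's own code). Placeholders: $stateFile location, SMTP settings.
$stateFile = Join-Path $env:ProgramData 'DeleteAudit\last-index.txt'   # assumed location
$mailProps = @{
    SmtpServer = 'smtp.example.invalid'      # placeholder
    From       = 'audit@example.invalid'     # placeholder
    To         = 'admin@example.invalid'     # placeholder
    Subject    = 'Files deleted on the G drive'
}

# Field positions assumed for the Security log events used here:
#   4663 (object access):  [1] SubjectUserName  [2] SubjectDomainName  [6] ObjectName
#                          [7] HandleId         [9] AccessMask
#   4660 (object deleted): [5] HandleId
# 4660 carries no file name, so the name has to come from the 4663 event that
# opened the same handle; matching on HandleId ties the two together.

# Watermark: the highest Security-log Index already reported. Index only grows,
# so everything above it is new since the previous run of this script.
$lastIndex = 0
if (Test-Path $stateFile) { $lastIndex = [int](Get-Content -Path $stateFile) }

# Pull a bounded window of recent events and keep only the unreported ones.
$recent = Get-EventLog -LogName Security -Newest 2000 |
          Where-Object { $_.Index -gt $lastIndex }

# Handles that were actually deleted (4660), keyed by HandleId.
$deletedHandles = @{}
foreach ($e in ($recent | Where-Object { $_.EventID -eq 4660 })) {
    $deletedHandles[$e.ReplacementStrings[5]] = $true
}

# 4663 events whose handle shows up in a 4660, i.e. the open that ended in a delete.
# Also requiring the DELETE bit (0x10000) in AccessMask skips accesses on the same
# handle that had nothing to do with deleting.
$DELETE  = 0x10000
$deleted = foreach ($e in ($recent | Where-Object { $_.EventID -eq 4663 })) {
    $r = $e.ReplacementStrings
    if (-not $deletedHandles.ContainsKey($r[7])) { continue }
    if (([int]$r[9] -band $DELETE) -eq 0)        { continue }   # mask is logged as e.g. 0x10000
    [pscustomobject]@{
        Account = '{0}\{1}' -f $r[2], $r[1]
        File    = $r[6]
        Time    = $e.TimeGenerated
        Index   = $e.Index
    }
}
$deleted = @($deleted | Sort-Object Index -Unique)

if ($deleted.Count -gt 0) {
    # One message listing every file, instead of one message per event.
    $lines = foreach ($d in $deleted) {
        '{0}  {1}  deleted  {2}' -f $d.Time, $d.Account, $d.File
    }
    Send-MailMessage @mailProps -Body ($lines -join "`r`n")
}

# Advance the watermark to the newest event seen (reported or not) so the next run
# starts after it. Create the state directory on first use.
if ($recent) {
    New-Item -ItemType Directory -Force -Path (Split-Path -Parent $stateFile) | Out-Null
    ($recent | Measure-Object -Property Index -Maximum).Maximum | Set-Content -Path $stateFile
}
```

    When this runs from a Task Scheduler trigger on event 4660, five simultaneous deletions still start the script five times; the watermark means the first run reports all five files and the later runs find nothing new and stay quiet. Set the task to not start a new instance while one is running so two runs do not race on the state file.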

All replies

  • Hi,

    Many thanks for your reply, I am new to all this so all help welcome.

    I have tried what you said and it returns the attached errors.

    $mailBody=@'
    The account Name is :- {0}\{1} 
    The file deleted was from :{2}
    Time:{3}
    '@

    $pcName = "GHSVR2012"
    $mailProps=@{
        Subject = 'A File has been deleted in the G Drive:'
        SmtpServer = 'smtp.xxxxxxxxxxx'
        From = 'xxxxxxxxxxxxk'
        To = 'xxxxxxxxxxx'
        BodyAsHtml=$true
    }

    $events=Get-Eventlog -log security -InstanceID 4663
    $events.count
    foreach($e in $events){
        $body = $mailBody -f $e.ReplacementStrings[1],$e.ReplacementStrings[2],$e.ReplacementStrings[6],$e.TimeGenerated
        Send-MailMessage @mailProps -Body $body
    }
    //////////////////////////////////////

    Could I not just add in bold below?

    $pcName = "GHSVR2102"
    $Event = Get-Eventlog -log security -InstanceID 4663
    $Event.count
    $User = $Event.ReplacementStrings[1]
    $Domain = $Event.ReplacementStrings[2]
    $File = $Event.ReplacementStrings[6]
    $MailSubject = "A File has been deleted in the G Drive:"
    $MailBody = "The account Name is :- " + $Domain + "\" + $User + "`r`n" + "The file deleted was from :" + $File + "`r`n" + "Time: " + $Event.TimeGenerated
    $SmtpClient = New-Object system.net.mail.smtpClient
    $SmtpClient.host = "smtp.xxxxxxxxxxx"
    $MailMessage = New-Object system.net.mail.mailmessage
    $MailMessage.from = "ixxxxxxxxxxxxxx"
    $MailMessage.To.add("xxxxxxxxxxxxk")
    $MailMessage.IsBodyHtml = 0
    $MailMessage.Subject = $MailSubject
    $MailMessage.Body = $MailBody
    $SmtpClient.Send($MailMessage)

    Tuesday, November 18, 2014 11:17 AM
  • No, and don't use send mail. Use Send-MailMessage. The code you copied is from PowerShell V1, which is no longer supported.

    You need to learn the new PowerShell. It is pretty much an admin requirement going forward.


    ¯\_(ツ)_/¯

    Tuesday, November 18, 2014 12:21 PM
  • How do you return more than one value on the old PowerShell until I get around to the newer version?

    Cheers

    Gavin

    Wednesday, November 19, 2014 2:03 PM
  • The same code works on all current versions of PowerShell.

    Get-EventLog works the same on all versions of PowerShell.


    ¯\_(ツ)_/¯

    Wednesday, November 19, 2014 2:06 PM
  • Thanks for the prompt reply.

    Am I missing something? That's the code that returns 1 value even if I delete 4 files together:

    $Event = Get-Eventlog -log security | where {$_.eventID -eq 4663} | Sort-Object index -Descending | Select-Object -First 1

    It would just email me 4 times with the same file name and not name all the files that have been deleted.

    Wednesday, November 19, 2014 2:11 PM
  • Because that is not the code that I posted.  Your code won't work like that.

    Start here: "HELP Get-EventLog -full"

    or http://technet.microsoft.com/library/b4985b11-82bf-487d-928d-becd96fc0419(v=wps.630).aspx


    ¯\_(ツ)_/¯

    Wednesday, November 19, 2014 2:14 PM