Ask : Add username in file auditing report

This topic contains 3 replies, has 2 voices, and was last updated by Daniel Krebs 2 weeks, 1 day ago.

  • #70177
    ynz
    Participant

    Hi guys, I just started learning PowerShell, and I got a very good script from some source to watch for and report file changes using PowerShell.

    Here is the script:

    # CLI params for starting and stopping the watcher
    param (
        [switch]$start = $false,
        [switch]$stop = $false
    )

    # Root path to monitor and the report file. Script-scoped so both functions use the
    # same values instead of each hardcoding the path again.
    $script:WatchDir = "C:\Users\$env:USERNAME\Documents"
    $script:LogFile  = "C:\Users\$env:USERNAME\logfile.txt"

    Function Register-Watcher {
        # Folder to watch and file to log to
        param ($watchdir, $logfile)

        # Filter all files and subdirectories
        $filter = "*.*"
        $watcher = New-Object IO.FileSystemWatcher $watchdir, $filter -Property @{
            IncludeSubdirectories = $true
            EnableRaisingEvents   = $true
        }

        # Create the log file if it doesn't exist
        if (!(Test-Path "$logfile")) {
            New-Item -Path "$logfile" -ItemType File | Out-Null
        }

        # Define the FS watching behavior. The action block runs in its own scope, so the
        # log path is handed to it through -MessageData rather than re-typed inside it.
        # Note: FileSystemWatcher only reports what changed, not who changed it; there is
        # no user context in these events.
        $action = {
            $name        = $Event.SourceEventArgs.Name
            $changeType  = $Event.SourceEventArgs.ChangeType
            $timeStamp   = $Event.TimeGenerated
            $logfile     = $Event.MessageData
            $log_message = "$name, $changeType, $timeStamp"
            Out-File -FilePath $logfile -Append -InputObject $log_message
        }

        # Register the FS watcher for each event type. The subscriptions live in the
        # console session that ran the script, so -stop must be run from the same console.
        foreach ($eventName in 'Created', 'Changed', 'Deleted', 'Renamed') {
            Register-ObjectEvent -InputObject $watcher -EventName $eventName `
                -SourceIdentifier $eventName -Action $action -MessageData $logfile
        }
    }

    # Unregister the FS watcher
    Function Unregister-Watcher {
        foreach ($eventName in 'Created', 'Changed', 'Deleted', 'Renamed') {
            Unregister-Event -SourceIdentifier $eventName -ErrorAction SilentlyContinue
        }
    }

    Function Main {
        # Start the watcher
        if ($start) {
            Write-Host "Starting FS watcher" -ForegroundColor Green
            Register-Watcher -watchdir $script:WatchDir -logfile $script:LogFile
        }
        # Stop the watcher
        elseif ($stop) {
            Write-Host "Stopping FS watcher" -ForegroundColor Red
            Unregister-Watcher
        }
        # Otherwise error ($args is always empty inside Main, so print usage instead)
        else {
            Write-Host "Invalid arguments: use -start or -stop"
        }
    }

    # Script entrypoint
    Main

    The thing is, the report doesn't show the user who made the file change.
    Can you all help me with which command I need to use so the report also shows the username of who changed the file, please?

    Thanks in advance.

  • #70185
    Daniel Krebs
    Moderator

    You'll need to enable NTFS file system auditing to get user details. Once enabled you can get the information from the Windows Security event log and forward it to a central log collector to analyse. Much more reliable than running a file system watcher via PowerShell or C# because NTFS file system auditing is embedded into the NTFS file system driver of Windows.

    https://technet.microsoft.com/en-us/library/cc771070(v=ws.11).aspx
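    The auditing setup the reply refers to has two halves: the audit policy (which makes Windows generate object-access events at all) and a SACL on the folder (which says which folder, which rights and which identities to audit). This is an added example, not code from the original thread or the linked TechNet page; it assumes an elevated PowerShell session and reuses the Documents path from the script above as the folder to audit.

```powershell
# Added example (not from the thread): enable NTFS auditing for one folder.
# Assumes an elevated session (Get-Acl -Audit and Set-Acl on a SACL need SeSecurityPrivilege).
$WatchDir = "C:\Users\$env:USERNAME\Documents"

# 1. Turn on the "File System" subcategory of Object Access auditing.
#    Without this, SACL entries exist but no 4663 events are ever written.
#    (The subcategory name is localized; on non-English systems use /get to find it.)
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add a SACL entry on the folder. Scope it to the rights you actually care about
#    (writes, deletes, permission/owner changes); auditing ReadData on a busy folder floods the log.
$acl  = Get-Acl -Path $WatchDir -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    "Everyone",
    [System.Security.AccessControl.FileSystemRights]"Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership",
    [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit",
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]"Success, Failure")
$acl.AddAuditRule($rule)
Set-Acl -Path $WatchDir -AclObject $acl

# 3. Check both halves took effect.
auditpol /get /subcategory:"File System"
(Get-Acl -Path $WatchDir -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

    After this, every audited write or delete under the folder produces a Security log event (ID 4663, "An attempt was made to access an object") that names the account, the object and the access mask. Since anyone with administrator rights on the box can clear the Security log, forward the events off the host as the reply suggests rather than trusting the local log alone.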

  • #70279
    ynz
    Participant

    Hi Daniel,
    I've already set up the file auditing you mentioned, so the event log shows me when there is a change in some directory,
    but I want to make a report and save it to a .txt file.

    Here is an example of when I run the script above:
    report in txt

    But in that file there is no username of who made the change.
    Can you give me some advice on how to do that, please?

  • #70288
    Daniel Krebs
    Moderator

    You'll need to extract the SubjectUserName and SubjectDomainName in the XML data of the event log entry.
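    One way to do what the reply describes and produce the .txt report the question asks for, reading the Security log instead of a FileSystemWatcher. This is an added example, not code from the thread; it assumes auditing is already enabled (policy plus SACL on the folder), an elevated session (reading the Security log needs administrator or Event Log Readers membership), and placeholder paths for the folder and the report file.

```powershell
# Added example (not from the thread): build a "who changed what" report from NTFS audit events.
# Assumes auditing is already on for $WatchDir and the session can read the Security log.
$WatchDir   = "C:\Users\$env:USERNAME\Documents"   # folder that carries the SACL
$ReportFile = "C:\Users\$env:USERNAME\audit-report.txt"
$Since      = (Get-Date).AddHours(-24)

function ConvertFrom-AccessMask([string]$Mask) {
    # AccessMask arrives as hex text (0x2, 0x10000, ...). Decode it into FileSystemRights names;
    # generic rights (0x80000000 and friends) do not fit the enum, so those stay raw.
    try { ([System.Security.AccessControl.FileSystemRights][int]$Mask).ToString() } catch { $Mask }
}

# 4663 = "An attempt was made to access an object": the event that carries SubjectUserName,
# SubjectDomainName, ObjectName and AccessMask. (4660 records deletions but has no ObjectName.)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } `
                       -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # The fields live in <EventData><Data Name="...">; ToXml() exposes them by name,
    # which is more robust than relying on positional $e.Properties[n].
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Keep only objects under the audited folder (other SACLs on the box also feed 4663)
    if (-not $data['ObjectName'].StartsWith($WatchDir, [System.StringComparison]::OrdinalIgnoreCase)) { continue }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Object  = $data['ObjectName']
        Access  = ConvertFrom-AccessMask $data['AccessMask']
        Process = $data['ProcessName']
    }
}

# Same comma layout as the watcher log, with user and process appended
$lines = $report | Sort-Object Time | ForEach-Object {
    '{0}, {1}, {2}, {3}, {4}' -f $_.Object, $_.Access, $_.Time, $_.User, $_.Process
}
$lines | Out-File -FilePath $ReportFile -Append
"$(@($lines).Count) audit records written to $ReportFile"
```

    A write to a file shows up as CreateFiles (0x2) or AppendData, a delete as Delete (0x10000), and the ProcessName column tells you whether it was Explorer, Word or something unexpected. Run it on a schedule with $Since set to the previous run time and you get the rolling report the question asks for, with the account name that a FileSystemWatcher can never provide.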
