Building a File Audit script


This topic contains 5 replies, has 2 voices, and was last updated by a Participant 3 years, 3 months ago.

  • #30024

    Participant
    Points: 0
    Rank: Member

    This doesn't work, obviously; I was hoping I could be pointed in the right direction.
    On a side note, happy the site is back up!

    Get-EventLog -LogName security -ComputerName sql -InstanceId 5145 -Newest 5 | %{
        $_.TimeGenerated.DateTime
        $_.ReplacementStrings[1]
        $_.ReplacementStrings[5]
        $_.ReplacementStrings[9]
        ($_.ReplacementStrings[10]).Replace.Value( "0x100000", "Write Access (Synchronize)" ` -replace "0x80000", "Change Ownership" ` -replace "0x40000", "Modify Security" ` -replace "0x20000", "Read Access (Security)" ` -replace "0x10000", "Delete operation" ` -replace "0x100", "Write Access (Attributes)" ` -replace "0x80", "Read Access (Attributes)" ` -replace "0x40","Delete operation" ` -replace "0x20", "Read operation" ` -replace "0x10", "Write operation (Attributes)" ` -replace "0x8", "Read operation (Attributes)" ` -replace "0x4", "Write operation (Append)" ` -replace "0x2", "Write operation" ` -replace "0x1", "Write operation" ` -replace "0x0", "Read operation" )
    }

  • #30027

    Participant
    Points: 0
    Rank: Member
     
    Get-EventLog -LogName security -ComputerName sql -InstanceId 5145 -Newest 5 | %{ 
    
       
        $_.TimeGenerated.DateTime
        $_.ReplacementStrings[1]
        $_.ReplacementStrings[4]
        $_.ReplacementStrings[5]
        $_.ReplacementStrings[8]
        $_.ReplacementStrings[9]
        $_.ReplacementStrings[10]
        }
    

    I want to replace the value of string 10 against this code

    ( "0x100000", "Write Access (Synchronize)" -replace "0x80000", "Change Ownership" -replace "0x40000", "Modify Security" -replace "0x20000", "Read Access (Security)" -replace "0x10000", "Delete operation" -replace "0x100", "Write Access (Attributes)" -replace "0x80", "Read Access (Attributes)" -replace "0x40","Delete operation" -replace "0x20", "Read operation" -replace "0x10", "Write operation (Attributes)" -replace "0x8", "Read operation (Attributes)" -replace "0x4", "Write operation (Append)" -replace "0x2", "Write operation" -replace "0x1", "Write operation" -replace "0x0", "Read operation" )

  • #30030

    Participant
    Points: 0
    Rank: Member

    "I want to replace the value of string 10 against this code"

    What does that mean? Are you expecting to replace it in the event log, or what?

  • #30032

    Participant
    Points: 0
    Rank: Member

    So replacement string 10 returns the access code value. The code is basically a key to what the access code value in string 10 returns; the "code" is really a key to make sense of the hex access code. I am trying to make a file audit "script" that will log changes on a server that hosts our users' share. Hope that makes sense.

  • #30033

    Participant
    Points: 0
    Rank: Member

    I want to make a file change/delete/create report that runs daily. We had a few instances of "I didn't delete that." I want the report to say the IP, account name, parent dir, file, and access code and time of the event created. I would probably convert this to a CSV or an HTML when done.

  • #30035

    Participant
    Points: 0
    Rank: Member

    Get-Eventlog -ComputerName sql -LogName Security -InstanceId 5145 -Newest 100 | %{
        $_.TimeGenerated.DateTime
        $_.ReplacementStrings[1]
        $_.ReplacementStrings[4]
        $_.ReplacementStrings[5]
        $_.ReplacementStrings[8]
        $_.ReplacementStrings[9]
        $_.ReplacementStrings[10] `
       -Replace "0x100000", "Write Access (Synchronize)" `
       -Replace "0x80000", "Change Ownership" `
       -Replace "0x40000", "Modify Security" `
       -Replace "0x20000", "Read Access (Security)" `
       -Replace "0x10000", "Delete operation" `
       -Replace "0x100", "Write Access (Attributes)" `
       -Replace "0x80", "Read Access (Attributes)" `
       -Replace "0x40","Delete operation" `
       -Replace "0x20", "Read operation" `
       -Replace "0x10", "Write operation (Attributes)" `
       -Replace "0x8", "Read operation (Attributes)" `
       -Replace "0x4", "Write operation (Append)" `
       -Replace "0x2", "Write operation" `
       -Replace "0x1", "Write operation" `
       -Replace "0x0", "Read operation"
    }


    This makes it work! Now when I try to convert to a CSV or HTML I get wonky data. What am I missing?!?

    I presume I need to run a for-each loop against each instance of the event id?
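The following is an added example, not code posted in this thread, that covers the two problems the last post runs into. First, the script block above emits bare strings, so Export-Csv and ConvertTo-Html see only the string's properties (Export-Csv on strings produces a single "Length" column); emitting a [PSCustomObject] per event gives them real columns. Second, chaining -replace on the hex text is substring replacement: a combined mask such as 0x10080 (DELETE plus FILE_READ_ATTRIBUTES) matches "0x100" first and comes out as "Write Access (Attributes)80", so the decoder below tests each bit with -band instead. The bit names are the standard winnt.h file access-rights constants, which differ slightly from the labels used in the thread's key. The ReplacementStrings positions (1 = SubjectUserName, 4 = ObjectType, 5 = IpAddress, 8 = ShareLocalPath, 9 = RelativeTargetName, 10 = AccessMask) follow the 5145 event layout and match the indexes the thread already uses; the sample event at the end is constructed so the decoding can be checked without a server, and the server name "sql" in the commented live call is the thread's.

```powershell
# Added example (not from the thread): decode the 5145 access mask bit by bit
# and emit objects, so Export-Csv / ConvertTo-Html get columns, not bare strings.

# Standard Win32 file access-mask bits (winnt.h constant names).
$AccessMaskBits = [ordered]@{
    0x000001 = 'FILE_READ_DATA / FILE_LIST_DIRECTORY'
    0x000002 = 'FILE_WRITE_DATA / FILE_ADD_FILE'
    0x000004 = 'FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY'
    0x000008 = 'FILE_READ_EA'
    0x000010 = 'FILE_WRITE_EA'
    0x000020 = 'FILE_EXECUTE / FILE_TRAVERSE'
    0x000040 = 'FILE_DELETE_CHILD'
    0x000080 = 'FILE_READ_ATTRIBUTES'
    0x000100 = 'FILE_WRITE_ATTRIBUTES'
    0x010000 = 'DELETE'
    0x020000 = 'READ_CONTROL'
    0x040000 = 'WRITE_DAC'
    0x080000 = 'WRITE_OWNER'
    0x100000 = 'SYNCHRONIZE'
}

function ConvertFrom-AccessMask {
    # Turns the hex string from ReplacementStrings[10] (e.g. '0x10080') into the
    # list of rights whose bits are set. Uses -band, so combined masks decode
    # correctly instead of being mangled by substring replacement.
    param([Parameter(Mandatory)][string]$Mask)
    $value = [Convert]::ToInt32($Mask, 16)      # accepts the '0x' prefix
    $names = foreach ($bit in $AccessMaskBits.Keys) {
        if ($value -band $bit) { $AccessMaskBits[$bit] }
    }
    if (-not $names) { return 'NONE' }
    return ($names -join '; ')
}

function ConvertTo-FileAuditRecord {
    # One object per 5145 event. Field positions assume the standard 5145
    # ReplacementStrings layout (same indexes the thread uses).
    param([Parameter(Mandatory, ValueFromPipeline)][object]$Event)
    process {
        $s = $Event.ReplacementStrings
        [PSCustomObject]@{
            Time       = $Event.TimeGenerated
            Account    = $s[1]     # SubjectUserName
            ObjectType = $s[4]     # ObjectType
            ClientIP   = $s[5]     # IpAddress
            SharePath  = $s[8]     # ShareLocalPath (the "parent dir" on disk)
            Target     = $s[9]     # RelativeTargetName (path inside the share)
            AccessMask = $s[10]    # raw hex, kept for reference
            Access     = ConvertFrom-AccessMask $s[10]
        }
    }
}

# Live use against the server from the thread (object and share auditing
# must already be enabled for 5145 to be logged):
#   Get-EventLog -ComputerName sql -LogName Security -InstanceId 5145 -Newest 100 |
#       ConvertTo-FileAuditRecord |
#       Export-Csv -Path .\FileAudit.csv -NoTypeInformation
# or, for the HTML version:
#       ConvertTo-Html -Title 'File audit' | Out-File .\FileAudit.html

# Constructed sample event (not real log data) so the pipeline can be run offline.
# 0x10080 = DELETE (0x10000) + FILE_READ_ATTRIBUTES (0x80), a typical delete.
$sample = [PSCustomObject]@{
    TimeGenerated      = Get-Date '2015-01-01 09:00'
    ReplacementStrings = @(
        'S-1-5-21-0-0-0-1001', 'jdoe', 'CONTOSO', '0x1a2b', 'File',
        '10.0.0.5', '49152', '\\*\Users', 'C:\Shares\Users',
        'jdoe\report.docx', '0x10080', '%%1537 %%4423', '-'
    )
}
$sample | ConvertTo-FileAuditRecord | Format-List
```

Because every event becomes an object with the same property names, no extra foreach over event IDs is needed: the pipeline already runs once per event, and Export-Csv and ConvertTo-Html derive their columns from those properties. Keeping the raw AccessMask column alongside the decoded Access column makes it easy to filter the daily report to delete-type events (for example, rows whose Access contains DELETE or FILE_DELETE_CHILD) without re-parsing the text.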
