
September 24, 2015 at 6:12 am

This doesn't work, obviously; I was hoping I could be pointed in the right direction.
On a side note, happy the site is back up!

Get-EventLog -LogName security -ComputerName sql -InstanceId 5145 -Newest 5 | %{ 

   
    $_.TimeGenerated.DateTime
    $_.ReplacementStrings[1]
    $_.ReplacementStrings[5]
    $_.ReplacementStrings[9]
    ($_.ReplacementStrings[10]).Replace.Value( "0x100000", "Write Access (Synchronize)" ` -replace "0x80000", "Change Ownership" ` -replace "0x40000", "Modify Security" ` -replace "0x20000", "Read Access (Security)" ` -replace "0x10000", "Delete operation" ` -replace "0x100", "Write Access (Attributes)" ` -replace "0x80", "Read Access (Attributes)" ` -replace "0x40","Delete operation" ` -replace "0x20", "Read operation" ` -replace "0x10", "Write operation (Attributes)" ` -replace "0x8", "Read operation (Attributes)" ` -replace "0x4", "Write operation (Append)" ` -replace "0x2", "Write operation" ` -replace "0x1", "Write operation" ` -replace "0x0", "Read operation" )
    }  

September 24, 2015 at 6:50 am

 
Get-EventLog -LogName security -ComputerName sql -InstanceId 5145 -Newest 5 | %{ 

   
    $_.TimeGenerated.DateTime
    $_.ReplacementStrings[1]
    $_.ReplacementStrings[4]
    $_.ReplacementStrings[5]
    $_.ReplacementStrings[8]
    $_.ReplacementStrings[9]
    $_.ReplacementStrings[10]
    }

I want to replace the value of string 10 against this code

( "0x100000", "Write Access (Synchronize)" -replace "0x80000", "Change Ownership" -replace "0x40000", "Modify Security" -replace "0x20000", "Read Access (Security)" -replace "0x10000", "Delete operation" -replace "0x100", "Write Access (Attributes)" -replace "0x80", "Read Access (Attributes)" -replace "0x40","Delete operation" -replace "0x20", "Read operation" -replace "0x10", "Write operation (Attributes)" -replace "0x8", "Read operation (Attributes)" -replace "0x4", "Write operation (Append)" -replace "0x2", "Write operation" -replace "0x1", "Write operation" -replace "0x0", "Read operation" )

September 24, 2015 at 7:23 am

"I want to replace the value of string 10 against this code"

What does that mean? Are you expecting to replace it in the event log, or what?

September 24, 2015 at 7:33 am

So replacement string 10 returns the access code value. The code is basically a key to what the access code value in string 10 returns. The "code" is really a key to make sense of the hex access code. I am trying to make a file audit "script" that will log changes on a server that hosts our users' share. Hope that makes sense.

September 24, 2015 at 7:37 am

I want to make a file change/delete/create report that runs daily. We had a few instances of "I didn't delete that." I want the report to say the IP, account name, parent dir, file, access code and time of the event created. I would probably convert this to a CSV or an HTML when done.

September 24, 2015 at 7:43 am

Get-Eventlog -ComputerName sql -LogName Security  -InstanceId 5145 -Newest 100  | %{ 

   
    $_.TimeGenerated.DateTime
    $_.ReplacementStrings[1]
    $_.ReplacementStrings[4]
    $_.ReplacementStrings[5]
    $_.ReplacementStrings[8]
    $_.ReplacementStrings[9]
    $_.ReplacementStrings[10] `
   -Replace "0x100000", "Write Access (Synchronize)" `
   -Replace "0x80000", "Change Ownership" `
   -Replace "0x40000", "Modify Security" `
   -Replace "0x20000", "Read Access (Security)" `
   -Replace "0x10000", "Delete operation" `
   -Replace "0x100", "Write Access (Attributes)" `
   -Replace "0x80", "Read Access (Attributes)" `
   -Replace "0x40","Delete operation" `
   -Replace "0x20", "Read operation" `
   -Replace "0x10", "Write operation (Attributes)" `
   -Replace "0x8", "Read operation (Attributes)" `
   -Replace "0x4", "Write operation (Append)" `
   -Replace "0x2", "Write operation" `
   -Replace "0x1", "Write operation" `
   -Replace "0x0", "Read operation"
    } 

This makes it work! Now when I try to convert to a CSV or HTML I get wonky data. What am I missing?!?

I presume I need to run a foreach loop against each instance of the event ID?
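An added example, not code from the thread, that serves both of the last two questions at once: decoding the hex access mask in ReplacementStrings[10] and getting clean CSV/HTML output. Export-Csv and ConvertTo-Html serialise the properties of the objects they receive, so a script block that emits loose strings gives them nothing to work with (strings only have a Length property, which is where the "wonky" columns come from); emitting one [PSCustomObject] per event with named properties fixes that. The mask is decoded as a bit field rather than with chained -replace calls, because 5145 masks are usually combinations (0x10080 is Delete plus ReadAttributes) and substring replacement on the hex text mislabels those. It assumes the server name sql and event 5145 from the thread, the standard 5145 replacement-string layout, the documented Windows file access-right bits, and the function names ConvertFrom-AccessMask and Get-FileShareAccessReport, which are ours.

```powershell
# Added example (not from the thread). Assumes: Security log readable on the server 'sql'
# (file share auditing enabled there), PowerShell 3.0+ for [PSCustomObject], and the
# standard 5145 replacement-string layout.

# Windows file access-right bits as documented for the file-object access mask.
# Ordered so the decoded names come out lowest bit first. The labels are ours.
$AccessRights = [ordered]@{
    0x1      = 'ReadData/ListDirectory'
    0x2      = 'WriteData/AddFile'
    0x4      = 'AppendData/AddSubdirectory'
    0x8      = 'ReadEA'
    0x10     = 'WriteEA'
    0x20     = 'Execute/Traverse'
    0x40     = 'DeleteChild'
    0x80     = 'ReadAttributes'
    0x100    = 'WriteAttributes'
    0x10000  = 'Delete'
    0x20000  = 'ReadControl'
    0x40000  = 'WriteDAC'
    0x80000  = 'WriteOwner'
    0x100000 = 'Synchronize'
}

function ConvertFrom-AccessMask {
    # Turns a mask such as '0x10080' into 'ReadAttributes|Delete' by testing each bit.
    param([Parameter(Mandatory)][string]$Mask)   # raw text from ReplacementStrings[10]
    $value = [Convert]::ToInt64($Mask, 16)        # base 16 accepts the '0x' prefix
    # GetEnumerator() is used on purpose: indexing an [ordered] table with an int
    # selects by position, not by key.
    $names = foreach ($entry in $AccessRights.GetEnumerator()) {
        if (($value -band $entry.Key) -ne 0) { $entry.Value }
    }
    if (-not $names) { return $Mask }             # unknown or zero mask: keep the raw value
    $names -join '|'
}

function Get-FileShareAccessReport {
    # One object per 5145 event, with the columns the thread asks for.
    param(
        [string]$ComputerName = 'sql',            # server name from the thread
        [int]$Newest = 100
    )
    Get-EventLog -ComputerName $ComputerName -LogName Security -InstanceId 5145 -Newest $Newest |
        ForEach-Object {
            $rs = $_.ReplacementStrings
            # 5145 template: [1] SubjectUserName [2] SubjectDomainName [4] ObjectType
            # [5] IpAddress [8] ShareLocalPath [9] RelativeTargetName [10] AccessMask
            [PSCustomObject]@{
                Time           = $_.TimeGenerated
                Account        = "$($rs[2])\$($rs[1])"
                ClientIP       = $rs[5]
                ObjectType     = $rs[4]
                ShareLocalPath = $rs[8]
                TargetFile     = $rs[9]
                AccessMask     = $rs[10]
                Access         = ConvertFrom-AccessMask $rs[10]
            }
        }
}

# Daily report: every row has the same named properties, so the export is clean.
$report = Join-Path $env:TEMP "share-access-$(Get-Date -Format yyyyMMdd).csv"
Get-FileShareAccessReport -Newest 100 | Export-Csv -Path $report -NoTypeInformation
```

For an HTML version, pipe the same objects into ConvertTo-Html and then Out-File; Select-Object can narrow the columns first. One caveat when reading the report: 5145 records the access that was requested when the share object was opened, so a row showing Delete means delete access was asked for at open time, not that the file was necessarily removed; for a confirmed delete, correlate with the object-access events (4660/4663) on the same server.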