Building a File Audit script

This topic contains 5 replies, has 2 voices, and was last updated by 37mm 2 years, 2 months ago.

  • #30024

    37mm
    Participant

    This doesn't work, obviously; I was hoping I could be pointed in the right direction.
    On a side note, happy the site is back up!

    Get-EventLog -LogName security -ComputerName sql -InstanceId 5145 -Newest 5 | %{
        $_.TimeGenerated.DateTime
        $_.ReplacementStrings[1]
        $_.ReplacementStrings[5]
        $_.ReplacementStrings[9]
        ($_.ReplacementStrings[10]).Replace.Value( "0x100000", "Write Access (Synchronize)" ` -replace "0x80000", "Change Ownership" ` -replace "0x40000", "Modify Security" ` -replace "0x20000", "Read Access (Security)" ` -replace "0x10000", "Delete operation" ` -replace "0x100", "Write Access (Attributes)" ` -replace "0x80", "Read Access (Attributes)" ` -replace "0x40","Delete operation" ` -replace "0x20", "Read operation" ` -replace "0x10", "Write operation (Attributes)" ` -replace "0x8", "Read operation (Attributes)" ` -replace "0x4", "Write operation (Append)" ` -replace "0x2", "Write operation" ` -replace "0x1", "Write operation" ` -replace "0x0", "Read operation" )
    }

  • #30027

    37mm
    Participant

    Get-EventLog -LogName security -ComputerName sql -InstanceId 5145 -Newest 5 | %{
        $_.TimeGenerated.DateTime
        $_.ReplacementStrings[1]
        $_.ReplacementStrings[4]
        $_.ReplacementStrings[5]
        $_.ReplacementStrings[8]
        $_.ReplacementStrings[9]
        $_.ReplacementStrings[10]
    }


    I want to replace the value of string 10 against this code

    ( "0x100000", "Write Access (Synchronize)" -replace "0x80000", "Change Ownership" -replace "0x40000", "Modify Security" -replace "0x20000", "Read Access (Security)" -replace "0x10000", "Delete operation" -replace "0x100", "Write Access (Attributes)" -replace "0x80", "Read Access (Attributes)" -replace "0x40","Delete operation" -replace "0x20", "Read operation" -replace "0x10", "Write operation (Attributes)" -replace "0x8", "Read operation (Attributes)" -replace "0x4", "Write operation (Append)" -replace "0x2", "Write operation" -replace "0x1", "Write operation" -replace "0x0", "Read operation" )

  • #30030

    Bob McCoy
    Participant

    "I want to replace the value of string 10 against this code"

    What does that mean? Are you expecting to replace it in the event log, or what?

  • #30032

    37mm
    Participant

    So replacement string 10 returns the access code value. The code is basically a key to what the access code value in string 10 returns. The "code" is really a key to make sense of the hex access code. I am trying to make a file audit "script" that will log changes on a server that hosts our users' share. Hope that makes sense.

  • #30033

    37mm
    Participant

    I want to make a file change/delete/create report that runs daily. We had a few instances of "I didn't delete that." I want the report to say the IP, account name, parent dir, file, and access code and time of the event created. I would probably convert this to a CSV or an HTML when done.

  • #30035

    37mm
    Participant

    Get-Eventlog -ComputerName sql -LogName Security -InstanceId 5145 -Newest 100 | %{
        $_.TimeGenerated.DateTime
        $_.ReplacementStrings[1]
        $_.ReplacementStrings[4]
        $_.ReplacementStrings[5]
        $_.ReplacementStrings[8]
        $_.ReplacementStrings[9]
        $_.ReplacementStrings[10] `
       -Replace "0x100000", "Write Access (Synchronize)" `
       -Replace "0x80000", "Change Ownership" `
       -Replace "0x40000", "Modify Security" `
       -Replace "0x20000", "Read Access (Security)" `
       -Replace "0x10000", "Delete operation" `
       -Replace "0x100", "Write Access (Attributes)" `
       -Replace "0x80", "Read Access (Attributes)" `
       -Replace "0x40","Delete operation" `
       -Replace "0x20", "Read operation" `
       -Replace "0x10", "Write operation (Attributes)" `
       -Replace "0x8", "Read operation (Attributes)" `
       -Replace "0x4", "Write operation (Append)" `
       -Replace "0x2", "Write operation" `
       -Replace "0x1", "Write operation" `
       -Replace "0x0", "Read operation"
    }


    This makes it work! Now when I try to convert to a CSV or HTML I get wonky data. What am I missing?!?

    I presume I need to run a for-each loop against each instance of the event ID?

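The following is an added example, not code from the thread. It addresses both the "key for string 10" question (#30027) and the wonky CSV (#30035). The CSV comes out wrong because the script block emits each field as a separate string, so Export-Csv and ConvertTo-Html receive plain String objects and write their only property, Length. Emitting one [PSCustomObject] per event with named properties gives the exporters real columns. The access mask in ReplacementStrings[10] is a bit field, and a single 5145 event normally carries several rights OR-ed together (for example 0x12019f on an ordinary file open), so the example decodes it bit by bit instead of string-replacing it. The bit names are the file access-mask constants from winnt.h (FILE_READ_DATA = 0x1 and so on), not the thread's own labels; the index-to-field mapping follows the thread's script (1 = SubjectUserName, 5 = IpAddress, 8 = ShareLocalPath, 9 = RelativeTargetName, 10 = AccessMask). The sample events are constructed so the script runs without a live Security log.

```powershell
# Added example (not the poster's code): build one object per 5145 event so that
# Export-Csv / ConvertTo-Html get named columns, and decode the access mask as
# the bit field it is instead of string-replacing it.

# File access-mask bits as defined in winnt.h (FILE_* specific rights plus the
# standard rights). A single event usually carries several of these OR-ed together.
$FileAccessBits = [ordered]@{
    0x000001 = 'ReadData/ListDirectory'
    0x000002 = 'WriteData/AddFile'
    0x000004 = 'AppendData/AddSubdirectory'
    0x000008 = 'ReadEA'
    0x000010 = 'WriteEA'
    0x000020 = 'Execute/Traverse'
    0x000040 = 'DeleteChild'
    0x000080 = 'ReadAttributes'
    0x000100 = 'WriteAttributes'
    0x010000 = 'Delete'
    0x020000 = 'ReadControl'
    0x040000 = 'WriteDAC'
    0x080000 = 'WriteOwner'
    0x100000 = 'Synchronize'
}

function ConvertFrom-FileAccessMask {
    # Takes the hex string found in ReplacementStrings[10] (for example '0x12019f')
    # and returns the name of every bit that is set, joined with '; '.
    param([Parameter(Mandatory)][string]$Mask)
    $value = [Convert]::ToInt32($Mask, 16)     # base-16 parsing accepts the 0x prefix
    # GetEnumerator() avoids the ordered dictionary's positional [int] indexer.
    $names = foreach ($entry in $FileAccessBits.GetEnumerator()) {
        if ($value -band $entry.Key) { $entry.Value }
    }
    if (-not $names) { return 'None' }
    $names -join '; '
}

function ConvertTo-ShareAuditRecord {
    # Accepts Get-EventLog entries (or objects shaped like them) and emits one
    # PSCustomObject per event. The index-to-field mapping is the one the thread's
    # script uses; the property names come from the 5145 event template.
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $s = $Event.ReplacementStrings
        [PSCustomObject]@{
            Time       = $Event.TimeGenerated
            Account    = $s[1]    # SubjectUserName
            ClientIP   = $s[5]    # IpAddress
            SharePath  = $s[8]    # ShareLocalPath
            Target     = $s[9]    # RelativeTargetName
            AccessMask = $s[10]   # raw hex, kept for reference
            Access     = ConvertFrom-FileAccessMask $s[10]
        }
    }
}

# Constructed sample entries shaped like Get-EventLog output, so the script runs
# without a live Security log. Every value here is made up.
$sampleEvents = @(
    [PSCustomObject]@{
        TimeGenerated      = [datetime]'2016-03-01T09:15:00'
        ReplacementStrings = @('S-1-5-21-1-2-3-1001', 'jdoe', 'CONTOSO', '0x3e7', 'File',
                               '10.0.0.25', '49712', '\\*\Users', 'C:\Shares\Users',
                               'jdoe\report.docx', '0x12019f', '(placeholder)', '(placeholder)')
    },
    [PSCustomObject]@{
        TimeGenerated      = [datetime]'2016-03-01T09:16:30'
        ReplacementStrings = @('S-1-5-21-1-2-3-1002', 'asmith', 'CONTOSO', '0x3e8', 'File',
                               '10.0.0.31', '51044', '\\*\Users', 'C:\Shares\Users',
                               'jdoe\old-budget.xlsx', '0x10080', '(placeholder)', '(placeholder)')
    }
)

$records = $sampleEvents | ConvertTo-ShareAuditRecord
$records | Format-Table -AutoSize
$records | Export-Csv -Path (Join-Path $env:TEMP 'share-audit.csv') -NoTypeInformation

# Against a real server (Windows PowerShell 5.1; Get-EventLog is not in PowerShell 7):
# Get-EventLog -ComputerName sql -LogName Security -InstanceId 5145 -Newest 100 |
#     ConvertTo-ShareAuditRecord | Export-Csv .\share-audit.csv -NoTypeInformation
```

With the constructed input, the first record decodes to the read/write rights of a normal file open and the second to "Delete; ReadAttributes", which is the kind of row a "who deleted that?" report needs. Two caveats for a daily report: event 5145 is only written when the "Detailed File Share" audit subcategory is enabled, and it records every access check rather than only changes, so filter the decoded Access column (for example on Delete or WriteData/AddFile) before exporting, or the report will be dominated by reads.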