Hello everyone,

I would like to be able to have PowerShell extract information from the security log running on my file server. Specifically, I would like it to pull errors with the event ID 4663 and show me which users caused the log entry. I would then like to have PowerShell dump the information out into a .xls file. I looked over this (http://www.powershellpro.com/powers...mi-part3/) and found something similar to what I want (scroll down until you see the Excel spreadsheet example). I would like the rows to contain the Date and User that caused the error. I am fairly new to PowerShell, but I come with a programming background (Java and C#), so I do not think learning PowerShell will be too difficult.

Thank you.

Your easiest way to get EventLog info is with the Get-EventLog cmdlet in PoSh 2.0 and export to a CSV:

get-eventlog security -ComputerName "." | ? {$_.EventID -eq 4663} | Select TimeGenerated,UserName | Export-CSV -Path "FileName.csv" -NoTypeInformation

Replace "." with the remote computer name you want to query or leave it for local.

Hello and thanks for the response.

The output of the CSV file is almost on track with what I am looking for, but there are still a few problems I need help ironing out:

The entries for TimeGenerated appear as #######. If I hover my mouse over them only then will it show the correct format.

Nothing shows up under UserName

I do not know if I am doing something wrong or not. I tried downloading PowerShell 2.0, but the update I downloaded from Microsoft did not seem to do it (right clicking PowerShell and viewing the properties is showing that it is still v1.0).

Thank you.

The ### is because the cell is to narrow for the data in it. Expand the cell and you'll see numbers.

I don't have that event log in my security log, so could you run this directly on one of the servers and past back the results.

get-eventlog security | ? {$_.EventID -eq 4663} | Select * -First 1

We are having a problem with users moving folders around in a network share. I am auditing the folder(s) to see who is moving them. Windows recognizes a drag and drop as a DELETE. The EventID generated when a folder/file is deleted is 4663. I think the reason that nothing is showing up for UserName is because if you see the output below, there is nothing listed next to UserName. There is something listed next to Account Name in the message. How would I go about being able to extract specific information from the message? I would like to extract the Account Name, Object Name, and Accesses if possible.

Thank you.

EventID            : 4663
MachineName        : PermissionsDC.mockdomain.local
Data               : {}
Index              : 93068
Category           : (12800)
CategoryNumber     : 12800
EntryType          : SuccessAudit
Message            : An attempt was made to access an object.
                     
                     Subject:
                         Security ID:        S-1-5-21-3977503587-203478664-1076
                     914379-1106
                         Account Name:        johndoe
                         Account Domain:        MOCKDOMAIN
                         Logon ID:        0x251942
                     
                     Object:
                         Object Server:    Security
                         Object Type:    File
                         Object Name:    C:\Clients\Clients\Client 18
                         Handle ID:    0xa18
                     
                     Process Information:
                         Process ID:    0x4
                         Process Name:    
                     
                     Access Request Information:
                         Accesses:    %%1537
                                 
                         Access Mask:    0x10000
Source             : Microsoft-Windows-Security-Auditing
ReplacementStrings : {S-1-5-21-3977503587-203478664-1076914379-1106, johndoe, M
                     OCKDOMAIN, 0x251942...}
InstanceId         : 4663
TimeGenerated      : 3/6/2010 1:52:33 PM
TimeWritten        : 3/6/2010 1:52:33 PM
UserName           : 
Site               : 
Container          : 

So, it looks like the username is left blank in this event. We can pull the data from the ReplacementStrings property tho. It does take a few more lines of code:

$data = @()

$events = get-eventlog security -ComputerName "." | ? {$_.EventID -eq 4663} | Select TimeGenerated,ReplacementStrings

foreach ($event in $events) {
$row = "" | Select TimeGenerated,UserName
$row.TimeGenerated = $event.TimeGenerated
$row.UserName = $event.ReplacementStrings[2] + "\" + $event.ReplacementStrings[1]
$data += $row
}

$data

Thank you very much! That seems to do the trick. How would I go about getting the Object Name and Accesses?

Thank you.

FYI, instead of getting the event log data you want like this:

Get-EventLog Security -ComputerName "." | ? {$_.EventId -eq 4663} ...

I strongly recommend you do it like this:

Get-EventLog Security -InstanceId 4663 -ComputerName "." ...

That lets the Get-EventLog cmdlet do the filtering internally instead of getting all entries and filtering in PowerShell.

Object Name and Accesses are both in the ReplacementStrings property. If you want to add those you will need to run the oneliner below and count up from 0 to reach them add a new property for them.

get-eventlog security -InstanceId 4663 | Select ReplacementStrings -First 1 | fl

To add a new property add the desired name at the end to $row = "" | Select TimeGenerated,UserName. Then add to give it a value use $row.NewPropertyNameHere = $event.ReplacementStrings[NumberFrom0]

This may look a bit messy, but let me know if you need more help.

Thx Poshoholic. I had forgotton about the -InstanceID

Thank you both for the replies. I do not think I am doing it right; I receive the error "cannot index null array". Is the code example you posted new code or code to add on to the code in your previous response?

Thank you.

Run this command then paste the results:

get-eventlog security -InstanceId 4663 | Select ReplacementStrings -First 1 | fl

After that I'll use it as an example to explain what I meant in the 2nd part of my previous post.

ReplacementStrings : {S-1-5-21-3977503587-203478664-1076914379-500, Administrat
or, MOCKDOMAIN, 0x3ce7e...}

ok, i gave the wrong cmdlet

get-eventlog security -InstanceId 4663 | Select ReplacementStrings -First 1 | ft *

How's this?

Result of get-eventlog security -InstanceId 4663 | Select ReplacementStrings -First 1 | ft *

ReplacementStrings : {S-1-5-21-3977503587-203478664-1076914379-500, Administrat
or, MOCKDOMAIN, 0x3ce7e...}

Gz - ok. Last one:

(get-eventlog security -InstanceId 4663 | Select -First 1).ReplacementStrings

Better?

S-1-5-21-3977503587-203478664-1076914379-500
Administrator
MOCKDOMAIN
0x3ce7e
Security
File
C:\Clients\Clients\Client 2
0xa40
%%1537

0x10000
0xe74
C:\Windows\explorer.exe

Yes! That's it. So....

The property ReplacementStrings is an array which appears to contain strings. Each string has its own place within the array (instance) starting at 0. In this instance the information you wanted was Object Name and Accesses. From looking at the input you returned below and comparing with the input from the Message we can see that Object Name is item 6 and Access is item 8 and we can access them by using ReplacmentStrings[%number%]

S-1-5-21-3977503587-203478664-1076914379-500
Administrator
MOCKDOMAIN
0x3ce7e
Security
File
C:\Clients\Clients\Client 2
0xa40
%%1537

0x10000
0xe74
C:\Windows\explorer.exe

To gather these specifically here is the script (cleaned up and streamlined also):

$events = get-eventlog security -InstanceId 4663 |`
     Select TimeGenerated,ReplacementStrings |`
     % {
         New-Object PSObject -Property @{
            TimeGenerated = $_.TimeGenerated
            UserName = $_.ReplacementStrings[2] + "\" + $_.ReplacementStrings[1]
            Object = $_.ReplacementStrings[6]
            Access = $_.ReplacementStrings[8]
        }
     }
$events

Thank you so much! I am now getting the information I need. I appreciate all the help you provided.

A million thanks,

JN

y/w. This seems like it may be good to post in my blog!

I have one more issue I would like help with (if you have the time). Now that we have a way to get the specific information I want, I need to be able to dump that information out into an excel spreadsheet. The whole point of the PowerShell script is to make finding who is moving folders around easier for administration and also create an easy to read spreadsheet for the boss so he can see who is doing what. Using the Out-file cmdlet, the data does not come out right in the spreadsheet. I would like to have it tabular, for instance:

TimeGenerated     User       Folder
____________   _____     ______

10:15 PM          johndoe   C:\SomeFolder\Someotherfolder
9:52 AM           janedoe    C:\importantfolder\importantotherfolder

This is how it is coming out right now:

http://img203.imageshack.us/img203/5096/excelb.png

Is it possible to somehow format the data so I do not have to create a macro to get the formatting right? I would really like this to be a fully automated process and eventually set up the PowerShell script to email the boss the log (which would run weekly) every Sunday night.

Thanks again for your help.

yup, that's where Export-CSV comes in.

replace the last line with this:

$events | Export-CSV FILE_NAME_HERE -NoTypeInformation -Force

where FILE_NAME_HERE is the output csv filename.

Excellent; that seems to fix it. Thanks again for all of your help!

Sorry to be using a old post but it seems closest to what I am trying and I am using code from here. I am trying to create a script that I can use to search the security log on a server 2008 r2 server for events associated with certain users but I would like to be able to search for other things also such as the IP.

Here is what I have so far and like I said its from this post just modified a bit,

I am trying to add something like where {$_.ReplacementStrings[1] -clike '*NameHere*'}#http://powershellcommunity.org/foru...fault.aspx



# replacementstring[0] = userSID
# replacementstring[1] = user name
# replacementstring[2] = domain
# replacementstring[3] = SubjectLogonID
# replacementstring[4] = ObjectType
# replacementstring[5] = ip
# replacementstring[6] = ipport
# replacementstring[7] = ShreName
# replacementstring[8] = ShareLocalPath
# replacementstring[9] = RelativeTargetName
# replacementstring[10] = AccessMask
# replacementstring[11] = Accesslist

cls
$events = get-eventlog security -ComputerName servernamehere | where {$_.ReplacementStrings[1] -clike '*usernamehere*'} | select TimeGenerated, replacementstrings |
% {
New-Object psobject -Property @{
TimeGenerated = $_.TimeGenerated
UserName = $_.Replacementstrings[1]
Domain= $_.Replacementstrings[2]
object = $_.ReplacementStrings[9]
access = $_.Replacementstrings[8]
} | ft
}

$events


Thanks for any pointers