Event Security Log Export


  • Event Security Log Export

    Hello folks,

    Just wondering if there is a way to export the security log descriptions to a csv file?

    Thanks in advance -

    yellow_doh

  • #2
    Re: Event Security Log Export

    Yellow_doh,

    Did you even try anything??

    If you right click on the security file and then select "Export List" and then select the type as ".csv"

    Michael
    Michael Armstrong
    www.m80arm.co.uk
    MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Event Security Log Export

      Hello,

      I apologize for the lack of 411...yes, exported to csv but found out that the "descriptions" of the events don't export as well. Filtering events will allow me to isolate security incidents to those that I want but still no "descriptions". What I really need is object access info...in particular deletion of files in an AD group volume.

      Cheers

      Yellow_doh



      • #4
        Re: Event Security Log Export

        Try saving the log instead. You get a little bit more information.

        Right click on event log and select "Save log file as" and change the type as .csv

        Give that a try and let us know what it's like

        Michael


        • #5
          Re: Event Security Log Export

          Hi all,

          Sorry for the spotty comms.. that works up to a point. I don't have the full path to the files in question though. Funny, I tried that before and didn't even see the column. Guess I just didn't scroll far along enough.

          Thanks for the help...but like most of the googling I have done so far says: Mr Gates seems to have decided that the event logs don't need tweaking.

          Regards,
          yellow_doh



          • #6
            Re: Event Security Log Export

            Maybe a VBscript can help?

            Code:
            'Retrieve *Audit Failures, Warnings, and Errors* from the EventLog files
            On Error Resume Next
            strComputer = "."
            
            Set objWMIService = GetObject("winmgmts:" _
                & "{(Security)}\\" & strComputer & "\root\cimv2")
            
                'EventType Value = Meaning
                '        1  = Error
                '        2  = Warning
                '        3  = Information
                '        4  = Security Success
                '        5  = Security Failure
                '        8  = Security audit success
                '        16 = Security audit failure
            
            Set colLoggedEvents = objWMIService.ExecQuery _
                ("Select * From Win32_NTLogEvent Where EventType <> 4 AND EventType <> 8")
            
            Set FileSystem = WScript.CreateObject("Scripting.FileSystemObject")
            Set oFile = FileSystem.CreateTextFile("EventsSearch.csv", True)
            
                ' Event properties are:
                '  objEvent.
                '          Category
                '          CategoryString
                '          ComputerName
                '          Data
                '          EventCode
                '          EventIdentifier
                '          EventType
                '          InsertionStrings
                '          Logfile
                '          Message  = DESCRIPTION
                '          RecordNumber
                '          SourceName
                '          TimeGenerated
                '          TimeWritten
                '          Type
                '          User
            
            For Each objEvent in colLoggedEvents
                oFile.WriteLine (objEvent.Logfile & "," & objEvent.EventCode & "," & chr(34) & Trim( Replace( objEvent.Message, vbCrLf, " ")) & chr(34))
            Next
            
            Wscript.Echo "Done!!"
            
            wscript.quit

            \Rem
            Last edited by Rems; 24th January 2007, 20:28.

            This posting is provided "AS IS" with no warranties, and confers no rights.

            __________________

            ** Remember to give credit where credit's due **
            and leave Reputation Points for meaningful posts



            • #7
              Re: Event Security Log Export

              To speed up the process you can limit the search to only the Security logfile.

              Therefore, replace the corresponding lines with these code lines:
              Code:
              Set objWMIService = GetObject("winmgmts:" _
                  & "{impersonationLevel=impersonate,(Security)}!\\" & _
                      strComputer & "\root\cimv2")
              Code:
              Set colLoggedEvents = objWMIService.ExecQuery _
                  ("Select * From Win32_NTLogEvent Where Logfile = 'Security' AND EventType <> 4 AND EventType <> 8")
              After 'Where' you add the query options (filter); if you want, you can customize your query here.

              -----------------
              B.t.w
              If you want the date and time in the output csv-file in separate columns, add this little function at the bottom of the script (below the "wscript.quit" line):
              Code:
              Function evtdatetime(evttime)
              	Dim tmGen, dtPart,tmPart
              	tmGen =  Left(evttime,14)
              	dtPart = Left(tmGen,8)
              	tmPart = Right(tmGen,6)
              	evtdatetime = Left(dtPart,4) & "/" & Mid(dtPart,5,2) & "/" & Right(dtPart,2) &","& _
              		      Left(tmPart,2) & ":" & Mid(tmPart,3,2) & ":" & Right(tmPart,2)
              End Function
              Now you can replace the corresponding lines with this code:
              Code:
              For Each objEvent in colLoggedEvents
              oFile.WriteLine (evtdatetime(objEvent.TimeGenerated) &","& objEvent.Logfile &","& objEvent.Type &","& _
                               objEvent.EventCode &","& chr(34) & Trim( Replace( objEvent.Message, vbCrLf, " ")) & chr(34))
              Next
              The objEvent.TimeGenerated field is now added to the EventsSearch.csv file. It uses the extra evtdatetime-function to convert the value to a date field and a time field.

              Only the values from objEvent.TimeGenerated, objEvent.TimeWritten and objEvent.Message need a little bit of correction. You can easily add other fields from the 'event properties list' to the output file. Separate each included field with &","& to make them 'comma separated'.


              \Rem
              Last edited by Rems; 26th January 2007, 17:57. Reason: added a date and time option to the script

              This posting is provided "AS IS" with no warranties, and confers no rights.

              __________________

              ** Remember to give credit where credit's due **
              and leave Reputation Points for meaningful posts
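
An added example, not part of the posts above: the same Security-log query and output file as in post #7, but every text field is CSV-quoted with embedded double quotes doubled (event messages that contain `"` otherwise split into extra columns), Null fields are handled, and the `InsertionStrings` array from the property list is exported in its own column. The helper names `CsvField` and `JoinStrings` are hypothetical; `evtdatetime` performs the same conversion as the function in the post.

```vbscript
' Added example (not from the thread): Security-log export with CSV-safe quoting.
Option Explicit
Dim strComputer, objWMIService, colEvents, objEvent, objFSO, oFile
strComputer = "."

' Same moniker and query as post #7; change the Where clause to suit your filter.
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!\\" & strComputer & "\root\cimv2")
Set colEvents = objWMIService.ExecQuery( _
    "Select * From Win32_NTLogEvent Where Logfile = 'Security' " & _
    "AND EventType <> 4 AND EventType <> 8")

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set oFile = objFSO.CreateTextFile("EventsSearch.csv", True)
oFile.WriteLine "Date,Time,EventCode,Type,User,InsertionStrings,Message"

For Each objEvent In colEvents
    oFile.WriteLine evtdatetime(objEvent.TimeGenerated) & "," & _
        objEvent.EventCode & "," & CsvField(objEvent.Type) & "," & _
        CsvField(objEvent.User) & "," & _
        CsvField(JoinStrings(objEvent.InsertionStrings)) & "," & _
        CsvField(objEvent.Message)
Next
oFile.Close
WScript.Echo "Done"

' Quote one CSV field: Null becomes empty, line breaks become spaces, " is doubled.
Function CsvField(value)
    Dim s
    If IsNull(value) Then s = "" Else s = CStr(value)
    s = Replace(Replace(s, vbCr, " "), vbLf, " ")
    CsvField = Chr(34) & Replace(Trim(s), Chr(34), Chr(34) & Chr(34)) & Chr(34)
End Function

' InsertionStrings is an array (or Null); join it so all values stay in one column.
Function JoinStrings(arr)
    If IsArray(arr) Then JoinStrings = Join(arr, " | ") Else JoinStrings = ""
End Function

' yyyymmddHHMMSS... -> yyyy/mm/dd,HH:MM:SS (two CSV columns, as in the post)
Function evtdatetime(evttime)
    evtdatetime = Mid(evttime, 1, 4) & "/" & Mid(evttime, 5, 2) & "/" & _
                  Mid(evttime, 7, 2) & "," & Mid(evttime, 9, 2) & ":" & _
                  Mid(evttime, 11, 2) & ":" & Mid(evttime, 13, 2)
End Function
```

Run it with cscript.exe under an account that is allowed to read the Security log.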



              • #8
                Re: Event Security Log Export

                I bow to the wisdom of the maestros

                yellow_doh



                • #9
                  Re: Event Security Log Export

                  Originally posted by yellow_doh
                  I bow to the wisdom of the maestros

                  yellow_doh
                  Or, alternatively, you could THANK them...


                  Tom
                  For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

                  Anything you say will be misquoted and used against you
