Announcement

Collapse
No announcement yet.

file deletion/ eventID 4660

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • file deletion/ eventID 4660

    Hi

    i have a test server 2012 r2 set up with auditing enabled for the deletion of any files or folders, set up in the local policy and on the folder

    i have a powershell script that will trigger in task scheduler on event ID 4660 (object deleted)

    script is:-

    $pcName = "GHSVR2012"
    $Event = Get-Eventlog -log security | where {$_.eventID -eq 4663} | Sort-Object index -Descending | Select-Object -First 1
    $User = $Event.ReplacementStrings[1]
    $Domain = $Event.ReplacementStrings[2]
    $File = $Event.ReplacementStrings[6]
    $MailSubject = "A File has been deleted in the G Drive:"
    $MailBody = "The account Name is :- " + $Domain + "\" + $User + "`r`n" + "The flie deleted was from :" + $File + "`r`n" + "Time: " + $Event.TimeGenerated
    $SmtpClient = New-Object system.net.mail.smtpClient
    $SmtpClient.host = "smtp.xxxxxxxxxxxxxx"
    $MailMessage = New-Object system.net.mail.mailmessage
    $MailMessage.from = "xxxxxxxxxxxxxxxxxx"
    $MailMessage.To.add("xxxxxxxxxxxxxxxx
    $MailMessage.IsBodyHtml = 0
    $MailMessage.Subject = $MailSubject
    $MailMessage.Body = $MailBody
    $SmtpClient.Send($MailMessage)


    I have everything working apart from one thing:-

    if I delete, say 5 files, called, file 1, file 2, file 3, file 4, file 5,

    the eventlog ID triggers the script to be sent and it will send 5 emails but wont name each file that has been deleted instead it will just give the first file it finds

    e.g the email i receive below:-
    The account Name is :- Domain\User1
    The file deleted was from :C:\Users\User1\Documents\file 1
    Time: 11/17/2014 11:49:35

    any ideas welcome

    cheers
    Gavin

  • #2
    Re: file deletion/ eventID 4660

    for-each loop ?
    Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

    Comment

    Working...
    X