Improve company productivity with a Business Account.Sign Up

x
?
Solved

Windows Security Log Export

Posted on 2013-06-06
4
Medium Priority
?
1,752 Views
Last Modified: 2013-06-06
Hello,

I am trying to export the last 30 days of the Security log but only event ID 4663. I've got a working command to do so:
wevtutil epl Security auditlog.evtx /q:"*[System[(EventID=4663) and TimeCreated[timediff(@SystemTime)<=2592000000]]]"

Open in new window

However, I really want the log file to be created with a name based on the current date (e.g. - 06-06-2013.evtx), but the wevtutil command cannot parse variables for the name, or so it seems. Does anyone know how this can be accomplished as part of a batch script?

Thanks!
0
Comment
Question by:ipremise
  • 2
4 Comments
 
LVL 45

Expert Comment

by:Amit
ID: 39226571
0
 
LVL 1

Author Comment

by:ipremise
ID: 39226726
I can see how that can be a handy PS tool, but it does not seem to provide a method to directly export the data. The output can be piped into a CSV file, but then the lines get truncated and it is not as easy to sort through. I really want to keep the .evtx format. Any other ideas?
0
 
LVL 86

Accepted Solution

by:
oBdA earned 1060 total points
ID: 39226772
You can "hack" a date/time stamp from the variables %Date% and %Time%, but the format of these depends on system locale, user settings, and OS.
The script below retrieves the time using WMI and sets the environment variables, so that you can put together your custom time stamp:
@echo off
setlocal enabledelayedexpansion
set /a Line=0
for /f "tokens=1-9" %%a in ('wmic Path Win32_LocalTime Get Day^,DayOfWeek^,Hour^,Minute^,Month^,Quarter^,Second^,WeekInMonth^,Year ^| find /v ""') do (
  set /a Line += 1
  if "!Line!"=="1" (set VarA=%%a&set VarB=%%b&set VarC=%%c&set VarD=%%d&set VarE=%%e&set VarF=%%f&set VarG=%%g&set VarH=%%h&set VarI=%%i)
  if "!Line!"=="2" (set !VarA!=%%a&set !VarB!=%%b&set !VarC!=%%c&set !VarD!=%%d&set !VarE!=%%e&set !VarF!=%%f&set !VarG!=%%g&set !VarH!=%%h&set !VarI!=%%i)
)
for %%a in (Month Day Hour Minute Second) do (if !%%a! LSS 10 set %%a=0!%%a!)
REM *** At this point, the variables Day, DayOfWeek, Hour, Minute, Month, Quarter, Second, WeekInMonth, and Year are set.
REM *** Month, Day, Hour, Minute, Second have leading zeros if less than 10.
set TimeStamp=%Year%-%Month%-%Day%
wevtutil epl Security auditlog-%TimeStamp%.evtx /q:"*[System[(EventID=4663) and TimeCreated[timediff(@SystemTime)<=2592000000]]]"

Open in new window

0
 
LVL 1

Author Comment

by:ipremise
ID: 39227500
Thanks, oBdA! That works perfectly!
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Understanding the various editions available is vital when you decide to purchase Windows Server 2012. You need to have a basic understanding of the features and limitations in each edition in order to make a well-informed decision that best suits …
Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

584 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question