Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Windows Security Log Export

Posted on 2013-06-06
4
Medium Priority
?
1,658 Views
Last Modified: 2013-06-06
Hello,

I am trying to export the last 30 days of the Security log but only event ID 4663. I've got a working command to do so:
wevtutil epl Security auditlog.evtx /q:"*[System[(EventID=4663) and TimeCreated[timediff(@SystemTime)<=2592000000]]]"

Open in new window

However, I really want the log file to be created with a name based on the current date (e.g. - 06-06-2013.evtx), but the wevtutil command cannot parse variables for the name, or so it seems. Does anyone know how this can be accomplished as part of a batch script?

Thanks!
0
Comment
Question by:ipremise
  • 2
4 Comments
 
LVL 44

Expert Comment

by:Amit
ID: 39226571
0
 
LVL 1

Author Comment

by:ipremise
ID: 39226726
I can see how that can be a handy PS tool, but it does not seem to provide a method to directly export the data. The output can be piped into a CSV file, but then the lines get truncated and it is not as easy to sort through. I really want to keep the .evtx format. Any other ideas?
0
 
LVL 85

Accepted Solution

by:
oBdA earned 1060 total points
ID: 39226772
You can "hack" a date/time stamp from the variables %Date% and %Time%, but the format of these depends on system locale, user settings, and OS.
The script below retrieves the time using WMI and sets the environment variables, so that you can put together your custom time stamp:
@echo off
setlocal enabledelayedexpansion
set /a Line=0
for /f "tokens=1-9" %%a in ('wmic Path Win32_LocalTime Get Day^,DayOfWeek^,Hour^,Minute^,Month^,Quarter^,Second^,WeekInMonth^,Year ^| find /v ""') do (
  set /a Line += 1
  if "!Line!"=="1" (set VarA=%%a&set VarB=%%b&set VarC=%%c&set VarD=%%d&set VarE=%%e&set VarF=%%f&set VarG=%%g&set VarH=%%h&set VarI=%%i)
  if "!Line!"=="2" (set !VarA!=%%a&set !VarB!=%%b&set !VarC!=%%c&set !VarD!=%%d&set !VarE!=%%e&set !VarF!=%%f&set !VarG!=%%g&set !VarH!=%%h&set !VarI!=%%i)
)
for %%a in (Month Day Hour Minute Second) do (if !%%a! LSS 10 set %%a=0!%%a!)
REM *** At this point, the variables Day, DayOfWeek, Hour, Minute, Month, Quarter, Second, WeekInMonth, and Year are set.
REM *** Month, Day, Hour, Minute, Second have leading zeros if less than 10.
set TimeStamp=%Year%-%Month%-%Day%
wevtutil epl Security auditlog-%TimeStamp%.evtx /q:"*[System[(EventID=4663) and TimeCreated[timediff(@SystemTime)<=2592000000]]]"

Open in new window

0
 
LVL 1

Author Comment

by:ipremise
ID: 39227500
Thanks, oBdA! That works perfectly!
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question