Solved

Windows Security Log Export

Posted on 2013-06-06
4
1,514 Views
Last Modified: 2013-06-06
Hello,

I am trying to export the last 30 days of the Security log but only event ID 4663. I've got a working command to do so:
wevtutil epl Security auditlog.evtx /q:"*[System[(EventID=4663) and TimeCreated[timediff(@SystemTime)<=2592000000]]]"

Open in new window

However, I really want the log file to be created with a name based on the current date (e.g. - 06-06-2013.evtx), but the wevtutil command cannot parse variables for the name, or so it seems. Does anyone know how this can be accomplished as part of a batch script?

Thanks!
0
Comment
Question by:ipremise
  • 2
4 Comments
 
LVL 42

Expert Comment

by:Amit
ID: 39226571
0
 
LVL 1

Author Comment

by:ipremise
ID: 39226726
I can see how that can be a handy PS tool, but it does not seem to provide a method to directly export the data. The output can be piped into a CSV file, but then the lines get truncated and it is not as easy to sort through. I really want to keep the .evtx format. Any other ideas?
0
 
LVL 83

Accepted Solution

by:
oBdA earned 265 total points
ID: 39226772
You can "hack" a date/time stamp from the variables %Date% and %Time%, but the format of these depends on system locale, user settings, and OS.
The script below retrieves the time using WMI and sets the environment variables, so that you can put together your custom time stamp:
@echo off
setlocal enabledelayedexpansion
set /a Line=0
for /f "tokens=1-9" %%a in ('wmic Path Win32_LocalTime Get Day^,DayOfWeek^,Hour^,Minute^,Month^,Quarter^,Second^,WeekInMonth^,Year ^| find /v ""') do (
  set /a Line += 1
  if "!Line!"=="1" (set VarA=%%a&set VarB=%%b&set VarC=%%c&set VarD=%%d&set VarE=%%e&set VarF=%%f&set VarG=%%g&set VarH=%%h&set VarI=%%i)
  if "!Line!"=="2" (set !VarA!=%%a&set !VarB!=%%b&set !VarC!=%%c&set !VarD!=%%d&set !VarE!=%%e&set !VarF!=%%f&set !VarG!=%%g&set !VarH!=%%h&set !VarI!=%%i)
)
for %%a in (Month Day Hour Minute Second) do (if !%%a! LSS 10 set %%a=0!%%a!)
REM *** At this point, the variables Day, DayOfWeek, Hour, Minute, Month, Quarter, Second, WeekInMonth, and Year are set.
REM *** Month, Day, Hour, Minute, Second have leading zeros if less than 10.
set TimeStamp=%Year%-%Month%-%Day%
wevtutil epl Security auditlog-%TimeStamp%.evtx /q:"*[System[(EventID=4663) and TimeCreated[timediff(@SystemTime)<=2592000000]]]"

Open in new window

0
 
LVL 1

Author Comment

by:ipremise
ID: 39227500
Thanks, oBdA! That works perfectly!
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Redirected folders in a windows domain can be quite useful for a number of reasons, one of them being that with redirected application data, you can give users more seamless experience when logging into different workstations.  For example, if a use…
A safe way to clean winsxs folder from your windows server 2008 R2 editions
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question