Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Windows Security Log Export

Posted on 2013-06-06
4
Medium Priority
?
1,620 Views
Last Modified: 2013-06-06
Hello,

I am trying to export the last 30 days of the Security log but only event ID 4663. I've got a working command to do so:
wevtutil epl Security auditlog.evtx /q:"*[System[(EventID=4663) and TimeCreated[timediff(@SystemTime)<=2592000000]]]"

Open in new window

However, I really want the log file to be created with a name based on the current date (e.g. - 06-06-2013.evtx), but the wevtutil command cannot parse variables for the name, or so it seems. Does anyone know how this can be accomplished as part of a batch script?

Thanks!
0
Comment
Question by:ipremise
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 44

Expert Comment

by:Amit
ID: 39226571
0
 
LVL 1

Author Comment

by:ipremise
ID: 39226726
I can see how that can be a handy PS tool, but it does not seem to provide a method to directly export the data. The output can be piped into a CSV file, but then the lines get truncated and it is not as easy to sort through. I really want to keep the .evtx format. Any other ideas?
0
 
LVL 85

Accepted Solution

by:
oBdA earned 1060 total points
ID: 39226772
You can "hack" a date/time stamp from the variables %Date% and %Time%, but the format of these depends on system locale, user settings, and OS.
The script below retrieves the time using WMI and sets the environment variables, so that you can put together your custom time stamp:
@echo off
setlocal enabledelayedexpansion
set /a Line=0
for /f "tokens=1-9" %%a in ('wmic Path Win32_LocalTime Get Day^,DayOfWeek^,Hour^,Minute^,Month^,Quarter^,Second^,WeekInMonth^,Year ^| find /v ""') do (
  set /a Line += 1
  if "!Line!"=="1" (set VarA=%%a&set VarB=%%b&set VarC=%%c&set VarD=%%d&set VarE=%%e&set VarF=%%f&set VarG=%%g&set VarH=%%h&set VarI=%%i)
  if "!Line!"=="2" (set !VarA!=%%a&set !VarB!=%%b&set !VarC!=%%c&set !VarD!=%%d&set !VarE!=%%e&set !VarF!=%%f&set !VarG!=%%g&set !VarH!=%%h&set !VarI!=%%i)
)
for %%a in (Month Day Hour Minute Second) do (if !%%a! LSS 10 set %%a=0!%%a!)
REM *** At this point, the variables Day, DayOfWeek, Hour, Minute, Month, Quarter, Second, WeekInMonth, and Year are set.
REM *** Month, Day, Hour, Minute, Second have leading zeros if less than 10.
set TimeStamp=%Year%-%Month%-%Day%
wevtutil epl Security auditlog-%TimeStamp%.evtx /q:"*[System[(EventID=4663) and TimeCreated[timediff(@SystemTime)<=2592000000]]]"

Open in new window

0
 
LVL 1

Author Comment

by:ipremise
ID: 39227500
Thanks, oBdA! That works perfectly!
0

Featured Post

New benefit for Premium Members - Upgrade now!

Ready to get started with anonymous questions today? It's easy! Learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question