Solved

Windows Security Log Export

Posted on 2013-06-06
4
1,479 Views
Last Modified: 2013-06-06
Hello,

I am trying to export the last 30 days of the Security log but only event ID 4663. I've got a working command to do so:
wevtutil epl Security auditlog.evtx /q:"*[System[(EventID=4663) and TimeCreated[timediff(@SystemTime)<=2592000000]]]"

Open in new window

However, I really want the log file to be created with a name based on the current date (e.g. - 06-06-2013.evtx), but the wevtutil command cannot parse variables for the name, or so it seems. Does anyone know how this can be accomplished as part of a batch script?

Thanks!
0
Comment
Question by:ipremise
  • 2
4 Comments
 
LVL 41

Expert Comment

by:Amit
ID: 39226571
0
 
LVL 1

Author Comment

by:ipremise
ID: 39226726
I can see how that can be a handy PS tool, but it does not seem to provide a method to directly export the data. The output can be piped into a CSV file, but then the lines get truncated and it is not as easy to sort through. I really want to keep the .evtx format. Any other ideas?
0
 
LVL 83

Accepted Solution

by:
oBdA earned 265 total points
ID: 39226772
You can "hack" a date/time stamp from the variables %Date% and %Time%, but the format of these depends on system locale, user settings, and OS.
The script below retrieves the time using WMI and sets the environment variables, so that you can put together your custom time stamp:
@echo off
setlocal enabledelayedexpansion
set /a Line=0
for /f "tokens=1-9" %%a in ('wmic Path Win32_LocalTime Get Day^,DayOfWeek^,Hour^,Minute^,Month^,Quarter^,Second^,WeekInMonth^,Year ^| find /v ""') do (
  set /a Line += 1
  if "!Line!"=="1" (set VarA=%%a&set VarB=%%b&set VarC=%%c&set VarD=%%d&set VarE=%%e&set VarF=%%f&set VarG=%%g&set VarH=%%h&set VarI=%%i)
  if "!Line!"=="2" (set !VarA!=%%a&set !VarB!=%%b&set !VarC!=%%c&set !VarD!=%%d&set !VarE!=%%e&set !VarF!=%%f&set !VarG!=%%g&set !VarH!=%%h&set !VarI!=%%i)
)
for %%a in (Month Day Hour Minute Second) do (if !%%a! LSS 10 set %%a=0!%%a!)
REM *** At this point, the variables Day, DayOfWeek, Hour, Minute, Month, Quarter, Second, WeekInMonth, and Year are set.
REM *** Month, Day, Hour, Minute, Second have leading zeros if less than 10.
set TimeStamp=%Year%-%Month%-%Day%
wevtutil epl Security auditlog-%TimeStamp%.evtx /q:"*[System[(EventID=4663) and TimeCreated[timediff(@SystemTime)<=2592000000]]]"

Open in new window

0
 
LVL 1

Author Comment

by:ipremise
ID: 39227500
Thanks, oBdA! That works perfectly!
0

Featured Post

Why spend so long doing email signature updates?

Do you spend loads of your time carrying out email signature updates? Not very interesting are they? Don’t let signature updates get you down. Let Exclaimer Cloud - Signatures for Office 365 make managing email signatures a breeze.

Join & Write a Comment

Redirected folders in a windows domain can be quite useful for a number of reasons, one of them being that with redirected application data, you can give users more seamless experience when logging into different workstations.  For example, if a use…
This article was inspired by a question here at Experts Exchange (http://www.experts-exchange.com/Software/Photos_Graphics/Images_and_Photos/Q_28629170.html). The requirements stated in that question are (1) reduce the file size of a large number of…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now