Event triggering based on folder auditing

Hi experts.

I am trying to create a trigger for a scheduled task. The task should run, when a file is placed in some folder or one of its subfolders.
So I set up auditing and of course it works; events are coming in which should be used as task triggers.

Problem with the trigger is: I cannot use wildcards that would parse the events for the existence of that path being watched.
To illustrate: I'd like to watch c:\test and its subfolders. When I write a file "file1" to c:\test, the eventlog will reflect that. But there's no way I see to setup a trigger that looks for c:\test\* or something to catch all the matching events.

Though I can script this folder watching in PowerShell or VBS, I see no way to create a task trigger that does the same. This seems to be due to the limited options that XPath 1.0 is offering.

Can anyone confirm this (or even better even refute it)?
McKnifeAsked:

Bob LearnedCommented:
How many folders are you talking about?  With PowerShell, you can tap into the .NET framework, and use a FileSystemWatcher.  It can be bogged down by a lot of events and a lot of folders.
McKnifeAuthor Commented:
Hi.

Bob, I am looking for an event trigger and a confirmation (or refutation) that it cannot be done.
I know how to do it in powershell, like I wrote.
footechCommented:
The only thing I've read that I think might fit your situation is here.
http://blogs.technet.com/b/otto/archive/2011/08/24/trigger-a-powershell-script-from-a-windows-event.aspx

I haven't actually worked through the example (didn't have a need at the time), but it holds some promise in that it's passing some information about the event into the script.  I find myself wondering what other values can be passed besides the mentioned:
<ValueQueries>
  <Value name="eventChannel">Event/System/Channel</Value>
  <Value name="eventRecordID">Event/System/EventRecordID</Value>
  <Value name="eventSeverity">Event/System/Level</Value>
</ValueQueries>
It'd be nice if the followup Get-WinEvent command were not needed.  Perhaps something along the lines of
<Value name="FilePath">Event/EventData/Data[@Name='FilePath']</Value>

By the way, I ran across the above link while going through comments of this page, http://blogs.technet.com/b/ashleymcglone/archive/2013/08/28/powershell-get-winevent-xml-madness-getting-details-from-event-logs.aspx#pi57261=2 (which I have gone through, and improved).

This is far from a complete answer, but it seems to be a path that holds some promise.
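
As an added example (not code from the thread or from the linked blog posts), here is the approach sketched above carried through end to end in PowerShell: a task whose event trigger subscribes to every 4663 event and hands the EventRecordID to a script through ValueQueries, with the script then doing the prefix match on ObjectName that the trigger's XPath cannot express. The task name Watch-TestFolder, the script path C:\Scripts\On-FileWrite.ps1, the log file path and the watched folder C:\test are assumptions; the task runs as SYSTEM because reading the Security log needs that privilege.

```powershell
# Added example, not from the thread. Assumed names: task 'Watch-TestFolder',
# handler C:\Scripts\On-FileWrite.ps1, watched folder C:\test.

# --- Part 1: the handler script that the task launches ------------------------
$handler = @'
param(
    [Parameter(Mandatory)][long]$RecordId,
    [string]$WatchRoot = 'C:\test'
)
# Fetch exactly the event that fired the trigger (same XPath subset as the
# trigger itself; EventRecordID is numeric, so equality is safe here).
$ev = Get-WinEvent -LogName Security -FilterXPath "*[System[EventRecordID=$RecordId]]" -ErrorAction Stop
[xml]$x = $ev.ToXml()
$data = @{}
foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

# The wildcard match the trigger cannot do happens here. Note that 'C:\test'
# itself and 'C:\test2\...' do not match 'C:\test\*', which is what we want.
if ($data['ObjectName'] -notlike ($WatchRoot.TrimEnd('\') + '\*')) { return }

# Assumption: only react to write-type access (WriteData/AddFile = 0x2,
# AppendData = 0x4 in the 4663 AccessMask); remove this test to fire on reads.
$mask = [int]$data['AccessMask']
if (($mask -band 0x6) -eq 0) { return }

"$(Get-Date -Format s) $($data['SubjectUserName']) wrote $($data['ObjectName']) via $($data['ProcessName'])" |
    Add-Content -Path 'C:\Scripts\file-writes.log'
'@
New-Item -ItemType Directory -Path 'C:\Scripts' -Force | Out-Null
Set-Content -Path 'C:\Scripts\On-FileWrite.ps1' -Value $handler

# --- Part 2: the task definition. The Subscription is XML-escaped because it
# sits inside an XML element; $(eventRecordID) in Arguments is replaced by the
# value the ValueQueries entry of the same name pulled from the event. --------
$taskXml = @'
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4663]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
      <ValueQueries>
        <Value name="eventRecordID">Event/System/EventRecordID</Value>
      </ValueQueries>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
    <ExecutionTimeLimit>PT5M</ExecutionTimeLimit>
    <Enabled>true</Enabled>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\On-FileWrite.ps1 -RecordId $(eventRecordID)</Arguments>
    </Exec>
  </Actions>
</Task>
'@
Register-ScheduledTask -TaskName 'Watch-TestFolder' -Xml $taskXml -Force | Out-Null
```

The trigger is deliberately broad (every 4663 on the machine), so the task starts on each audited access and the script discards the ones outside the folder; with a busy audit policy that means frequent short-lived PowerShell launches, which is the cost of pushing the path check out of the trigger. MultipleInstancesPolicy is set to Queue so bursts of events are not dropped.
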

McKnifeAuthor Commented:
Hi.

Look, I am not looking for triggering some powershell script.
I am looking right for this: http://quickdevtips.blogspot.de/2012/12/how-to-monitor-folder-and-trigger.html - problem is, the information is wrong. The XPath 1.0 syntax, which is what Task Scheduler talks, does not understand &gt; (which means >, i.e. greater than) when used with strings; it seems it only works with numbers. This is what I'd like to see comments on from insiders.

This is not about powershell syntax but only about the custom task trigger syntax.
footechCommented:
Well, my thinking was that if you passed the information along to a PS script, the script could then do the checking on the path with much greater control of the criteria of whether to act or not.  Your selection of topics led to this suggestion.

Anyway, if the only solution you're looking for is the XPath syntax, I can confirm that the post you mentioned works.  Here's an example (working) of a task trigger taken from my Win7 machine.
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4663)]]
      and *[EventData[Data[@Name='ObjectName'] and (Data&gt;='K:\test')]]
      and *[EventData[Data[@Name='ProcessName'] and (Data='C:\Windows\System32\notepad.exe')]]
    </Select>
  </Query>
</QueryList>

McKnifeAuthor Commented:
It does not work. Please confirm your error by writing to some other folder that is being audited. The task will launch again, although you did not write to k:\test.
footechCommented:
You're right, thanks for pointing out my error.
Given what I've read, Windows Event Log only supports a subset of XPath 1.0.  It seems the proper way would be to use contains() or starts-with(), but those aren't supported.  Thinking about it, it does make sense that >= doesn't work with strings.  You get weird results if you also try <, <=, >.
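
One way to see the mismatch described above before a trigger goes into production, as an added example that is not part of the thread: Get-WinEvent -FilterXPath runs a query through the same Windows Event Log engine that evaluates a task's event subscription, so a candidate XPath can be tried against the existing Security log and its hits compared with a real prefix match done in PowerShell. The function name Test-TriggerXPath and the folder K:\test are assumptions; the first query is the thread's own string comparison, the second shows the one string form the subset does accept (exact equality), which cannot cover subfolders.

```powershell
# Added example, not from the thread. Runs the same XPath subset a task trigger
# would use, then flags every hit that a real wildcard match would have rejected.
function Test-TriggerXPath {
    param(
        [Parameter(Mandatory)][string]$XPath,
        [Parameter(Mandatory)][string]$WatchRoot,   # assumed, e.g. 'K:\test'
        [int]$MaxEvents = 200
    )
    # Reading the Security log needs an elevated session.
    $hits = Get-WinEvent -LogName Security -FilterXPath $XPath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($ev in $hits) {
        [xml]$x = $ev.ToXml()
        $obj = ($x.Event.EventData.Data | Where-Object Name -eq 'ObjectName').'#text'
        [pscustomobject]@{
            RecordId   = $ev.RecordId
            ObjectName = $obj
            # The check the trigger cannot express: a genuine "starts with".
            WantedHit  = $obj -like ($WatchRoot.TrimEnd('\') + '\*')
        }
    }
}

# The comparison from the thread (unescaped here because it is not inside XML):
# string >= is an ordering test, not a prefix test, so paths outside K:\test match too.
$thread = "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4663]] " +
          "and *[EventData[Data[@Name='ObjectName'] and (Data>='K:\test')]]"
Test-TriggerXPath -XPath $thread -WatchRoot 'K:\test' |
    Where-Object { -not $_.WantedHit } |
    Format-Table RecordId, ObjectName
# Every row printed is an access outside K:\test that would still launch the task.

# Exact equality is the string comparison the subset does support; it only ever
# matches one path, which is why subfolder watching has to move into the action.
$exact = "*[System[EventID=4663]] and *[EventData[Data[@Name='ObjectName']='K:\test\file1']]"
Test-TriggerXPath -XPath $exact -WatchRoot 'K:\test' | Format-Table RecordId, ObjectName, WantedHit
```

Running the first query on a machine where several folders are audited is the quickest way to reproduce what the asker reports: the rows with WantedHit false are exactly the spurious launches.
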
McKnifeAuthor Commented:
OK. What I'd accept as a solution, and what would lead me to closing this, is some MS statement "wildcards are not possible in any way for something like ObjectName which is a string". I got information pointing in that direction already, but no official statement, and that's why I didn't let my hope die yet.

Using an event watcher script is possible (tried it, works), but it opens other cans of worms which I'd like to avoid.
footechCommented:
McKnifeAuthor Commented:
Yes, I know that one and found it useless, when it comes to wildcards. Will use workarounds, closing.

McKnifeAuthor Commented:
No real progress was made. Thanks for participating.