Audit my Hyper-V Servers (Digital Forensics)

Schnell Solutions

I notice that the Event Viewer shows most of the administrative tasks completed on a Hyper-V Server, but it does not specify the user who performed the action (i.e. Event Viewer \ Applications and Services Logs \ Microsoft \ Windows \ Hyper-V-*).

Considering a default installation (no additional software added, no settings modified from the default debugging level), how can I track which one of my administrators performed specific administrative actions in Hyper-V?
Exec Consultant, Distinguished Expert 2018, commented:
Hyper-V's built-in event system does not trap the user account that initiated a VM action. It will be the ID of the virtual machine. "Get-VM | select Name, ID" will show the same match. Also, Hyper-V (by itself) does not do any audit-style logging of change, and it does not track change. This is where something like SCVMM or another 3rd-party product adds value in providing that.
https://blog.netwrix.com/2011/05/10/scvmm-monitoring/
I believe PowerShell should surface more info, and here is an example of a script that even translates the SID into the account used.
https://www.altaro.com/hyper-v/monitoring-hyper-v-operational-and-admin-event-logs/
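As an added example (not code from this thread or from either linked article), the script below shows what PowerShell does surface on a default host: it reads the Hyper-V-VMMS Admin channel, maps the VM GUIDs embedded in each message back to VM names through Get-VM, and translates the SID stored on the event record into an account name. It assumes a Windows host with the Hyper-V role and its PowerShell module, an elevated session, and that VM GUIDs appear in the message text in standard 8-4-4-4-12 form; the `$Hours` window is an arbitrary choice.

```powershell
# Added example, not from the original thread. Assumes the Hyper-V role and
# module are installed and the session is elevated.
param(
    [int]$Hours = 24   # how far back to read; assumed default
)

# Build a GUID -> VM name lookup from the host's current inventory.
# VMs deleted since the event was written will not resolve.
$vmById = @{}
foreach ($vm in Get-VM) {
    $vmById[$vm.Id.ToString().ToLowerInvariant()] = $vm.Name
}

# Hyper-V messages identify VMs by GUID rather than by name.
$guidPattern = '[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}'

function Resolve-Sid {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    if ($null -eq $Sid) { return '<none>' }
    try {
        return $Sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Sid.Value   # orphaned or unresolvable SID: keep the raw value
    }
}

$filter = @{
    LogName   = 'Microsoft-Windows-Hyper-V-VMMS-Admin'
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -FilterHashtable $filter |
    ForEach-Object {
        $names = @()
        foreach ($m in [regex]::Matches($_.Message, $guidPattern)) {
            $g = $m.Value.ToLowerInvariant()
            if ($vmById.ContainsKey($g)) { $names += $vmById[$g] }
        }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            # Account recorded on the event itself. On a default install this
            # is commonly the VMMS service context rather than the administrator
            # who issued the command, which is the gap discussed above.
            RecordedBy  = Resolve-Sid $_.UserId
            VMs         = ($names | Select-Object -Unique) -join ', '
            Summary     = ($_.Message -split "`r?`n")[0]
        }
    } |
    Format-Table -AutoSize -Wrap
```

Run it as `.\Get-HyperVAdminEvents.ps1 -Hours 72` (file name assumed) and compare the `RecordedBy` column against the administrators you expected to see: where it consistently shows a service context instead of an individual account, the event log alone cannot answer the original question, and attribution has to come from a layer above it, such as the management product btan mentions.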
btan (Exec Consultant, Distinguished Expert 2018) commented:
For consideration