rookie_b asked:

Check Multiple EVTX archived logs events for a particular user

I need to check multiple archived evtx logs to check what files a particular user has accessed or changed. Object access auditing is enabled and logs are set to archive at a certain size, so I need a way to go through those and export all File System audit events for that user. I was wondering if there is a way to run this against multiple logs at the same time and there probably is a better way of doing that than running multiple ISE instances.

ASKER CERTIFIED SOLUTION
David Johnson, CD
This solution is only available to members.
rookie_b

ASKER

Thanks David, that is definitely checking out. I was just looking for a quick search through a dump of logs, nothing that fancy and involved. All I need is a way to use the get-winevt PS commandlet to run as multiple jobs with the right filters on, but I guess I will just read the manual.
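An added example, not part of the original thread or of the accepted solution: one way to run `Get-WinEvent` as background jobs over a folder of archived logs, filtering for event 4663 ("An attempt was made to access an object") on file objects for a single account. The folder, account name, output path and job limit are assumptions to replace with your own values.

```powershell
# Added example. Assumed values (not from the thread): folder, account, output path.
$ArchiveDir = 'D:\ArchivedLogs'               # hypothetical folder of archived .evtx files
$UserName   = 'jdoe'                          # hypothetical account name, without the domain
$OutCsv     = 'C:\Temp\jdoe-file-audit.csv'   # hypothetical report path
$MaxJobs    = 4                               # how many logs to read at the same time

# The filter runs inside the event log API, so only matching records are returned.
# XPath string comparison is case-sensitive: use the name exactly as it is logged.
$XPath = "*[System[EventID=4663] and " +
         "EventData[Data[@Name='SubjectUserName']='$UserName'] and " +
         "EventData[Data[@Name='ObjectType']='File']]"

$Worker = {
    param($LogPath, $Filter)
    # Get-WinEvent raises an error when a log has no matches; that is not a failure here.
    Get-WinEvent -Path $LogPath -FilterXPath $Filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt  = $_
            $data = @{}
            # Turn the <Data Name="..."> elements into a name/value lookup.
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                TimeCreated = $evt.TimeCreated
                LogFile     = Split-Path -Path $LogPath -Leaf
                User        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                ObjectName  = $data['ObjectName']    # full path of the file or folder
                AccessMask  = $data['AccessMask']    # e.g. 0x1 read, 0x2 write, 0x10000 delete
                ProcessName = $data['ProcessName']
            }
        }
}

# One job per archived log, never more than $MaxJobs running at once.
$jobs = foreach ($log in Get-ChildItem -Path $ArchiveDir -Filter '*.evtx') {
    while (@(Get-Job -State Running).Count -ge $MaxJobs) { Start-Sleep -Seconds 2 }
    Start-Job -ScriptBlock $Worker -ArgumentList $log.FullName, $XPath
}

# Collect every job's results, drop the remoting properties jobs add, and export.
$jobs | Receive-Job -Wait -AutoRemoveJob |
    Select-Object TimeCreated, LogFile, User, ObjectName, AccessMask, ProcessName |
    Sort-Object TimeCreated |
    Export-Csv -Path $OutCsv -NoTypeInformation
```

Event 4663 is only logged for objects whose SACL matches the access, so a file missing from the report may simply not have been audited.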
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: 'David Johnson, CD' (https:#a43347553)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer