How to audit changed / deleted files - ver 1.25

Audit changed or deleted files on your Windows file server. This script makes a daily report in HTML, featuring search-as-you-type results.

5 Star
7,862 times
Add to favorites
E-mail Twitter Digg Facebook
Sign in to ask a question

  • logs son eliminados
    1 Posts | Last post May 14, 2019
    • hice la prueba y no extre los eventos sobre cambios y lo peor que elimina los eventos
  • doesn´t appear events
    1 Posts | Last post March 07, 2019
    • My fileserver saved the security's events (4656,4659,4660,4663) between others, but this week hasn´t events, just ID 512 events were saved, at moment that run the scheduled task with the Monitor-File-Server-Activity.ps1 doesn't filter, so the report CSV and HTML is empty.
      Somebody has same problem??
  • Server 2016
    4 Posts | Last post February 19, 2019
    • Hi
      I have installed this on Server2016 (test server in a test domain). It seem to be parsing the event logs correctly, but nothing shows up in the HTML reports.
      GPO settings are correctly set. 
      Any suggestions where I should start looking?
    • Hi All
      I'm able to answer my own question.
      Yes, it works on Server2k16. :) 
      However, the devil was in the email details. Ours you will need to authenticate to the SMTP server before it will accept any incoming email request. 
      On my setup, the script dutifully ran, but bombed out when it could not connect successfully to our (hosted) email server, and aborted further processing. 
      I will see if I can fix this issue (hopefully later today, if not, tomorrow) and have a working setup to report back to the author with.
      Another issue was that auditing permissions did not propagate properly, I had to manually set auditing permissions as we use a customized permissions tree (a huge PITA). 
      Kind regards
    • Hi!
      Do you fix the issue to send with authenticate SMTP? 
    • Hi Emil!
      you resolved it??
      the HTML report show none event..
  • i have a problem to generating the report file
    2 Posts | Last post February 08, 2019
    • i am getting this error in log file please help me
      Windows PowerShell Transcript Start
      Start time: 20170624113922
      Username  : th-svr\tabtree 
      Machine	  : TH-SVR (Microsoft Windows NT 6.1.7601 Service Pack 1) 
      Transcript started, output file is C:\Windows\Temp\Monitor-File-Server-Activity
      You cannot call a method on a null-valued expression.
      At C:\Audit\Monitor-File-Server-Activity.ps1:16 char:29
      + $Security_log.BackupEventlog <<<< ($Truncated_Log_Path)
          + CategoryInfo          : InvalidOperation: (BackupEventlog:String) [], Pa 
          + FullyQualifiedErrorId : InvokeMethodOnNull
      Windows PowerShell Transcript End
      End time: 20170624113927
    • I have the same problem, same error... could you resolve it??
  • Empty report
    1 Posts | Last post January 16, 2019
    • Hi all community,
      I followed the actions step by step, I have events of suppression which goes up in the newspapers, on the other hand the report is empty.
      I checked the rights are well inherited, I need help please
  • powershell : New-TimeSpan : Cannot bind parameter 'Start' to the target. Exception setting
    2 Posts | Last post December 28, 2018
    • got the following error during an attempt -2012R2 asking for your assistance in resolving it.
      At line:1 char:1
      + powershell -File C:\Audit\Monitor-File-Server-Activity.ps1
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : NotSpecified: (New-TimeSpan : ...eption setting :String) [], RemoteException
          + FullyQualifiedErrorId : NativeCommandError
      "Start": "Cannot convert null to type "System.DateTime"."
      At C:\Audit\Functions.ps1:51 char:65
      + ... $TimeSpan = ((get-date).ToString(-((New-TimeSpan -Start $Time -End $P ...
      +                                                             ~~~~~
          + CategoryInfo          : WriteError: (:) [New-TimeSpan], ParentContainsEr 
          + FullyQualifiedErrorId : ParameterBindingFailed,Microsoft.PowerShell.Comm 
    • Commented out the CleanUp 0 function.
      #CleanUp 0 --> Commented out as it was throwing an error I was unable to resolve
      Once commented out the script works as expected.
  • Audit read files
    1 Posts | Last post August 27, 2018
    • Hello,
      can we change the script to catch the Read file events ?
      I would like to know who read or copy the files.
      Thank you.
  • File Server Audit Reports to be done for archived event log files
    1 Posts | Last post August 01, 2018
    • Hello,
      we are running file server audit reports daily. now the event log file size is increased. so we have set event logs to be archive if the file size reaches to 550 MB. once .evtx file reach to 550 it creates another file.
      we are using below powershell script to run audit reports but the problem is. its processing only active .evtx file. and not processing archived files. there are 4-5 more archived files which has to be processed to get complete  file server audit reports.
      used powershell script link
      please help..
  • PSTerminatingErrors?
    1 Posts | Last post June 25, 2018
    • Hi there
      After a couple of weeks working nicely, I now get this error in the logfile : 
      PS>TerminatingError(): "Exception calling "Substring" with "2" argument(s): "Index and length must refer to a location within the string.
      Parameter name: length""
      >> TerminatingError(Draw_Conclusions): "Exception calling "Substring" with "2" argument(s): "Index and length must refer to a location within the string.
      Parameter name: length""
      No events found
      Any ideas on how to sort this error out? 
  • Audit for Specific Date or Duration of Date
    1 Posts | Last post March 13, 2018
    • What are the changes required for Audit during interval of date (like 10 march to 13 march) or specific date, Please help me.
1 - 10 of 36 Items