How to audit changed / deleted files - ver 1.25

Audit changed or deleted files on your Windows file server. This script makes a daily report in HTML, featuring search-as-you-type results.

9/13/2015


  • Converting device to drive letter
    1 Posts | Last post January 30, 2018
    • I am having a slight issue with the file path not appearing. In the script logs I have:
      PS>TerminatingError(Get-Item): "The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: Cannot find path 'C:\Device\HarddiskVolume93\Scans\scans' because it does not exist."
      Within the event log the object name is displayed as: \Device\HarddiskVolume93\Scans\scans\2000010002ap1b.pdf
      I am not sure where or why it's deciding to put a C: in front? Any ideas? Apart from that, working great!
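      The object name in a 4663 event is an NT device path, and prefixing it with C: is what produces the missing-path error above. As an added example (not part of the original script), the following maps \Device\HarddiskVolumeN to the drive letter the server actually has for that volume, and leaves the path alone when the volume has no letter. It assumes Windows PowerShell 5.1 or later; the function names are hypothetical.

```powershell
# Added example: translate NT volume device paths from 4663 events into drive-letter paths.
# QueryDosDevice is the kernel32 call that returns the NT device name behind a DOS drive letter.
Add-Type -Namespace Win32 -Name NativeMethods -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDevice(string lpDeviceName, System.Text.StringBuilder lpTargetPath, int ucchMax);
'@

function Get-DeviceToDriveMap {
    # Build { '\Device\HarddiskVolume3' = 'D:' } from the drive letters defined on this server
    $map = @{}
    foreach ($code in 65..90) {
        $drive  = "$([char]$code):"
        $target = New-Object System.Text.StringBuilder 1024
        if ([Win32.NativeMethods]::QueryDosDevice($drive, $target, $target.Capacity) -gt 0) {
            $map[$target.ToString()] = $drive
        }
    }
    return $map
}

function Convert-DevicePathToDrivePath {
    param(
        [Parameter(Mandatory)][string]$Path,
        [hashtable]$Map = (Get-DeviceToDriveMap)
    )
    # Only rewrite paths that start with an NT volume device name; anything else is returned unchanged
    if ($Path -match '^(\\Device\\HarddiskVolume\d+)(\\.*)?$') {
        $device = $Matches[1]
        $rest   = $Matches[2]
        if ($Map.ContainsKey($device)) {
            return $Map[$device] + $rest
        }
        # Volume without a drive letter (for example a folder mount point): keep the NT path
        # rather than guessing a letter, which is what produced the bogus C:\Device\... path.
    }
    return $Path
}

# Constructed sample input, matching the object name quoted in the post above
Convert-DevicePathToDrivePath '\Device\HarddiskVolume93\Scans\scans\2000010002ap1b.pdf'
```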
  • No data in table / No events found
    2 Posts | Last post November 22, 2017
    • Windows Server 2008r2
      
      I finally got the auditing setup, and the script scheduled, but every time the reports say there's no data, yet I can see a ton of Event ID 4663 with Access Mask 0x80 in the Event Logs.
      
      Not sure why it doesn't see the events?
      
      Event Log:
      An attempt was made to access an object.
      
      Subject:
      	Security ID:		CORP\jblow
      	Account Name:		jblow
      	Account Domain:		CORP
      	Logon ID:		0x46584918c
      
      Object:
      	Object Server:	Security
      	Object Type:	File
      	Object Name:	D:\Scan_Data
      	Handle ID:	0x5158
      
      Process Information:
      	Process ID:	0x4
      	Process Name:	
      
      Access Request Information:
      	Accesses:	ReadAttributes
      				
      	Access Mask:	0x80
      
      ---------------------------------------------------------
      
      File-Audit-Reports:
      
      No data available in table
      
      Showing 0 to 0 of 0 entries Previous Next
      
      This report lists files/folders that were created/modified, renamed, moved, or deleted on Wednesday, November 15, 2017
      
      Tested on servers running 2008 R2, 2012, 2012 R2 with clients running Windows 7 and 8.1.
      
      The Windows Security Event Logs underlying this script are compressed and retained for 90 days by default.
      
      Processed 226 events in 0.1 minutes (2260 events per minute).
      
    • This turned out to be problems with the auditing. I had set it on the top folder, but it didn't properly cascade down to all the sub-folders. I went to each 2nd-level folder and set auditing without checking either "Include inheritable auditing..." or the "Replace all existing inheritable..." boxes, and made sure that it said Apply onto "This folder, subfolders and files". I also did not check the "Apply these auditing entries to objects..." box. Now the report data is showing up.
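      To confirm that auditing really reached every subfolder before blaming the script, here is an added check (not part of the original script) that walks a tree and reports folders whose SACL has no Success audit entry for the write, append and delete rights that create/modify/rename/delete produce. It assumes an elevated session, since reading SACLs needs SeSecurityPrivilege; the function name is hypothetical.

```powershell
# Added example: find folders under an audited root that lack the audit entries a change report needs.
function Find-UnauditedFolders {
    param(
        [Parameter(Mandatory)][string]$Root,
        # Rights whose use shows up as create/modify/rename/delete in 4663/4660 events
        [System.Security.AccessControl.FileSystemRights]$Required = 'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles'
    )
    $folders = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force)
    foreach ($folder in $folders) {
        # Get-Acl -Audit exposes the SACL; .Audit is the collection of FileSystemAuditRule entries
        $rules   = (Get-Acl -LiteralPath $folder.FullName -Audit).Audit
        $covered = 0
        foreach ($rule in $rules) {
            # Only Success entries matter for a "what changed" report; 1 is AuditFlags.Success
            if (([int]$rule.AuditFlags -band 1) -ne 0) {
                $covered = $covered -bor [int]$rule.FileSystemRights
            }
        }
        $missing = [int]$Required -band -bnot $covered
        if ($missing -ne 0) {
            [pscustomobject]@{
                Folder  = $folder.FullName
                Missing = [System.Security.AccessControl.FileSystemRights]$missing
            }
        }
    }
}

# Constructed usage for the share named in the event above; an empty result means every folder is covered
Find-UnauditedFolders -Root 'D:\Scan_Data'
```

Entries inherited from the top folder show up here just like directly applied ones, so a folder listed in the output is one the inheritance did not reach.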
  • I am getting this error on Server 2016
    4 Posts | Last post October 10, 2017
    • I am running Windows Server 2016 and I am getting this error:
      
      PS C:\audit> C:\Audit\Monitor-File-Server-Activity.ps1
      Transcript started, output file is C:\Windows\Temp\Monitor-File-Server-Activity-Log.txt
      You cannot call a method on a null-valued expression.
      At C:\Audit\Monitor-File-Server-Activity.ps1:16 char:1
      + $Security_log.BackupEventlog($Truncated_Log_Path)
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : InvalidOperation: (:) [], ParentContainsErrorRecordException
          + FullyQualifiedErrorId : InvokeMethodOnNull
       
      
      PS C:\audit> 
    • and this error on CMD 
      
      C:\Audit>Powershell.exe -executionpolicy remotesigned -File C:\Audit\Monitor-File-Server-Activity.ps1
      Start-Transcript : Transcription cannot be started.
      At C:\Audit\Monitor-File-Server-Activity.ps1:5 char:1
      + Start-Transcript -path C:\Windows\Temp\Monitor-File-Server-Activity-L ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : InvalidOperation: (:) [Start-Transcript], PSInvalidOperationException
          + FullyQualifiedErrorId : CannotStartTranscription,Microsoft.PowerShell.Commands.StartTranscriptCommand
      
      
      
      __GENUS          : 2
      __CLASS          : __PARAMETERS
      __SUPERCLASS     :
      __DYNASTY        : __PARAMETERS
      __RELPATH        :
      __PROPERTY_COUNT : 1
      __DERIVATION     : {}
      __SERVER         :
      __NAMESPACE      :
      __PATH           :
      ReturnValue      : 3
      PSComputerName   :
      
      Get-ChildItem : Cannot find path 'C:\Event_Logs' because it does not exist.
      At C:\Audit\Monitor-File-Server-Activity.ps1:20 char:15
      + $Event_Logs = Get-ChildItem ($LogPath + "*.evtx") | ? {$_.LastWriteTi ...
      +               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : ObjectNotFound: (C:\Event_Logs:String) [Get-ChildItem], ItemNotFoundException
          + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand
      
      
      C:\Audit>
    • Getting the same errors in 2012R2. 
    • Hi Bassem Morcos,
      Have you found the answer yet?
      
      I am getting the same error, too.
      
      PS F:\Audit> F:\Audit\Monitor-File-Server-Activity.ps1
      Transcript started, output file is C:\Windows\Temp\Monitor-File-Server-Activity-Log.txt
      You cannot call a method on a null-valued expression.
      At F:\Audit\Monitor-File-Server-Activity.ps1:16 char:1
      + $Security_log.BackupEventlog($Truncated_Log_Path)
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : InvalidOperation: (:) [], ParentContainsErrorRecordException
          + FullyQualifiedErrorId : InvokeMethodOnNull
       
      
      
  • Sending HTML to multiple email addresses
    2 Posts | Last post August 03, 2017
    • Hey team, 
      
      The $Email_To variable can have multiple email addresses separated by comma, or should I be adding other email addresses under a new $Email_To variable?
      
      Example:
      
      $Email_To = "xyz.@domain.com,abc@domain.com"
      
      OR
      
      $Email_To = "xyz.@domain.com"
      $Email_To = "abc.@domain.com"
    • $Email_To = "xyz.@domain.com","abc@domain.com"
      
      It works this way.
  • Can you set it to monitor one specific folder rather than everything?
    1 Posts | Last post July 25, 2017
    • Can you set this script to monitor one specific folder instead of everything? I need to monitor one folder and report what has changed...
  • HTMLs and CSVs are blank
    2 Posts | Last post June 06, 2017
    • Hi Jeremy,
      
      I followed the steps religiously, but I'm getting blank HTML. It just says as below. Not sure what I'm missing here. A little help needed:
      
      This report lists files/folders that were created/modified, renamed, moved, or deleted on Tuesday, 6 June 2017
      
      Tested on servers running 2008 R2, 2012, 2012 R2 with clients running Windows 7 and 8.1.
      
      The Windows Security Event Logs underlying this script are compressed and retained for 90 days by default.
      
      Processed 458 events in 0.07 minutes (6543 events per minute).
    • Sorry, it was just me being silly about Audit logs permission. Got it fixed. It's a great script. Thanks mate.
  • Server 2012 R2 New file creation/move
    6 Posts | Last post June 05, 2017
    • Great script Jeremy! I've been testing on Windows Server 2012R2 and notice that when creating a file in an audited directory and then running the script, it throws an error "New-TimeSpan : Cannot bind parameter 'Start' to the target. Exception setting "Start": "Object reference not set to an instance of an object.".
      
      Also, if the only action taken is moving a file into the audited directory, the script gives no output of this event.
      
      Do you have any plans to implement these actions? Thanks.
    • The script is boring, but I have the same problem as you.
      I tested the script on Windows Server 2012.
      Thanks
    • I think I have this resolved on my 2012 R2 system. Edit Line 51 of the Functions.ps1 to be
      
      $TimeSpan = -((New-TimeSpan -Start $time -End $Pending_Delete[$Key].TimeCreated).TotalSeconds)
      
      Note the lowercase t in $time
    • Hi Spencer_RedRock, may I know how you resolved the audit of 'moved' files?
      I can't get it right on my 2012 R2 systems. Are you able to get files moved from different drives, or even copied to a user's desktop, logged and tracked?
    • I have tested the move actions, but only for moves within the same folder. Is anyone able to audit a whole drive (e.g. the D: drive) so that files moved within the drive are tracked?
    • "New-TimeSpan : Cannot bind parameter 'Start' to the target. Exception setting "Start": "Object reference not set to an instance of an object.".
      
      Happens when the code looks for the specific ID for create/modify. If there aren't any it will halt. I got around this by just tossing $ErrorActionPreference = "SilentlyContinue" at the top of functions.ps1
  • Integration with SQL Server
    2 Posts | Last post April 26, 2017
    • Is it possible to insert the results of the logs into a database using SQL Server?
      
      I'm new to PowerShell. Can you help me?
    • Yes, take a look at this.
      
      https://blog.netnerds.net/2013/03/importing-windows-forwarded-events-into-sql-server-using-powershell/
      
      
  • Hogging Server Resources
    5 Posts | Last post March 23, 2017
    • Love the concept of what you have done, although I am still waiting for a result after 9 and a half hours of running. Therefore, some suggestions:
      1. First move any archived log files to another server (Server2) with a scheduled task every 30 minutes.
      2. Implement script to run every hour (instead of daily) on Server2 to extract logs in the same way. 
      
      This will ensure resources on the file server remain optimal and allow you to see who deleted a file today instead of having to wait until tomorrow.
      
      
      
    • Hi GTEM, mind sharing how you performed the audit move actions?
      Did you modify the .ps1 PowerShell script which Mr Jeremy has created?
      
      I have only managed to insert a PowerShell function which copies the .html & .csv files over to another server location for storage of all logs.
      
      Appreciated ! 
    • Hi Supersen2002.
      Nope, I have not done it yet; it is just a suggestion at this stage, and I have started working on it.
      
      I had to cancel the scheduled task that was set up in Jeremy's instructions. When I looked at the log it created, I realised it had several failures because it was trying to access the files in the same location users were accessing them, and from the file server this is not the same location as it is when it is mapped for the user.
      
      Also wondering whether Jeremy is using an entire day's worth of logs for good reason. Seems like he is looking at several events (not just one at a time) to write his csv file. So it might not work running this every hour.
      
      # This job moves the archived Security event logs from the C: drive to the U: drive and then deletes moved logs older than $deletedays days
      $source = "C:\Windows\System32\winevt\Logs"
      $destination = "U:\TandUEventSecurityAudit"
      $movehours = 1
      $deletedays = 1
      # Move archives that have not been written to for $movehours hours; the active Security.evtx never matches the Archive-Security-* pattern
      Get-ChildItem -Path $source -Filter "Archive-Security-*.evtx" | Where-Object { $_.LastWriteTime -lt (Get-Date).AddHours(-$movehours) } | Move-Item -Destination $destination
      # Delete moved archives older than $deletedays days
      Get-ChildItem -Path $destination -Filter "Archive-Security-*.evtx" -Recurse -Force | Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -lt (Get-Date).AddDays(-$deletedays) } | Remove-Item -Force
      
    • Hi, thanks GTEM for the script. Do let us know if you also managed to solve the audit 'move' actions on Windows Server 2012 R2.
    • Well, I have now been struggling to try and debug this script for several days on several machines, but I guess this is just beyond my ability at the moment. I have been unable to get any results using this script. Supersen2003, it seems like we are the only two currently interested in this script, which seems to be somewhat dated.
      
      I am very surprised that it is so complex trying to get such essential and what I would say should be simple information from a Microsoft system. If anybody else has this working I would be interested to hear from you. 
      
      I am now going to stop working on this and instead look for another solution.
  • Getting null Valued expression message on: $Security_log.BackupEventlog($Truncated_Log_Path)
    2 Posts | Last post March 04, 2017
    • Hi, I am facing this issue while running the script on a file server, Windows Server 2012 R2. Kindly suggest; maybe I am doing something wrong in there.
      
      PS C:\Event_Logs> C:\Audit\Monitor-File-Server-Activity.ps1
      Transcript started, output file is C:\Windows\Temp\Monitor-File-Server-Activity-Log.txt
      You cannot call a method on a null-valued expression.
      At C:\Audit\Monitor-File-Server-Activity.ps1:16 char:1
      + $Security_log.BackupEventlog($Truncated_Log_Path)
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : InvalidOperation: (:) [], ParentContainsErrorRecordException
          + FullyQualifiedErrorId : InvokeMethodOnNull
      
    • You can't run the script from PowerShell directly; you need to create a .bat file to call it.
      
      Create a file in Notepad and save it as a .bat file with the following code:
      Powershell.exe -executionpolicy remotesigned -File C:\Audit\Monitor-File-Server-Activity.ps1
      
      
      Check your logs at C:\windows\temp\Monitor-File-Server-Activity-log.txt
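      The two errors quoted in this thread and in the Server 2016 thread above are consistent with a WMI Win32_NTEventLogFile call: "null-valued expression" means the lookup of the Security log returned nothing (typically a non-elevated session), and the __PARAMETERS block with ReturnValue 3 (the Win32 code for path not found) means the backup folder did not exist. As an added example, not the script's own code, this is the same backup step with those two conditions checked up front. It assumes Windows PowerShell 5.1 (Get-WmiObject), an elevated session, and a hypothetical $LogPath.

```powershell
# Added example: back up the Security log via Win32_NTEventLogFile with the failure cases surfaced.
function Backup-SecurityLog {
    param([string]$LogPath = 'C:\Event_Logs')   # hypothetical backup folder

    # ReturnValue 3 from BackupEventlog means the target folder was missing: create it first
    if (-not (Test-Path -LiteralPath $LogPath)) {
        New-Item -ItemType Directory -Path $LogPath | Out-Null
    }

    # Without the right to read the Security log (non-elevated session) this query returns nothing,
    # and calling .BackupEventlog() on $null is the "null-valued expression" error seen above
    $Security_log = Get-WmiObject -Class Win32_NTEventLogFile -Filter "LogFileName='Security'"
    if ($null -eq $Security_log) {
        throw "Win32_NTEventLogFile returned nothing for the Security log; run the script elevated."
    }

    $backup = Join-Path $LogPath ("Security-{0:yyyyMMdd-HHmmss}.evtx" -f (Get-Date))
    $result = $Security_log.BackupEventlog($backup)
    # 0 is success; any other value is the WMI/Win32 error code, e.g. 3 for a missing path
    if ($result.ReturnValue -ne 0) {
        throw "BackupEventlog failed with return code $($result.ReturnValue) for '$backup'."
    }
    return $backup
}

Backup-SecurityLog
```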
      
      
      