How to audit changed / deleted files - ver 1.25

Audit changed or deleted files on your Windows file server. This script makes a daily report in HTML, featuring search-as-you-type results.

 
 
 
 
 
5 Star
(7)
7,469 times
Add to favorites
9/13/2015
E-mail Twitter del.icio.us Digg Facebook
Sign in to ask a question


  • It fails run on Win 10 Ent
    2 Posts | Last post March 04, 2017
    • Even I define to get the event ID 4656,4659,4660,4663,4658 into report.
      CSV file is empty.
    • is there a need to define to get the event ID? 
      
      The script should supposedly help you to get the event IDs automatically instead 
  • unable to tracked MOVED files
    1 Posts | Last post March 04, 2017
    • hi everyone, i am still unable to track moved files even within the same drive (eg.C:\), anyone has the walk through which can done it?
      
      i am using window 2012 R2 to test the functions
      
      thanks you so much! cheers
  • Long processing time
    1 Posts | Last post February 02, 2017
    • All configured as per instructions, the scripts takes a day to process around 10 1GB evtx files (2008R2).
      Is there any way to reduce the time to produce the daily reports?
  • Monitor-File-Server-Activity-Log
    1 Posts | Last post December 27, 2016
    • Hi Jeremy
      
      I have an issue. What shoul I do?
      
      PS C:\Audit> TerminatingError(): "Exception calling "Substring" with "2" argument(s): "Index and length must refer to a location within the string.
      Parameter name: length""
      >> TerminatingError(Draw_Conclusions): "Exception calling "Substring" with "2" argument(s): "Index and length must refer to a location within the string.
      Parameter name: length""
      No events found
      No events found
      No events found
      No events found
      
  • mail server change
    1 Posts | Last post August 08, 2016
    • Hi, recently we update our mail server to office 365, i try to update the script but it failed. Seems like my powershell skill not enough.
      
      can u help me to update the script to send to office365
  • How to use this script to format Archived .evtx files?
    1 Posts | Last post July 14, 2016
    • I have used your script to audit files but this only audits the live Security Events of the server. What if we already have archived security .evtx files and I want to run your script on them. Can you please guide how can I run your script over archived files (i have 260+ files) 
  • report delete files/folders
    2 Posts | Last post July 12, 2016
    • Jeremy very good, but I have problems in the report. A report view files / folders deleted as created / modified.
      
      Can I help me?
    • Here's an informative article which covers step-wise instructions to enable auditing and track every critical changes made on file server - https://community.spiceworks.com/how_to/122828-how-to-enable-file-and-folder-access-auditing-on-windows-server-2008-and-2008-r2
  • Hello Jeremy
    1 Posts | Last post March 21, 2016
    • Thank you for great explanation,
      I've spent two weeks to find some deleted file,It did not make sense.
      Deleted file was not deleted, sombody in Microsoft had to be drung when created this log structure. But now I have to apply your script on existing (archive) log. Has anybody an Idea the quickest way to cahnge script. KR, Marcel
  • 7za.exe and report problem
    1 Posts | Last post March 15, 2016
    • Windows Server 2008 R2.
      -Turning on the advanced auditing don't register any folder deletion or creation. 
      -Turning on the legacy audit works but the script dont return any event when i'm testing delete and create folders.
      
      - I have the 7za.exe in the event_logs folder (Loghpath set) but don't zip the file and I keep receiveing warning of 7za missing.
      
      I would really apreciate you help for this script register folder deletion and creation.
      
      Thank you very much.
  • "Unable to convert an event to XML"
    1 Posts | Last post March 11, 2016
    • I am also seeing this error ("Unable to convert an event to XML") on server 2012 R2. Auditing applied to specific 'Shared' folder and its subdirectories. I can see the events accumulating in the Security log, but there seems to be a breakdown when producing the report. 
      
21 - 30 of 36 Items