
Scope Action – Windows Event Log Reporting

Use Goverlan Scope Actions to look for specific event log entries on your workstations and servers.

Disclaimer:

**These tutorials are for demonstration purposes. Please test all Scope Actions before deploying them into production.**

If you have never created a Scope Action before, please refer to the below video and the Scope Action Creation Basics article for more information.

Information

Use Goverlan Scope Actions to search the Windows Event Logs. This technique is very useful and has several applications. Here are some examples:

  • File System Auditing
  • Active Directory Object Auditing
  • BSOD detection
  • User Profile Loading issues
  • Network Firewall Monitoring
Note:

It may be necessary to enable the appropriate level of auditing in order to catch the required events.

https://technet.microsoft.com/en-us/library/dn319056.aspx

https://technet.microsoft.com/en-us/library/dn319078.aspx

In this tutorial we will be using the Win32_NTLogEvent WMI Class to query for Windows Events.
The following properties are available in the Win32_NTLogEvent class.

We will use the Win32_NTLogEvent class with different queries to gather the appropriate log entries. The queries will filter for specific Event IDs.

Here are a few resources for finding the Event IDs that you may want to query.

http://social.technet.microsoft.com/wiki/contents/articles/15232.active-directory-services-audit-document-references.aspx
http://blogs.technet.com/b/mspfe/archive/2013/08/27/auditing-file-access-on-file-servers.aspx

Common Event IDs

File System Auditing – Event ID 4663
Active Directory Object Auditing – See Link Above
BSOD Detection – Event ID 6008
Roaming Profile Loading Issues – Event ID 1521
Network Firewall Monitoring – Event ID 5031

In this example we will be looking for file access audit logs on a file server.

Prerequisites

In order to configure File Object Access auditing, please follow these directions.
https://technet.microsoft.com/en-us/library/cc776774%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

Once Object Access auditing is configured, your server will begin recording the following events in the Security log.

These events will show the Object (File or Folder Name in this example), and the Account Name of the Subject (the user who accessed the file).

All this data will be in the Message property of the Win32_NTLogEvent class.

Step 1 – Adding the WMI Query to a Goverlan Action Module

The scope target will be a file server.

Action Module

The first step is to add the appropriate WMI Query to Goverlan.
The following query will be used to find File Object Access events:

Select * From Win32_NTLogEvent Where EventIdentifier = 4663 AND Logfile = 'Security'

Adding the query to your Action Module configuration

Enter this query using the following Action Module menu item:

  1. Add \ Remove –> Report Computer Property –> WMI Objects –> Manage WMI Objects
  2. Choose “Use a separate list” and click the Manage Custom List link.
  3. Click the + and select “Add new query Object”
  4. Give the query a meaningful name. For this example we used “File System Access – Event ID 4663”
  5. Enter the query into the Query field and click OK.

Step 2 – Selecting the report columns

Now that the query is added to your configuration, the report fields can be selected using the Add \ Remove button:

Add \ Remove –> Report Computer Property –> WMI Objects –> File System Access – Event ID 4663
Choose the following columns for ease of readability:

  • Event Identifier
  • Type Event
  • Message
  • Time Generated

The important data will be in the Message property.

Step 3 – Specifying a condition to filter your results

Use the “Only if the following is true” section to search for specific data such as user names, or specific files.

Using the Add \ Remove button:
Add \ Remove –> Set Computer Condition –> WMI Objects –> File System Access – Event ID 4663 –> Message
Set the condition to “Contains” and enter the desired value.

For example, the desired value could be a folder or file path, or a user name.
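The query from Step 1 and the “Contains” filter from Step 3, as an added PowerShell example that is not part of this tutorial or of Goverlan: it runs the same WQL against a file server with Get-CimInstance and parses the Subject account, Object Name and Process Name out of each 4663 Message. The computer name and path filter are assumptions, and the sample message is constructed in the 4663 layout rather than captured from a real server.

```powershell
# Added example (not from the Goverlan tutorial): the Action Module's WQL query
# run from PowerShell, with each 4663 Message parsed into fields so the result
# can be filtered on the subject account or object path the way the
# "Message Contains" condition does. Assumes Object Access auditing is enabled
# on the folder and the session can read the Security log (admin / Event Log Readers).

$Query = "SELECT * FROM Win32_NTLogEvent WHERE EventIdentifier = 4663 AND Logfile = 'Security'"

function ConvertFrom-FileAuditMessage {
    # Pull the labelled lines ("Account Name:", "Object Name:", ...) out of the
    # rendered 4663 Message text; each of these labels appears once per event.
    param([Parameter(Mandatory)][string]$Message)
    $field = {
        param($Label)
        if ($Message -match "(?m)^\s*$([regex]::Escape($Label)):\s*(.+?)\s*$") { $Matches[1] }
    }
    [pscustomobject]@{
        AccountName = & $field 'Account Name'
        ObjectName  = & $field 'Object Name'
        ProcessName = & $field 'Process Name'
        Accesses    = & $field 'Accesses'
    }
}

function Get-FileAuditEvents {
    # Query a file server (assumed name) and keep events whose Object Name
    # contains $Path, which is what the tutorial's "Contains" condition achieves.
    param([string]$ComputerName = $env:COMPUTERNAME, [string]$Path = 'C:\TestAudit')
    Get-CimInstance -ComputerName $ComputerName -Query $Query | ForEach-Object {
        $f = ConvertFrom-FileAuditMessage -Message $_.Message
        $f | Add-Member -NotePropertyName TimeGenerated -NotePropertyValue $_.TimeGenerated -PassThru
    } | Where-Object { $_.ObjectName -like "*$Path*" }
}

# Constructed sample Message in the 4663 layout (not a captured event), so the
# parser can be checked without a file server; a live run is Get-FileAuditEvents.
$Sample = @"
An attempt was made to access an object.
Subject:
    Account Name:       Administrator
    Account Domain:     CONTOSO
Object:
    Object Name:        C:\TestAudit
Process Information:
    Process Name:       C:\Windows\explorer.exe
Access Request Information:
    Accesses:           ReadData (or ListDirectory)
"@
ConvertFrom-FileAuditMessage -Message $Sample
```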

Step 4 – Running the report

This action module can be used in a Custom Action to be run on demand or placed in a scope action to run on a schedule. It is important to note that the Scope Action schedule should match up with your event log rotation schedule. This will ensure that you do not miss events due to the logs being rotated.

The best way to view the report is through the HTML – Data Sheet model. This view can also be used to quickly find and filter additional data by using the SEARCH box in the report. Simply type in a user name or file/folder name to filter in those events.

The Message column will contain the relevant information regarding the access log.

Use the more>> link to display the full message.
In this example we can see the administrator account was used to access the C:\TestAudit folder using Explorer.exe.
