Use Goverlan Scope Actions to look for specific event log entries on your workstations and servers.
If you have never created a Scope Action before, please refer to the video below and the Scope Action Creation Basics article for more information.
Use Goverlan Scope Actions to search the Windows Event Logs. This technique is very useful and has several applications. Here are some examples:
- File System Auditing
- Active Directory Object Auditing
- BSOD detection
- User Profile Loading issues
- Network Firewall Monitoring
In this tutorial we will be using the Win32_NTLogEvent WMI Class to query for Windows Events.
The following properties are available in the Win32_NTLogEvent class.
We will use the Win32_NTLogEvent class with different queries to gather the appropriate log entries. The queries will filter for specific Event IDs.
Here are a few resources for finding the Event IDs that you may want to query.
Common Event IDs
- File System Auditing – Event ID 4663
- Active Directory Object Auditing – See Link Above
- BSOD Detection – Event ID 6008
- Roaming Profile Loading Issues – Event ID 1521
- Network Firewall Monitoring – Event ID 5031
In this example we will be looking for file access audit logs on a file server.
In order to configure File Object Access auditing, please follow these directions.
Once Access Object Auditing is configured, your server will begin showing the following Events in the security log.
These events will show the Object (File or Folder Name in this example), and the Account Name of the Subject (the user who accessed the file).
All this data will be in the Message property of the Win32_NTLogEvent class.
Step 1 – Adding the WMI Query to a Goverlan Action Module
The scope target will be a file server.
The first step is to add the appropriate WMI Query to Goverlan.
The following query will be used to find File Object Access events:
Select * From Win32_NTLogEvent Where EventIdentifier = 4663 AND Logfile = 'Security'
Adding the query to your Action Module configuration
Enter this query using the following Action Module menu items:
- Add \ Remove –> Report Computer Property –> WMI Objects –> Manage WMI Objects
- Choose “Use a separate list” and click the Manage Custom List link.
- Click the + and select "Add new query Object".
- Give the query a meaningful name. For this example we used "File System Access – Event ID 4663".
- Enter the query into the Query field and click OK.
Step 2 – Selecting the report columns
Now that the query is added to your configuration, the fields can be selected using the Add \ Remove button:
Add \ Remove –> Report Computer Property –> WMI Objects –> File System Access – Event ID 4663
Choose the following columns for ease of readability:
- Event Identifier
- Type Event
- Time Generated
The important data will be in the Message property.
Step 3 – Specifying a condition to filter your results
Use the “Only if the following is true” section to search for specific data such as user names, or specific files.
Using the Add \ Remove button:
Add \ Remove –> Set Computer Condition –> WMI Objects –> File System Access – Event ID 4663 –> Message
Set the condition to “Contains” and enter the desired value.
For example, the desired value could be a folder or file path, or a user name.
Step 4 – Running the report
This action module can be used in a Custom Action to be run on demand or placed in a scope action to run on a schedule. It is important to note that the Scope Action schedule should match up with your event log rotation schedule. This will ensure that you do not miss events due to the logs being rotated.
The best way to view the report is through the HTML – Data Sheet model. This view can also be used to quickly find and filter additional data by using the SEARCH box in the report. Simply type in a user name or file/folder name to filter in those events.
The Message column will contain the relevant information regarding the access log.
Use the more>> link to display the full message.
In this example we can see the administrator account was used to access the C:\TestAudit folder using Explorer.exe.
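The same query and "Contains" filter can be run outside Goverlan from PowerShell, which is handy for checking that auditing is actually producing 4663 events before you schedule the Scope Action. This is an added example, not part of the Goverlan article or product; it assumes it runs elevated on the file server, and the $Filter value (a folder path or user name) stands in for the Message condition described in Step 3.

```powershell
# Added example (not Goverlan's own code): run the tutorial's WQL query with
# Get-CimInstance and pull the Subject "Account Name", "Object Name" and
# "Process Name" lines out of each 4663 Message, the same data the report's
# Message column shows.
param(
    # Substring to look for in the Message; mirrors the "Contains" condition.
    [string]$Filter = 'C:\TestAudit'
)

# Same WQL the tutorial adds to the Action Module, restricted to the
# columns we use so the query is cheaper on a busy Security log.
$query = "SELECT EventIdentifier, TimeGenerated, Type, Message " +
         "FROM Win32_NTLogEvent " +
         "WHERE Logfile = 'Security' AND EventIdentifier = 4663"

# Helper: fetch one "Label:   value" line from the multi-line 4663 message.
function Get-MessageField {
    param([string]$Message, [string]$Label)
    $m = [regex]::Match($Message, "(?m)^\s*$Label`:\s+(.+?)\s*$")
    if ($m.Success) { $m.Groups[1].Value } else { '' }
}

Get-CimInstance -Query $query |
    # Escape the filter so a path like C:\TestAudit is matched literally.
    Where-Object { $_.Message -match [regex]::Escape($Filter) } |
    ForEach-Object {
        [pscustomobject]@{
            TimeGenerated = $_.TimeGenerated
            EventId       = $_.EventIdentifier
            Type          = $_.Type
            AccountName   = Get-MessageField $_.Message 'Account Name'
            ObjectName    = Get-MessageField $_.Message 'Object Name'
            ProcessName   = Get-MessageField $_.Message 'Process Name'
        }
    } | Format-Table -AutoSize
```

If the output is empty while Object Access auditing is enabled, check the SACL on the audited folder and the "Audit File System" subcategory before blaming the query; the Scope Action will be equally empty.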