
  • File Event-Log-SOX-audit.ps1 — part of check-in [80eca8ecc4] at 2018-06-10 13:21:26 on branch trunk — Sarbanes–Oxley (SOX) compliance auditing often requires proof of review of the Windows Security Log and remote connections. This script collects Server 2008's event-log entries and writes them to CSV files for review and/or long-term archiving. The combined Security filter below encompasses the Account Management, Audit Policy Changes, Failed Logins and Audit Cleared filters; the individual filters are left in place for possible granular reporting in the future. (user: DrDrewl size: 3057)

# encoding: ascii
# api: powershell
# title: Event Log SOX audit
# description: Sarbanes–Oxley (SOX) compliance auditing often requires proof of review of the Windows Security Log and remote connections. This script collects Server 2008's event-log entries and writes them to CSV files for review and/or long-term archiving. The combined Security filter below encompasses the Account Management, Audit Policy Changes, Failed Logins and Audit Cleared filters; the individual filters are left in place for possible granular reporting in the future.
# version: 0.1
# author: DrDrewl
# license: CC0
# x-poshcode-id: 3162
# x-archived: 2014-11-21T19:10:23
# x-published: 2014-01-13T11:58:00
#
#
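param(
    # Servers whose event logs are collected. The default keeps the original
    # hard-coded list; pass -Servers to audit a different set.
    [string[]]$Servers = @("Server01", "Server02", "Server03"),

    # UNC folder that receives one CSV per server and log (the original used
    # the placeholder \\networkpath). File names are fixed, so every run
    # overwrites the previous run's evidence: keep the share ACLed so the
    # people being audited cannot edit it, and archive copies elsewhere.
    [string]$OutputPath = "\\networkpath"
)

# Kept from the original for reference (local-host variant, unused).
#$computername = Get-Content env:computername

# Fail before touching any server if the evidence share is not reachable;
# otherwise every export would fail one by one with a less obvious error.
if (-not (Test-Path -LiteralPath $OutputPath)) {
    throw "Output path '$OutputPath' does not exist or is not reachable."
}

# --- Event filters --------------------------------------------------------
# Built once, outside the per-server loop: none of them depend on $server.
# Task numbers select audit categories of the Security-log provider; the
# keyword mask 4503599627370496 (0x10000000000000) is the Audit Failure bit.

# Combined Security-log filter used for the export. It is the union of the
# four granular filters below. Task 13573 is included so this stays in sync
# with $filter_AuditPolicyChanges (the original combined filter left it out,
# so "Other Policy Change" events would have been missed in the evidence).
$filter_Security = '<QueryList> <Query Id="0" Path="Security">
    <Select Path="Security">(*[System[Provider[@Name="Microsoft-Windows-Security-Auditing"] and
    (Task = 13824 or Task = 13825 or Task = 13826 or Task = 13827 or Task = 13828 or Task = 13829 or
    Task = 13568 or Task = 13569 or Task = 13570 or Task = 13571 or Task = 13572 or Task = 13573) or
    (Task = 12544 and (band(Keywords,4503599627370496)))]]) or (*[System[Provider[@Name="Microsoft-Windows-Eventlog"] and Task = 104]])
    </Select></Query></QueryList>'

# Account-management categories (Tasks 13824-13829). Not exported by default;
# retained for granular reporting.
$filter_AcctManagement = '<QueryList> <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name="Microsoft-Windows-Security-Auditing"] and
    (Task = 13824 or Task = 13825 or Task = 13826 or Task = 13827 or Task = 13828 or Task = 13829)]]
    </Select></Query></QueryList>'

# Audit/authentication/authorization policy-change categories (13568-13573).
$filter_AuditPolicyChanges = '<QueryList> <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name="Microsoft-Windows-Security-Auditing"] and
    (Task = 13568 or Task = 13569 or Task = 13570 or Task = 13571 or Task = 13572 or Task = 13573)]]
    </Select></Query></QueryList>'

# Logon category (12544) restricted to Audit Failure, i.e. failed logons.
$filter_FailedLogins = '<QueryList> <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name="Microsoft-Windows-Security-Auditing"] and
    (Task = 12544 and (band(Keywords,4503599627370496)))]]
    </Select></Query></QueryList>'

# Event-log service Task 104: the Security log was cleared. A gap in the
# evidence without one of these events is itself worth a reviewer's note.
$filter_AuditCleared = '<QueryList> <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name="Microsoft-Windows-Eventlog"] and Task = 104]]
    </Select></Query></QueryList>'

# Remote Desktop connection events (EventID 1149) from the Terminal Services
# RemoteConnectionManager operational log; exported as-is, every property.
$filter_RDP = '<QueryList> <Query Id="0" Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational">
    <Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational">*[System[Provider[@Name="Microsoft-Windows-TerminalServices-RemoteConnectionManager"] and (EventID=1149)]]
    </Select></Query></QueryList>'

function Export-AuditEvents {
    <#
    .SYNOPSIS
        Runs one XML event filter against one server and writes the matching
        events to a CSV file.
    .PARAMETER ComputerName
        Server to query.
    .PARAMETER FilterXml
        Event-log XML query (one of the $filter_* strings above).
    .PARAMETER Path
        Destination CSV file.
    .PARAMETER Property
        Optional list of event properties to keep; all properties when omitted.
    .NOTES
        Get-WinEvent raises an error both when the remote query fails (access
        denied, host down) and when the filter matches nothing ("No events
        were found ..."). Either way the error becomes a warning and the script
        moves on, so one bad server cannot abort the whole collection. A
        missing CSV therefore means "read the warning", not "zero events".
    #>
    param(
        [string]$ComputerName,
        [string]$FilterXml,
        [string]$Path,
        [string[]]$Property
    )

    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterXml $FilterXml -ErrorAction Stop
        if ($Property) {
            $events = $events | Select-Object -Property $Property
        }
        # -NoTypeInformation drops the "#TYPE ..." first line so the CSV opens
        # cleanly in the spreadsheet tools reviewers use.
        $events | Export-Csv -Path $Path -NoTypeInformation
    }
    catch {
        Write-Warning ("{0}: export to {1} failed: {2}" -f $ComputerName, $Path, $_.Exception.Message)
    }
}

# Reading the Security log of a remote host needs appropriate rights on that
# host (typically Event Log Readers membership or an administrative account);
# nothing here verifies them, so run under a suitably privileged account.
foreach ($server in $Servers) {
    Write-Host "Collecting audit events from $server"

    Export-AuditEvents -ComputerName $server -FilterXml $filter_RDP `
        -Path (Join-Path $OutputPath "$server.RDP.csv")

    # Same property set as the original export, so existing review sheets and
    # parsers keep working.
    Export-AuditEvents -ComputerName $server -FilterXml $filter_Security `
        -Path (Join-Path $OutputPath "$server.Security.csv") `
        -Property 'Message','ID','Task','RecordID','LogName','ProcessID','ThreadID','MachineName','TimeCreated','TaskDisplayName'
}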