    Windows Event Viewer Filter

    Scheduled Pinned Locked Moved IT Discussion
    25 Posts 4 Posters 1.3k Views
    • momurdaM
      momurda
      last edited by

      In the year 2018 Microsoft Event Viewer is unable to filter events by username.
      Seriously, what the fuck?

      1. Enable file auditing for a folder to find out who is deleting stuff.
      2. Go to Event Viewer>Security -- oh there are a bunch of Detailed File Share events now, that is exactly what I want. Open one, see a username, the file they opened/changed/deleted, good.
      3. Action Pane > Filter Current Log > Username field, type in username of a user that is listed in one of the Detailed File Share events. 0 results returned. Check with a different, valid username. 0 results returned.
      4. Rage and Rant here.
      dbeatoD ObsolesceO 2 Replies Last reply Reply Quote 2
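Added example, not from any poster in the thread: the Event Viewer "User" filter matches the System-level Security UserID of the event, which for Security log entries is normally the SYSTEM account, while the account that actually touched the share is recorded in the EventData field SubjectUserName. An XPath filter on that field, run through Get-WinEvent, pulls the Detailed File Share events (ID 5145) for one account and flags the ones that requested DELETE access. The account name, share wildcard and time window are parameters you supply; auditing of "Detailed File Share" must already be enabled and the script must run elevated on the file server.

```powershell
# Added example (not from the thread): list Detailed File Share events (5145)
# generated by one account, optionally narrowed to one share path.
param(
    [Parameter(Mandatory)] [string] $User,      # placeholder, e.g. 'jdoe' (XPath match is case-sensitive)
    [string] $ShareFilter = '*',                # wildcard on the share name, e.g. '*Invoices*'
    [int]    $Hours = 24                        # how far back to search
)

# Match on EventData/SubjectUserName, not on the System-level user the GUI filter uses.
# timediff() is the same function the Event Viewer's own XML filters use (milliseconds).
$ms    = $Hours * 3600000
$xpath = @"
*[System[EventID=5145 and TimeCreated[timediff(@SystemTime) <= $ms]]
  and EventData[Data[@Name='SubjectUserName']='$User']]
"@

$DeleteBit = 0x10000   # generic DELETE right as encoded in the 5145 AccessMask

Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction Stop | ForEach-Object {
    # Flatten the <Data Name="..."> elements of the event body into a hashtable
    $xml = [xml] $_.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $mask = [int] $d['AccessMask']             # AccessMask is logged as a hex string, e.g. 0x10080
    [pscustomobject] @{
        Time            = $_.TimeCreated
        User            = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        ClientIP        = $d['IpAddress']
        Share           = $d['ShareName']
        Target          = $d['RelativeTargetName']
        AccessMask      = ('0x{0:X}' -f $mask)
        RequestedDelete = (($mask -band $DeleteBit) -ne 0)
    }
} |
    Where-Object { $_.Share -like $ShareFilter } |
    Sort-Object Time |
    Format-Table -AutoSize
```

The same XPath expression can be pasted into the XML tab of Filter Current Log in the Event Viewer GUI, which is what the Username box does not do for Security events.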
      • DustinB3403D
        DustinB3403
        last edited by

        Yeah. . . the Event Viewer leaves a lot to be desired from time to time. I recall doing this at one of my first jobs in IT and saying the same thing.

        Why have event auditing. . . if you have to read every event? Filter to the thing that is critical!

        momurdaM 1 Reply Last reply Reply Quote 2
        • dbeatoD
          dbeato @momurda
          last edited by

          @momurda said in Windows Event Viewer Filter:

          In the year 2018 Microsoft Event Viewer is unable to filter events by username.
          Seriously, what the fuck?

          1. Enable file auditing for a folder to find out who is deleting stuff.
          2. Go to Event Viewer>Security -- oh there are a bunch of Detailed File Share events now, that is exactly what I want. Open one, see a username, the file they opened/changed/deleted, good.
          3. Action Pane > Filter Current Log > Username field, type in username of a user that is listed in one of the Detailed File Share events. 0 results returned. Check with a different, valid username. 0 results returned.
          4. Rage and Rant here.

          Yeah, that's why I have been using Netwrix or the one below:
          https://www.isdecisions.com/products/fileaudit/

          Otherwise it is a nightmare
          https://blogs.technet.microsoft.com/mspfe/2013/08/26/auditing-file-access-on-file-servers/

          DustinB3403D 1 Reply Last reply Reply Quote 1
          • DustinB3403D
            DustinB3403 @dbeato
            last edited by

            @dbeato said in Windows Event Viewer Filter:

            Otherwise it is a nightmare
            https://blogs.technet.microsoft.com/mspfe/2013/08/26/auditing-file-access-on-file-servers/

            I'd rather just buy some software to do that lol. . .

            1 Reply Last reply Reply Quote 0
            • momurdaM
              momurda @DustinB3403
              last edited by

              @dustinb3403 I knew it was an issue 10 years ago, at that time we bought Netwrix File Audit.
              10+ GD years later this problem still exists.

              DustinB3403D dbeatoD 2 Replies Last reply Reply Quote 1
              • DustinB3403D
                DustinB3403 @momurda
                last edited by

                @momurda said in Windows Event Viewer Filter:

                @dustinb3403 I knew it was an issue 10 years ago, at that time we bought Netwrix File Audit.
                10+ GD years later this problem still exists.

                10+ years later and Microsoft has this listed as a feature. . . 😛

                1 Reply Last reply Reply Quote 1
                • dbeatoD
                  dbeato @momurda
                  last edited by

                  @momurda said in Windows Event Viewer Filter:

                  @dustinb3403 I knew it was an issue 10 years ago, at that time we bought Netwrix File Audit.
                  10+ GD years later this problem still exists.

                  Me thinks it's time to move on to Linux 😛

                  1 Reply Last reply Reply Quote 0
                  • ObsolesceO
                    Obsolesce @momurda
                    last edited by

                    @momurda said in Windows Event Viewer Filter:

                    In the year 2018 Microsoft Event Viewer is unable to filter events by username.
                    Seriously, what the fuck?

                    1. Enable file auditing for a folder to find out who is deleting stuff.
                    2. Go to Event Viewer>Security -- oh there are a bunch of Detailed File Share events now, that is exactly what I want. Open one, see a username, the file they opened/changed/deleted, good.
                    3. Action Pane > Filter Current Log > Username field, type in username of a user that is listed in one of the Detailed File Share events. 0 results returned. Check with a different, valid username. 0 results returned.
                    4. Rage and Rant here.

                    Yeah, there's a lot to be desired in the built-in Event Viewer.

                    The events contain all the data, but you can't search for it.

                    Even in PowerShell you can't search for usernames. You're still basically limited to what you can filter in Event Viewer.

                    You need a 3rd party program to do it right... one that tracks through it and indexes the stuff you actually want to search for.

                    ObsolesceO momurdaM 2 Replies Last reply Reply Quote 0
                    • ObsolesceO
                      Obsolesce @Obsolesce
                      last edited by

                      @tim_g
                      Maybe that can be a mini PHP project for me later on!

                      A simple database+PHP web app... you feed it an event log, and it stashes the data appropriately in the database... and allows you to search it.

                      It sounds fun.

                      1 Reply Last reply Reply Quote 1
                      • momurdaM
                        momurda @Obsolesce
                        last edited by

                        @tim_g @dbeato @DustinB3403
                        Perhaps I could point these at graylog and be able to actually do something with the information.

                        DustinB3403D dbeatoD 2 Replies Last reply Reply Quote 0
                        • DustinB3403D
                          DustinB3403 @momurda
                          last edited by

                          @momurda said in Windows Event Viewer Filter:

                          @tim_g @dbeato @DustinB3403
                          Perhaps I could point these at graylog and be able to actually do something with the information.

                          Possible, would be interesting to see what you do with them. I really only use windows event logs to find BSOD issues.

                          User issues I correct with a bat. . .

                          momurdaM 1 Reply Last reply Reply Quote 1
                          • momurdaM
                            momurda @DustinB3403
                            last edited by

                            @dustinb3403 I only want to find out who is accidentally deleting invoices.

                            DustinB3403D ObsolesceO 2 Replies Last reply Reply Quote 0
                            • DustinB3403D
                              DustinB3403 @momurda
                              last edited by

                              @momurda said in Windows Event Viewer Filter:

                              @dustinb3403 I only want to find out who is "accidentally" deleting invoices.

                              I've ftfy.

                              1 Reply Last reply Reply Quote 0
                              • ObsolesceO
                                Obsolesce @momurda
                                last edited by Obsolesce

                                @momurda said in Windows Event Viewer Filter:

                                @dustinb3403 I only want to find out who is accidentally deleting invoices.

                                If you have the file name, you can open the event log and "Find" that file.

                                You can filter just for deletion events, and use find to find the file or user.

                                DustinB3403D 1 Reply Last reply Reply Quote 1
                                • dbeatoD
                                  dbeato @momurda
                                  last edited by

                                  @momurda said in Windows Event Viewer Filter:

                                  @tim_g @dbeato @DustinB3403
                                  Perhaps I could point these at graylog and be able to actually do something with the information.

                                  Yes, you could. https://marketplace.graylog.org/addons/750b88ea-67f7-47b1-9a6c-cbbc828d9e25

                                  DustinB3403D 1 Reply Last reply Reply Quote 0
                                  • DustinB3403D
                                    DustinB3403
                                    last edited by

                                    Are these PDF copies of your invoices? Why isn't your invoicing system keeping record of these?

                                    momurdaM 1 Reply Last reply Reply Quote 1
                                    • DustinB3403D
                                      DustinB3403 @dbeato
                                      last edited by

                                      @dbeato said in Windows Event Viewer Filter:

                                      @momurda said in Windows Event Viewer Filter:

                                      @tim_g @dbeato @DustinB3403
                                      Perhaps I could point these at graylog and be able to actually do something with the information.

                                      Yes, you could. https://marketplace.graylog.org/addons/750b88ea-67f7-47b1-9a6c-cbbc828d9e25

                                      This doesn't appear to be for File events, more AD events on the user and group side of things rather than the share side of things.

                                      dbeatoD 1 Reply Last reply Reply Quote 0
                                      • DustinB3403D
                                        DustinB3403 @Obsolesce
                                        last edited by

                                        @tim_g said in Windows Event Viewer Filter:

                                        @momurda said in Windows Event Viewer Filter:

                                        @dustinb3403 I only want to find out who is accidentally deleting invoices.

                                        If you have the file name, you can open the event log and "Find" that file.

                                        You can filter just for deletion events, and use find to find the file or user.

                                        Honestly you should be able to "find" events by the user who they are generated about.

                                        momurdaM 1 Reply Last reply Reply Quote 0
                                        • dbeatoD
                                          dbeato @DustinB3403
                                          last edited by

                                          @dustinb3403 said in Windows Event Viewer Filter:

                                          @dbeato said in Windows Event Viewer Filter:

                                          @momurda said in Windows Event Viewer Filter:

                                          @tim_g @dbeato @DustinB3403
                                          Perhaps I could point these at graylog and be able to actually do something with the information.

                                          Yes, you could. https://marketplace.graylog.org/addons/750b88ea-67f7-47b1-9a6c-cbbc828d9e25

                                          This doesn't appear to be for File events, more AD events on the user and group side of things rather than the share side of things.

                                          You are right, let's see this one then
                                          https://marketplace.graylog.org/addons/f42b42f3-c269-45e3-8fc8-923f2194001b
                                          he can check all of them here
                                          https://marketplace.graylog.org/addons?tag=Windows

                                          1 Reply Last reply Reply Quote 0
                                          • momurdaM
                                            momurda @DustinB3403
                                            last edited by

                                            @dustinb3403 said in Windows Event Viewer Filter:

                                            Are these PDF copies of your invoices? Why isn't your invoicing system keeping record of these?

                                            Invoicing system, what is that?
                                            These pdfs are generated sales orders in CRM that the finance people turn into invoices to send out to customers. They use QB to do that currently, but we are implementing an ERP which hopefully will automate this 1960s workflow.

                                            DustinB3403D dbeatoD 2 Replies Last reply Reply Quote 2