Hello! What I’m writing about today concerns generating events in the Security Log on Win2008 R2 for auditing purposes. Information on this specific action is fairly scare online, from what I’ve seen, after some extensive searching.
If there were a utility that would facilitate this, that would be ideal, but I’m not seeing anything of that nature. I see that there are some APIs (e.g. AuthzReportSecurityEvent) that allow this sort of thing, but I’m not quite sure where to start with those. I pick up most programming things pretty quickly, but I’ve not done anything with C# or .NET before.
My initial thought was to use eventcreate and write a simple batch file to generate a bunch of events, but eventcreate turned out to be a dead end, since I need to audit occurrences of lots of events in the 4XXX range, like 4726.
I then tried PowerShell (New-EventLog –LogName Security –Source “TEST” thenWrite-EventLog –LogName Security –Source “TEST” –EntryType Information –EventID 1 –Message “TESTING”) but with the Security log being locked down that won’t fly.
I tried giving myself full rights on the eventlog registry key and the security key specifically, but that didn't work. Is there something obvious that I'm missing?
If I need to call the APIs with a script or application of some sort (ideally a script), I can look into that, but I’m afraid that I’m rather puzzled on how to start.
Thank you very much for your time!
If there were a utility that would facilitate this, that would be ideal, but I’m not seeing anything of that nature. I see that there are some APIs (e.g. AuthzReportSecurityEvent) that allow this sort of thing, but I’m not quite sure where to start with those. I pick up most programming things pretty quickly, but I’ve not done anything with C# or .NET before.
My initial thought was to use eventcreate and write a simple batch file to generate a bunch of events, but eventcreate turned out to be a dead end, since I need to audit occurrences of lots of events in the 4XXX range, like 4726.
I then tried PowerShell (New-EventLog –LogName Security –Source “TEST” thenWrite-EventLog –LogName Security –Source “TEST” –EntryType Information –EventID 1 –Message “TESTING”) but with the Security log being locked down that won’t fly.
I tried giving myself full rights on the eventlog registry key and the security key specifically, but that didn't work. Is there something obvious that I'm missing?
If I need to call the APIs with a script or application of some sort (ideally a script), I can look into that, but I’m afraid that I’m rather puzzled on how to start.
Thank you very much for your time!