Hi All,
I am working on a script which would send an audit report in CSV format every 24 hours. The problem that I am facing is that when I take the report out, it has a lot of .tmp files in it which are not really relevant. I want to omit them from the result. Currently I have the following done.
PowerShell script to capture the events and dump it in a CSV file and then send the file using VBScript.
$events = Get-WinEvent -FilterXml ([xml](Get-Content C:\ADMIN\Temp\Audit\CustomFilter.xml))
$Name = @{ label="Username"; Expression={$_.properties[1].value} }
$File = @{ label="FileName"; Expression={$_.properties[6].value} }
get-winevent -filterXML ([xml](Get-Content C:\ADMIN\Temp\Audit\CustomFilter.xml)) | select $Name,$File | export-csv C:\ADMIN\Temp\Audit\DeleteEventLog.csv
cscript /nologo C:\ADMIN\Temp\Audit\SendMail.vbs
Contents of the CustomFilter.xml
<QueryList>
<Query Id="0">
<Select Path="Security">
*[System[TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
and
*[EventData[Data[@Name='ObjectName'] and (Data!='*.tmp')]]
and
*[System[(EventID='4663')]]
</Select>
</Query>
</QueryList>
For some reason, the data doesn't get filtered for the *.tmp files.
I have also tried using the following, but it still doesn't work.
Get-WinEvent -FilterHashTable @{logname='security'; ID=4663} | where {$_.properties[6] -notlike "*tmp"}
Someone please help!
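
An added example, not part of the original post: the XPath subset accepted by the event log does no wildcard matching, so `Data!='*.tmp'` is compared as a literal string, and `$_.properties[6]` is an EventProperty object whose text is in `.Value`. The sketch below filters on log, event ID and time on the server side and drops the `.tmp` entries client-side; the paths and property indexes are the ones used in the post.

```powershell
# Added example, not the poster's code.
$since   = (Get-Date).AddHours(-24)
$csvPath = 'C:\ADMIN\Temp\Audit\DeleteEventLog.csv'   # path from the post

# Server-side filter: log, event ID and time window only.
$filter = @{ LogName = 'Security'; Id = 4663; StartTime = $since }

try {
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
}
catch {
    # Get-WinEvent reports "no matching events" as an error; treat that one
    # case as an empty result and let every other failure surface.
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
        $events = @()
    }
    else {
        throw
    }
}

$rows = @(
    $events |
        ForEach-Object {
            # Read .Value to get the string held by each EventProperty.
            [pscustomobject]@{
                Username = $_.Properties[1].Value   # SubjectUserName
                FileName = $_.Properties[6].Value   # ObjectName
            }
        } |
        # -notlike is case-insensitive, so .TMP is excluded as well.
        Where-Object { $_.FileName -notlike '*.tmp' }
)

$rows | Export-Csv -Path $csvPath -NoTypeInformation
"{0} of {1} events kept after excluding .tmp files" -f $rows.Count, @($events).Count
```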