Event Log XML : Query for modified (including Group Policy) objects


If you are looking to filter certain events in the Event Log, the traditional approach is to right-click the log and choose "Filter current event log", as below, which should be familiar to anyone who works with event logs:


However, you also get the XML tab, which at this point is greyed out, as you can see below:


If you then tick the box "Edit query manually" you get a warning dialogue telling you that you can no longer use the "modify controls" from earlier; accept this with Yes:


You then have the option to use XML to query the Event Log, which lets you be far more granular than the graphical filter.

XML : View Modification to Active Directory by a certain Employee

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=5136)]]
      and
      *[EventData[Data[@Name='SubjectUserName']='perpetrator']]
    </Select>
  </Query>
</QueryList>

XML : View Modifications to Active Directory Group Policy by a certain employee

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=5136 or EventID=5137 or EventID=5141)]]
      and
      *[EventData[Data[@Name='ObjectClass']='groupPolicyContainer']]
      and
      *[EventData[Data[@Name='SubjectUserName']='perpetrator']]
    </Select>
  </Query>
</QueryList>

XML : View any modifications on that server with Auditing enabled

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name='SubjectUserName']='perpetrator']]
    </Select>
  </Query>
</QueryList>

This gives you a flavour of what can be done, but what if you need to script this across all your domain controllers and output a CSV with all that data at the end?

Create a file called GPOUpdateQuery.xml containing the XML you would like to run on the target servers (in this case the GPO modification query above). The following script reads that file and exports all matching entries.

Script : GPOMonitorXML.ps1

# Requires the ActiveDirectory module (RSAT) and rights to read the Security log on each DC remotely
Import-Module ActiveDirectory

# Read the XML query prepared earlier (-Raw keeps it as one string so it parses as a single XML document)
$xmlQuery = Get-Content -Path "GPOUpdateQuery.xml" -Raw

# Get all domain controllers
$domainControllers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Hostname

# Initialize an array to store results
$results = @()

# Query each domain controller
foreach ($dc in $domainControllers) {
    Write-Host "Querying $dc..."
    # Get-WinEvent raises a terminating error when nothing matches, so treat "no events" as an empty result
    $events = Get-WinEvent -ComputerName $dc -FilterXml $xmlQuery -ErrorAction SilentlyContinue

    foreach ($event in $events) {
        # Read the EventData fields by name rather than by positional index, which differs between event IDs
        $data = @{}
        foreach ($d in ([xml]$event.ToXml()).Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }

        $eventData = @{
            TimeCreated = $event.TimeCreated
            DomainController = $dc
            EventID = $event.Id
            UserName = $data['SubjectUserName']
            # The event carries the GPO's distinguished name (its GUID), not its display name
            GPOName = $data['ObjectDN']
            Action = switch ($event.Id) {
                5136 { "Modified" }
                5137 { "Created" }
                5141 { "Deleted" }
            }
        }
        $results += New-Object PSObject -Property $eventData
    }
}

# Export results to CSV
$results | Export-Csv -Path "GPOUpdates.csv" -NoTypeInformation

Write-Host "Query complete. Results exported to GPOUpdates.csv"
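As an added example (not part of the original post or its script), the following decodes a 5136 record into the attribute-level detail the CSV above does not carry: which GPO attribute changed and whether the value was added or removed. The event is a constructed sample trimmed to the fields used, and ConvertFrom-DsChangeEvent is a name chosen here.

```powershell
# Constructed sample of a 5136 event: placeholder values, shape of a real record, trimmed to the fields used
$sample5136 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID><TimeCreated SystemTime="2024-01-01T10:00:00.000Z"/><Computer>DC01.example.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">perpetrator</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="ObjectDN">CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=local</Data>
    <Data Name="ObjectClass">groupPolicyContainer</Data>
    <Data Name="AttributeLDAPDisplayName">gPCFileSysPath</Data>
    <Data Name="AttributeValue">\\example.local\SysVol\example.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}</Data>
    <Data Name="OperationType">%%14674</Data>
  </EventData>
</Event>
'@

function ConvertFrom-DsChangeEvent {
    # Turns the XML of a 5136/5137/5141 record into a flat object with the fields that matter for review
    param([Parameter(Mandatory)][string]$EventXml)
    $xml  = [xml]$EventXml
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
    # A modify of a single-valued attribute produces two 5136 events: %%14675 (old value deleted), then %%14674 (new value added)
    $operation = switch ($data['OperationType']) {
        '%%14674' { 'ValueAdded' }
        '%%14675' { 'ValueDeleted' }
        default   { $data['OperationType'] }
    }
    # A GPO's ObjectDN starts with its GUID; Get-GPO -Guid resolves it to the display name on a domain member
    $gpoGuid = if ($data['ObjectDN'] -match '^CN=(\{[0-9A-Fa-f-]+\})') { $Matches[1] } else { $null }
    [pscustomobject]@{
        TimeCreated = [datetime]$xml.Event.System.TimeCreated.SystemTime
        Computer    = $xml.Event.System.Computer
        EventID     = [int]$xml.Event.System.EventID
        User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        ObjectClass = $data['ObjectClass']
        GpoGuid     = $gpoGuid
        Attribute   = $data['AttributeLDAPDisplayName']
        Operation   = $operation
        Value       = $data['AttributeValue']
    }
}

# Offline usage on the constructed sample; with a live query pass $event.ToXml() instead
ConvertFrom-DsChangeEvent -EventXml $sample5136 | Format-List
```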
