EvotecIT / PSWinReporting

This PowerShell Module has multiple functionalities, but one of the signature features of this module is the ability to parse Security logs on Domain Controllers providing easy to use access to AD Events.
MIT License

Group Policy Changes not showing up in report #53

Closed wemener closed 5 years ago

wemener commented 5 years ago

I opened up a reddit thread on this here:

https://www.reddit.com/r/sysadmin/comments/butx09/help_with_group_policy_auditing/

Taking a look at it and running just the group policy events does not give any kind of output. Not sure if others are seeing this, but all the other parts of the module are working correctly. Any ideas?

PrzemyslawKlys commented 5 years ago

I'll take a look at it during the weekend and test that. But generally, it should just work. Can you provide which IDs you are seeing in your Event Log that are not returned by my module? Also, can you provide the output from Find-Events along with what you're actually using, with the -Verbose parameter in place? Of course, please sanitize it of your company data. But the more output you provide the better.

wemener commented 5 years ago

I am looking specifically for 5136-37, and 5141. I can for sure see them in the Event logs on my DC. I am using the following command:

$Events = Find-Events -Report $Reports -DatesRange Last7days -Servers 'DC1', 'DC2' -Verbose
Dashboard -FilePath $PSScriptRoot\AD-Events.html -Name 'Dashimo - FindEvents' -Show

This is the output that I get. Seems like it is finding everything but no data showing for the Group Policy tab or the Logs tab.

Thanks again for your help.

PSWinReporting_Output.txt

PrzemyslawKlys commented 5 years ago

Group Policy is a special case. Here's the definition for it. For example, events 5136, 5137 and 5141 can exist and still be filtered out as not useful. It's really hard to get GPO changes, but it should work in a limited fashion.

    ADGroupPolicyChanges                = [ordered] @{
        Enabled                     = $false
        'Group Policy Name Changes' = @{
            Enabled     = $true
            Events      = 5136, 5137, 5141
            LogName     = 'Security'
            Filter      = @{
                # Filter is special, if there is just one object on the right side
                # If there are more objects filter will pick all values on the right side and display them as required
                'ObjectClass'              = 'groupPolicyContainer'
                #'OperationType'            = 'Value Added'
                'AttributeLDAPDisplayName' = $null, 'displayName' #, 'versionNumber'
            }
            Functions   = @{
                'OperationType' = 'ConvertFrom-OperationType'
            }
            Fields      = [ordered] @{
                'RecordID'                 = 'Record ID'
                'Computer'                 = 'Domain Controller'
                'Action'                   = 'Action'
                'Who'                      = 'Who'
                'Date'                     = 'When'

                'ObjectDN'                 = 'ObjectDN'
                'ObjectGUID'               = 'ObjectGUID'
                'ObjectClass'              = 'ObjectClass'
                'AttributeLDAPDisplayName' = 'AttributeLDAPDisplayName'
                #'AttributeSyntaxOID'       = 'AttributeSyntaxOID'
                'AttributeValue'           = 'AttributeValue'
                'OperationType'            = 'OperationType'
                'OpCorrelationID'          = 'OperationCorelationID'
                'AppCorrelationID'         = 'OperationApplicationCorrelationID'

                'DSName'                   = 'DSName'
                'DSType'                   = 'DSType'
                'Task'                     = 'Task'
                'Version'                  = 'Version'

                # Common Fields
                'ID'                       = 'Event ID'

                'GatheredFrom'             = 'Gathered From'
                'GatheredLogName'          = 'Gathered LogName'
            }

            SortBy      = 'Record ID'
            Descending  = $false
            IgnoreWords = @{

            }
        }
        'Group Policy Edits'        = @{
            Enabled     = $true
            Events      = 5136, 5137, 5141
            LogName     = 'Security'
            Filter      = @{
                # Filter is special, if there is just one object on the right side
                # If there are more objects filter will pick all values on the right side and display them as required
                'ObjectClass'              = 'groupPolicyContainer'
                #'OperationType'            = 'Value Added'
                'AttributeLDAPDisplayName' = 'versionNumber'
            }
            Functions   = @{
                'OperationType' = 'ConvertFrom-OperationType'
            }
            Fields      = [ordered] @{
                'RecordID'                 = 'Record ID'
                'Computer'                 = 'Domain Controller'
                'Action'                   = 'Action'
                'Who'                      = 'Who'
                'Date'                     = 'When'

                'ObjectDN'                 = 'ObjectDN'
                'ObjectGUID'               = 'ObjectGUID'
                'ObjectClass'              = 'ObjectClass'
                'AttributeLDAPDisplayName' = 'AttributeLDAPDisplayName'
                #'AttributeSyntaxOID'       = 'AttributeSyntaxOID'
                'AttributeValue'           = 'AttributeValue'
                'OperationType'            = 'OperationType'
                'OpCorrelationID'          = 'OperationCorelationID'
                'AppCorrelationID'         = 'OperationApplicationCorrelationID'

                'DSName'                   = 'DSName'
                'DSType'                   = 'DSType'
                'Task'                     = 'Task'
                'Version'                  = 'Version'

                # Common Fields
                'ID'                       = 'Event ID'

                'GatheredFrom'             = 'Gathered From'
                'GatheredLogName'          = 'Gathered LogName'
            }

            SortBy      = 'Record ID'
            Descending  = $false
            IgnoreWords = @{

            }
        }
        'Group Policy Links'        = @{
            Enabled     = $true
            Events      = 5136, 5137, 5141
            LogName     = 'Security'
            Filter      = @{
                # Filter is special, if there is just one object on the right side
                # If there are more objects filter will pick all values on the right side and display them as required
                'ObjectClass' = 'domainDNS'
                #'OperationType'            = 'Value Added'
                #'AttributeLDAPDisplayName' = 'versionNumber'
            }
            Functions   = @{
                'OperationType' = 'ConvertFrom-OperationType'
            }
            Fields      = [ordered] @{
                'RecordID'                 = 'Record ID'
                'Computer'                 = 'Domain Controller'
                'Action'                   = 'Action'
                'Who'                      = 'Who'
                'Date'                     = 'When'

                'ObjectDN'                 = 'ObjectDN'
                'ObjectGUID'               = 'ObjectGUID'
                'ObjectClass'              = 'ObjectClass'
                'AttributeLDAPDisplayName' = 'AttributeLDAPDisplayName'
                #'AttributeSyntaxOID'       = 'AttributeSyntaxOID'
                'AttributeValue'           = 'AttributeValue'
                'OperationType'            = 'OperationType'
                'OpCorrelationID'          = 'OperationCorelationID'
                'AppCorrelationID'         = 'OperationApplicationCorrelationID'

                'DSName'                   = 'DSName'
                'DSType'                   = 'DSType'
                'Task'                     = 'Task'
                'Version'                  = 'Version'

                # Common Fields
                'ID'                       = 'Event ID'

                'GatheredFrom'             = 'Gathered From'
                'GatheredLogName'          = 'Gathered LogName'
            }

            SortBy      = 'Record ID'
            Descending  = $false
            IgnoreWords = @{

            }
        }
    }

At first sight it seems I've broken the "Filtering" option. I'll take a look.
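To make the Filter semantics in the definition above concrete, here is an added example (my own code, not PSWinReporting's) that applies the three ADGroupPolicyChanges filters to a handful of constructed directory-service audit events. It assumes the semantics the comments in the definition describe: a single value on the right side is an exact match, a list means "any of these", and a $null in the list admits events that carry no such field at all (which is how 5137 create and 5141 delete events, which have no AttributeLDAPDisplayName, can pass the "Group Policy Name Changes" filter). The GPO GUID, SYSVOL path and domain name in the sample events are made up; the field names match the EventData of real 5136/5137 events.

```powershell
# Added example, not PSWinReporting code: re-implements the Filter matching
# from the ADGroupPolicyChanges definition and runs it over constructed events.
# Assumed semantics: scalar = exact match, list = any-of, $null = field absent.
function Test-EventFilter {
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Event,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Filter
    )
    foreach ($key in $Filter.Keys) {
        $allowed = @($Filter[$key])      # @($null) is a one-element array holding $null
        $actual  = $Event[$key]
        $hit = $false
        foreach ($value in $allowed) {
            if ($null -eq $value) {
                if ([string]::IsNullOrEmpty($actual)) { $hit = $true; break }
            } elseif ($actual -eq $value) {
                $hit = $true; break
            }
        }
        if (-not $hit) { return $false }  # every filter key must match
    }
    return $true
}

# The three sub-report filters, copied from the definition above.
$GpoFilters = [ordered] @{
    'Group Policy Name Changes' = @{ ObjectClass = 'groupPolicyContainer'; AttributeLDAPDisplayName = $null, 'displayName' }
    'Group Policy Edits'        = @{ ObjectClass = 'groupPolicyContainer'; AttributeLDAPDisplayName = 'versionNumber' }
    'Group Policy Links'        = @{ ObjectClass = 'domainDNS' }
}

# Constructed sample events (GUID, path and domain are made up). Field names are
# those of the EventData in real 5136/5137 records; %%14674 is "Value Added".
$GpoGuid = '{1A2B3C4D-1111-4222-8333-444455556666}'
$SampleEvents = @(
    @{ ID = 5137; ObjectClass = 'groupPolicyContainer'; ObjectDN = "CN=$GpoGuid,CN=Policies,CN=System,DC=example,DC=local" }
    @{ ID = 5136; ObjectClass = 'groupPolicyContainer'; AttributeLDAPDisplayName = 'displayName';    AttributeValue = 'Test GPO'; OperationType = '%%14674' }
    @{ ID = 5136; ObjectClass = 'groupPolicyContainer'; AttributeLDAPDisplayName = 'versionNumber';  AttributeValue = '65537';    OperationType = '%%14674' }
    @{ ID = 5136; ObjectClass = 'groupPolicyContainer'; AttributeLDAPDisplayName = 'gPCFileSysPath'; AttributeValue = "\\example.local\SysVol\example.local\Policies\$GpoGuid"; OperationType = '%%14674' }
    @{ ID = 5136; ObjectClass = 'domainDNS';            AttributeLDAPDisplayName = 'gPLink';         AttributeValue = "[LDAP://CN=$GpoGuid,CN=Policies,CN=System,DC=example,DC=local;0]"; OperationType = '%%14674' }
)

# Apply each sub-report filter and summarise which events survived it.
function Get-GpoReportMatches {
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary[]] $Events,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Definitions
    )
    foreach ($name in $Definitions.Keys) {
        $matched = @($Events | Where-Object { Test-EventFilter -Event $_ -Filter $Definitions[$name] })
        [PSCustomObject] @{
            Report  = $name
            Matched = $matched.Count
            Details = ($matched | ForEach-Object { "$($_.ID):$($_.AttributeLDAPDisplayName)" }) -join ', '
        }
    }
}
Get-GpoReportMatches -Events $SampleEvents -Definitions $GpoFilters | Format-Table -AutoSize

# To run the same filters over real DC events, flatten Get-WinEvent records into
# the same hashtable shape (each EventData/Data element carries a Name attribute).
function ConvertFrom-DsEvent {
    param([Parameter(Mandatory, ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventLogRecord] $Record)
    process {
        $xml = [xml] $Record.ToXml()
        $h = @{ ID = $Record.Id; Computer = $Record.MachineName; Date = $Record.TimeCreated }
        foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
        $h
    }
}
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5141 } -MaxEvents 500 |
#     ConvertFrom-DsEvent | Where-Object { Test-EventFilter -Event $_ -Filter $GpoFilters['Group Policy Edits'] }
```

The interesting row is the 5136 event that changes gPCFileSysPath: it is a genuine GPO modification sitting in the Security log, yet it matches none of the three filters, which is exactly the "can exist and still be filtered out as not useful" case described above. If you want such attributes reported, the place to change is the AttributeLDAPDisplayName list of the relevant sub-report, not the Events list.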

PrzemyslawKlys commented 5 years ago

Found an error. It's fixed, but doing some testing for other small things. Should be released before Monday. Thank you

wemener commented 5 years ago

Amazing. Can't wait for the update.

PrzemyslawKlys commented 5 years ago

Released. Feel free to reopen if there's still an issue. If you find anything else let me know.

wemener commented 5 years ago

Still not showing up for me on my end. I ran just the group policy piece by itself and it is still showing up as empty even though it can find an event. I created a brand new test group policy and it seems to be picking that up, but it is not showing up in the Dashimo HTML.

PrzemyslawKlys commented 5 years ago

Can you get me this?

Get-Module -ListAvailable PSWinReportingV2

wemener commented 5 years ago

ModuleType Version    Name                 ExportedCommands
---------- -------    ----                 ----------------
Script     2.0.11     PSWinReportingV2     {Add-EventsDefinitions, Add-WinTaskScheduledForwarder, F...
Script     2.0.10     PSWinReportingV2     {Add-EventsDefinitions, Add-WinTaskScheduledForwarder, F...
Script     2.0.8      PSWinReportingV2     {Add-EventsDefinitions, Add-WinTaskScheduledForwarder, F...

PrzemyslawKlys commented 5 years ago

And you did restart PowerShell after installation, right?

Seems to work here:

[screenshot]

wemener commented 5 years ago

I did restart PowerShell. I get the same output as you, but when I use Dashimo it does not display anything. I guess the issue is with the Dashimo module and not this one.

Dashboard -FilePath $PSScriptRoot\group-policy.html -Name 'Dashimo - FindEvents' -Show {
    Tab -Name 'Group Policy Changes' {
        Section -Name 'ADGroupPolicyChanges' {
            Table -DataTable $Events.ADGroupPolicyChanges
        }
    }
}

That is the rest of the script that I use.

PrzemyslawKlys commented 5 years ago

Ok well, this will not work for one reason... The output of Find-Events comes in two shapes. If you ask for one report you get an array as output, but if you ask for two or more reports you get a hashtable of arrays.

Having that in mind, if you ask for only GPO:

$Events = Find-Events -Report Report1 -DateRange...
Dashboard -FilePath $PSScriptRoot\group-policy.html -Name 'Dashimo - FindEvents' -Show {
    Tab -Name 'Group Policy Changes' {
        Section -Name 'ADGroupPolicyChanges' {
            Table -DataTable $Events
        }
    }
}

if you ask for multiple reports:

$Events = Find-Events -Report Report1,Report2,Report3 ...
Dashboard -FilePath $PSScriptRoot\group-policy.html -Name 'Dashimo - FindEvents' -Show {
    Tab -Name 'Group Policy Changes' {
        Section -Name 'ADGroupPolicyChanges' {
            Table -DataTable $Events.ADGroupPolicyChanges
        }
    }
}

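Because the shape of Find-Events output depends on how many reports were requested, a script that is sometimes run with one report and sometimes with several will break in exactly the way described in this thread. Here is an added example (my own code, not part of PSWinReporting or Dashimo) of a small normaliser that accepts either shape and always returns a hashtable keyed by report name, so the Dashimo section can index $Events.ADGroupPolicyChanges in both cases. The Find-Events call is taken from the command posted earlier in the thread but is commented out, and a constructed stand-in array is used so the block runs offline; the Dashboard call is guarded so it only runs where Dashimo is installed.

```powershell
# Added example, not PSWinReporting's or Dashimo's own code.
# Find-Events returns a bare array for one report and a hashtable of arrays
# for two or more; this helper always hands back the hashtable form.
function ConvertTo-ReportHashtable {
    param(
        [AllowNull()] [object] $FindEventsOutput,
        [Parameter(Mandatory)] [string[]] $Report
    )
    # Multi-report request: already a dictionary keyed by report name.
    if ($FindEventsOutput -is [System.Collections.IDictionary]) {
        return $FindEventsOutput
    }
    # Single-report request: a bare array (or $null when nothing matched).
    if ($Report.Count -ne 1) {
        $shape = if ($null -eq $FindEventsOutput) { 'null' } else { $FindEventsOutput.GetType().Name }
        throw "Expected a hashtable for $($Report.Count) reports but got $shape"
    }
    return @{ $Report[0] = @($FindEventsOutput) }
}

$Reports = 'ADGroupPolicyChanges'
# $Events = Find-Events -Report $Reports -DatesRange Last7days -Servers 'DC1', 'DC2'
# Constructed stand-in for the single-report case (one GPO modification row):
$Events = @(
    [PSCustomObject] @{ 'Event ID' = 5136; Action = 'A directory service object was modified.'; ObjectClass = 'groupPolicyContainer' }
)

# Single-report output (array) and multi-report output (hashtable) both normalise
# to a hashtable, so the same $Normalized.ADGroupPolicyChanges index works for each.
$Normalized = ConvertTo-ReportHashtable -FindEventsOutput $Events -Report $Reports
$MultiReportStandIn = @{ ADGroupPolicyChanges = $Events; ADUserChanges = @() }
$NormalizedMulti = ConvertTo-ReportHashtable -FindEventsOutput $MultiReportStandIn -Report 'ADGroupPolicyChanges', 'ADUserChanges'
"Single: $($Normalized.ADGroupPolicyChanges.Count) row(s); Multi: $($NormalizedMulti.ADGroupPolicyChanges.Count) row(s)"

# Only build the dashboard when the Dashimo cmdlets are actually available.
if (Get-Command -Name Dashboard -ErrorAction SilentlyContinue) {
    Dashboard -FilePath (Join-Path $PSScriptRoot 'group-policy.html') -Name 'Dashimo - FindEvents' -Show {
        Tab -Name 'Group Policy Changes' {
            Section -Name 'ADGroupPolicyChanges' {
                Table -DataTable $Normalized.ADGroupPolicyChanges
            }
        }
    }
}
```

The throw in the helper is deliberate: if a multi-report request ever yields something that is not a dictionary, an empty table in the HTML is the last thing you want, since an empty GPO-change report reads as "nothing happened" rather than "the script is broken".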
wemener commented 5 years ago

Apologies for not noticing that. It seems the previous fix that you made did fix the issue. I edited my script for just the group policy items and it works. The larger script in which I have combined your modules now works too. Thank you again for your help and for making this.