EvotecIT / PSWinReporting

This PowerShell module has multiple functionalities, but one of its signature features is the ability to parse Security logs on Domain Controllers, providing easy-to-use access to AD events.
MIT License

report highlighting with ad in german language #65

Closed Secarius closed 2 years ago

Secarius commented 3 years ago

Hello,

thank you for this wonderful PS Module.

I have a small question:

As my DC language is German, I have no highlighting in the reports. I think that's because you use trigger words like "changed", "added", ...

Further down, I'll attach some screenshots. Is it possible to configure those triggers in the config file? [4 screenshots]

Kind Regards Felix

PrzemyslawKlys commented 3 years ago

Which version are you using?

Secarius commented 3 years ago

I just installed the modules via PowerShellGallery and used the config from: https://evotec.xyz/hub/scripts/pswinreporting-powershell-module/

Secarius commented 3 years ago

I did the following install:

    Install-Module PSWinReporting
    Install-Module PSWriteColor
    Install-Module PSEventViewer
    Install-Module PSWriteExcel
    Install-Module PSSharedGoods

PrzemyslawKlys commented 3 years ago

Then changing the colors here will fix it, no?

    Colors                 = @{
        # case sensitive
        Red   = 'removed', 'deleted', 'locked out', 'lockouts', 'disabled', 'Domain Admins', 'was cleared'
        Blue  = 'changed', 'changes', 'change', 'reset'
        Green = 'added', 'enabled', 'unlocked', 'created'
    }
Secarius commented 3 years ago

Thanks, I think I am blind 🙈 I'll test it tomorrow.

Secarius commented 3 years ago

I've changed the settings like this:

    Colors                 = @{
        # case sensitive
        Red   = 'removed', 'deleted', 'locked out', 'lockouts', 'disabled', 'Domain Admins', 'was cleared', 'gelöscht', 'entfernt', 'gesperrt', 'deaktiviert', 'gelöscht', 'zurückzusetzen'
        Blue  = 'changed', 'changes', 'change', 'reset', 'geändert'
        Green = 'added', 'enabled', 'unlocked', 'created', 'aktiviert', 'erstellt'
    }

But it will not work with words containing ä ö ü. [screenshot]

And it doesn't work with "aktiviert" and "deaktiviert": "deaktiviert" is now multicolor. [screenshot]

PrzemyslawKlys commented 3 years ago

Try using " aktiviert".

Secarius commented 3 years ago

    Colors                 = @{
        # case sensitive
        Red   = 'removed', 'deleted', 'locked out', 'lockouts', 'disabled', 'Domain Admins', 'was cleared', 'gelöscht', 'entfernt', 'gesperrt', 'deaktiviert', 'aktiviert', 'gelöscht', 'zurückzusetzen'
        Blue  = 'changed', 'changes', 'change', 'reset', 'geändert'
        Green = 'added', 'enabled', 'unlocked', 'created', 'aktiviert', 'erstellt'
    }

Still gives: [2 screenshots]

PrzemyslawKlys commented 3 years ago

I mean use space to make sure it's treated as a separate word.

Secarius commented 3 years ago

That worked 👍

Do you have a solution (escaping) for the ö ü ä?

PrzemyslawKlys commented 3 years ago

Save the HTML that you have in the email to the desktop, open the file up, search for the word and see if it's not written in its HTML equivalent rather than how you wrote it. Use that instead.

Secarius commented 3 years ago

That did the trick: 'zurückzusetzen',

thank you.
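
The two problems in this thread (an umlaut keyword never matching because the report carries it HTML-encoded, and "aktiviert" also lighting up inside "deaktiviert" until a leading space is added) can be checked before the next report goes out. The following is an added example, not code from PSWinReporting or its author: it takes the Colors hashtable from the config and a saved copy of the report HTML, and reports for every keyword whether it matches as written, whether only an HTML-encoded form of it matches (decimal `&#252;`, hex `&#xFC;` or named `&uuml;` entities are tried, since the page does not say which one the report uses), and whether a keyword of another colour contains it as a substring. The sample HTML rows and the Colors map below are constructed for the example; matching is a case-sensitive substring search, as the config comment states.

```powershell
# Added example, not part of PSWinReporting. Save this file as UTF-8 with BOM so
# Windows PowerShell 5.1 reads the umlauts in the keyword list correctly.

function Get-HtmlForm {
    # Returns the forms a keyword may take once HTML-encoded: decimal entity,
    # hexadecimal entity and the named entities for the German special letters.
    # Words without non-ASCII characters produce no extra forms.
    param([Parameter(Mandatory)] [string] $Word)
    $named = @{ 'ä' = '&auml;'; 'ö' = '&ouml;'; 'ü' = '&uuml;'
                'Ä' = '&Auml;'; 'Ö' = '&Ouml;'; 'Ü' = '&Uuml;'; 'ß' = '&szlig;' }
    $dec = -join ($Word.ToCharArray() | ForEach-Object { if ([int]$_ -gt 127) { '&#{0};'   -f [int]$_ } else { [string]$_ } })
    $hex = -join ($Word.ToCharArray() | ForEach-Object { if ([int]$_ -gt 127) { '&#x{0:X};' -f [int]$_ } else { [string]$_ } })
    $nam = $Word
    foreach ($k in $named.Keys) { $nam = $nam.Replace($k, $named[$k]) }
    @($dec, $hex, $nam) | Where-Object { $_ -ne $Word } | Select-Object -Unique
}

function Test-ReportKeywords {
    # $Html   : contents of the report saved from the e-mail
    # $Colors : the Colors hashtable from the PSWinReporting config (Red/Blue/Green = keyword lists)
    param(
        [Parameter(Mandatory)] [string]    $Html,
        [Parameter(Mandatory)] [hashtable] $Colors
    )
    foreach ($color in $Colors.Keys) {
        foreach ($word in @($Colors[$color])) {
            # String.Contains is an ordinal, case-sensitive substring test, like the highlighting.
            $asIs     = $Html.Contains($word)
            $htmlForm = Get-HtmlForm -Word $word | Where-Object { $Html.Contains($_) } | Select-Object -First 1

            # A keyword of another colour that contains this one will be painted twice
            # ("aktiviert" inside "deaktiviert"); a leading space on the keyword avoids it.
            $collisions = foreach ($other in $Colors.Keys) {
                if ($other -eq $color) { continue }
                foreach ($w in @($Colors[$other])) {
                    if ($w -ne $word -and $w.Contains($word)) { "$other/'$w'" }
                }
            }

            [pscustomobject]@{
                Color       = $color
                Keyword     = $word
                FoundAsIs   = $asIs
                FoundAsHtml = $htmlForm          # the encoded spelling to put in the config, if any
                Collision   = ($collisions -join '; ')
            }
        }
    }
}

# Constructed sample rows of a saved report; the real file may encode ü differently,
# which is why Get-HtmlForm tries several spellings.
$SampleHtml = @'
<tr><td>Das Benutzerkonto wurde deaktiviert.</td></tr>
<tr><td>Es wurde versucht, das Kennwort eines Kontos zur&uuml;ckzusetzen.</td></tr>
<tr><td>Ein Benutzerkonto wurde aktiviert.</td></tr>
'@

# Constructed Colors map in the shape of the config; ' aktiviert' carries the leading space.
$Colors = @{
    Red   = 'deaktiviert', 'zurückzusetzen'
    Blue  = 'geändert'
    Green = ' aktiviert', 'erstellt'
}

Test-ReportKeywords -Html $SampleHtml -Colors $Colors | Format-Table -AutoSize
```

Run it against the real file with `Test-ReportKeywords -Html (Get-Content .\report.html -Raw -Encoding UTF8) -Colors $Colors`. A row with `FoundAsIs` false and a value in `FoundAsHtml` is a keyword to replace by that encoded spelling in the config; a non-empty `Collision` column is a keyword that needs the leading space (or a longer phrase) so it is only matched as a whole word; a row with both columns empty is a keyword that never occurs in that report at all.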

Secarius commented 3 years ago

Do you have an idea how to fix this? Warnings: Security log on ** doesn't cover whole date range requested. Oldest event 07/06/2021 16:43:02** while requested 07/06/2021 00:00:00.

I have the log set to 4 GB.

[screenshot]

PrzemyslawKlys commented 3 years ago

Either you have a high amount of logs and things keep overwriting, or something is not right. What domain size do you have?

Secarius commented 3 years ago

What do you mean by domain size? Around 40 clients and 30 servers. I get a lot of 4662 IDs (Object read), mostly the server asking for its access group.

PrzemyslawKlys commented 3 years ago

Maybe you should revisit what logs you have enabled in AD and adjust it. Some logs are not worth gathering. Alternatively you can set up PSWinReporting in forwarding mode, choose the events it monitors and use a single server for gathering logs from all DCs.
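
Before changing the audit policy it helps to measure what is actually filling the log, so that the "doesn't cover whole date range" warning can be traced to a concrete event ID and rate. The block below is an added example, not code from PSWinReporting or its author. It reads the Security log's configured size, mode and fill level, the timestamp of the oldest event still retained, whether that reaches back to the requested start, and the event IDs that dominate a recent sample window; from those a per-hour rate follows, which tells how many hours a 4 GB log can hold. The `DC01` name and the 2021-07-06 start in the usage line are placeholders; the function needs rights to read the Security log on the target.

```powershell
# Added example, not part of PSWinReporting. Requires permission to read the
# Security log on the target DC (Event Log Readers or an equivalent right).

function Get-SecurityLogCoverage {
    param(
        [string]   $ComputerName   = $env:COMPUTERNAME,
        [datetime] $RequestedStart = (Get-Date).Date,   # start of the range the report asks for
        [timespan] $SampleWindow   = '01:00:00',        # window used to count event IDs
        [int]      $Top            = 10
    )

    # Configured size and current fill level of the log.
    $log = Get-WinEvent -ListLog Security -ComputerName $ComputerName

    # The oldest record still present; anything older has already been overwritten.
    $oldest = Get-WinEvent -LogName Security -ComputerName $ComputerName -MaxEvents 1 -Oldest

    # Count which IDs dominate in the sample window. Counting the whole of a 4 GB log
    # takes very long, so only the last $SampleWindow is read here.
    $since  = (Get-Date) - $SampleWindow
    $sample = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; StartTime = $since
    }
    $counts = $sample | Group-Object Id | Sort-Object Count -Descending |
        Select-Object -First $Top -Property Name, Count

    # Rate in the sample window and the retention that rate implies for the current size.
    $perHour   = [math]::Round(@($sample).Count / [math]::Max($SampleWindow.TotalHours, 0.01))
    $bytesEach = if ($log.RecordCount -gt 0) { $log.FileSize / $log.RecordCount } else { 0 }
    $hoursFit  = if ($perHour -gt 0 -and $bytesEach -gt 0) {
        [math]::Round($log.MaximumSizeInBytes / $bytesEach / $perHour, 1)
    } else { $null }

    [pscustomobject]@{
        Computer            = $ComputerName
        LogMode             = $log.LogMode                 # Circular means oldest events are overwritten
        MaxSizeMB           = [math]::Round($log.MaximumSizeInBytes / 1MB)
        UsedMB              = [math]::Round($log.FileSize / 1MB)
        RecordCount         = $log.RecordCount
        OldestEvent         = $oldest.TimeCreated
        RequestedStart      = $RequestedStart
        CoversRequestedRange= ($oldest.TimeCreated -le $RequestedStart)
        EventsPerHour       = $perHour
        EstimatedHoursKept  = $hoursFit
        TopEventIds         = $counts
    }
}

# Usage (placeholder host and date): run it and look at TopEventIds and EstimatedHoursKept.
# Get-SecurityLogCoverage -ComputerName 'DC01' -RequestedStart (Get-Date '2021-07-06') |
#     Format-List
```

If `TopEventIds` is dominated by 4662 ("An operation was performed on an object"), that volume comes from the Directory Service Access audit subcategory together with the SACLs on the objects being read; `auditpol /get /category:"DS Access"` on the DC shows whether that subcategory is auditing successes. `EstimatedHoursKept` below 24 with the log in Circular mode is exactly the situation behind the warning: the report asks for the whole day, but the oldest retained event is from the afternoon.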

Secarius commented 3 years ago

Do you have an example of which logs are good to be enabled?

PrzemyslawKlys commented 3 years ago