Greetings, ladies and gentlemen! I am brand new to the forum, but I see there are people in the know here … can anyone help?
The essence is this … I wrote a script in PowerShell that grabs the print server events with id = 307 and 805. Next there is a problem with samaccountname, which is pulled out of event id = 307 of the print server: I also want the value of office to be taken from Active Directory itself … and written to the same log according to samaccountname. The question … is it possible to do this and, if it is not difficult, could someone tell me how?
The script:
Add-Type -AssemblyName System.Web   # needed for [System.Web.HttpUtility]

$a3 = Measure-Command -Expression {
    $workpath = "C:\parslog\logs\work"
    $logname = "306EV%"
    $logname3 = "805EV%"
    $logname5 = "printlog%"
    $logname1 = [System.Web.HttpUtility]::UrlEncode($logname)
    $logname2 = [System.Web.HttpUtility]::UrlEncode($logname3)
    $logname4 = [System.Web.HttpUtility]::UrlEncode($logname5)
    $Now = [System.DateTime]::Now
    $filedate = $Now.ToString("yyyy.MM.dd_HH mm")
    $out_evt_file = "$workpath\$logname1-$filedate.evtx"
    $out_evt_file1 = "$workpath\$logname2-$filedate.evtx"
    $out_csv_file = "$workpath\$logname1-$filedate.csv"
    $out_csv_file1 = "$workpath\$logname2-$filedate.csv"
    $out_csv_filetogether = "$workpath\$logname5-$filedate.csv"
    #wevtutil.exe cl $logname /BU:$out_evt_file /uni:true
    #wevtutil.exe cl Microsoft-Windows-PrintService/Operational /BU:c:\install\printaudit\work\filedate.evtx /uni:true
    # Export the PrintService operational log twice (one copy per event id)
    wevtutil.exe Export-Log Microsoft-Windows-PrintService/Operational C:\parslog\logs\work\filedate.evtx /ow:true
    wevtutil.exe Export-Log Microsoft-Windows-PrintService/Operational C:\parslog\logs\work\filedate1.evtx /ow:true
    # XPath filters: 307 = document printed, 805 = render job (copies)
    $query = "*[System[(Level=4 or Level=0) and (EventID=307)]]"
    $query1 = "*[System[(Level=4 or Level=0) and (EventID=805)]]"
    #$Events = wevtutil.exe query-events $out_evt_file /lf:true /q:$query /f:XML /locale:ru /uni:true
    $Events = wevtutil.exe query-events C:\parslog\logs\work\filedate.evtx /c:50 /rd:true /lf:true /q:$query /f:XML /locale:ru /uni:true
    $Events2 = wevtutil.exe query-events C:\parslog\logs\work\filedate1.evtx /c:50 /rd:true /lf:true /q:$query1 /f:XML /locale:ru /uni:true
    # Turn each event 307 XML record into an object
    $Events1 = $Events |
        % { [xml]$_ } |
        % {
            if ($_.Event.UserData.DocumentPrinted.Param7 -is [array]) {
                New-Object PSObject -Property @{
                    JobID = $_.Event.UserData.DocumentPrinted.Param1;
                    user = $_.Event.UserData.DocumentPrinted.Param3;
                    comp = $_.Event.UserData.DocumentPrinted.Param4;
                    printer = $_.Event.UserData.DocumentPrinted.Param5;
                    port = $_.Event.UserData.DocumentPrinted.Param6;
                    kolvo_str = [int]$_.Event.UserData.DocumentPrinted.Param7[0];
                    size = [int]$_.Event.UserData.DocumentPrinted.Param7[1];
                    Date = $filedate;
                }
            } else {
                New-Object PSObject -Property @{
                    JobID = $_.Event.UserData.DocumentPrinted.Param1;
                    user = $_.Event.UserData.DocumentPrinted.Param3;
                    comp = $_.Event.UserData.DocumentPrinted.Param4;
                    printer = $_.Event.UserData.DocumentPrinted.Param5;
                    port = $_.Event.UserData.DocumentPrinted.Param6;
                    kolvo_str = [int]$_.Event.UserData.DocumentPrinted.Param7;
                    size = [int]$_.Event.UserData.DocumentPrinted.Param8;
                    Date = $filedate;
                }
            }
        }
    $Events1 | export-csv -Path $out_csv_file -NoTypeInformation -Encoding Unicode
    $a3   # no effect here: output inside Measure-Command is discarded
}
# Turn each event 805 XML record into an object
$Events3 = $Events2 |
    % { [xml]$_ } |
    % {
        New-Object PSObject -Property @{
            date = $_.Event.System.TimeCreated.SystemTime;
            # time = $_.Event.System.TimeCreated.SystemTime;
            JobID = $_.Event.UserData.RenderJobDiag.Jobid;
            copies = $_.Event.UserData.RenderJobDiag.Copies;
        }
    }
$Events3 | export-csv -Path $out_csv_file1 -NoTypeInformation -Encoding Unicode
$a3
# Index the 307 records by JobID, then join them with the 805 records
$hash = @{}
#Import-CSV $out_csv_file | Foreach {$hash[$_.JobID] = $_.user, $_.comp, $_.printer, $_.size, $_.kolvo_str}
Import-CSV $out_csv_file | Foreach {$hash[$_.JobID] = $_.user, $_.comp, $_.printer, $_.kolvo_str, $_.size}
$f2 = Import-CSV $out_csv_file1
#$f2 | Foreach {if($hash[$_.JobID]) { $obj = "" | Select date, time, user, comp, printer, kolvo_str, size, copies
$f2 | Foreach {
    if ($hash[$_.JobID]) {
        $obj = "" | Select date, time, user, comp, printer, size, kolvo_str, copies
        $obj.date = Get-Date $_.date -uformat "%d.%m.%Y"
        $obj.time = Get-Date $_.date -uformat "%H:%M:%S"
        $obj.user = $hash[$_.JobID][0]
        $obj.comp = $hash[$_.JobID][1]
        $obj.printer = $hash[$_.JobID][2]
        #$obj.port = $hash[$_.JobID][3]
        # index 3 holds kolvo_str and index 4 holds size (order set on the Import-CSV line above)
        $obj.size = $hash[$_.JobID][3]
        $obj.kolvo_str = $hash[$_.JobID][4]
        $obj.copies = $_.copies
        $obj
    }
} | Export-CSV -NoType $out_csv_filetogether -Delimiter ";"
# Clean up the intermediate files
Remove-Item C:\parslog\logs\work\*.evtx -Recurse
Remove-Item $out_csv_file -Recurse ; Write-Host -f 'green' 'green'
Remove-Item $out_csv_file1 -Recurse ; Write-Host -f 'blue' 'blue'
-______________________________________________________
Here the value of user = $_.Event.UserData.DocumentPrinted.Param3 (event 307 of the print server log) is essentially samaccountname.
How to also put the office value into this log, I cannot quite imagine.
I have a general idea that something like this is needed -
Set a variable … something like this -
Import-Module ActiveDirectory
$Z = Get-ADUser -Filter * -SearchBase 'OU=rzkoren,OU=Users,OU=rzkoren,OU=Oren,OU=Regions,DC=rzk,DC=local' -SearchScope Subtree -Properties samaccountname, office | select samaccountname, office
Then it somehow has to be tied to the variable user = $_.Event.UserData.DocumentPrinted.Param3 …
… I do not understand how to make it so that, together with the user, which is essentially samaccountname, the value of office is also written to this general print log, directly from AD …
The entry in the event is as follows:
Document 169, Printing a document owned Rodrigis.VI on Oren-Rodrigis, was printed in the Oren-M525 port oren2-hp5. The size in bytes: 101494. Pages printed: 1. The user action is required.
Help meeeee pls!
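One way to do the lookup asked about above, as an added example that is not part of the original post: query AD once, build a sAMAccountName-to-office table, and attach `office` to each parsed event 307 record. The function names `Get-OfficeMap` and `Add-Office`, the sample XML and the office value are assumptions made for illustration; `Get-OfficeMap` needs the RSAT ActiveDirectory module.

```powershell
# One AD query up front: sAMAccountName -> Office. Hashtables created with @{}
# compare string keys case-insensitively, as AD does for sAMAccountName.
function Get-OfficeMap {        # hypothetical helper name
    param([Parameter(Mandatory)][string]$SearchBase)
    Import-Module ActiveDirectory
    $map = @{}
    Get-ADUser -Filter * -SearchBase $SearchBase -SearchScope Subtree -Properties Office |
        ForEach-Object { $map[$_.SamAccountName] = $_.Office }
    return $map
}

# Adds an 'office' property to each parsed event 307 record.
function Add-Office {           # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Record,
        [Parameter(Mandatory)][hashtable]$OfficeMap
    )
    process {
        # Accounts not present in the searched OU (deleted, local, service) get an empty value
        $office = ''
        if ($Record.user -and $OfficeMap.ContainsKey($Record.user)) {
            $office = $OfficeMap[$Record.user]
        }
        $Record | Add-Member -NotePropertyName office -NotePropertyValue $office -PassThru
    }
}

# Constructed sample: a simplified event 307 using the values quoted in the post
[xml]$e = '<Event><UserData><DocumentPrinted><Param1>169</Param1><Param3>Rodrigis.VI</Param3><Param4>Oren-Rodrigis</Param4><Param5>Oren-M525</Param5></DocumentPrinted></UserData></Event>'
$d = $e.Event.UserData.DocumentPrinted
$record = New-Object PSObject -Property @{
    JobID = $d.Param1; user = $d.Param3; comp = $d.Param4; printer = $d.Param5
}

# Constructed stand-in for the AD lookup so this runs without a domain controller.
# On the print server use instead:
#   $officeMap = Get-OfficeMap -SearchBase 'OU=rzkoren,OU=Users,OU=rzkoren,OU=Oren,OU=Regions,DC=rzk,DC=local'
$officeMap = @{ 'rodrigis.vi' = 'Office 12 (constructed)' }

$record | Add-Office -OfficeMap $officeMap | Select-Object JobID, user, comp, printer, office
```

To carry the value into the merged CSV, pipe `$Events1` through `Add-Office` before the first `export-csv`, then add `$_.office` to the `$hash` entry and `office` to the `Select` list.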