Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 2 replies
  • Subscribers 0 subscribers
  • Views 8938 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Can I create a report with "Device Control Event Viewer" results?

renfrow

I would like to have a scheduled report run that has all the information provided in the "Device Control" event viewer.  Especially user name. 

But that doesn't seem to be a report option, any suggestions?

:57784


This thread was automatically locked due to age.
  • 0

    Hello renfrow,

    you can export the data from the Event Viewer but AFAIK there is no report you could schedule - Alerts and Events does not include the user and Events by user display only counts.

    Should be fairly easy to extract the information with the Sophos Reporting Interface. I've whipped up the following "bimodal" (:smileytongue::smileywink:) script as an example. Save it as whatevername.cmd or .bat , it writes to whatevername.txt in the same directory.

    GOTO TheScript /*
:TheScript
@ECHO OFF
REM --- Select today and the last _int days (EventTime is UTC)
SET _int=7
REM --- change instance and databse name if necessary
SQLCMD -E -S .\SOPHOS -d SOPHOS521 -o %~n0.txt -u -i %~f0 -v Interval=%_int%
Exit /b 0
*/

TheScript:
DECLARE @Since INT = $(Interval)

SELECT 
  d.EventTime,
  c.Name AS ComputerName,
  d.UserName,
  d.ReportingName,
  d.DeviceTypeName,
  d.Model,
  d.DeviceID
  FROM [Sophos Reporting Interface].[vEventsDeviceControlData] AS d
    INNER JOIN dbo.ComputersAndDeletedComputers AS c 
          ON d.ComputerID = c.ID
          WHERE d.EventTime > DATEADD(DAY,-@Since,GETUTCDATE())
    ORDER BY SUBSTRING(d.UserName,CHARINDEX('\',d.USerName),256),
          d.UserName,
          d.EventTime

    HTH

    Christian

    :57793
Unfiltered HTML