Print server – enable auditing and log gathering script – Event ID: 307


I was asked by my friend to install a print server in his environment (Windows Server 2008 R2 SP1), enable auditing of print jobs and create a report on a weekly basis.

  • To install the print server, there is a very nice video on YouTube.
  • After the printers are installed and deployed, we should enable auditing in the PrintService event logs. On the print server, open Server Manager -> Diagnostics -> Event Logs -> Applications and Services Logs -> Microsoft -> Windows -> PrintService


  • Expand the PrintService event logs -> right-click Operational
  • Make sure Disable Log is present in the menu, which means the log is already enabled (otherwise click Enable Log)


  • Print test pages
  • Run the following script. It goes through the event logs, collects event ID 307 for the last 168 hours and produces a CSV file with the most important information about printed documents (what was printed, where, when and by whom):
#print audit script
$dat = get-date
$name="$($dat.day)_$($dat.month)_$($dat.year)"
start-transcript c:\scripts\printaudit_logs\log_$name.log
$pserv = "PrintServerName"
$AuFileRaw = "c:\scripts\printaudit_logs\Audit.csv"
$AuFileLRD = "c:\scripts\printaudit_logs\last_run.csv"
################################# Test mode - uncomment
$dat | Out-File $AuFileLRD
############################################################################################################################################
# read event ID 307 entries from the last 168 hours on the print server
$a = Get-WinEvent -ProviderName "Microsoft-Windows-PrintService" -ComputerName $pserv | where {(($_.id -eq 307) -and ($_.timecreated -ge $dat.addhours(-168)))} | select Message,TimeCreated

# alternative: read events from a saved .evtx file
#$a = Get-WinEvent -Path 'C:\Scripts\PrintAudit_logs\system log.evtx' | where {($_.id -eq 307)} | select Message,TimeCreated

# header of the last-run file
$lr = "DocName;user;IP;Printer;IP Port;size;pages;Date"
$lr | Out-File $AuFileLRD -Append
foreach ($rec in $a) {
    # turn the fixed phrases of the event message into ";" separators
    # (-replace takes a regular expression, so literal dots are escaped)
    $r = $rec.message -replace " owned by ",";"
    $r = $r -replace " was printed on ",";"
    $r = $r -replace " on ",";"
    $r = $r -replace " through port ",";"
    $r = $r -replace "  Size in bytes: ",";"
    $r = $r -replace "\. Pages printed: ",";"
    $r = $r -replace "\. No user action is required\.",""
    # echo the parsed line so it appears in the transcript
    $r
    $out = "$($r);$($rec.timecreated)"
    #saving to raw file
    $out | Out-File $AuFileRaw -Append
    $out | Out-File $AuFileLRD -Append
}

#saving to raw file
#generate reports
#sending mail
Stop-Transcript

Update: I made a new version of the script that gathers print reports for a selected period. It is also faster, because I have added additional conditions to not include empty lines in reports. Here is the new version. Blue lines are subject to change to alter the period, log placement and print server name:

#Version 1.1
$dat = get-date
$name="$($dat.day)_$($dat.month)_$($dat.year)"
start-transcript c:\scripts\printaudit_logs\log_$name.log
#print audit script
$pserv = "OPHQMS01"
$AuFileRaw = "c:\scripts\printaudit_logs\Audit.csv"
$AuFileLRD = "c:\scripts\printaudit_logs\last_run.csv"
$AuFileRep = "c:\scripts\printaudit_logs\Audit_$name.html"
$smtpserver = "smtp.domain.local"
$adminrecip = "zbynek.salon@salonovi.cz"
# previous calendar month = reporting period
$prev = $dat.addmonths(-1)
$month = $prev | select month
################################# Test mode - uncomment
#$dat | Out-File $AuFileLRD 
############################################################################################################################################
# read the PrintService log and keep event ID 307 entries from the previous month
$b = @()
$a = Get-WinEvent -ProviderName "Microsoft-Windows-PrintService" -ComputerName $pserv | select id,Message,TimeCreated
#$a = Get-WinEvent -Path 'C:\scripts12013-082013.evtx' | select id,Message,TimeCreated
foreach ($line in $a){
    # compare month and year, so the same month of an earlier year is not included
    $b += $line |  where {(($line.id -eq 307) -and ($line.timecreated.month -eq $month.month) -and ($line.timecreated.year -eq $prev.year))} | select Message,TimeCreated
}

# folder suffix; the year comes from the previous month, so a January run is labelled with December of the last year
$lastm = "_$($prev.month)_$($prev.year)"
#creating folder structure (uzivatelske = per user, tiskarny = per printer)
Remove-Item -Recurse -Force "c:\scripts\printaudit_logs\stats$($lastm)" -erroraction SilentlyContinue
new-item -ItemType Directory -path "c:\scripts\printaudit_logs\stats$($lastm)" -erroraction SilentlyContinue
new-item -ItemType Directory -path "c:\scripts\printaudit_logs\stats$($lastm)\uzivatelske" -erroraction SilentlyContinue
new-item -ItemType Directory -path "c:\scripts\printaudit_logs\stats$($lastm)\tiskarny" -erroraction SilentlyContinue

# Czech column headers: Document;User;IP;Printer;IPPort;Size;Pages;Date
$lr = "Dokument;Uživatel;IP;Tiskárna;IPPort;Velikost;Stran;Datum"
$lr  | Out-File $AuFileLRD
$lr  | Out-File $AuFileRaw
foreach ($rec in $b) {
    # skip empty entries
    if ( $rec.message -notlike $null) {
        # -replace takes a regular expression, so literal dots are escaped
        $r = $rec.message -replace " owned by ",";"
        $r = $r -replace " was printed on ",";"
        $r = $r -replace " on ",";"
        $r = $r -replace " through port ",";"
        $r = $r -replace "  Size in bytes: ",";"
        $r = $r -replace "\. Pages printed: ",";"
        $r = $r -replace "\. No user action is required\.",""
        $out = "$($r);$($rec.timecreated)"
        #saving to raw file
        $out | Out-File $AuFileRaw -Append
        $out | Out-File $AuFileLRD -Append
    }
}

#saving to raw file

#generate reports
$Rep = Import-Csv $AuFileLRD -Delimiter ";"
$psum = @()
$usum = @()
$printers = $rep | group tiskárna | select name
$users = $rep | group uživatel | select name

# user stats
foreach ($us in $users){
$uout = "c:\scripts\printaudit_logs\stats$($lastm)\uzivatelske\$($us.name)$($lastm).csv"
$x = @(); $x +=$Rep | where {$_.uživatel -like "$($us.name)"}
$usum += $x | group uživatel,tiskárna,stran | select name,count
$x | select * -excludeproperty uživatel,ip,velikost,ipport |  Export-Csv $uout -Encoding unicode -Delimiter ";"
}
# printer stats
foreach ($pr in $printers){
$prout = "c:\scripts\printaudit_logs\stats$($lastm)\tiskarny\$($pr.name)$($lastm).csv"
$x = @(); $x +=$Rep | where {$_.tiskárna -like "$($pr.name)"}
$psum += $x | group tiskárna,stran | select name,count
$x | select * -excludeproperty tiskárna,ip,velikost,ipport | Export-Csv $prout -Encoding unicode -Delimiter ";"
}
$psum =  $rep | group tiskárna | sort count -Descending | select name,count
$usum =  $rep | group uživatel,tiskárna | sort count -Descending | select name,count
#sending mail
# Czech message body: "Hello, the statistics for month ... can be found in \\ophqms01\printaudit_logs. Regards, Admin"
$body = "Zdravím,

Statistiky za měsíc $($lastm) naleznete v \\ophqms01\printaudit_logs .

S pozdravem
Admin"
send-mailmessage -From zbynek.salon@domain.local -To $adminrecip -Subject "Print audit" -Body $body -BodyAsHtml -Encoding ([System.Text.Encoding]::unicode) -smtpserver $smtpserver
Stop-Transcript
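
Both scripts above rebuild the columns by replacing phrases in the event message, so a document name that itself contains " on " or ";" shifts every following column in the audit file. The added example below (not part of the original post) reads the same fields from the event XML instead; the function name, the constructed sample event and the Param1..Param8 order are assumptions made for this example.

```powershell
# Added example, not the post's script. Assumption: event 307 carries its values
# under UserData/DocumentPrinted as Param1..Param8, in the order of the message
# (job id, document, user, client, printer, port, bytes, pages).
function ConvertFrom-PrintEvent307 {
    param([Parameter(Mandatory = $true)][string]$EventXml)

    $doc = [xml]$EventXml
    $p = $doc.Event.UserData.DocumentPrinted
    if ($null -eq $p) { return }    # not a "document printed" event

    # New-Object/Select-Object keeps this usable on PowerShell 2.0 (2008 R2)
    New-Object PSObject -Property @{
        Date     = [datetime]$doc.Event.System.TimeCreated.SystemTime
        JobId    = [int]$p.Param1
        Document = $p.Param2
        User     = $p.Param3
        Client   = $p.Param4
        Printer  = $p.Param5
        Port     = $p.Param6
        Bytes    = [long]$p.Param7
        Pages    = [int]$p.Param8
    } | Select-Object Date, JobId, Document, User, Client, Printer, Port, Bytes, Pages
}

# Constructed sample event (not from a real server). The document name contains
# " on " and ";", which would break a split based on the message text.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>307</EventID><TimeCreated SystemTime="2013-08-12T09:15:30.000Z" /></System>
  <UserData><DocumentPrinted>
    <Param1>12</Param1><Param2>Notes on budget; v2</Param2><Param3>jdoe</Param3>
    <Param4>\\CLIENT01</Param4><Param5>Floor2-Laser</Param5><Param6>IP_192.0.2.10</Param6>
    <Param7>48213</Param7><Param8>3</Param8>
  </DocumentPrinted></UserData>
</Event>
'@

# ConvertTo-Csv quotes every field, so the ";" in the name stays in one column
ConvertFrom-PrintEvent307 -EventXml $sample | ConvertTo-Csv -Delimiter ';' -NoTypeInformation

# On the print server: filter at the source, then parse and export
# Get-WinEvent -ComputerName $pserv -FilterHashtable @{
#     LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 307
#     StartTime = (Get-Date).AddHours(-168) } |
#   ForEach-Object { ConvertFrom-PrintEvent307 -EventXml $_.ToXml() } |
#   Export-Csv c:\scripts\printaudit_logs\Audit.csv -Delimiter ';' -NoTypeInformation
```

The document name is chosen by whoever submits the print job, so an audit trail meant to show who printed what should not depend on it being free of separator text.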

2 thoughts on “Print server – enable auditing and log gathering script – Event ID: 307”

  1. Thanks for the info and example. BTW: you can “enable” the log also in PowerShell:
    $x = Get-WinEvent -ListLog 'Microsoft-Windows-PrintService/Operational'
    $x.IsEnabled = $True
    $x.SaveChanges()
