Print server – enable auditing and log gathering script – Event ID: 307

A friend asked me to install a print server in his environment (Windows Server 2008 R2 SP1), enable auditing of print jobs and create a report on a weekly basis.

  • For installing the print server there is a very nice video on YouTube.
  • After the printers are installed and deployed, we should enable auditing of the PrintService event logs. On the print server open Server Manager -> Diagnostics -> Event Logs -> Applications and Services Logs -> Microsoft -> Windows -> PrintService

server_manager

  • Expand the PrintService event logs -> right-click Operational
  • Make sure the menu shows Disable Log, which means the log is already enabled (otherwise click Enable Log)

Log Enabled

  • Print test pages
  • Run the following script. It goes through the event logs, collects event ID 307 for the last 168 hours and generates a CSV file with the most important information about the printed documents (what was printed, where, when and by whom)
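# Print audit script.
# Collects PrintService event ID 307 ("document printed") records of the last 168 hours
# from the print server and writes one semicolon-delimited line per print job.
#
# Output, all under c:\scripts\printaudit_logs:
#   log_<day>_<month>_<year>.log - transcript of this run
#   Audit.csv    - raw file, appended to on every run (no header line is written to it)
#   last_run.csv - rewritten on every run: run timestamp, header line, then the records
#
# NOTE(review): the transcript and both CSV files show who printed which document -
# confirm the permissions on this folder limit access to the people who need the report.
# NOTE(review): only events still present in the Operational log can be collected -
# confirm its maximum size is large enough to hold a full week of print jobs.
$dat = Get-Date
$name = "$($dat.Day)_$($dat.Month)_$($dat.Year)"
Start-Transcript "c:\scripts\printaudit_logs\log_$($name).log"
#print audit script
$pserv = "PrintServerName"
$AuFileRaw = "c:\scripts\printaudit_logs\Audit.csv"
$AuFileLRD = "c:\scripts\printaudit_logs\last_run.csv"

# Makes one event value safe to store as a single field of the ';'-delimited line.
# Document names are chosen by whoever prints, so they are treated as untrusted text.
function ConvertTo-SafeCsvField([string]$Value) {
    # ';', quotes and line breaks would shift columns or start a new record
    $clean = $Value -replace ';', ',' -replace '"', "'" -replace '[\r\n]+', ' '
    # a leading = + - or @ makes spreadsheet programs evaluate the cell as a formula
    if ($clean -match '^[=+\-@]') { $clean = "'" + $clean }
    return $clean
}

try {
    # Starts last_run.csv afresh; the run timestamp becomes its first line.
    $dat | Out-File $AuFileLRD

    # Let the event log service do the filtering instead of pulling every
    # PrintService event over the network and discarding most of them locally.
    $filter = @{
        ProviderName = "Microsoft-Windows-PrintService"
        Id           = 307
        StartTime    = $dat.AddHours(-168)
    }
    try {
        $a = @(Get-WinEvent -FilterHashtable $filter -ComputerName $pserv -ErrorAction Stop)
    }
    catch {
        # "nothing printed" is a valid result; any other failure (server unreachable,
        # access denied, log disabled) must not look like an empty audit
        if ($_.FullyQualifiedErrorId -like "NoMatchingEventsFound*") { $a = @() }
        else { throw }
    }

    #read event from file
    #$a = @(Get-WinEvent -FilterHashtable @{ Path = 'C:\Scripts\PrintAudit_logs\system log.evtx'; Id = 307 })

    $lr = "DocName;user;IP;Printer;IP Port;size;pages;Date"
    $lr | Out-File $AuFileLRD -Append

    foreach ($rec in $a) {
        # Read the values from the event's structured data (Param1..Param8) rather than
        # cutting the message text at phrases like " owned by " or " on ": a document
        # name containing such a phrase or a ';' would otherwise move values into the
        # wrong columns, and the message wording depends on the server's language.
        $d = ([xml]$rec.ToXml()).Event.UserData.DocumentPrinted
        if ($d -eq $null) {
            Write-Warning "Event $($rec.RecordId) carries no DocumentPrinted data - skipped"
            continue
        }
        $fields = @(
            "Document $($d.Param1), $($d.Param2)",   # job id, document name
            $d.Param3,                               # user
            $d.Param4,                               # client computer
            $d.Param5,                               # printer
            $d.Param6,                               # port
            $d.Param7,                               # size in bytes
            $d.Param8                                # pages printed
        ) | ForEach-Object { ConvertTo-SafeCsvField $_ }
        $r = $fields -join ";"
        $r   # echo the record so it shows up in the transcript
        $out = "$($r);$($rec.TimeCreated)"
        #saving to raw file
        $out | Out-File $AuFileRaw -Append
        $out | Out-File $AuFileLRD -Append
    }

    # Report generation and mail sending are not implemented in this version.
}
finally {
    # close the transcript even when the run is aborted by an error
    Stop-Transcript
}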

Update: I made a new version of the script that gathers print reports for a selected period. It is also faster, because I added conditions so that empty lines are not included in the reports. Here is the new version. The lines marked in blue are the ones to change in order to alter the period, the location of the logs and the print server name:

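#Version 1.1
# Monthly print audit.
# Collects PrintService event ID 307 ("document printed") records of the previous
# calendar month from the print server, writes them as ';'-delimited text, exports one
# CSV per user and one per printer, and mails a notice to the administrator.
#
# Output, all under c:\scripts\printaudit_logs:
#   log_<day>_<month>_<year>.log          - transcript of this run
#   Audit.csv, last_run.csv               - header + records, both rewritten on every run
#   stats_<month>_<year>\uzivatelske\     - one CSV per user
#   stats_<month>_<year>\tiskarny\        - one CSV per printer
#
# NOTE(review): the mail points readers at \\ophqms01\printaudit_logs, so this data is
# reachable over a share; it shows who printed which document - confirm share and NTFS
# permissions limit access to the people who need the report.
# NOTE(review): only events still present in the Operational log can be collected -
# confirm its maximum size is large enough to hold a full month of print jobs.
$dat = Get-Date
$name = "$($dat.Day)_$($dat.Month)_$($dat.Year)"
Start-Transcript "c:\scripts\printaudit_logs\log_$($name).log"
#print audit script
$pserv = "OPHQMS01"
$AuFileRaw = "c:\scripts\printaudit_logs\Audit.csv"
$AuFileLRD = "c:\scripts\printaudit_logs\last_run.csv"
$AuFileRep = "c:\scripts\printaudit_logs\Audit_$name.html"   # not written by this version
$smtpserver = "smtp.domain.local"
$adminrecip = "zbynek.salon@salonovi.cz"

# Reporting period = the previous calendar month, as the range [start, end).
# Comparing full dates instead of only the month number keeps events of the same
# month in an earlier year out of the report.
$prev = $dat.AddMonths(-1)
$periodStart = (Get-Date -Year $prev.Year -Month $prev.Month -Day 1).Date
$periodEnd = $periodStart.AddMonths(1)
# Suffix for folder and file names. The year comes from the previous month as well,
# so a run in January is labelled with December of the old year.
$lastm = "_$($prev.Month)_$($prev.Year)"
$statsDir = "c:\scripts\printaudit_logs\stats$($lastm)"

# Makes one event value safe to store as a single field of the ';'-delimited line.
# Document names are chosen by whoever prints, so they are treated as untrusted text.
function ConvertTo-SafeCsvField([string]$Value) {
    # ';', quotes and line breaks would change how Import-Csv splits the line
    $clean = $Value -replace ';', ',' -replace '"', "'" -replace '[\r\n]+', ' '
    # a leading = + - or @ makes spreadsheet programs evaluate the cell as a formula
    if ($clean -match '^[=+\-@]') { $clean = "'" + $clean }
    return $clean
}

# Turns a user or printer name into a plain file name: path separators and the other
# characters Windows forbids in file names become '_', so a value taken from the
# event log can never point outside the stats folder.
function ConvertTo-SafeFileName([string]$Name) {
    $invalid = [regex]::Escape(([IO.Path]::GetInvalidFileNameChars() -join ""))
    return ($Name -replace "[$invalid]", "_")
}

try {
    ################################# Test mode - uncomment
    #$dat | Out-File $AuFileLRD

    # Let the event log service do the filtering instead of pulling every
    # PrintService event over the network and discarding most of them locally.
    $filter = @{
        ProviderName = "Microsoft-Windows-PrintService"
        Id           = 307
        StartTime    = $periodStart
        EndTime      = $periodEnd
    }
    try {
        $a = @(Get-WinEvent -FilterHashtable $filter -ComputerName $pserv -ErrorAction Stop)
    }
    catch {
        # "nothing printed" is a valid result; any other failure (server unreachable,
        # access denied, log disabled) must not be mailed out as an empty report
        if ($_.FullyQualifiedErrorId -like "NoMatchingEventsFound*") { $a = @() }
        else { throw }
    }
    #read event from file
    #$a = @(Get-WinEvent -FilterHashtable @{ Path = 'C:\scripts12013-082013.evtx'; Id = 307; StartTime = $periodStart; EndTime = $periodEnd })

    # keep the upper bound exclusive: midnight of the 1st belongs to the next month
    $b = @($a | Where-Object { $_.TimeCreated -ge $periodStart -and $_.TimeCreated -lt $periodEnd })

    #creating folder structure (a previous result for the same month is replaced)
    if (Test-Path $statsDir) { Remove-Item -Recurse -Force $statsDir }
    New-Item -ItemType Directory -Path $statsDir -ErrorAction SilentlyContinue
    New-Item -ItemType Directory -Path "$statsDir\uzivatelske" -ErrorAction SilentlyContinue
    New-Item -ItemType Directory -Path "$statsDir\tiskarny" -ErrorAction SilentlyContinue

    $lr = "Dokument;Uživatel;IP;Tiskárna;IPPort;Velikost;Stran;Datum"
    $lr | Out-File $AuFileLRD
    $lr | Out-File $AuFileRaw

    foreach ($rec in $b) {
        # Read the values from the event's structured data (Param1..Param8) rather than
        # cutting the message text at phrases like " owned by " or " on ": a document
        # name containing such a phrase or a ';' would otherwise move values into the
        # wrong columns, and the user column later decides the report file name.
        $d = ([xml]$rec.ToXml()).Event.UserData.DocumentPrinted
        if ($d -eq $null) { continue }
        $fields = @(
            "Document $($d.Param1), $($d.Param2)",   # job id, document name
            $d.Param3,                               # user
            $d.Param4,                               # client computer
            $d.Param5,                               # printer
            $d.Param6,                               # port
            $d.Param7,                               # size in bytes
            $d.Param8                                # pages printed
        ) | ForEach-Object { ConvertTo-SafeCsvField $_ }
        $out = "$($fields -join ';');$($rec.TimeCreated)"
        #saving to raw file
        $out | Out-File $AuFileRaw -Append
        $out | Out-File $AuFileLRD -Append
    }

    #generate reports
    $Rep = @(Import-Csv $AuFileLRD -Delimiter ";")

    # user stats: one file per user; each group already holds that user's rows
    foreach ($us in @($Rep | Group-Object uživatel)) {
        $uout = "$statsDir\uzivatelske\$(ConvertTo-SafeFileName $us.Name)$($lastm).csv"
        $us.Group | Select-Object * -ExcludeProperty uživatel,ip,velikost,ipport |
            Export-Csv $uout -Encoding unicode -Delimiter ";"
    }
    # printer stats: one file per printer
    foreach ($pr in @($Rep | Group-Object tiskárna)) {
        $prout = "$statsDir\tiskarny\$(ConvertTo-SafeFileName $pr.Name)$($lastm).csv"
        $pr.Group | Select-Object * -ExcludeProperty tiskárna,ip,velikost,ipport |
            Export-Csv $prout -Encoding unicode -Delimiter ";"
    }
    # Job counts per printer and per user/printer pair, most active first.
    # Nothing below writes these out yet.
    $psum = $Rep | Group-Object tiskárna | Sort-Object count -Descending | Select-Object name,count
    $usum = $Rep | Group-Object uživatel,tiskárna | Sort-Object count -Descending | Select-Object name,count

    #sending mail (the body holds only the period label, no data taken from events)
    $body = "Zdravím,

Statistiky za měsíc $($lastm) naleznete v \\ophqms01\printaudit_logs .

S pozdravem
Admin"
    Send-MailMessage -From zbynek.salon@domain.local -To $adminrecip -Subject "Print audit" -Body $body -BodyAsHtml -Encoding ([System.Text.Encoding]::unicode) -SmtpServer $smtpserver
}
finally {
    # close the transcript even when the run is aborted by an error
    Stop-Transcript
}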