I checked the parameters startswith and endswith, but I have the problem that this only works if an event starts with EventID 560 and ends with ID 562. But if there are many events with 567 between these two events, it seems that this doesn't work.
I will check this on Monday morning and come back to you.
Thanks for your answer.
Next week I will test it and come back to you.
But I have read in the documentation that the fschange tool will display the user information only on Unix.
By the way, I have created the following query.
source="WMI:WinEventLog:Security" EventCode=560 OR EventCode=562 OR EventCode=567 NOT User="NT AUTHORITY\\SYSTEM" | transaction Handle_ID Prozess_ID | stats values(Object_Name) AS Object by User
With this query I get too many files in my output. I think I have to use transaction parameters like maxspan or maxevents to narrow down the output. It seems that there are multiple Handle_IDs and Prozess_IDs with the same values.
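The pairing problem described in the last two posts (a 560 handle-open, any number of 567 access events, then a 562 handle-close, with Handle_ID numbers being reused between transactions) can be made explicit outside Splunk. The following Python is an added example, not code from the thread or from Splunk: it groups constructed sample events by (Handle_ID, Prozess_ID) the way the transaction command does, but closes a transaction on 562 and starts a fresh one on the next 560, so a reused handle number cannot merge two different files. The field names follow the query above; maxspan and maxevents are modelled on the SPL options of the same name.

```python
"""Reconstruct Windows Security 560/562/567 handle transactions (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"   # excluded from the per-user summary, as in the query


@dataclass
class Transaction:
    """One 560 ... 562 handle lifetime plus the 567 accesses seen in between."""
    user: str
    handle_id: str
    process_id: str
    object_name: str
    opened: datetime
    closed: Optional[datetime] = None   # None: handle never closed (or cut by maxspan/maxevents)
    access_events: int = 0


def build_transactions(events, maxspan: Optional[timedelta] = None,
                       maxevents: Optional[int] = None) -> List[Transaction]:
    """Group events by (Handle_ID, Prozess_ID); 560 opens, 562 closes.

    A 560 on a key that is still open ends the previous transaction (handle
    number reused without a 562). maxspan/maxevents work like the SPL options:
    an event that would exceed them ends the transaction and is discarded.
    """
    open_txns: Dict[Tuple[str, str], Transaction] = {}
    finished: List[Transaction] = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["Handle_ID"], ev["Prozess_ID"])
        code = ev["EventCode"]
        if code == 560:
            if key in open_txns:                       # reuse without a close
                finished.append(open_txns.pop(key))
            open_txns[key] = Transaction(ev["User"], key[0], key[1],
                                         ev.get("Object_Name", ""), ev["time"])
            continue
        txn = open_txns.get(key)
        if txn is None:                                # 562/567 with no matching 560
            continue
        if maxspan is not None and ev["time"] - txn.opened > maxspan:
            finished.append(open_txns.pop(key))
            continue
        if maxevents is not None and txn.access_events + 2 > maxevents:
            finished.append(open_txns.pop(key))       # +2: the opening 560 and this event
            continue
        if code == 567:
            txn.access_events += 1
        elif code == 562:
            txn.closed = ev["time"]
            finished.append(open_txns.pop(key))
    return sorted(finished + list(open_txns.values()), key=lambda t: t.opened)


def objects_by_user(transactions, exclude_user: str = SYSTEM_USER) -> Dict[str, List[str]]:
    """Equivalent of: stats values(Object_Name) AS Object by User."""
    result: Dict[str, set] = {}
    for t in transactions:
        if t.user == exclude_user or not t.object_name:
            continue
        result.setdefault(t.user, set()).add(t.object_name)
    return {u: sorted(objs) for u, objs in result.items()}


# Constructed sample events (not real log data). 562 events carry no Object_Name,
# as in the real Security log.
T0 = datetime(2011, 12, 19, 9, 0, 0)


def _ev(offset_s, code, user, handle, pid, obj=None):
    e = {"time": T0 + timedelta(seconds=offset_s), "EventCode": code,
         "User": user, "Handle_ID": handle, "Prozess_ID": pid}
    if obj is not None:
        e["Object_Name"] = obj
    return e


SAMPLE_EVENTS = [
    _ev(0, 560, "alice", "0x1a4", "1234", r"C:\Data\budget.xlsx"),
    _ev(1, 567, "alice", "0x1a4", "1234"),
    _ev(2, 567, "alice", "0x1a4", "1234"),
    _ev(3, 562, "alice", "0x1a4", "1234"),
    _ev(4, 560, "alice", "0x1a4", "1234", r"C:\Data\notes.txt"),    # same handle number reused
    _ev(5, 562, "alice", "0x1a4", "1234"),
    _ev(6, 560, "bob", "0x2b0", "5678", r"C:\Data\secret.docx"),
    _ev(7, 567, "bob", "0x2b0", "5678"),                            # never closed
    _ev(8, 560, SYSTEM_USER, "0x300", "4", r"C:\Windows\Temp\x.tmp"),
    _ev(9, 562, SYSTEM_USER, "0x300", "4"),
    _ev(10, 560, "carol", "0x1a4", "9999", r"C:\Data\a.txt"),
    _ev(11, 560, "carol", "0x1a4", "9999", r"C:\Data\b.txt"),       # reused without a 562
    _ev(12, 562, "carol", "0x1a4", "9999"),
]

if __name__ == "__main__":
    for t in build_transactions(SAMPLE_EVENTS):
        print(t.user, t.object_name, "accesses=%d" % t.access_events, "closed=%s" % t.closed)
    print(objects_by_user(build_transactions(SAMPLE_EVENTS)))
```

Without the explicit close on 562, alice's two handle lifetimes (budget.xlsx and notes.txt) and carol's two would each collapse into one transaction, which is the "too many files per transaction" effect seen in the query above; running with maxspan=timedelta(seconds=1) shows the other failure mode, where a long-running handle is cut off and its later 567 and 562 events are dropped.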
Try using fschange again, using the search "source=fschange". I set it up and tested it, and I get uid, gid, etc. This was on my Mac, but the same info should work on Windows too. Here is my result from creating a file in /etc called touch.cfg.
Tue Dec 20 08:16:28 2011 action=update, path="/etc/touch.cfg", isdir=0, size=90, gid=0, uid=502, modtime="Tue Dec 20 08:16:08 2011", mode="rw-r--r--", hash=, chgs="mod time "
inputs.conf (using whitelist and blacklist):
regex1 = touch.cfg
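To get the uid and gid out of that fschange line into something you can group on (the "who touched which file" question the thread started with), the line needs parsing: the timestamp has no key, values may be quoted and contain spaces or commas, and some keys are empty (hash=). The following Python parser is an added example, not part of the answer above or of Splunk; it uses the line shown above as its sample and a second constructed line for the grouping. Treating chgs as a comma-separated list is an assumption about the format.

```python
"""Parse Splunk fschange lines and group changed paths by uid (added example)."""
import re
from datetime import datetime
from typing import Dict, List

# First line copied from the fschange output shown above; second line constructed
FSCHANGE_LINES = [
    'Tue Dec 20 08:16:28 2011 action=update, path="/etc/touch.cfg", isdir=0, size=90, '
    'gid=0, uid=502, modtime="Tue Dec 20 08:16:08 2011", mode="rw-r--r--", hash=, '
    'chgs="mod time "',
    'Tue Dec 20 08:20:01 2011 action=add, path="/etc/cron.d/job", isdir=0, size=12, '
    'gid=0, uid=0, modtime="Tue Dec 20 08:20:01 2011", mode="rw-r--r--", hash=, chgs=""',
]

_LINE_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (.*)$")
# key=value pairs; a quoted value may contain spaces and commas, a bare value ends at ','
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,]*))')
_TS_FMT = "%a %b %d %H:%M:%S %Y"


def parse_fschange(line: str) -> dict:
    """Return one fschange line as a dict with typed values."""
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not an fschange line: %r" % line)
    rec = {"time": datetime.strptime(m.group(1), _TS_FMT)}
    for key, quoted, bare in _FIELD_RE.findall(m.group(2)):
        value = quoted if quoted else bare.strip()
        if key == "isdir":
            rec[key] = value == "1"
        elif key in ("size", "gid", "uid"):
            rec[key] = int(value) if value else None
        elif key == "modtime":
            rec[key] = datetime.strptime(value, _TS_FMT) if value else None
        elif key == "chgs":                    # assumed comma-separated list
            rec[key] = [c.strip() for c in value.split(",") if c.strip()]
        elif key == "hash":
            rec[key] = value or None           # hash= (empty) means no hash computed
        else:
            rec[key] = value
    return rec


def paths_by_uid(lines: List[str]) -> Dict[int, List[str]]:
    """Like 'stats values(path) by uid': which uid changed which paths."""
    result: Dict[int, set] = {}
    for line in lines:
        rec = parse_fschange(line)
        if rec.get("uid") is None:
            continue
        result.setdefault(rec["uid"], set()).add(rec["path"])
    return {uid: sorted(paths) for uid, paths in result.items()}


if __name__ == "__main__":
    for line in FSCHANGE_LINES:
        print(parse_fschange(line))
    print(paths_by_uid(FSCHANGE_LINES))
```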