I'm looking for a script that will read the Security Event Log on a w2k3
server from the previous day and email it to an email address.
I can't seem to get the query to return both the previous day's successful /
failed logins along with the date query.
Does anyone know of a script, or can point me in the right direction?
Regards
Don Grover
dgrover@assoft.com.au

Re: Log all Successful and Failed Logins by Torgeir

Torgeir
Sun Aug 15 18:03:12 CDT 2004

Donald Grover wrote:

> I'm looking for a script that will read the Security Event Log on a w2k3
> server from the previous day and email it to an email address.
> I can't seem to get the query to return both the previous day's successful /
> failed logins along with the date query.
> Does anyone know of a script, or can point me in the right direction?

Hi

A start point maybe:
http://groups.google.com/groups?threadm=OWoEok%238CHA.1604%40TK2MSFTNGP10.phx.gbl


The command line utility PsLoglist in the free PsTools suite is also
an option I would think

http://www.sysinternals.com/ntw2k/freeware/pstools.shtml


I would think Microsoft's Log Parser might be able to do this as well.
You can run SQL-like queries against different types of log files.

Microsoft Log Parser
http://www.microsoft.com/downloads/results.aspx?freetext=log+parser

The date part can be a bit tricky, some examples of use:
http://groups.google.com/groups?selm=b6fe63%244ojeu%241%40ID-156657.news.dfncis.de

http://groups.google.com/groups?selm=b6n9qc%2475lki%241%40ID-156657.news.dfncis.de

http://groups.google.com/groups?selm=b6jvoj%2464ap1%241%40ID-156657.news.dfncis.de



--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx

Re: Log all Successful and Failed Logins by Dave

Dave
Sun Aug 15 18:48:28 CDT 2004

Something like this may get you started. Then just query the Access
database.

Dim strConnect, strSQL, yr, m, d, h, min, s, timeobj

' Access (Jet) database that receives the event records
strConnect = "Provider=Microsoft.Jet.OLEDB.4.0;" _
    & "Data Source=D:\Data\Access\Eventlog.mdb;" _
    & "Mode=ReadWrite;Persist Security Info=False"
strSQL = "SELECT Category, ComputerName, EventCode, " _
    & "Message, EventType, RecordNumber, SourceName, " _
    & "Type, User, TimeGenerated, TimeWritten FROM EventTable; "

Set objConn = CreateObject("ADODB.Connection")
Set objRS = CreateObject("ADODB.Recordset")
objConn.Open strConnect
objRS.CursorLocation = 3            ' adUseClient
objRS.Open strSQL, objConn, 3, 3    ' adOpenStatic, adLockOptimistic

' Read the events from the local machine through WMI
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!" _
    & "\\" & strComputer & "\root\cimv2")
Set colRetrievedEvents = objWMIService.ExecQuery("Select * " _
    & "from Win32_NTLogEvent Where logfile = 'System'")

' Copy every event into a new row of EventTable
For Each objEvent in colRetrievedEvents
    ' If objEvent.SourceName = "PercRAID.Log" Then
    objRS.AddNew
    objRS("Category") = objEvent.Category
    objRS("ComputerName") = objEvent.ComputerName
    objRS("EventCode") = objEvent.EventCode
    objRS("Message") = objEvent.Message
    objRS("EventType") = objEvent.EventType
    objRS("RecordNumber") = objEvent.RecordNumber
    objRS("SourceName") = objEvent.SourceName
    objRS("Type") = objEvent.Type
    objRS("User") = objEvent.User
    objRS("TimeGenerated") = DateTime2String(objEvent.TimeGenerated)
    objRS("TimeWritten") = DateTime2String(objEvent.TimeWritten)
    objRS.Update
    ' End If
Next
objRS.Close
objConn.Close

' Convert a WMI datetime string (yyyymmddHHMMSS...) to mm/dd/yyyy hh:mm:ss
Function DateTime2String(timeobj)
    yr = Left(timeobj,4)
    m = Mid(timeobj,5,2)
    d = Mid(timeobj,7,2)
    h = Mid(timeobj,9,2)
    min = Mid(timeobj,11,2)
    s = Mid(timeobj,13,2)
    DateTime2String = m & "/" & d & "/" & yr _
        & " " & h & ":" & min & ":" & s
End Function

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

"Donald Grover" <dgrover@assoft.com.au> wrote in message
news:uuLUnoxgEHA.3264@tk2msftngp13.phx.gbl...
| I'm looking for a script that will read the Security Event Log on a w2k3
| server from the previous day and email it to an email address.
| I can't seem to get the query to return both the previous day's successful /
| failed logins along with the date query.
| Does anyone know of a script, or can point me in the right direction?
| Regards
| Don Grover
| dgrover@assoft.com.au



Re: Log all Successful and Failed Logins by Donald

Donald
Mon Aug 16 01:25:49 CDT 2004

This is what I came up with, if anybody is interested.
It's doing what I want, although I can't break up the .Message string returned.
I just copied bits and pieces from wscript.chm.

Option Explicit
Dim dtmStartDate, dtmEndDate, DateToCheck, strComputer
Dim objWMIService, colEvents, objEvent, sMessageStringCat, sheader
Dim CONVERT_TO_LOCAL_TIME, iCounter

'Application Variables
Dim sEmailFrom, sEmailTo, iEmailPort, sConEmailMonitor
sEmailFrom = "xxx@netspace.net.au"
sEmailTo = "xxx@netspace.net.au"
sConEmailMonitor = "xxxx@netspace.net.au"
strComputer = "servernamegoeshere"
iEmailPort = 25
iCounter = 0

sheader = String(55, "_")
CONVERT_TO_LOCAL_TIME = True

' Date window: midnight yesterday (inclusive) to midnight today (exclusive)
Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
DateToCheck = Date - 1
dtmStartDate.SetVarDate DateToCheck, CONVERT_TO_LOCAL_TIME
dtmEndDate.SetVarDate DateToCheck + 1, CONVERT_TO_LOCAL_TIME

' (Security) enables the privilege needed to read the Security log
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!\\" & _
    strComputer & "\root\cimv2")

' Event 529 = logon failure (unknown user name or bad password)
Set colEvents = objWMIService.ExecQuery("Select * from Win32_NTLogEvent " _
    & "Where LogFile='Security' AND (TimeWritten >= '" _
    & dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "') AND " _
    & "(EventCode='529') ")

For Each objEvent In colEvents
    iCounter = iCounter + 1
    sMessageStringCat = sMessageStringCat & vbCrLf & sheader & vbCrLf & _
        vbTab & "Category: " & objEvent.Category & vbCrLf & _
        vbTab & "Computer Name: " & objEvent.ComputerName & vbCrLf & _
        vbTab & "Message: " & objEvent.Message
Next

Set colEvents = Nothing
Set objWMIService = Nothing

' Only send a report when at least one event was found
If iCounter > 0 Then
    SendEmailNotification "Email remote login security report from " & _
        UCase(strComputer), "Sent: " & FormatDateTime(Now) & vbCrLf & _
        "This is an automated security report from " & _
        UCase(strComputer) & vbCrLf & _
        "The below list is all FAILED remote logins to " & strComputer & _
        " By Windows Terminal Services " & vbCrLf & sMessageStringCat
End If
WScript.Quit

Function SendEmailNotification(TheSubJect, TheBody)
    '******************************************************
    '*** Send the message Using CDOSYS Win2k & Win2003 ****
    '******************************************************
    On Error Resume Next
    ' CDO mail object
    Dim sch, cdoConfig, cdoMessage, sError
    sch = "http://schemas.microsoft.com/cdo/configuration/"
    Set cdoConfig = CreateObject("CDO.Configuration")
    cdoConfig.Fields.Item(sch & "sendusing") = 2
    cdoConfig.Fields.Item(sch & "smtpserverport") = iEmailPort
    cdoConfig.Fields.Item(sch & "smtpserver") = strComputer
    cdoConfig.Fields.Update

    Set cdoMessage = CreateObject("CDO.Message")
    Set cdoMessage.Configuration = cdoConfig
    cdoMessage.From = sEmailFrom
    cdoMessage.To = sEmailTo
    cdoMessage.BCC = sConEmailMonitor
    cdoMessage.Subject = TheSubJect
    cdoMessage.TextBody = TheBody
    ' cdoMessage.item("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate").value = 1 ' use clear text authenticate
    ' cdoMessage.item("http://schemas.microsoft.com/cdo/configuration/sendpassword").value = "mypassword"
    ' cdoMessage.item("http://schemas.microsoft.com/cdo/configuration/sendusername").value = "yourusername"
    cdoMessage.Fields.Item("urn:schemas:mailheader:X-MSMail-Priority") = "High"
    cdoMessage.Fields.Item("urn:schemas:mailheader:X-Priority") = 2
    cdoMessage.Fields.Item("urn:schemas:mailheader:Keywords") = "COKESHOP"
    cdoMessage.Fields.Item("urn:schemas:mailheader:Sensitivity") = "Company-Confidential"
    cdoMessage.Fields.Item("urn:schemas:mailheader:X-Message-Flag") = "Do not Forward"
    cdoMessage.Fields.Update
    cdoMessage.Send
    Set cdoMessage = Nothing
    Set cdoConfig = Nothing

    If Err.Number <> 0 Then
        sError = Err.Description
    End If
    On Error GoTo 0
End Function







"Donald Grover" <dgrover@assoft.com.au> wrote in message
news:uuLUnoxgEHA.3264@tk2msftngp13.phx.gbl...
> I'm looking for a script that will read the Security Event Log on a w2k3
> server from the previous day and email it to an email address.
> I can't seem to get the query to return both the previous day's successful
> / failed logins along with the date query.
> Does anyone know of a script, or can point me in the right direction?
> Regards
> Don Grover
> dgrover@assoft.com.au
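
The post above mentions that the .Message string could not be broken up. The following is an added example, not part of the original thread: it splits a Security event message into labelled fields and builds a one-line summary per logon event. The function names, the sample account and address, and the field labels (assumed to follow the W2K3 event 529 layout) are illustrative assumptions.

```vbscript
Option Explicit
Dim sSample

' Split an event Message into a label -> value dictionary, one entry per
' "Label: value" line. Only the FIRST colon splits, so values keep theirs.
Function ParseEventMessage(vMessage)
    Dim dict, sText, sLine, iPos
    Set dict = CreateObject("Scripting.Dictionary")
    dict.CompareMode = vbTextCompare            ' labels are case-insensitive
    If IsNull(vMessage) Then sText = "" Else sText = vMessage  ' Message may be Null
    For Each sLine In Split(Replace(sText, vbCrLf, vbLf), vbLf)
        sLine = Trim(Replace(sLine, vbTab, " "))
        iPos = InStr(sLine, ":")
        If iPos > 1 Then
            If Not dict.Exists(Trim(Left(sLine, iPos - 1))) Then
                dict.Add Trim(Left(sLine, iPos - 1)), Trim(Mid(sLine, iPos + 1))
            End If
        End If
    Next
    Set ParseEventMessage = dict
End Function

' Return a field, or "-" when the event text does not carry it.
Function GetField(dict, sName)
    GetField = "-"
    If dict.Exists(sName) Then
        If Len(dict(sName)) > 0 Then GetField = dict(sName)
    End If
End Function

' One report line per event: result, account, logon type, source address.
Function SummariseLogon(iEventCode, vMessage)
    Dim dict, sResult
    Set dict = ParseEventMessage(vMessage)
    If iEventCode = 529 Then sResult = "FAILED" Else sResult = "OK"  ' caller queries logon events only
    SummariseLogon = sResult & vbTab & GetField(dict, "Domain") & "\" & _
        GetField(dict, "User Name") & vbTab & "type " & _
        GetField(dict, "Logon Type") & vbTab & "from " & _
        GetField(dict, "Source Network Address")
End Function

' Constructed sample text laid out like a W2K3 event 529 message (assumed labels).
sSample = "Logon Failure:" & vbCrLf & vbTab & "Reason:" & vbTab & vbTab & _
    "Unknown user name or bad password" & vbCrLf & _
    vbTab & "User Name:" & vbTab & "jdoe" & vbCrLf & _
    vbTab & "Domain:" & vbTab & vbTab & "EXAMPLE" & vbCrLf & _
    vbTab & "Logon Type:" & vbTab & "10" & vbCrLf & _
    vbTab & "Source Network Address:" & vbTab & "192.0.2.10" & vbCrLf
WScript.Echo SummariseLogon(529, sSample)
```

Inside a For Each loop over Win32_NTLogEvent results, SummariseLogon(objEvent.EventCode, objEvent.Message) can take the place of the raw Message text. The same function covers successful logons if the WHERE clause is widened with OR EventCode='528' OR EventCode='540'.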