  • File LDAPLogging.ps1 — part of check-in [9e30e7fb17] at 2018-06-10 13:29:08 on branch trunk — Functions to view/enable/disable LDAP query logging on a DC and parse eventlog message from logged queries. (user: Patrick Sczepanski size: 6295)

# encoding: ascii
# api: powershell
# title: LDAPLogging
# description: Functions to view/enable/disable LDAP query logging on a DC and parse eventlog message from logged queries.
# version: 1.0
# type: function
# author: Patrick Sczepanski 
# license: CC0
# x-poshcode-id: 3673
# x-archived: 2012-10-21T16:40:56
# x-published: 2012-10-01T13:45:00
#
#

function Private:Configure-Logging {
    # NOTE(review): the comment-based help delimiters (<# ... #>) around the text below are
    # missing from this extraction; the lines down to the .LINK entries are the original help
    # (synopsis, examples, author notes), not executable code.
        Use one of the following aliases:
        Get-LDAPLogging
            View current LDAP logging settings
        Enable-LDAPLogging
            Enables LDAP logging. Logging is set to log every single LDAP query and stores it in directory services log.
        Disable-LDAPLogging
            Disables LDAP logging. Logging is set to its default values.
		PS C:\> Get-LDAPLogging
		PS C:\> Enable-LDAPLogging DC1
		Author:    Patrick Sczepanski 
        Version:   1.0
        Email:     patrick -at- sczepanski -dot- com
                   patrick -dot- redtoo -at- redtoo -dot- com
        Blog:      http://redtoo.com/blog
        Copyright: 2012
        Enable-LDAPLogging
        Disable-LDAPLogging
        Get-LDAPEventLog
    # $HostName: the domain controller whose NTDS registry settings are read or changed;
    # defaults to the local machine.
    Param (
        [string]
        $HostName = $env:COMPUTERNAME
    )
    # Tri-state mode: $null = only read the current settings, $true = enable verbose
    # logging, $false = restore defaults. Selected below from the alias used to call us.
    [System.Nullable``1[[System.Int32]]]$EnableLogging = $null
    # Dispatch on the invoking alias (Get-/Enable-/Disable-LDAPLogging are created right after
    # this function). The case labels of the first two branches are missing from this extraction.
    switch ( $MyInvocation.InvocationName ) {
            # Enable: per the help text above, thresholds of 1 make every LDAP query get logged.
            # On a busy DC that is a large event volume; check the Directory Service log size
            # and plan to Disable again. $Threshold is set here but the writes below use literal 1.
            [System.Nullable``1[[System.Int32]]]$EnableLogging = $true
            [bool]$ReadWrite = $true
            [int]$Threshold = 1
            [int]$FieldEngDef = 5
            break
        }
            # Disable: remove the threshold overrides and write diagnostics level 0.
            [System.Nullable``1[[System.Int32]]]$EnableLogging = $false
            [bool]$ReadWrite = $true
            [int]$Threshold = 0
            [int]$FieldEngDef = 0
            break
        }
        Default     { 
            # Read-only: subkeys are opened without write access.
            [System.Nullable``1[[System.Int32]]]$EnableLogging = $null
            [bool]$ReadWrite = $false
        }
    }
    # NOTE(review): `continue` has no enclosing loop here; in PowerShell that unwinds to a loop
    # in the caller (or ends the script) instead of returning from this function. A `return`
    # is presumably what is meant, here and in the next check.
    if ( -not (Test-Connection $HostName -Quiet -Count 1) ) {
        continue
    }
    # The cmdlet name on the next line is missing from this extraction; the -ComputerName
    # argument and SilentlyContinue suggest a remote WMI/CIM query used as a reachability or
    # role check — confirm against the original.
    if ( -not ( 
                      -ComputerName $HostName -ErrorAction SilentlyContinue) ) {
        continue
    }
    # Remote registry access to HKLM on the target (Remote Registry service). Enable/Disable
    # need write rights on the NTDS keys; Get only needs read.
    $baseKey = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey( "LocalMachine", $HostName   )
    try {
        # $NTDSParams, $ExpThre and $IneThre are defined outside the visible lines; from the
        # usage they hold the NTDS Parameters subkey path and the two threshold value names.
        $key = $baseKey.OpenSubKey($NTDSParams,$ReadWrite)
        if ( $EnableLogging -eq $true ) { 
            $key.SetValue( $ExpThre, 1, [Microsoft.Win32.RegistryValueKind]::DWord )
            $key.SetValue( $IneThre, 1, [Microsoft.Win32.RegistryValueKind]::DWord )
        } elseif ( $EnableLogging -eq $false ) {
            # The values are deleted rather than zeroed, presumably so the DC falls back to
            # its built-in thresholds ("default values" in the help text).
            $key.DeleteValue( $ExpThre )
            $key.DeleteValue( $IneThre )
        }
        $ExpThreValue = $key.GetValue($ExpThre)
        $IneThreValue = $key.GetValue($IneThre)
        $key.Close()
    }
    catch {
        # TODO(review): errors (access denied, missing subkey, Remote Registry unavailable)
        # are swallowed, so a failed enable/disable looks like success with empty values and
        # $key may be left unclosed. At least surface the error with Write-Warning.
    }
    try {
        # $NTDSDiag and $FieldEng are defined outside the visible lines. $FieldEngDef is the
        # diagnostics level chosen above (5 enable / 0 disable) and is only written in those modes.
        $key = $baseKey.OpenSubKey($NTDSDiag,$ReadWrite)
        if ( $EnableLogging -ne $null ) { 
            $key.SetValue( $FieldEng, $FieldEngDef )
        } 
        $FieldEngValue = $key.GetValue($FieldEng)
        $key.Close()
    }
    catch {
        # TODO(review): same silent swallow as the first catch above.
    }
    $baseKey.Close()
    # Result object. Its property assignments (presumably $HostName and the three *Value
    # variables read above) are missing from this extraction.
    New-Object PSObject -Property @{
    }
}
# Publish Configure-Logging under the three verb aliases it dispatches on via
# $MyInvocation.InvocationName; -Force overwrites any alias of the same name.
'Get-LDAPLogging', 'Enable-LDAPLogging', 'Disable-LDAPLogging' |
    ForEach-Object { New-Alias -Name $_ -Value Configure-Logging -Force }
Function Global:Get-LDAPEventLog {
    # NOTE(review): the comment-based help delimiters (<# ... #>) around the text below are
    # missing from this extraction; the lines down to the .LINK entries are the original help
    # (example, input/output types, author notes), not executable code.
		PS C:\> Get-LDAPEventLog
		[string],[int]
		[LDAPLookups]
		Author:    Patrick Sczepanski 
        Version:   1.0
        Email:     patrick -at- sczepanski -dot- com
                   patrick -dot- redtoo -at- redtoo -dot- com
        Blog:      http://redtoo.com/blog
        Copyright: 2012
        Enable-LDAPLogging
        Disable-LDAPLogging
# $DNSHostName: DC whose "Directory Service" log is read; accepted from the pipeline by value
# or by a DNSHostName property. $LookupMinutes: how far back from now to read (default 60).
Param (
        [Parameter(ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true,Position=0)]
        [string]
        $DNSHostName = $env:COMPUTERNAME,
        [int]
        $LookupMinutes = 60
    )
    Begin {
        # Reverse-DNS cache shared across all pipeline items, keyed by client IP string;
        # removed again in End.
        $Script:AlreadyLookedUp = @{}
        # Output type: one object per parsed event. NOTE(review): Add-Type runs on every
        # invocation; if LDAPLookups already exists in the session from different source text
        # this is expected to error — confirm.
Add-Type @'
using System;
        public class LDAPLookups {
            public string DNSHostName;
            public string ClientIP;
            public string ClientName;
            public string StartNode;
            public string Filter;
            public string SearchScope;
            public string Attributes;
            public string ServerControls;
            public string Date;
            public string Time;
        }
'@      
    # NOTE(review): the here-string delimiters ($RegEx = @' ... '@) around the pattern below
    # are missing from this extraction. It is matched against $_.Message in Process and
    # depends on the exact CRLF layout of the event 1644 message body.
(?msx)
    # Option m = multi-line e.g. ^=start of line and $=end of line    
    # Option s = single-line e.g. . includes end-of-line    
    # Option x = spaces and comments are allowed in the pattern 
Client:\r\n
  (?<Client>.*)\:(?<Port>.*)\r\n?
Starting\snode\:\r\n
  (?<StartNode>.*?)\r\n
Filter:\r\n
  (?<Filter>.*?)\r\n
Search\sscope:\r\n
  (?<SearchScope>.*?)\r\n
Attribute\sselection:\r\n
  (?<Attributes>.*?)\r\n
Server\scontrols:\r\n
  (?<ServerControls>.*?)\r\n
Visited\sentries:\r\n
  (?<VisitedEntries>.*?)\r\n
Returned\sentries:\r\n
  (?<ReturnedEntries>.*)
    }
    Process {
        # Event ID 1644 from the remote Directory Service log, limited to the last
        # $LookupMinutes measured on the local clock. Needs remote event log access to the DC.
        Get-WinEvent -ComputerName $DNSHostName  -FilterHashtable @{ "LogName"="Directory Service" ; "ID"=1644; StartTime= [datetime]::Now.AddMinutes( -$LookupMinutes ) } |
            Foreach-Object { 
                if ( $_.Message -match $RegEx ) { 
                     # NOTE(review): most property assignments of this hashtable (the $Matches
                     # captures, and the line that sets $ClientIP used below) are missing from
                     # this extraction; only the ClientName lookup body and Time survive.
                     New-Object LDAPLookups -Property @{
                                            # Reverse DNS of the client IP, cached per IP. The
                                            # name comes from the PTR record, i.e. from whoever
                                            # controls the reverse zone — use it as a display
                                            # hint for attribution, not as an authenticated
                                            # identity. GetHostByAddress is obsolete in .NET;
                                            # GetHostEntry is the replacement.
                                            try {
                                                if( -not $AlreadyLookedUp.contains( $ClientIP ) ){
                                                    $AlreadyLookedUp.$ClientIP = ( [System.Net.Dns]::GetHostByAddress( $ClientIP ).HostName )
                                                }
                                            }
                                            catch {
                                                # Lookup failed: cache the raw IP as the name so
                                                # it is not retried for every event.
                                                $AlreadyLookedUp.$ClientIP = $ClientIP
                                            }
                                             $AlreadyLookedUp.$ClientIP
                                        )
                        "Time" = $_.TimeCreated.ToString( "HH:mm:ss" )
                    }
                }
            } 
    } 
    End {
        # Drop the cache so the next run starts with fresh lookups.
        Remove-Variable -Scope Script -Name AlreadyLookedUp
    }
}