
# encoding: ascii
# api: powershell
# title: Security Log Events
# description: Will capture failed and Successful logins for a remote server for the last 24 hours and email to user. Utilizes Get-eventlog for Server 2003.  Change variables on lines 5-13
# version: 0.1
# author: Robert
# license: CC0
# x-poshcode-id: 4339
# x-derived-from-id: 4357
# x-archived: 2016-06-20T19:06:13
# x-published: 2016-07-26T18:43:00
#
#
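###Variable to be changed
##Server Setup
# Reporting window: the 24 hours ending at the moment the script runs.
$startDate = (Get-Date).AddDays(-1) ##-1 equates to previous date
$endDate   = (Get-Date)             ##Current Date
$Server    = "HC900WOC"

##Emails setup
$smtpserver     = "HC900WE2.blah.com"
$smtpfrom       = "Email@someone.com" ##From email
$smtpto         = "Email@someone"     ##To email
$messagesubject = "Logon/Logoff Events for $server for Last 24hours" #email subject
###End variable to be changed

# Store each event from the Security Log with the specified dates and computer in an array:
# $flog = failure logins, $slog = successful logins.
# -After/-Before (and -EntryType) filter on the remote side, instead of pulling the whole
# Security log over the wire and discarding most of it in Where-Object. Get-EventLog may
# report "No matches found" as a non-terminating error when the window is empty; that is
# not a failure of the remote read.
#Searches for FailureAudit entry type
$flog = Get-EventLog -LogName Security -ComputerName $server -EntryType FailureAudit -After $startDate -Before $endDate
#searches for EventID 528 (Windows Server 2003 successful logon; Server 2008+ logs 4624 instead)
$slog = Get-EventLog -LogName Security -ComputerName $server -After $startDate -Before $endDate | Where-Object { $_.EventID -eq 528 }

##for testing to grab the newest 5 events
#$flog = Get-Eventlog -LogName Security -ComputerName $server -EntryType FailureAudit -newest 5
#$slog = Get-Eventlog -LogName Security -ComputerName $server -InstanceId 528 -newest 5

# Separator between the two sections of the mail body. Defined once here; the original
# only set it inside the loops, so it was empty when no events were found.
$break = "`n`n"

#######################################
# Render one Security event as a single report line:
#   "Date: <TimeGenerated>  - User: <ReplacementStrings[0]> - Caller Domain: <ReplacementStrings[1]>"
# Arguments: $entry - an EventLogEntry from Get-EventLog
# Outputs:   the formatted line, terminated by CRLF
# NOTE(review): the ReplacementStrings index layout is event-ID specific; [0]/[1] are
# taken to be user and domain as the original did — confirm against the IDs the target
# server actually emits, since other failure-audit IDs may place different fields there.
#######################################
function Format-LogonEvent($entry) {
    # Labels live here so both loops share them. The original built $table inside the
    # failure loop only, so when there were no failed logons the success lines were
    # rendered without their labels.
    $labels = @("Date: ", " - User: ", " - Caller Domain: ")
    $time   = $labels[0] + $entry.TimeGenerated
    $user   = $labels[1] + $entry.ReplacementStrings[0]
    $domain = $labels[2] + $entry.ReplacementStrings[1]
    # Explicit concatenation. The original wrote "$body + $time, $user + $domain", which
    # only produced the right text because PowerShell stringified the ($time, $user)
    # array with a single space.
    return $time + " " + $user + $domain + "`r`n"
}

#Loop through each security event
[string]$messagebodyf = ""
[string]$messagebodys = ""
foreach ($i in $flog) {
    $messagebodyf += Format-LogonEvent $i
    ##Possible future change to add results to log file.
    ##add-content C:\temp\results.txt $time, $status, $user, $break
}
foreach ($s in $slog) {
    $messagebodys += Format-LogonEvent $s
    ##Possible future change to add results to log file.
    ##add-content C:\temp\results.txt $time, $status, $user, $break
}

##Begin send email portion
# The body lists account names and calling domains, so treat it as sensitive: SmtpClient
# sends plaintext unless $smtp.EnableSsl is set and the relay supports STARTTLS, and no
# credentials are supplied, so the relay must accept mail from this host unauthenticated.
$smtp = New-Object Net.Mail.SmtpClient($smtpServer)
$messagebody = "Failed Logins: `n" + $messagebodyF + $break + "Successful Logins: `n" + $messagebodyS
$smtp.Send($smtpFrom, $smtpTo, $messagesubject, $messagebody)
$startDate=(get-date).addDays(-1) ##-1 equates to previous date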
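# Reporting window end (the start, $startDate, is set on the preceding line).
$endDate = (Get-Date) ##Current Date
$Server  = "HC900WOC"

##Emails setup
$smtpserver     = "HC900WE2.hteeter.ht"
$smtpfrom       = "revans@harristeeter.com" ##From email
$smtpto         = "revans@harristeeter.com"  ##To email
$messagesubject = "Logon/Logoff Events for $server for Last 24hours" #email subject
###End variable to be changed

# Store each event from the Security Log with the specified dates and computer in an array:
# $flog = failure logins, $slog = successful logins.
# -After/-Before (and -EntryType) filter on the remote side, instead of pulling the whole
# Security log over the wire and discarding most of it in Where-Object. Get-EventLog may
# report "No matches found" as a non-terminating error when the window is empty; that is
# not a failure of the remote read.
#Searches for FailureAudit entry type
$flog = Get-EventLog -LogName Security -ComputerName $server -EntryType FailureAudit -After $startDate -Before $endDate
#searches for EventID 528 (Windows Server 2003 successful logon; Server 2008+ logs 4624 instead)
$slog = Get-EventLog -LogName Security -ComputerName $server -After $startDate -Before $endDate | Where-Object { $_.EventID -eq 528 }

##for testing to grab the newest 5 events
#$flog = Get-Eventlog -LogName Security -ComputerName $server -EntryType FailureAudit -newest 5
#$slog = Get-Eventlog -LogName Security -ComputerName $server -InstanceId 528 -newest 5

# Separator between the two sections of the mail body. Defined once here; the original
# only set it inside the loops, so it was empty when no events were found.
$break = "`n`n"

#######################################
# Render one Security event as a single report line:
#   "Date: <TimeGenerated>  - User: <ReplacementStrings[0]> - Caller Domain: <ReplacementStrings[1]>"
# Arguments: $entry - an EventLogEntry from Get-EventLog
# Outputs:   the formatted line, terminated by CRLF
# NOTE(review): the ReplacementStrings index layout is event-ID specific; [0]/[1] are
# taken to be user and domain as the original did — confirm against the IDs the target
# server actually emits, since other failure-audit IDs may place different fields there.
#######################################
function Format-LogonEvent($entry) {
    # Labels live here so both loops share them. The original built $table inside the
    # failure loop only, so when there were no failed logons the success lines were
    # rendered without their labels.
    $labels = @("Date: ", " - User: ", " - Caller Domain: ")
    $time   = $labels[0] + $entry.TimeGenerated
    $user   = $labels[1] + $entry.ReplacementStrings[0]
    $domain = $labels[2] + $entry.ReplacementStrings[1]
    # Explicit concatenation. The original wrote "$body + $time, $user + $domain", which
    # only produced the right text because PowerShell stringified the ($time, $user)
    # array with a single space.
    return $time + " " + $user + $domain + "`r`n"
}

#Loop through each security event
[string]$messagebodyf = ""
[string]$messagebodys = ""
foreach ($i in $flog) {
    $messagebodyf += Format-LogonEvent $i
    ##Possible future change to add results to log file.
    ##add-content C:\temp\results.txt $time, $status, $user, $break
}
foreach ($s in $slog) {
    $messagebodys += Format-LogonEvent $s
    ##Possible future change to add results to log file.
    ##add-content C:\temp\results.txt $time, $status, $user, $break
}

##Begin send email portion
# The body lists account names and calling domains, so treat it as sensitive: SmtpClient
# sends plaintext unless $smtp.EnableSsl is set and the relay supports STARTTLS, and no
# credentials are supplied, so the relay must accept mail from this host unauthenticated.
$smtp = New-Object Net.Mail.SmtpClient($smtpServer)
$messagebody = "Failed Logins: `n" + $messagebodyF + $break + "Successful Logins: `n" + $messagebodyS
$smtp.Send($smtpFrom, $smtpTo, $messagesubject, $messagebody)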