PoshCode Archive  Artifact [1babfac101]

Artifact 1babfac101d44b803b595c7375e8df8379d197f60870674701266ff0ae6e55ab:

  • File Security-Log-Events.ps1 — part of check-in [7a7ad58c41] at 2018-06-10 13:39:48 on branch trunk — Will capture failed and Successful logins for a remote server for the last 24 hours and email to user. Utilizes Get-eventlog for Server 2003. Change variables on lines 5-13 (user: Robert size: 7656)

# encoding: ascii
# api: powershell
# title: Security Log Events
# description: Will capture failed and Successful logins for a remote server for the last 24 hours and email to user. Utilizes Get-eventlog for Server 2003.  Change variables on lines 5-13
# version: 0.1
# author: Robert
# license: CC0
# x-poshcode-id: 4358
# x-archived: 2016-05-17T19:21:25
# x-published: 2016-08-02T14:43:00
#
#
###Variable to be changed
##Server Setup
Write-host "Start time: "(get-date).ToShortTimeString()""
$startDate=(get-date).addDays(-1) ##-1 equates to previous date
$endDate=(get-date) ##Current Date
$Server = $(Get-WmiObject Win32_Computersystem).name
Write-host "Server and Dates set - "(get-date).ToShortTimeString()""

##Emails setup
$smtpserver = "SMTP Server"
$smtpfrom = "email.com" ##From email
$smtpto = "email.com"  ##To email
$messagesubject = "Recent Security Events on $server for Last 24hours" #email subject
write-host "Email settings set - "(get-date).ToShortTimeString()""
###End variable to be changed 
 
# Store each event from the Security Log with the specificed dates and computer in an array $flog = failure logins $slog = Successful logins
#Searches for FailureAudit entry type
Write-host "Searching for failure logs - Start time: "(get-date).ToShortTimeString()""
$flog = Get-Eventlog -LogName Security -ComputerName $server | where-object {$_.EventID -eq "529" -and $_.TimeGenerated -gt $startDate -and $_.TimeGenerated -lt $endDate}
Write-host "Complete search for failure logs - End time: "(get-date).ToShortTimeString()""
#searches for EventID 528
Write-host "Searching for successful logs - Start time: "(get-date).ToShortTimeString()""
$slog = Get-eventlog -LogName Security -ComputerName $server | Where-Object {$_.EventID -eq "528" -and $_.TimeGenerated -gt $startDate -and $_.TimeGenerated -lt $endDate}
Write-host "Complete search for successful logs - End time: "(get-date).ToShortTimeString()""

Write-host "Searching for failed  RSA logs - End time: "(get-date).ToShortTimeString()""
$rflog = get-eventlog -LogName Application -ComputerName $server   | Where-Object {$_.EventID -eq "106" -and $_.TimeGenerated -gt $startDate -and $_.TimeGenerated -lt $endDate}
Write-host "Complete search for failed  RSA logs - End time: "(get-date).ToShortTimeString()""

Write-host "Searching for successful RSA logs - Start time: "(get-date).ToShortTimeString()""
$rsLog = Get-eventlog -LogName Application -ComputerName $server | Where-Object {$_.EventID -eq "105" -and $_.TimeGenerated -gt $startDate -and $_.TimeGenerated -lt $endDate}
Write-host "Complete search for successful  RSA logs - End time: "(get-date).ToShortTimeString()""

Write-host "Searching for Event ID 550 - Start time: "(get-date).ToShortTimeString()""
$dosLog = Get-eventlog -LogName Security -ComputerName $server | Where-Object {$_.EventID -eq "550" -and $_.TimeGenerated -gt $startDate -and $_.TimeGenerated -lt $endDate}
Write-host "Complete search for Event ID 550 - End time: "(get-date).ToShortTimeString()""

Write-host "Searching for Event ID 612 - Start time: "(get-date).ToShortTimeString()""
$saLog = Get-eventlog -LogName Security -ComputerName $server | Where-Object {$_.EventID -eq "612" -and $_.TimeGenerated -gt $startDate -and $_.TimeGenerated -lt $endDate}
Write-host "Complete search for Event ID 612 - End time: "(get-date).ToShortTimeString()""

#Loop through each security event
Write-host "Looping through events to compile logs - Start time: "(get-date).ToShortTimeString()""
if($flog -eq $null){
    [string]$messagebodyf = ""
    $messagebodyf =  "No failed login events." + "`r`n"
	}
    else{
        [string]$messagebodyf = ""
            foreach ($i in $flog){ 
                $table = @("Date: "," - User: "," - Caller Domain: "," - Workstation: "," - IP: ") 
                $time = $table[0] + $i.TimeGenerated 
                $User = $table[1] + $i.ReplacementStrings[0]
	            $domain = $table[2] + $i.ReplacementStrings[1]
				$Workstation = $table[3] + $i.ReplacementStrings[5]
				$ip = $table[4] + $i.ReplacementStrings[11]
                $break = "`n`n"
                $messagebodyf = $messagebodyf + $time, $user + $domain + $workstation + $ip + "`r`n"
            }
        }
If($slog -eq $null){
    [string]$messagebodys = ""
    $messagebodys = "No Successful login events." + "`r`n"
    }
    else{
    [string]$messagebodys = ""
            foreach ($s in $slog){ 
				$table = @("Date: "," - User: "," - Caller Domain: "," - Workstation: "," - IP: ") 
                $time = $table[0] + $s.TimeGenerated 
                $user = $table[1] + $s.ReplacementStrings[0]
		        $domain = $table[2] + $s.ReplacementStrings[1]
                $break = "`n`n"
                $messagebodyS = $messagebodys + $time, $user + $domain + "`r`n"
            }
        }

if($rflog -eq $null){
	[string]$messagebodyrf= ""
	$messagebodyrf =  "No failed login events for RSA Tokens." + "`r`n"	
	}
    else{
        [string]$messagebodyrf = ""
            foreach ($rf in $rslog){ 
                $table = @("Date: "," - User: ", " - Caller Domain: ") 
                $time = $table[0] + $rf.TimeGenerated 
                $user = $table[1] + $rf.ReplacementStrings
                $break = "`n`n"
                $messagebodyrf = $messagebodyrf + $time, $user + "`r`n"
            }
        }

if($rslog -eq $null){
	[string]$messagebodyrs = ""
	$messagebodyrs =  "No successful login events for RSA Tokens." + "`r`n"	
	}
    else{
        [string]$messagebodyrs = ""
            foreach ($rs in $rslog){ 
                $table = @("Date: "," - User: ", " - Caller Domain: ") 
                $time = $table[0] + $rs.TimeGenerated 
                $user = $table[1] + $rs.ReplacementStrings
                $break = "`n`n"
                $messagebodyrs = $messagebodyrs + $time, $user + "`r`n"
            }
        }
		
if($doslog -eq $null){
    [string]$messagebodydos = ""
    $messagebodydos =  "Windows Event ID 550 - No record of possible denial-of-service (DoS) attack on $server." + "`r`n"
	}
    else{
        [string]$messagebodydos = ""
		$messagebodydos =  "Windows Event ID 550 - Possible denial-of-service found.  Please check $server" + "`r`n"
        }

if($salog -eq $null){
    [string]$messagebodysa = ""
    $messagebodysa =  "Windows Event ID 612 - No record of a system audit policy change on $server." + "`r`n"
	}
    else{
        [string]$messagebodysa = ""
		$messagebodysa =  "Windows Event ID 612 - A system audit policy was change recently on $server." + "`r`n"
        }
				
		
Write-Host "Loop complete - End time: "(get-date).ToShortTimeString()""
Write-host "Begin email - Start time: "(get-date).ToShortTimeString()""		
		##Begin send email portion
		try{		
			$smtp = New-Object Net.Mail.SmtpClient($smtpServer)
			$messagebody = "Failed Windows Logins: `n" + $messagebodyF + $break + "Successful Windows Logins: `n" + $messagebodyS + $break + "Denied RSA Token Access: `n" + $messagebodyrf + $break + "Successful RSA Token Access: `n" + $messagebodyrs + $break + "System Audit Policy:  `n" + $messagebodysa + $break + "Possible denial-of-service (DoS) attack: `n" + $messagebodydos
			$smtp.Send($smtpFrom,$smtpTo,$messagesubject,$messagebody)
			Write-host "email sent - End time: "(get-date).ToShortTimeString()""		
			}
        catch{
        $ErrorMessage = $_.Exception.Message
        $FailedItem = $_.Exception.ItemName
        write-warning "Email not sent based on error.  $ErrorMessage and $FailedItem"
        }