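# encoding: ascii
# api: powershell
# title: Security Log Events
# description: Will capture failed and Successful logins for a remote server for the last 24 hours and email to user. Utilizes Get-eventlog for Server 2003. Change variables on lines 5-13
# version: 0.1
# author: Robert
# license: CC0
# x-poshcode-id: 4357
# x-derived-from-id: 4358
# x-archived: 2016-05-17T19:21:33
# x-published: 2016-08-02T14:42:00
#
#
# Reads the Security and Application event logs of $Server for the last 24 hours,
# summarises logon-related events (Windows 528/529, RSA token 105/106, audit-policy
# change 612, event 550) into a plain-text report and emails it.
# The event IDs are the Windows Server 2003 / pre-Vista values, matching the
# classic Get-EventLog cmdlet the script relies on.
# Exit code: 0 when the mail was sent, 1 otherwise. A failed event-log query now
# terminates the script (see Search-Log) instead of mailing a report that claims
# "no events" for a log that was never read.

###Variable to be changed
##Server Setup
Write-Host "Start time: $((Get-Date).ToShortTimeString())"
$rc = 1
$startDate = (Get-Date).AddDays(-1)   ##-1 equates to previous date
$endDate   = (Get-Date)               ##Current Date
# Win32_ComputerSystem without -ComputerName describes the LOCAL machine, so as
# written the report covers the host running the script; set $Server to a
# hostname to read a remote machine's logs instead.
$Server = $(Get-WmiObject Win32_ComputerSystem).Name
Write-Host "Server and Dates set - $((Get-Date).ToShortTimeString())"
##Emails setup
$smtpserver = "SMTP Server"
$smtpfrom = "email.com"   ##From email
$smtpto = "email.com"     ##To email
$messagesubject = "Recent Security Events on $server for Last 24hours"   #email subject
Write-Host "Email settings set - $((Get-Date).ToShortTimeString())"
###End variable to be changed

# Separator between report sections. Defined once here rather than inside each
# event loop, so it is also set when every log came back empty.
$break = "`n`n"

#######################################
# Queries one event log for events with the given EventID between $startDate and
# $endDate (script scope), bracketed by the same console messages as before.
# -After/-Before let the event-log service filter by time before records are
# shipped; the original pulled the entire log over the wire and filtered it in
# Where-Object. The ID is still compared client-side on EventID (not -InstanceId)
# because classic-log instance IDs can carry qualifier bits above the 16-bit ID.
# -ErrorAction Stop turns an unreadable log (access denied, host unreachable)
# into a terminating error: for a security report a loud failure is preferable
# to a silent "no events" false negative.
# Arguments: Label   - text used in the progress messages
#            LogName - Security or Application
#            EventId - classic event ID to keep
# Outputs:   matching EventLogEntry objects ($null when none)
#######################################
function Search-Log {
    param(
        [string]$Label,
        [string]$LogName,
        [int]$EventId
    )
    Write-Host "Searching for $Label - Start time: $((Get-Date).ToShortTimeString())"
    $events = Get-EventLog -LogName $LogName -ComputerName $server -After $startDate -Before $endDate -ErrorAction Stop |
        Where-Object { $_.EventID -eq $EventId }
    Write-Host "Complete search for $Label - End time: $((Get-Date).ToShortTimeString())"
    $events
}

#######################################
# Builds one report section: $Empty when there are no events, otherwise one line
# per event produced by $LineFormatter (a scriptblock taking the EventLogEntry as
# its single parameter). Every line ends in CRLF as in the original.
# Arguments: Events        - $null, a single entry or an array of entries
#            Empty         - text emitted when Events is $null
#            LineFormatter - scriptblock returning the text for one entry
# Outputs:   the section text
#######################################
function Format-Section {
    param(
        $Events,
        [string]$Empty,
        [scriptblock]$LineFormatter
    )
    # "-eq $null" on an array yields an empty (falsy) array, so 1..n events fall
    # through to the loop exactly as the original if/else did.
    if ($Events -eq $null) {
        return $Empty + "`r`n"
    }
    $body = ""
    foreach ($e in $Events) {
        $body = $body + (& $LineFormatter $e) + "`r`n"
    }
    return $body
}

# Store each event with the specified dates and computer in an array
# $flog = failure logins, $slog = successful logins
#Searches for FailureAudit entry type (EventID 529)
$flog = Search-Log -Label "failure logs" -LogName Security -EventId 529
#searches for EventID 528
$slog = Search-Log -Label "successful logs" -LogName Security -EventId 528
# RSA token events are recorded in the Application log
$rflog = Search-Log -Label "failed RSA logs" -LogName Application -EventId 106
$rsLog = Search-Log -Label "successful RSA logs" -LogName Application -EventId 105
$dosLog = Search-Log -Label "Event ID 550" -LogName Security -EventId 550
$saLog = Search-Log -Label "Event ID 612" -LogName Security -EventId 612

#Loop through each security event
Write-Host "Looping through events to compile logs - Start time: $((Get-Date).ToShortTimeString())"

# ReplacementStrings positions below are the ones the original author used for
# the Server 2003 event 529 message: 0 = user, 1 = caller domain,
# 5 = workstation, 11 = source IP. Out-of-range indexes yield $null (blank).
$messagebodyf = Format-Section -Events $flog -Empty "No failed login events." -LineFormatter {
    param($e)
    "Date: " + $e.TimeGenerated + " - User: " + $e.ReplacementStrings[0] +
        " - Caller Domain: " + $e.ReplacementStrings[1] +
        " - Workstation: " + $e.ReplacementStrings[5] +
        " - IP: " + $e.ReplacementStrings[11]
}

$messagebodys = Format-Section -Events $slog -Empty "No Successful login events." -LineFormatter {
    param($e)
    "Date: " + $e.TimeGenerated + " - User: " + $e.ReplacementStrings[0] +
        " - Caller Domain: " + $e.ReplacementStrings[1]
}

# Both RSA sections dump the whole ReplacementStrings array (space-joined via
# $OFS, exactly what the original string + array concatenation produced) since
# the field layout of events 105/106 is not known here.
$rsaLine = {
    param($e)
    "Date: " + $e.TimeGenerated + " - User: " + $e.ReplacementStrings
}
# The original iterated $rslog for this section, so the "denied" list repeated
# the successful RSA logons; it now reads $rflog.
$messagebodyrf = Format-Section -Events $rflog -Empty "No failed login events for RSA Tokens." -LineFormatter $rsaLine
$messagebodyrs = Format-Section -Events $rsLog -Empty "No successful login events for RSA Tokens." -LineFormatter $rsaLine

if ($dosLog -eq $null) {
    $messagebodydos = "Windows Event ID 550 - No record of possible denial-of-service (DoS) attack on $server." + "`r`n"
} else {
    $messagebodydos = "Windows Event ID 550 - Possible denial-of-service found. Please check $server" + "`r`n"
}

if ($saLog -eq $null) {
    $messagebodysa = "Windows Event ID 612 - No record of a system audit policy change on $server." + "`r`n"
} else {
    $messagebodysa = "Windows Event ID 612 - A system audit policy was change recently on $server." + "`r`n"
}

Write-Host "Loop complete - End time: $((Get-Date).ToShortTimeString())"
Write-Host "Begin email - Start time: $((Get-Date).ToShortTimeString())"

##Begin send email portion
try {
    $smtp = New-Object Net.Mail.SmtpClient($smtpServer)
    # NOTE(review): the report lists account names, caller domains, workstations
    # and source IPs. SmtpClient sends it in clear text unless $smtp.EnableSsl is
    # set and the relay supports it; keep $smtpto limited to who needs the data.
    $messagebody = "Failed Windows Logins: `n" + $messagebodyF + $break +
        "Successful Windows Logins: `n" + $messagebodyS + $break +
        "Denied RSA Token Access: `n" + $messagebodyrf + $break +
        "Successful RSA Token Access: `n" + $messagebodyrs + $break +
        "System Audit Policy: `n" + $messagebodysa + $break +
        "Possible denial-of-service (DoS) attack: `n" + $messagebodydos
    $smtp.Send($smtpFrom, $smtpTo, $messagesubject, $messagebody)
    Write-Host "email sent - End time: $((Get-Date).ToShortTimeString())"
    $rc = 0
} catch {
    $ErrorMessage = $_.Exception.Message
    # Exceptions generally have no ItemName property (the original read one and
    # got an empty string); the exception type is always available.
    $FailedItem = $_.Exception.GetType().Name
    Write-Warning "Email not sent based on error. $ErrorMessage and $FailedItem"
    $rc = 1
}

# $rc is 0 only after a successful Send; every other path leaves it at 1.
exit $rc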