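# encoding: ascii
# api: powershell
# title: Security Log Events
# description: Will capture failed and Successful logins for a remote server for the last 24 hours and email to user. Utilizes Get-eventlog for Server 2003. Change variables in the "Variable to be changed" section below.
# version: 0.1
# author: Robert
# license: CC0
# x-poshcode-id: 4339
# x-derived-from-id: 4357
# x-archived: 2016-06-20T19:06:13
# x-published: 2016-07-26T18:43:00
#
# Reads the Security event log of one remote server through the legacy
# Get-EventLog interface, keeps failed logons (FailureAudit entries) and
# successful logons (event ID 528) from the last 24 hours, and mails a
# plain-text summary to a single recipient.
#
# NOTE(review): the archived copy of this script contained the whole body
# twice (the second copy with site-specific mail server and addresses), so
# the log was pulled twice and the report mailed twice. This version keeps
# one copy with the placeholder values; keep site-specific hostnames and
# addresses out of shared copies.
#
# NOTE(review): 528 is the Windows 2000/2003 "successful logon" ID that the
# author chose; network logons on those systems are reported as 540, and
# Vista/2008 and later use 4624/4625 through Get-WinEvent. Confirm the
# filter matches what the report is expected to cover.

###Variable to be changed
##Server Setup
$startDate = (Get-Date).AddDays(-1)   ##-1 equates to previous date
$endDate   = Get-Date                 ##Current Date
$Server    = "HC900WOC"

##Emails setup
$smtpserver = "HC900WE2.blah.com"
$smtpfrom   = "Email@someone.com"     ##From email
$smtpto     = "Email@someone"         ##To email
## The report lists account names taken from logon attempts (failed-logon
## "user" fields sometimes contain mistyped passwords). Set to $true if the
## relay supports STARTTLS so it is not sent in cleartext; default keeps the
## original unencrypted behaviour.
$smtpUseSsl = $false
$messagesubject = "Logon/Logoff Events for $server for Last 24hours" #email subject
###End variable to be changed

# $flog = failure logins
# $slog = Successful logins
$events     = @()
$queryError = $null
try {
    # Pull the remote Security log once and split it client-side below,
    # instead of transferring the whole log twice. -ErrorAction Stop turns an
    # unreachable server or access-denied into a terminating error; without
    # it the script silently mailed an empty report.
    # NOTE(review): -After/-Before would filter on the server side, but some
    # Get-EventLog filter parameters raise "No matches found" on an empty
    # result, which this try/catch would misreport as a failure — verify on
    # the target version before switching.
    $events = @(Get-EventLog -LogName Security -ComputerName $Server -ErrorAction Stop |
        Where-Object { $_.TimeGenerated -gt $startDate -and $_.TimeGenerated -lt $endDate })
} catch {
    $queryError = $_.Exception.Message
}

#Searches for FailureAudit entry type
$flog = @($events | Where-Object { $_.EntryType -eq 'FailureAudit' })
#searches for EventID 528
$slog = @($events | Where-Object { $_.EventID -eq 528 })

##for testing to grab the newest 5 events
#$flog = Get-Eventlog -LogName Security -ComputerName $server -EntryType FailureAudit -newest 5
#$slog = Get-Eventlog -LogName Security -ComputerName $server -InstanceId 528 -newest 5

# Renders one Security event as a single report line.
# ReplacementStrings[0] and [1] are read as account name and domain, which is
# how the original labelled them for 528 and the FailureAudit entries.
# NOTE(review): other failure event IDs may lay out ReplacementStrings
# differently, so "User"/"Caller Domain" could be mislabelled for them —
# verify against the events actually seen.
function Format-LogonLine ($entry) {
    return "Date: " + $entry.TimeGenerated +
           " - User: " + $entry.ReplacementStrings[0] +
           " - Caller Domain: " + $entry.ReplacementStrings[1]
}

# Joins the rendered lines of one section; "(none)" distinguishes an empty
# window from a report that was never filled in.
function Format-LogonSection ($entries) {
    if ($entries.Count -eq 0) { return "(none)" }
    return (@($entries | ForEach-Object { Format-LogonLine $_ }) -join "`r`n")
}

# CRLF throughout: SMTP line endings, and the original mixed `n and `r`n.
$crlf         = "`r`n"
$messagebodyF = Format-LogonSection $flog
$messagebodyS = Format-LogonSection $slog
##Possible future change to add results to log file.
##add-content C:\temp\results.txt $messagebodyF, $messagebodyS

##Begin send email portion
$messagebody = "Failed Logins: " + $crlf + $messagebodyF + $crlf + $crlf +
               "Successful Logins: " + $crlf + $messagebodyS
if ($queryError) {
    # Put the failure at the top so the recipient does not read an empty
    # section as "no logons".
    $messagebody = "ERROR: could not read the Security log on $Server - $queryError" +
                   $crlf + $crlf + $messagebody
}
$smtp = New-Object Net.Mail.SmtpClient($smtpserver)
$smtp.EnableSsl = $smtpUseSsl
$smtp.Send($smtpfrom, $smtpto, $messagesubject, $messagebody)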