
Report on security events on the domain's Windows servers

Hello!
It is convenient to receive a daily report by mail on the previous day's events on the domain servers (the current day works just as well, it does not matter). When such reports are kept for a long period (several years, say), you can look up who created a given user, who added or removed a user from a group, who changed a user's password (or when the user changed it himself), logons to servers, failed logons and so on. Everyone chooses their own set of events for the reports; what matters is the principle.
For example, a report as it arrives in the mail:

The implementation is under the cut for anyone who needs it.

The script runs every morning at 4 o'clock. The server it runs on needs LogParser and 7-Zip installed (if a report file is larger than 3 MB it is zipped before sending).
Just in case, a link to a useful document on Windows 7 and Windows Server 2008 security events: Vista_2008_Security_Event_Descriptions.xlsx.
The script lives in C:\script; the Log Parser templates are in the Tamplates subfolder (the folder name is spelled that way in the script). On drive F there are two more folders: Logi_ForADReports for the temporary .evtx files copied from the servers, and Reports for the HTML report files. The script also writes its own run log to the Reports folder.
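The same daily collection can be done with PowerShell's Get-WinEvent instead of LogParser. The block below is an added example, not code from the original post: it reads the last 33 hours of Security events from the domain controllers, splits them into the same report files the post produces and mails them. Server names, folder paths, the SMTP host and the mailbox are taken from the post's script or are assumptions to adjust. The point it demonstrates is that event fields are read by name from the event XML (TargetUserName, LogonType, IpAddress, ...) rather than by position in the Strings field, because the positions differ between event IDs (LogonType is field 8 in 4624 but field 10 in 4625), which is exactly where positional Log Parser queries go wrong silently.

```powershell
# Added example (not from the original post): daily Security-event report with Get-WinEvent.
# Names and addresses below come from the post or are assumptions; adjust to the environment.
#Requires -Version 3.0
param(
    [string[]] $DomainControllers = @('DC1', 'DC2'),
    [string]   $ReportFolder      = 'F:\Reports',
    [int]      $LookbackHours     = 33,                  # same overlap as the post's script
    [string]   $SmtpServer        = 'MAIL-SRV',
    [string]   $MailTo            = 'admin1@domain.com'
)

# Event IDs grouped as in the post's reports (report name => IDs).
$Reports = [ordered]@{
    'logged_Administrator' = @(4624)
    'new_AD'               = @(4720, 4722, 4725, 4726, 4738, 4740, 4767, 4780, 4781, 4782)
    'group_Manage'         = @(4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737,
                               4754, 4755, 4756, 4757, 4758, 4764)
    'logonFailure'         = @(4625)
    'change_password'      = @(4723, 4724)
    'new_Comp_AD'          = @(4720, 4742, 4743)
    'AD_objects'           = @(5136, 5137, 5138, 5139, 5141)
}

# Flatten one EventRecord into a row whose fields are taken by NAME from <EventData>,
# so the same code works for 4624, 4625, 4720, 5136 ... without positional indexes.
function ConvertTo-ReportRow {
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $xml  = [xml] $Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $Event.TimeCreated
        Computer    = $Event.MachineName
        EventId     = $Event.Id
        Subject     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Target      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType   = $data['LogonType']
        Workstation = $data['WorkstationName']
        IpAddress   = $data['IpAddress']
        Description = ($Event.Message -split "`r?`n")[0]   # first line of the rendered message
    }
}

$since  = (Get-Date).AddHours(-$LookbackHours)
$allIds = @($Reports.Values | ForEach-Object { $_ } | Sort-Object -Unique)

$rows = foreach ($dc in $DomainControllers) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop `
            -FilterHashtable @{ LogName = 'Security'; Id = $allIds; StartTime = $since } |
            ForEach-Object { ConvertTo-ReportRow $_ }
    } catch {
        # unreachable DC, access denied, or "No events were found ..." all end up here
        Write-Warning ('{0}: {1}' -f $dc, $_.Exception.Message)
    }
}

$stamp = (Get-Date).AddDays(-1).ToString('yyyy-MM-dd')
$files = foreach ($name in $Reports.Keys) {
    $subset = $rows | Where-Object { $Reports[$name] -contains $_.EventId }
    switch ($name) {
        'logged_Administrator' { $subset = $subset | Where-Object { $_.Target -match '\\(administrator|admin)$' } }
        'new_Comp_AD'          { $subset = $subset | Where-Object { $_.Target -like '*$' } }   # computer accounts end in $
    }
    $path = Join-Path $ReportFolder ('{0}_{1}.html' -f $name, $stamp)
    $subset | Sort-Object Time |
        ConvertTo-Html -Title "$name $stamp" -PreContent "<h2>$name $stamp ($(@($subset).Count) events)</h2>" |
        Set-Content -Path $path -Encoding UTF8
    $path
}

# One mail with all of the day's report files attached, like the post's fuSendReportMail.
Send-MailMessage -SmtpServer $SmtpServer -From $MailTo -To $MailTo `
    -Subject "send report $stamp" -Body "Report for $stamp" -Attachments $files
```

Schedule it the same way as the post's script (Task Scheduler, 04:00). Unlike the post's approach of reading archived .evtx files through the C$ admin share, remote Get-WinEvent on the Security log only needs the service account to be in the Event Log Readers group on each DC (and the Remote Event Log Management firewall rule), so the reporting account does not have to be a local administrator on the domain controllers.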
Script run bat file
net use Q: \\nas-srv\BACKUP
cscript //nologo "c:\script\LogParser_bat_4.vbs" %1 %2 %3
net use Q: /delete

Script LogParser_bat_4.vbs
' LogParser_bat_4.vbs
' Daily report of security events from the domain servers (LogParser + CDO mail)
' luzhin.kirill@yandex.ru
On Error Resume Next

const gsReportFolder = "F:\Reports\"
const gsFrom = "admin1@domain.com"
const gsSubject = "send report"
const gsHelpFile = "c:\script\LogParser_bat.txt"
const gbDebugModeON = false

Dim oLogQuery
Dim oMyInputFormat
Dim oCSVOutputFormat
Dim strQuery
Dim giErrorCode
Dim gsFileNameLog
Dim gsNormalDate
Dim gsTo
Dim gArrNumberOfFunctions

' one flag per report, in the order of gArrProcNamesList below: "1" = build it, "0" = skip it
gArrNumberOfFunctions = Array ("1", "1", "1", "1", "1", "1", "1", "1", "1", "1", "1")
gsTo = "admin1@domain.com"
gsEMail = "n"

' report date as a normalized string (for the current day):
' gsNormalDate = fuNormalizeSystemDate(cStr(Date))
' for the previous day:
gsNormalDate = fuNormalizeSystemDate(cStr(DateAdd("d", -1, Date)))
gsDate = gsNormalDate
gsNumberOfFunctions = "all"
gsCheckDate = DateAdd("d", -1, Date)
gsLogFilename = fuGetFilename(gsCheckDate)

Set objFSO = CreateObject("Scripting.FileSystemObject")
gsFileNameLog = gsReportFolder & gsNormalDate & ".log"
Set objTextFileWriteLog = objFSO.OpenTextFile(gsFileNameLog, 8, True)

' events are collected for the last 33 hours: the script runs at 04:00, so this
' covers the whole previous day with some overlap.
' gsPastDate is rendered with the system locale; the TO_TIMESTAMP format used in
' the queries ('dd.MM.yyyy hh:mm:ss') must match that rendering.
fuWritedown "* Script started: " & Now, 4
gsPastDate = DateAdd("h", -33, Now)
fuWritedown "* Collecting events since " & gsPastDate, 4
' alternative: the last 2 days
' gsPastDate = DateAdd("d", -2, Date)

' command line: [reports] [email|y|n] [date]
'   reports: "nothing", a comma-separated list of 0/1 flags, or a help switch
'   email:   a mail address (enables sending) or y/n
if Wscript.Arguments.Count >= 1 then
    if lCase(Wscript.Arguments(0)) = "nothing" then
        gArrNumberOfFunctions = Array ("0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0")
        gsNumberOfFunctions = "nothing"
    elseif InStr(Wscript.Arguments(0), ",") then
        gArrNumberOfFunctions = split(Wscript.Arguments(0), ",")
        gsNumberOfFunctions = "different"
    elseif fuNeedHelp(lCase(Wscript.Arguments(0))) then
        fuTypeTextfile(gsHelpFile)
        WScript.Quit 0
    'else
    '    gArrNumberOfFunctions = Array ("1", "1", "1", "1", "1", "1", "1", "1", "1", "1", "1")
    end if
    if Wscript.Arguments.Count >= 2 then
        if InStr(Wscript.Arguments(1), "@") then
            gsEMail = "y"
            gsTo = Wscript.Arguments(1)
        else
            gsEMail = lCase(Wscript.Arguments(1))
        end if
        if Wscript.Arguments.Count = 3 then
            gsDate = Wscript.Arguments(2)
        end if
    end if
end if

fuWritedown "* Log file: " & gsFileNameLog, 2
gStartTime = fuStartTimer("")

if gsNumberOfFunctions <> "nothing" then
    ' display names of the reports (same order as the flags and the file names)
    gArrProcNamesList = Array (_
        "Administrator logons", _
        "Account management (AccauntManage)", _
        "Logon failure statistics", _
        "Group management", _
        "Logon failures", _
        "Password changes", _
        "Computer account management", _
        "File access audit", _
        "File access audit statistics", _
        "RDP logons", _
        "AD object changes")
    gArrReportfilesList = Array (_
        gsReportFolder & "logged_Administrator_" & gsNormalDate & ".html", _
        gsReportFolder & "new_AD_" & gsNormalDate & ".html", _
        gsReportFolder & "logonFailuresStats_" & gsNormalDate & ".html", _
        gsReportFolder & "group_Manage_" & gsNormalDate & ".html", _
        gsReportFolder & "logonFailure_" & gsNormalDate & ".html", _
        gsReportFolder & "change_password_" & gsNormalDate & ".html", _
        gsReportFolder & "new_Comp_AD_" & gsNormalDate & ".html", _
        gsReportFolder & "audit_" & gsNormalDate & ".html", _
        gsReportFolder & "auditStat_" & gsNormalDate & ".html", _
        gsReportFolder & "logged_Rdp_" & gsNormalDate & ".html", _
        gsReportFolder & "AD_objects_" & gsNormalDate & ".html")

    for gix = 0 to UBound(gArrNumberOfFunctions)
        gsFunctionName = gArrProcNamesList(gix)
        gsReportfile = gArrReportfilesList(gix)
        if gArrNumberOfFunctions(gix) = "1" then
            startTime = fuStartTimer(gsFunctionName)
            ' default source: the domain controllers; some reports override the list
            gArrServerList = Array ("DC1", "DC2")
            Select Case gix
                Case 0: giErrorCode = fuLogonAdministrator(gArrServerList, gsReportfile)
                Case 1: giErrorCode = fuAccauntManage(gArrServerList, gsReportfile)
                Case 2: giErrorCode = fuLogonFailureStats(gArrServerList, gsReportfile)
                Case 3:
                    gArrServerList = Array ("DC1","DC2","EXCH1","EXCH2")
                    giErrorCode = fuGroupManage(gArrServerList, gsReportfile)
                Case 4: giErrorCode = fuLogonFailures(gArrServerList, gsReportfile)
                Case 5: giErrorCode = fuPasswordManage(gArrServerList, gsReportfile)
                Case 6: giErrorCode = fuCompManage(gArrServerList, gsReportfile)
                Case 7:
                    gArrServerList = Array ("FILE-SRV1","FILE-SRV2")
                    giErrorCode = fuAudit(gArrServerList, gsReportfile)
                Case 8:
                    gArrServerList = Array ("FILE-SRV1","FILE-SRV2")
                    giErrorCode = fuAuditStat(gArrServerList, gsReportfile)
                Case 9:
                    gArrServerList = Array ("DC1","DC2","EXCH1","EXCH2")
                    giErrorCode = fuLogonRdp(gArrServerList, gsReportfile, gsFunctionName)
                Case 10: giErrorCode = fuADObjects(gArrServerList, gsReportfile)
                Case else
                    fuWritedown "* Unknown report index: " & gix, 4
            End Select
            fuCheckErrorCode giErrorCode, gArrServerList, gsReportfile, gsFunctionName, startTime
        else
            fuWritedown gsFunctionName & " skipped", 4
        end if
    next
else
    fuWritedown "* No reports requested", 4
end if
fuStopTimer(gStartTime)

if gsEMail = "y" then
    fuSendReportMail gsReportFolder & "*_" & gsDate & ".*", gsFrom, gsTo, gsSubject, gsDate
else
    fuWritedown "* Mailing disabled", 4
end if
fuWritedown "* Log written to '" & gsFileNameLog & "'", 1
fuDeleteEvtxFiles "F:\Logi_ForADReports\*.evtx"
'MsgBox "Log written to '" & gsFileNameLog & "'", vbInformation, ""
objTextFileWriteLog.Close

' Administrator logons (4624) on the domain controllers
function fuLogonAdministrator(lArrServerList, lsReport)
    liErrorCode = -1
    lsFROM = fuCollectFileList(lArrServerList, false)
    if lsFROM <> "" then
        Set oLogQuery = CreateObject("MSUtil.LogQuery")
        ' Create Input Format object
        Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat")
        oEVTInputFormat.direction = "BW"
        ' Create Output Format object
        ' Set oCSVOutputFormat = CreateObject("MSUtil.LogQuery.CSVOutputFormat")
        Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat")
        'oCSVOutputFormat.tabs = TRUE
        oTPLOutputFormat.tpl = "c:\script\Tamplates\logonAdministrator.tpl"
        ' 4624 field positions (0-based) in Strings: 5 TargetUserName, 6 TargetDomainName,
        ' 8 LogonType, 9 LogonProcessName, 11 WorkstationName, 16 ProcessId, 18 IpAddress
        ' (the same positions fuLogonRdp uses). The 4625 layout (LogonType at 10,
        ' WorkstationName at 13) does not apply to 4624: there positions 10 and 13 hold
        ' the authentication package and TransmittedServices.
        strQuery = "SELECT TO_LOWERCASE(EXTRACT_TOKEN(Strings,5,'|')) as UserName, eventid, TimeGenerated, ComputerName as DC, " & _
            "TO_LOWERCASE(EXTRACT_TOKEN(Strings,5,'|')) AS LogonName, " & _
            "TO_LOWERCASE(EXTRACT_TOKEN(Strings,6,'|')) AS Domain, " & _
            "TO_LOWERCASE(EXTRACT_TOKEN(Strings,11,'|')) AS LogonWKS, " & _
            "EXTRACT_TOKEN(Strings,18,'|') as LogonIP, " & _
            "CASE TO_INT(EXTRACT_TOKEN(Strings,8,'|')) " & _
            " WHEN 2 THEN 'Interactive - Intended for users who will be interactively using the machine, such as a user being logged on by a terminal server, remote shell, or similar process.'" & _
            " WHEN 3 THEN 'Network - Intended for high performance servers to authenticate clear text passwords. LogonUser does not cache credentials for this logon type.'" & _
            " WHEN 4 THEN 'Batch - Intended for batch servers, where processes may be executing on behalf of a user without their direct intervention; or for higher performance servers that process many clear-text authentication attempts at a time, such as mail or web servers. LogonUser does not cache credentials for this logon type.'" & _
            " WHEN 5 THEN 'Service - Indicates a service-type logon. The account provided must have the service privilege enabled.'" & _
            " WHEN 6 THEN 'Proxy - Indicates a proxy-type logon.'" & _
            " WHEN 7 THEN 'Unlock - This logon type is intended for GINA DLLs logging on users who will be interactively using the machine. This logon type allows a unique audit record to be generated that shows when the workstation was unlocked.'" & _
            " WHEN 8 THEN 'NetworkCleartext - Windows 2000; Windows XP and Windows Server 2003 family: Preserves the name and password in the authentication packages, allowing the server to make connections to other network servers while impersonating the client. This allows a server to accept clear text credentials from a client, call LogonUser, verify that the user can access the system across the network, and still communicate with other servers.'" & _
            " WHEN 9 THEN 'NewCredentials - Windows 2000; Windows XP and Windows Server 2003 family: Allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.'" & _
            " WHEN 10 THEN 'RemoteInteractive - Terminal Server session that is both remote and interactive.'" & _
            " WHEN 11 THEN 'CachedInteractive - Attempt cached credentials without accessing the network.'" & _
            " WHEN 12 THEN 'CachedRemoteInteractive - Same as RemoteInteractive. This is used for internal auditing.'" & _
            " WHEN 13 THEN 'CachedUnlock - Workstation logon'" & _
            " ELSE EXTRACT_TOKEN(Strings,8,'|') " & _
            "END AS LogonType, " & _
            "extract_token(strings, 9, '|' ) as LogonProc, " & _
            "extract_token(strings, 16, '|' ) as ProcessID " & _
            "INTO " & lsReport & " " & _
            "FROM " & lsFROM & " " & _
            "WHERE EventID IN (4624;4636) " & _
            "AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _
            "AND ((TO_LOWERCASE(LogonName) = TO_LOWERCASE('administrator')) " & _
            " OR (TO_LOWERCASE(LogonName) = TO_LOWERCASE('')) " & _
            " OR (TO_LOWERCASE(LogonName) = TO_LOWERCASE('admin'))) "
        fuWritedown "* Query for administrator logons: '" & strQuery & "'", 4
        ' Execute query
        oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat
        liErrorCode = 0
    else
        liErrorCode = 1
    end if
    fuLogonAdministrator = liErrorCode
end function

' Account management: user accounts created, enabled, disabled, deleted, changed, locked out
function fuAccauntManage(lArrServerList, lsReport)
    liErrorCode = -1
    lsFROM = fuCollectFileList(lArrServerList, false)
    'lsFROM = "\\DC1\c$\WINDOWS\system32\winevt\Logs\Archive-Security-2010-08-03-09-34-11-527.evtx"
    'lsFROM = "\\DC1\security"
    if lsFROM <> "" then
        Set oLogQuery = CreateObject("MSUtil.LogQuery")
        Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat")
        oEVTInputFormat.direction = "BW"
        Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat")
        oTPLOutputFormat.tpl = "c:\script\Tamplates\accauntManage.tpl"
        ' the subject and target names are cut out of the rendered Message text
        strQuery = "select extract_token(extract_token(Message, 3, ':' ), 0, ' Account ') as UserName, TimeGenerated, SourceName, Message as EventCategoryName, " & _
            "extract_token(extract_token(Message, 0, ':' ),0,'.') as Description, EventID, ComputerName, " & _
            "extract_token(extract_token(Message, 8, ':' ), 1, ' ') as Name " & _
            "INTO " & lsReport & " " & _
            "FROM " & lsFROM & " " & _
            "WHERE EventID IN (4720;4722;4725;4726;4738;4740;4767;4780;4781;4782) " & _
            "AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss')"
        fuWritedown "* Query AccauntManage: '" & strQuery & "'", 4
        if not gbDebugModeON then
            oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat
        end if
        liErrorCode = 0
    else
        liErrorCode = 1
    end if
    fuAccauntManage = liErrorCode
end function

' Logon failure statistics: failed logons (4625) per account
function fuLogonFailureStats(lArrServerList, lsReport)
    liErrorCode = -1
    lsFROM = fuCollectFileList(lArrServerList, false)
    if lsFROM <> "" then
        Set oLogQuery = CreateObject("MSUtil.LogQuery")
        Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat")
        oEVTInputFormat.direction = "BW"
        Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat")
        oTPLOutputFormat.tpl = "c:\script\Tamplates\logonFailuresStats.tpl"
        strQuery = "SELECT TO_LOWERCASE(EXTRACT_TOKEN(Strings,5,'|')) AS User, " & _
            "COUNT(*) AS Total " & _
            "INTO " & lsReport & " " & _
            "FROM " & lsFROM & " " & _
            "WHERE EventID IN (4625) " & _
            "AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _
            "GROUP BY User " & _
            "ORDER BY Total DESC"
        fuWritedown "* Query for logon failure statistics: '" & strQuery & "'", 4
        if not gbDebugModeON then
            oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat
        end if
        liErrorCode = 0
    else
        liErrorCode = 1
    end if
    fuLogonFailureStats = liErrorCode
end function

' Group management: groups created/changed/deleted, members added and removed
function fuGroupManage(lArrServerList, lsReport)
    liErrorCode = -1
    lsFROM = fuCollectFileList(lArrServerList, false)
    if lsFROM <> "" then
        Set oLogQuery = CreateObject("MSUtil.LogQuery")
        Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat")
        oEVTInputFormat.direction = "BW"
        Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat")
        oTPLOutputFormat.tpl = "c:\script\Tamplates\groupManage.tpl"
        strQuery = "SELECT extract_token(extract_token(Message, 3, ':' ), 0, ' Account ') as UserName, TimeGenerated, SourceName, EventCategoryName, " & _
            "extract_token(extract_token(Message, 0, ':' ), 0, '.') as EventIDName, " & _
            "COALESCE(extract_token(extract_token(strings, 0, ',' ), 1, '='), extract_token(strings, 0, '|' ), strings) as Name, " & _
            "COALESCE(extract_token(extract_token(strings, 0, ',' ), 1, '='), extract_token(strings, 1, '|' ), strings) as SIDName, " & _
            "extract_token(strings, 2, '|' ) as Name_Group, " & _
            "EventID, extract_token(ComputerName, 0, '.') " & _
            "INTO " & lsReport & " " & _
            "FROM " & lsFROM & " " & _
            "WHERE EventID IN (4727;4728;4729;4730;4731;4732;4733;4734;4735;4737;4744;4745;4746;4747;4748;4749;4750;4751;4752;4753;4754;4755;4756;4757;4758;4759;4760;4761;4762;4764;4783;4784;4785;4786;4787;4788;4789;4790) " & _
            "AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss')"
        fuWritedown "* Query for group management: '" & strQuery & "'", 4
        if not gbDebugModeON then
            oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat
        end if
        liErrorCode = 0
    else
        liErrorCode = 1
    end if
    fuGroupManage = liErrorCode
end function

' Logon failures (4625) grouped by account, domain, workstation and logon type
function fuLogonFailures(lArrServerList, lsReport)
    liErrorCode = -1
    lsFROM = fuCollectFileList(lArrServerList, false)
    if lsFROM <> "" then
        Set oLogQuery = CreateObject("MSUtil.LogQuery")
        Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat")
        oEVTInputFormat.direction = "BW"
        Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat")
        oTPLOutputFormat.tpl = "c:\script\Tamplates\logonFailures.tpl"
        ' 4625 field positions (0-based) in Strings: 5 TargetUserName, 6 TargetDomainName,
        ' 10 LogonType, 13 WorkstationName
        strQuery = "SELECT COUNT(EventID) AS TotalLogonFailures, " & _
            "TO_LOWERCASE(EXTRACT_TOKEN(Strings,5,'|')) AS User, " & _
            "TO_LOWERCASE(EXTRACT_TOKEN(Strings,6,'|')) AS Domain, " & _
            "TO_LOWERCASE(EXTRACT_TOKEN(Strings,13,'|')) AS WorkStation, " & _
            "CASE TO_INT(EXTRACT_TOKEN(Strings,10,'|')) " & _
            " WHEN 2 THEN 'Interactive - Intended for users who will be interactively using the machine, such as a user being logged on by a terminal server, remote shell, or similar process.'" & _
            " WHEN 3 THEN 'Network - Intended for high performance servers to authenticate clear text passwords. LogonUser does not cache credentials for this logon type.'" & _
            " WHEN 4 THEN 'Batch - Intended for batch servers, where processes may be executing on behalf of a user without their direct intervention; or for higher performance servers that process many clear-text authentication attempts at a time, such as mail or web servers. LogonUser does not cache credentials for this logon type.'" & _
            " WHEN 5 THEN 'Service - Indicates a service-type logon. The account provided must have the service privilege enabled.'" & _
            " WHEN 6 THEN 'Proxy - Indicates a proxy-type logon.'" & _
            " WHEN 7 THEN 'Unlock - This logon type is intended for GINA DLLs logging on users who will be interactively using the machine. This logon type allows a unique audit record to be generated that shows when the workstation was unlocked.'" & _
            " WHEN 8 THEN 'NetworkCleartext - Windows 2000; Windows XP and Windows Server 2003 family: Preserves the name and password in the authentication packages, allowing the server to make connections to other network servers while impersonating the client. This allows a server to accept clear text credentials from a client, call LogonUser, verify that the user can access the system across the network, and still communicate with other servers.'" & _
            " WHEN 9 THEN 'NewCredentials - Windows 2000; Windows XP and Windows Server 2003 family: Allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.'" & _
            " WHEN 10 THEN 'RemoteInteractive - Terminal Server session that is both remote and interactive.'" & _
            " WHEN 11 THEN 'CachedInteractive - Attempt cached credentials without accessing the network.'" & _
            " WHEN 12 THEN 'CachedRemoteInteractive - Same as RemoteInteractive. This is used for internal auditing.'" & _
            " WHEN 13 THEN 'CachedUnlock - Workstation logon'" & _
            " ELSE EXTRACT_TOKEN(Strings,10,'|') " & _
            "END AS Type " & _
            "INTO " & lsReport & " " & _
            "FROM " & lsFROM & " " & _
            "WHERE EventID IN (4625) " & _
            "AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _
            "GROUP BY User,Domain,WorkStation,Type " & _
            "ORDER BY TotalLogonFailures DESC"
        fuWritedown "* Query for logon failures: '" & strQuery & "'", 4
        if not gbDebugModeON then
            oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat
        end if
        liErrorCode = 0
    else
        liErrorCode = 1
    end if
    fuLogonFailures = liErrorCode
end function

' Password changes and resets
function fuPasswordManage(lArrServerList, lsReport)
    liErrorCode = -1
    lsFROM = fuCollectFileList(lArrServerList, false)
    if lsFROM <> "" then
        Set oLogQuery = CreateObject("MSUtil.LogQuery")
        Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat")
        oEVTInputFormat.direction = "BW"
        Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat")
        oTPLOutputFormat.tpl = "c:\script\Tamplates\PasswordManage.tpl"
        strQuery = "SELECT extract_token(extract_token(Message, 3, ':' ), 0, ' Account ') as UserName, TimeGenerated, SourceName, EventCategoryName, " & _
            "extract_token(extract_token(Message, 0, ':' ),0,'.') as Description, EventID, ComputerName, " & _
            "extract_token(extract_token(Message, 8, ':' ), 0, ' Account ') as Name " & _
            "INTO " & lsReport & " " & _
            "FROM " & lsFROM & " " & _
            "WHERE EventID IN (4723;4724;4782;4793) " & _
            "AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss')"
        fuWritedown "* Query for password changes: '" & strQuery & "'", 4
        if not gbDebugModeON then
            oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat
        end if
        liErrorCode = 0
    else
        liErrorCode = 1
    end if
    fuPasswordManage = liErrorCode
end function

' Computer account management (account names ending in $)
function fuCompManage(lArrServerList, lsReport)
    liErrorCode = -1
    lsFROM = fuCollectFileList(lArrServerList, false)
    if lsFROM <> "" then
        Set oLogQuery = CreateObject("MSUtil.LogQuery")
        Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat")
        oEVTInputFormat.direction = "BW"
        Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat")
        oTPLOutputFormat.tpl = "c:\script\Tamplates\compManage.tpl"
        strQuery = "SELECT extract_token(extract_token(Message, 3, ':' ), 0, ' Account ') as UserName, TimeGenerated, SourceName, EventCategoryName, " & _
            "extract_token(extract_token(Message, 0, ':' ),0,'.') as Description, EventID, ComputerName, " & _
            "extract_token(extract_token(Message, 8, ':' ), 0, ' Account ') as Name " & _
            "INTO " & lsReport & " " & _
            "FROM " & lsFROM & " " & _
            "WHERE EventID in (4720;4742;4743) " & _
            "and Name like '%%$%%' " & _
            "AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss')"
        fuWritedown "* Query for computer accounts: '" & strQuery & "'", 4
        if not gbDebugModeON then
            oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat
        end if
        liErrorCode = 0
    else
        liErrorCode = 1
    end if
    fuCompManage = liErrorCode
end function

' File access audit on the file servers: object access events for the watched folder.
' First uses the .evtx files already copied locally; if there are none, falls back to the
' live logs on the servers (in that case the function still returns 1 so the caller logs it).
function fuAudit(lArrServerList, lsReport)
    liErrorCode = -1
    lsFROM = fuCollectFileList(lArrServerList, false)
    if lsFROM <> "" then
        liErrorCode = 0
    else
        lsFROM = fuCollectFileList(lArrServerList, true)
        liErrorCode = 1
    end if
    if lsFROM <> "" then
        Set oLogQuery = CreateObject("MSUtil.LogQuery")
        Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat")
        oEVTInputFormat.direction = "BW"
        Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat")
        oTPLOutputFormat.tpl = "c:\script\Tamplates\audit.tpl"
        ' positions follow the 4663 layout: 0 SubjectUserSid, 1 SubjectUserName,
        ' 2 SubjectDomainName, 5 ObjectType, 6 ObjectName, 11 ProcessName
        strQuery = "select TimeGenerated, EventID, " & _
            "extract_token(Strings, 0, '|' ) as UserSID, " & _
            "extract_token(Strings, 6, '|' ) as ObjectName, " & _
            "extract_token(Strings, 1, '|' ) as User, " & _
            "extract_token(Strings, 2, '|' ) as Domain, " & _
            "extract_token(Strings, 5, '|' ) as ObjectType, " & _
            "extract_token(Strings, 11, '|' ) as ProgramName, " & _
            "extract_token(Message, 0, '.' ) as Event " & _
            "into " & lsReport & " " & _
            "from " & lsFROM & " " & _
            "where EventId in (4656;4659;4660;4661;4663;4691) " & _
            "and TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _
            "and User <> 'NT AUTHORITY\SYSTEM' " & _
            "and extract_token(Strings, 6, '|' ) not like '%%HarddiskVolumeShadowCopy%%' " & _
            "and extract_token(Strings, 6, '|' ) not like '%%ShadowCopyVolume%%' " & _
            "and TO_LOWERCASE(extract_token(Strings, 6, '|' )) like '%%Top-Secret-Documents%%' " & _
            "and User <> 'FILE-SRV1$' " & _
            "and User <> 'FILE-SRV2$' " & _
            "order by Timegenerated"
        fuWritedown "* Query for file access audit: '" & strQuery & "'", 4
        if not gbDebugModeON then
            oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat
        end if
    else
        fuWritedown "* No evtx files found on the servers either.", 4
    end if
    fuAudit = liErrorCode
end function

' File access audit statistics: events per account with the time of the last one.
' Same local-first / live-log fallback as fuAudit.
function fuAuditStat(lArrServerList, lsReport)
    liErrorCode = -1
    lsFROM = fuCollectFileList(lArrServerList, false)
    if lsFROM <> "" then
        liErrorCode = 0
    else
        lsFROM = fuCollectFileList(lArrServerList, true)
        liErrorCode = 1
    end if
    if lsFROM <> "" then
        Set oLogQuery = CreateObject("MSUtil.LogQuery")
        Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat")
        oEVTInputFormat.direction = "BW"
        Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat")
        oTPLOutputFormat.tpl = "c:\script\Tamplates\auditStat.tpl"
        strQuery = "select extract_token(Strings, 1, '|' ) as User, " & _
            "COUNT(*) as Qty, " & _
            "MAX(TimeGenerated) as MaxTime " & _
            "into " & lsReport & " " & _
            "from " & lsFROM & " " & _
            "where EventId in (4656;4659;4660;4661;4663;4691) " & _
            "and TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _
            "and User <> 'NT AUTHORITY\SYSTEM' " & _
            "and extract_token(Strings, 6, '|' ) not like '%%HarddiskVolumeShadowCopy%%' " & _
            "and extract_token(Strings, 6, '|' ) not like '%%ShadowCopyVolume%%' " & _
            "and TO_LOWERCASE(extract_token(Strings, 6, '|' )) like '%%Top-Secret-Documents%%' " & _
            "group by User " & _
            "order by User"
        fuWritedown "* Query for file access audit statistics: '" & strQuery & "'", 4
        if not gbDebugModeON then
            oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat
        end if
    else
        fuWritedown "* No evtx files found on the servers either.", 4
    end if
    fuAuditStat = liErrorCode
end function

' RDP logons: 4624 with logon type 10 (RemoteInteractive)
function fuLogonRdp(lArrServerList, lsReport, lsFunctionName)
    liErrorCode = -1
    lsFROM = fuCollectFileList(lArrServerList, false)
    if lsFROM <> "" then
        Set oLogQuery = CreateObject("MSUtil.LogQuery")
        Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat")
        oEVTInputFormat.direction = "BW"
        Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat")
        oTPLOutputFormat.tpl = "c:\script\Tamplates\logonRdp.tpl"
        ' 4624 positions: 5 TargetUserName, 8 LogonType, 11 WorkstationName,
        ' 16 ProcessId, 17 ProcessName, 18 IpAddress. The LogonType filter keeps only
        ' 4624 rows in practice: position 8 is not a logon type in 4625/4648/4675.
        strQuery = "SELECT DISTINCT resolve_sid(SID) as UserName, eventid, TimeGenerated, extract_token(ComputerName, 0, '.') as NormComputerName, " & _
            "extract_token(strings, 5, '|' ) as LogonName, " & _
            "extract_token(strings, 11, '|' ) as LogonWKS, " & _
            "extract_token(strings, 18, '|' ) as LogonIP, " & _
            "case extract_token(strings, 8, '|' ) " & _
            " WHEN '2' THEN 'interactive' " & _
            " WHEN '3' THEN 'network' " & _
            " WHEN '4' THEN 'batch' " & _
            " WHEN '5' THEN 'service' " & _
            " WHEN '7' THEN 'unlocked workstation' " & _
            " WHEN '8' THEN 'network logon using a cleartext password' " & _
            " WHEN '9' THEN 'impersonated logons' " & _
            " WHEN '10' THEN 'remote access' " & _
            " ELSE extract_token(strings, 8, '|' ) " & _
            "end as LogonType, " & _
            "extract_token(strings, 17, '|' ) as LogonProc, " & _
            "extract_token(strings, 16, '|' ) as ProcessID " & _
            "INTO " & lsReport & " " & _
            "FROM " & lsFROM & " " & _
            "WHERE EventID IN (4624;4625;4648;4675) " & _
            "AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _
            "AND LogonType = 'remote access' " & _
            "order by Timegenerated DESC"
        fuWritedown "* Query " & lsFunctionName & ": '" & strQuery & "'", 4
        if not gbDebugModeON then
            oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat
        end if
        liErrorCode = 0
    else
        liErrorCode = 1
    end if
    fuLogonRdp = liErrorCode
end function

' Changes to AD objects: directory service access/changes, replication and trust events
function fuADObjects(lArrServerList, lsReport)
    liErrorCode = -1
    lsFROM = fuCollectFileList(lArrServerList, false)
    'lsFROM = "\\DC1\c$\WINDOWS\system32\winevt\Logs\Archive-Security-2010-12-09-09-55-23-631.evtx"
    'lsFROM = "\\DC1\security"
    if lsFROM <> "" then
        Set oLogQuery = CreateObject("MSUtil.LogQuery")
        Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat")
        oEVTInputFormat.direction = "BW"
        Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat")
        oTPLOutputFormat.tpl = "c:\script\Tamplates\adobjects.tpl"
        strQuery = "select extract_token(extract_token(Message, 3, ':' ), 0, ' Account ') as UserName, TimeGenerated, SourceName, Message as EventCategoryName, " & _
            "extract_token(extract_token(Message, 0, ':' ),0,'.') as Description, EventID, ComputerName, " & _
            "extract_token(extract_token(Message, 8, ':' ), 1, ' ') as Name " & _
            "INTO " & lsReport & " " & _
            "FROM " & lsFROM & " " & _
            "WHERE EventID IN (4928;4929;4930;4931;4934;4935;4936;4937;4662;5136;5137;" & _
            "5138;5139;5141;4932;4933) " & _
            "AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _
            "AND UserName not like '%%RTCService%%' "
        fuWritedown "* Query ADObjects: '" & strQuery & "'", 4
        if not gbDebugModeON then
            oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat
        end if
        liErrorCode = 0
    else
        liErrorCode = 1
    end if
    fuADObjects = liErrorCode
end function

' Mail the report files matching lsFileMask as attachments (zipped first if too large)
function fuSendReportMail(lsFileMask, lsFrom, lsTo, lsSubject, lsDate)
    Set objEmail = CreateObject("CDO.Message")
    objEmail.From = lsFrom
    objEmail.To = lsTo
    objEmail.Subject = lsSubject
    objEmail.HTMLBody = "<span style='font-family:Tahoma,Arial,sans-serif;font-size:14pt;'>Report for " & _
        lsDate & "</span>"
    fuCheckfileSizeAndZIP lsDate
    ' enumerate the report files with LogParser's file system input format
    Set oLogQuery = CreateObject("MSUtil.LogQuery")
    Set oFormat = CreateObject("MSUtil.LogQuery.FileSystemInputFormat")
    Set oRecordSet = oLogQuery.Execute("SELECT * FROM " & lsFileMask, oFormat)
    i = 0
    While Not oRecordSet.atEnd
        Set oRecord = oRecordSet.getRecord()
        strValue = oRecord.getValue("Path")
        objEmail.AddAttachment strValue
        i = i + 1
        oRecordSet.moveNext
    Wend
    oRecordSet.Close
    objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
    objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "MAIL-SRV"
    objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
    objEmail.Configuration.Fields.Update
    objEmail.Send
    fuWritedown "* Report sent from '" & lsFrom & "' to '" & lsTo & "'. Attachments: " & i, 4
end function

' Log the outcome of one report function and stop its timer
function fuCheckErrorCode(liErrorCode, lArrServerList, lsReportfile, lsFunctionName, startTime)
    select case liErrorCode
        case -1:
            fuWritedown "* " & lsFunctionName & " did not run (unexpected error)", 4
        case 0:
            fuWritedown "* " & lsFunctionName & " done", 4
            fuCheckResultFile(lsReportfile)
        case 1:
            fuWritedown "* Servers '" & Join(lArrServerList, ",") & "': unreachable or no log files found for the primary source (empty FROM list).", 4
            fuCheckResultFile(lsReportfile)
        case else
            fuWritedown "* Unknown return code from " & lsFunctionName & "!", 4
    end select
    fuStopTimer(startTime)
    fuWritedown "", 4
end function

' WMI ping: true if the host answers
function fuPing(NetworkDevice)
    lBoo = false
    set objPING = GetObject("winmgmts:{impersonationLevel=impersonate}").ExecQuery _
        ("select * from Win32_PingStatus where address ='" & NetworkDevice & "'")
    For Each PING In objPing
        if PING.StatusCode = 0 then
            lBoo = true
        end if
    next
    fuPing = lBoo
end function

' Build the comma-separated FROM list for LogParser.
' lbFindOnServer = true : query the live Security log on each reachable server,
'                         plus any archived .evtx found (and copied locally) there
' lbFindOnServer = false: query only the .evtx files already in the local log folder
function fuCollectFileList(lArrServerList, lbFindOnServer)
    lsTmp = Join(lArrServerList, ",")
    fuWritedown "* Servers: " & lsTmp, 4
    lsList = ""
    lsListFiles = ""
    lsTmpPath = ""
    lbServerHaveArchive = false
    for lix = 0 to UBound(lArrServerList)
        lsServer = lArrServerList(lix)
        fuWritedown "* Server '" & lsServer & "'", 4
        if lbFindOnServer then
            if fuPing(lsServer) then
                fuWritedown "* Server is reachable", 4
                lsList = lsList & "\\" & lsServer & "\Security"
                if fuServerHaveArchive(lsServer, lsListFiles) then
                    lbServerHaveArchive = true
                    'lsList = lsList & "," & "\\" & lsServer & "\c$\WINDOWS\system32\config\archive-security-*.evtx"
                    if len(lsListFiles) <> 0 then
                        'lsList = lsList & "," & lsListFiles
                    end if
                end if
                if lix < UBound(lArrServerList) then
                    lsList = lsList & ","
                end if
            else
                fuWritedown "* Server is not reachable", 4
            end if
        else
            lbServerHaveArchive = false
            if Len(lsListFiles) = 0 then
                lsListFiles = fuGetLogFolder(lsServer)
            else
                lsTmpPath = fuGetLogFolder(lsServer)
                if Len(lsTmpPath) <> 0 then
                    lsListFiles = lsListFiles & "," & lsTmpPath
                end if
            end if
        end if
    next
    if Right(lsList, 2) = ", " then
        lsList = Left(lsList, Len(lsList)-2)
    end if
    ' e.g. \\dc1\Security, \\dc1\c$\WINDOWS\system32\config\Archive-Security-*.evt,
    '      \\dc2\Security, \\dc2\c$\WINDOWS\system32\config\Archive-Security-*.evt
    if lbServerHaveArchive then
        lsList = lsList & "," & lsListFiles
    end if
    if not lbFindOnServer then
        lsList = lsListFiles
    end if
    fuWritedown "* FROM list: '" & lsList & "'", 4
    fuCollectFileList = lsList
end function

' Look for archived Security logs (Archive-Security-*.evtx) on the server's C$ share,
' copy them to the local log folder and append their local paths to lsListFiles_a (ByRef)
function fuServerHaveArchive(lsServerName, lsListFiles_a)
    Const FILE_NAME = 0
    dim gbFoo
    dim gsFilename
    gbFoo = false
    Set objShell = CreateObject ("Shell.Application")
    Set objFolder = objShell.Namespace ("\\" & lsServerName & "\c$\Windows\System32\winevt\Logs")
    For Each strFileName in objFolder.Items
        gsFilename = trim(lCase(objFolder.GetDetailsOf (strFileName, FILE_NAME)))
        ' fuWritedown "* gsFilename: " & gsFilename, 1
        if ((InStr(gsFilename, "archive-security-")) and (Right(gsFilename, 4) = "evtx")) then
            fuWritedown "* Found archive \\" & lsServerName & "\c$\Windows\System32\winevt\Logs\" & gsFilename, 4
            if len(lsListFiles_a) = 0 then
                lsListFiles_a = "f:\Logi_ForADReports\" & gsFilename
            else
                lsListFiles_a = lsListFiles_a & "," & "f:\Logi_ForADReports\" & gsFilename
            end if
            fuWritedown "* lsListFiles_a: " & lsListFiles_a, 2
            'fuConvertEvt2Evtx "\\" & lsServerName & "\c$\WINDOWS\system32\config\" & gsFilename, gsFilename
            fuCopyEvtx "\\" & lsServerName & "\c$\Windows\System32\winevt\Logs\" & gsFilename, gsFilename
            gbFoo = true
        end if
    Next
    if gbFoo then
        fuWritedown "* Server '" & lsServerName & "' has archived logs", 4
    else
        fuWritedown "* Server '" & lsServerName & "' has no archived logs", 4
    end if
    fuServerHaveArchive = gbFoo
end function

' Convert a legacy .evt archive to .evtx with an external batch file (kept for Server 2003 sources)
function fuConvertEvt2Evtx(lsFilenamePath, lsFilename)
    lbTmp = true
    if (fuIsFileExists("f:\Logi_ForADReports\" & lsFilename) and (fuIsFileExists("f:\Logi_ForADReports\" & lsFilename & "x"))) then
        fuWritedown "* File " & lsFilename & " already converted, skipping", 4
    else
        fuWritedown "* Converting " & lsFilename & "...", 4
        Set WshShell = CreateObject("WScript.Shell")
        gsRunCmd = "c:\script\convert_evt_to_evtx.bat " & lsFilenamePath & " " & lsFilename
        fuWritedown "* Running: '" &
gsRunCmd & "'", 2 WshShell.Run gsRunCmd WScript.Sleep 300000 end if fuConvertEvt2Evtx = lbTmp end function function fuCopyEvtx(lsFilenamePath, lsFilename) lbTmp = true if not fuIsFileExists("f:\Logi_ForADReports\" & lsFilename) then Set WshShell = CreateObject("WScript.Shell") gsRunCmd = "c:\script\copy_evtx.bat " & lsFilenamePath & " " & lsFilename fuWritedown "*  : '" & gsRunCmd & "'", 4 WshShell.Run gsRunCmd WScript.Sleep 25000 else fuWritedown "*   " & lsFilename & "   ,   ", 4 end if fuCopyEvtx = lbTmp end function function fuDeleteEvtxFiles(lsFromList) fuWritedown "*   : " & lsFromList, 4 lbTmp = true Set WshShell = CreateObject("WScript.Shell") if InStr(lsFromList, ",") then lArrFrom = Split(lsFromList, ",") for lix = 0 to uBound(lArrFrom) if InStr(lCase(lArrFrom(lix)), "archive-security-") then gsRunCmd = "c:\script\del_evtx.bat " & lArrFrom(lix) fuWritedown "*  : '" & gsRunCmd & "'", 4 WshShell.Run gsRunCmd end if next else gsRunCmd = "c:\script\del_evtx.bat " & lsFromList fuWritedown "*  : '" & gsRunCmd & "'", 4 WshShell.Run gsRunCmd end if WScript.Sleep 60000 fuDeleteEvtxFiles = lbTmp end function function fuIsFileExists(lsFilename) lBoo = false Set FSO = CreateObject("Scripting.FileSystemObject") if FSO.FileExists(lsFilename) then '   lBoo = true else '    end if Set FSO = nothing fuIsFileExists = lBoo end function function fuWritedown(lsToWrite, liCase) Select Case liCase Case 0: '   .    . Case 1: WScript.Echo lsToWrite '     Case 2: objTextFileWriteLog.WriteLine lsToWrite '     Case 4: WScript.Echo lsToWrite '    ,    objTextFileWriteLog.WriteLine lsToWrite Case else WScript.Echo lsToWrite End Select end function function fuNormalizeSystemDate(lsDate) lsNormalizeDate = lsDate if InStr(lsDate, ".") then lArrDate = Split(lsDate, ".") lsNormalizeDate = lArrDate(2) & "." & lArrDate(1) & "." & lArrDate(0) elseif InStr(lsDate, "/") then lArrDate = Split(lsDate, "/") lsNormalizeDate = fuCheckDatePart(lArrDate(2)) & "." & fuCheckDatePart(lArrDate(0)) & "." 
& fuCheckDatePart(lArrDate(1)) end if fuNormalizeSystemDate = lsNormalizeDate end function function fuNormalizeDate(lsDate) lsNormalizeDate = lsDate if InStr(lsDate, ".") then lArrDate = Split(lsDate, ".") lsNormalizeDate = lArrDate(2) & "." & lArrDate(1) & "." & lArrDate(0) end if fuNormalizeDate = lsNormalizeDate end function function fuCheckDatePart(lsDate) lsNormalizeDate = lsDate if len(lsDate) <= 1 then lsNormalizeDate = "0" & lsDate end if fuCheckDatePart = lsNormalizeDate end function function fuStartTimer(lsFunctionName) fuStartTimer = Now() if lsFunctionName <> "" then fuWritedown VBNewLine & lsFunctionName & " ", 4 end if end function function fuStopTimer(startTime) EndTime = Now() timeDiff = CDate(EndTime - startTime) fuWritedown "*  : " & timeDiff & " (" & startTime & "/" & EndTime & ").", 4 end function function fuCheckResultFile(lsReportfile) if objFSO.FileExists(lsReportfile) then fuWritedown "*     '" & lsReportfile & "'", 4 else fuWritedown "*   '" & lsReportfile & "'   ,      ", 4 end if end function function fuTypeTextfile(lsTextfile) 'fuWritedown "   '" & lsTextfile & "'", 1 Set objTextFileShowHelp = objFSO.OpenTextFile(lsTextfile, 1) Do Until objTextFileShowHelp.AtEndOfStream fuWritedown objTextFileShowHelp.Readline, 1 Loop objTextFileShowHelp.Close end function function fuNeedHelp(lsPar) lbFoo = false if lsPar = "h" or lsPar = "help" or InStr(lsPar, "?") then lbFoo = true end if fuNeedHelp = lbFoo end function function fuGetFilename(lsDate) lsTmp = "Archive-Security-2013-12-01-*.evtx" if InStr(lsDate, ".") then lArrDate = Split(lsDate, ".") lsTmp = "Archive-Security-" & fuCheckDatePart(lArrDate(2)) & "-" & fuCheckDatePart(lArrDate(1)) & "-" & fuCheckDatePart(lArrDate(0)) & "-*.evtx" elseif InStr(lsDate, "/") then lArrDate = Split(lsDate, "/") lsTmp = "Archive-Security-" & fuCheckDatePart(lArrDate(2)) & "-" & fuCheckDatePart(lArrDate(1)) & "-" & fuCheckDatePart(lArrDate(0)) & "-*.evtx" end if fuGetFilename = lsTmp end function function 
fuGetLogFolder(lsServer) lsTmp = "" Select Case lsServer Case "DC1": lsTmp = "Q:\Logi_DC1\" Case "DC2": lsTmp = "Q:\Logi_DC2\" Case "FILE-SRV1": lsTmp = "Q:\Logi_FILE-SRV1\" Case "FILE-SRV2": lsTmp = "Q:\Logi_FILE-SRV2\" Case "EXCH1": lsTmp = "Q:\Logi_EXCH1\" Case "EXCH2": lsTmp = "Q:\Logi_EXCH2\" Case else fuWritedown "*       " & lsServer & "  .    'Q:\Logi_" & lsServer & "\'", 4 lsTmp = "Q:\Logi_" & lsServer & "\" End Select lsPath = Left(lsTmp, Len(lsTmp)-1) 'lsPath = lsTmp lsFile = gsLogFilename lsBoo = fuNASHaveArchive(lsServer, lsPath, lsFile) if lsBoo then lsTmp = lsTmp & gsLogFilename else lsTmp = "" end if fuGetLogFolder = lsTmp end function function fuNASHaveArchive(Server, Path, File) wscript.echo Server & ", " & Path & ", " & File Const FILE_NAME = 0 dim gbFoo dim gsFilename gbFoo = false lsF = lCase(Left(File, Len(File)-6)) Set objShell = CreateObject("Shell.Application") Set objFolder = objShell.Namespace(Path) For Each strFileName in objFolder.Items gsFilename = trim(lCase(objFolder.GetDetailsOf (strFileName, FILE_NAME))) ' wscript.echo "* gsFilename: " & gsFilename if InStr(gsFilename, lsF) then gbFoo = true end if Next fuNASHaveArchive = gbFoo end function function fuCheckfileSizeAndZIP(lsDate) lsReportFolder = "F:\Reports\" lArrReportfilesList = Array (_ lsReportFolder & "logged_Administrator_" & lsDate & ".html", _ lsReportFolder & "new_AD_" & lsDate & ".html", _ lsReportFolder & "logonFailuresStats_" & lsDate & ".html", _ lsReportFolder & "group_Manage_" & lsDate & ".html", _ lsReportFolder & "logonFailure_" & lsDate & ".html", _ lsReportFolder & "change_password_" & lsDate & ".html", _ lsReportFolder & "new_Comp_AD_" & lsDate & ".html", _ lsReportFolder & "audit_" & lsDate & ".html", _ lsReportFolder & "auditStat_" & lsDate & ".html", _ lsReportFolder & "logged_Rdp_" & lsDate & ".html", _ gsReportFolder & "AD_objects_" & gsNormalDate & ".html") for lix = 0 to UBound(lArrReportfilesList) lbTmp = false lsFilenamePath = lArrReportfilesList(lix) 
ArcName = Left(lsFilenamePath, Len(lsFilenamePath)-5) & ".zip" if fuIsFileExists(lsFilenamePath) then Set File = objFSO.GetFile(lsFilenamePath) lsFilenameSize = File.Size if lsFilenameSize > 3000000 then fuWritedown "*   '" & lsFilenamePath & "'  3  ( " & lsFilenameSize & " ),   ", 4 fuWritedown "*  ...", 1 '--[   ]------------------------------------------------------------------- Set Shell=CreateObject("WScript.Shell") Set Zip=Shell.Exec("C:\Program Files\7-Zip\7z.exe a " & ArcName & " " & lsFilenamePath) ' ,     While (Zip.Status = 0) WScript.Sleep 5000 Wend Set Shell = Nothing fuWritedown "*  !   '" & ArcName & "'", 4 fuWritedown "*    '" & lsFilenamePath & "'...", 4 objFSO.DeleteFile lsFilenamePath, true fuWritedown "*  !", 1 lbTmp = true 'WScript.Sleep 2000 '--------------------------------------------------------------------------------------------- end if else '   ,   . end if next fuCheckfileSizeAndZIP = lbTmp end function 


Auxiliary batch files. Arguments are quoted so that paths with spaces cannot be split into extra commands (%~1 strips any quotes the caller already added).
convert_evt_to_evtx.bat
 copy "%~1" "f:\Logi_ForADReports\%~2"
 wevtutil epl "f:\Logi_ForADReports\%~2" "f:\Logi_ForADReports\%~2x" /lf:true

copy_evtx.bat
 copy "%~1" "f:\Logi_ForADReports\%~2"

del_evtx.bat
 del "%~1"


The script can be run without any keys; in that case all eleven reports are generated.
The script accepts up to three keys:
 Logparser_4.bat [report_list] [email_address] [date]

[report_list] is optional. The list of reports to execute, given as "1,1,0,0,1,0,1,0,1,0,0": a one in position N means that report N is executed.
The key all executes every report.
The key nothing turns off generation of all reports (useful for re-sending reports that already exist).
[email_address] is optional. It can take the values:
y - send the reports to the default address (admin1@domain.com)
n - do not mail the reports, only leave them in the reports folder F:\Reports.
email_address - the e-mail address to which the reports are sent.

[date] is optional. It selects the date whose reports are handled. This parameter is only needed when already generated reports for a date in the past are to be sent (reports are always generated for the day before the script runs). Date format: YYYY.MM.DD

Reports:
1. Administrator logon search report
2. Account management report
3. Failed logon statistics report
4. Group management report
5. Failed logon search report
6. Password management report
7. Computer management report
8. Audit report on the Top-Secret-Documents folder
9. Audit statistics report on the Top-Secret-Documents folder
10. RDP logon search report
11. Report on tracking actions on AD objects

Examples.

 Logparser_4.bat nothing "admin2@domain.com" 2013.01.01 
Sends the already generated reports for January 1, 2013 to "admin2@domain.com" (no reports are generated).

 Logparser_4.bat nothing y 2013.02.18 
Sends the already generated reports for February 18, 2013 to the default address (no reports are generated).

 Logparser_4.bat all "admin3@domain.com" 
Generates all reports and sends them to "admin3@domain.com".

 Logparser_4.bat "1,0,0,0,0,0,0,0,0,1,0" 
Generates only the first and tenth reports (administrator logons and RDP logons) and sends them to the default address.

 Logparser_4.bat "0,1,0,0,0,0,0,0,0,0,0" n 
Generates only the second report and does not send it anywhere; it is only written to the F:\Reports folder.

 Logparser_4.bat /? 
Shows the help.

Note
At present the script looks for events in the archived security logs (the Archive-Security-*.evtx files) in the central repository; in the script this is drive Q:, which the batch file maps at the start with
 net use Q: \\nas-srv\BACKUP 
It can instead search the live and archived logs on the servers themselves. To do that, change in each of the 11 report functions
 lsFROM = fuCollectFileList(lArrServerList, false) 
to
 lsFROM = fuCollectFileList(lArrServerList, true) 
In that mode the account running the scheduled task needs to read \\server\Security remotely, which membership in the server's built-in Event Log Readers group grants without administrator rights, and to read the admin share c$\Windows\System32\winevt\Logs on every server, which does require local administrator rights there. The task account therefore holds high-value credentials, and the Q: share holds copies of every server's security log, so both should be protected accordingly.
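The same pipeline in PowerShell, as an added example that is not part of the original article or its script: it covers the source switch just described (archived .evtx files on the Q: share versus the live Security log on the servers) and three of the reports in the list above (failed logon statistics, group management, RDP logons). The paths Q:\Logi_DC1\Archive-Security-2013-12-01-*.evtx and F:\Reports, the server names and the 3 MB zip threshold are taken from the article; the event IDs are the standard Windows Security audit IDs; Compress-Archive assumes PowerShell 5 or newer. Get-WinEvent reads the files and the live logs directly, so neither LogParser nor the html templates are needed here.

```powershell
# Added example (not the article's code). Reads Security events from either the
# archived .evtx files on the NAS (the script's default mode) or the live logs on
# the servers (its "online" mode) and writes the HTML reports the article lists.
# Assumed: the article's paths (Q:\Logi_DC1\..., F:\Reports) and PowerShell 5+.

# Standard Security audit event IDs used by reports 3/5, 4 and 10.
$EventIds = @{
    FailedLogon        = 4625
    Logon              = 4624                 # LogonType 10 = RemoteInteractive (RDP)
    GroupMemberAdded   = 4728, 4732, 4756     # global / local / universal group
    GroupMemberRemoved = 4729, 4733, 4757
}

function Get-SecurityEvents {
    # -Path = archived files (wildcards allowed); -ComputerName = live Security log.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ParameterSetName = 'Archive')] [string[]] $Path,
        [Parameter(Mandatory, ParameterSetName = 'Live')]    [string[]] $ComputerName,
        [Parameter(Mandatory)] [int[]] $Id,
        [datetime] $Start = (Get-Date).Date.AddDays(-1),   # the previous day, like the script
        [datetime] $End   = (Get-Date).Date
    )
    $filter = @{ Id = $Id; StartTime = $Start; EndTime = $End }
    if ($PSCmdlet.ParameterSetName -eq 'Archive') {
        $files = Get-Item -Path $Path -ErrorAction SilentlyContinue
        if (-not $files) { Write-Warning "no archive matches $Path"; return }
        $filter.Path = @($files.FullName)
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    } else {
        $filter.LogName = 'Security'
        foreach ($c in $ComputerName) {
            # same reachability check as the script's fuPing before touching a server
            if (-not (Test-Connection -ComputerName $c -Count 1 -Quiet)) {
                Write-Warning "$c is unreachable, skipping"; continue
            }
            Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction SilentlyContinue
        }
    }
}

function ConvertTo-EventRow {
    # Flatten the EventData fields of a Security event into one report row.
    param([Parameter(Mandatory, ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    process {
        $d = @{}
        foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            Server    = $Event.MachineName
            Id        = $Event.Id
            Subject   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"   # who did it
            Target    = "$($d.TargetDomainName)\$($d.TargetUserName)"     # account or group acted on
            Member    = $d.MemberName                                     # group-membership events only
            LogonType = $d.LogonType
            Source    = $d.IpAddress
        }
    }
}

function New-HtmlReport {
    param([object[]] $Rows, [string] $Title, [string] $OutFile)
    $Rows | ConvertTo-Html -Title $Title -PreContent "<h2>$Title ($($Rows.Count) rows)</h2>" |
        Out-File -FilePath $OutFile -Encoding UTF8
    # The script zips reports over 3 MB before mailing them; keep the same threshold.
    if ((Get-Item $OutFile).Length -gt 3MB) {
        Compress-Archive -Path $OutFile -DestinationPath ($OutFile -replace '\.html$', '.zip') -Force
        Remove-Item $OutFile
    }
}

# Usage: archived logs for one day. For the live logs use
# $src = @{ ComputerName = 'DC1', 'DC2' } with the default Start/End instead.
$day = '2013.12.01'
$src = @{ Path  = 'Q:\Logi_DC1\Archive-Security-2013-12-01-*.evtx'
          Start = [datetime]'2013-12-01'; End = [datetime]'2013-12-02' }

# Reports 3/5: failed logons, counted per target account and source address
$failed = Get-SecurityEvents @src -Id $EventIds.FailedLogon | ConvertTo-EventRow
$stats  = $failed | Group-Object Target, Source | Sort-Object Count -Descending |
          Select-Object Count, @{ n = 'Account, Source'; e = { $_.Name } }
New-HtmlReport -Rows $stats -Title 'Logon failure statistics' -OutFile "F:\Reports\logonFailuresStats_$day.html"

# Report 4: who added or removed whom to or from which group
$groups = Get-SecurityEvents @src -Id ($EventIds.GroupMemberAdded + $EventIds.GroupMemberRemoved) | ConvertTo-EventRow
New-HtmlReport -Rows $groups -Title 'Group management' -OutFile "F:\Reports\group_Manage_$day.html"

# Report 10: RDP logons (LogonType 10 in event 4624)
$rdp = Get-SecurityEvents @src -Id $EventIds.Logon | ConvertTo-EventRow | Where-Object LogonType -eq '10'
New-HtmlReport -Rows $rdp -Title 'RDP logons' -OutFile "F:\Reports\logged_Rdp_$day.html"
```

The two source modes differ only in the filter hashtable (Path versus LogName plus -ComputerName), which is the same switch the script makes through the second argument of fuCollectFileList; everything after Get-WinEvent is source-independent. Reading a remote Security log this way needs the same Event Log Readers membership noted above, but not the c$ admin share.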

Here you can download the archive with the script, batch files and templates.
The script does not have to be used word for word. The main thing is to understand how LogParser searches for the events and writes them into an html file through a template. And enjoy.

Source: https://habr.com/ru/post/205128/

