So I got all giddy regarding my creation of a script that would email me the previous day's failed logins, and blogged about it before real world testing had occurred The results were that ElDump only works with Windows 2003. I tried to get a good get-eventlog dump out of my 2008R2 domain controllers for quite some time. A couple of observations: Why does it take so long to get-eventlog remotely? Also, why don't they split up sections in an event's message property to be more accessible? Perhaps every hard-return in the message field could be delineate another element in an array? But, I digress.....
In the end, it was a post I found on the Spiceworks Community (GREAT resource by the way) that gave me what I needed. The following script builds on what I found in the original post. So, a big shout-out to B-Rad2011. Ninety percent of this is his, but I will take credit for adding a column to the output telling which hostname the user failed to log in from instead of only giving the IP address. I learned how to do reverse DNS lookups here.
#Here we flesh out some variables
$Date= Get-date
$DC= "2K8R2.foo.org"
$Report= "c:\temp\report.html"
#Here we create a web template
$HTML=@"
<title>Event Logs Report</title>
<style>
BODY{background-color :#FFFFF}
TABLE{Border-width:thin;border-style: solid;border-color:Black;border-collapse: collapse;}
TH{border-width: 1px;padding: 1px;border-style: solid;border-color: black;background-color: ThreeDShadow}
TD{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color: Transparent}
</style>
"@
#Get the event log, then extract some properties
$eventsDC = Get-Eventlog security -Computer $DC -InstanceId 4771 -After (Get-Date).AddDays(-1) |
Select TimeGenerated,ReplacementStrings |
% {
$IPAddress = (($_.ReplacementStrings[6]).Remove(0,7))
$Hostname = ([System.Net.Dns]::GetHostByAddress($IPAddress) | select Hostname)
$hostname = (($Hostname.hostname).replace(".foo.org",""))
New-Object PSObject -Property @{
UserName = $_.ReplacementStrings[0]
Source_Computer = $hostname
IP_Address = (($_.ReplacementStrings[6]).Remove(0,7))
Date = $_.TimeGenerated
} #End NewObject -Property
} #End Foreach
#Inject the object created above into an HTML page
$eventsDC | ConvertTo-Html -Property Date,Source_Computer,IP_Address,UserName -head $HTML -body "<H2>Generated On $Date</H2>"| Out-File $Report -Append
#Mail the page, and then delete the original
$Text = "Password Failures from $DC"
Send-Mailmessage -from "administrator@foo.org" -to administrator@foo.org -subject $Text -smtpserver MailServer01 -body $Text -attachments $Report
del $report
No comments:
Post a Comment