I am working to create a script that will do the following:
1) find successful logins of specific users. Check - Got this
2) I need to output to a file with only a few variables. Right now I am working on the computer that was authenticated. The source computer address, Time/Data, and the user. There are 3 Domain controllers and will be about 10 users. I am currently using for loops to get this done. When I run this with a static user and server. Everything seems to run fine. I don't get results when using a variable for the user setting in the get-winevent.
3) Other issue is extracting the source address out of the message. Since the different logon types produce different message, slicing and dicing the message is getting difficult.
If you have any additional questions or need more information please let me know.
Below is the script and the result of the output. I have dc01 and dc02 are 2008 SP2 servers and dc03 is 2012 R2
IGNORE -and $_.properties[8].value -ne 3.... I was just trying to do some testing. I can get you output without it.
$s = "Milw-dc03" , "Milw-dc02" , "Milw-dc01" #, "Milw-Webapps" , "Milw-Convert" , "Test-Sql" , "Test-Web" , "Test-Apps04" , "Test-Qlikeview"
$u = "rajupiter", "'raearth'" , "'ramoon'" , "raneptune"
$aLockOutDetails = @()
$aOutput = @()
Foreach ($Server in $s) {
Foreach ($User in $u) {
$Results = Get-winevent -FilterHashtable @{logname='Security'; id=4624; starttime=(get-date).date} -ComputerName $Server| where {$_.properties[5].value -ieq $User -and $_.properties[8].value -ne 3 } | Select Message, TimeCreated
ForEach($Result in $Results){
[string]$Item1 = $Result.Message
[string]$Item2 = $Result.Message
#Extract Account Name(aka User)
$sUser = $Item2.SubString($Item2.IndexOf("New Logon:"),$Item2.IndexOf(" Domain:"))
$sUser = $sUser.Substring(91)
#Extract Source Network Address
$sMachineName = $Item1.SubString($Item1.IndexOf("Source Network Address"),$Item1.IndexOf("`r"))
$sMachineName = $sMachineName.Trim("Source Network Address:")
$sMachineName = $sMachineName.Trim("`t")
#Set required info into hashtable
$hItemDetails = New-Object -TypeName psobject -Property @{
MachineName = $sMachineName
TimeCreated = $Result.TimeCreated
User = $sUser }
#Add each item hash table to array
$aLockOutDetails = $aLockOutDetails + $hItemDetails
}
ForEach($Line in $aLockOutDetails){
$sMachine = $Line.MachineName
$sDate = $Line.TimeCreated
$sUser = $Line.User
$aOutput += "$sMachine`t$sDate`t$sUser"
}
$aOutput | Set-Content 'C:\Log\logdata.txt'
}
}
Here is the Output that ran last night.
192.168.10.24
04/02/2014 09:38:41 rajupiter
Account Do
192.168.10.24
04/02/2014 09:38:41 rajupiter
Account Do
192.168.10.24
04/02/2014 09:38:41 rajupiter
Account Do
192.168.10.24
04/02/2014 09:38:41 rajupiter
Account Do
192.168.10.24
04/02/2014 09:38:41 rajupiter
Account Do
192.168.10.24
04/02/2014 09:38:41 rajupiter
Account Do
192.168.10.24
04/02/2014 09:38:41 rajupiter
Account Do
192.168.10.24
04/02/2014 09:38:41 rajupiter
Account Do
192.168.10.24
04/02/2014 09:38:41 rajupiter
Account Do
192.168.10.24
04/02/2014 09:38:41 rajupiter
Account Do
192.168.10.24
04/02/2014 09:38:41 rajupiter
Account Do
192.168.10.24
04/02/2014 09:38:41 rajupiter
Account Do
192.168.10.24
04/02/2014 09:38:41 rajupiter
Account Do
192.168.10.24
04/02/2014 09:38:41 rajupiter
Account Do
192.168.10.24
04/02/2014 09:38:41 rajupiter
Account Do
192.168.10.24
04/02/2014 09:38:41 rajupiter
Account Do
192.168.10.24
04/02/2014 09:38:41 rajupiter
Account Do
192.168.10.24
04/02/2014 09:38:41 rajupiter
Account Do
192.168.10.24
04/02/2014 09:38:41 rajupiter
Account Do
192.168.10.24
04/02/2014 09:38:41 rajupiter
Account Do
192.168.10.24
04/02/2014 09:38:41 rajupiter
Account Do
192.168.10.24
04/02/2014 09:38:41 rajupiter
Account Do
192.168.10.24
04/02/2014 09:38:41 rajupiter
Account Do
192.168.10.24
04/02/2014 09:38:41 rajupiter
Account Do