Sometimes I analyze logons to a Windows host. I use these PowerShell commands:
for the last logons:
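# Winlogon 7001 (logon) / 7002 (logoff) events from the System log of the remote host.
# NOTE(review): -Before returns events OLDER than 7 days; for "last logons" (the most
# recent week) -After is probably what was intended — confirm before relying on this output.
$logs = Get-EventLog System -ComputerName BELMONRI -Source Microsoft-Windows-Winlogon -Before (Get-Date).AddDays(-7);
# Collect the output of the loop directly instead of "$res += ...", which copies the
# whole array on every event (quadratic on busy hosts).
$res = ForEach ($log in $logs) {
    $type = switch ($log.InstanceId) {
        7001    { "Logon" }
        7002    { "Logoff" }
        default { $null }
    }
    If (-not $type) { Continue }
    # ReplacementStrings[1] is used as the user SID of the session. Resolve it to an
    # NTAccount (DOMAIN\user); if translation fails (e.g. a deleted or foreign account)
    # keep the raw SID instead of aborting the whole report on one event.
    $sid = New-Object System.Security.Principal.SecurityIdentifier $log.ReplacementStrings[1]
    Try   { $user = $sid.Translate([System.Security.Principal.NTAccount]) }
    Catch { $user = $sid }
    New-Object PSObject -Property @{ Time = $log.TimeWritten; Event = $type; User = $user }
};
$res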
for listing the IPs that logged in:
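# Unique source IPs that reached port 3389 (RDP) in the last 20000 firewall log lines.
# Splitting on whitespace assumes the default pfirewall.log W3C layout, where field 4 is
# src-ip and field 7 is dst-port — check the "#Fields:" header line if the layout was changed.
# Testing the dst-port field (rather than Select-String "3389" on the whole line) avoids
# false hits where "3389" merely appears inside an IP octet, a source port or a byte count.
Get-Content C:\Windows\System32\LogFiles\Firewall\pfirewall.log -Tail 20000 |
    ForEach-Object {
        $f = $_ -split "\s+"
        if ($f.Count -gt 7 -and $f[7] -eq "3389") { $f[4] }
    } |
    Sort-Object -Unique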
for listing bad logins:
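# Define the variables
# 1. Server to query.
$Server = "BELMONRI"
# 2. Location of the result file.
$ResultFile = "C:\Temp\LoginAttemptsResultFile.csv"
# Create the output file and define the column headers.
$ResultFileHeaderRow = "Time,Domain\Username,Login Status"
Out-File -FilePath $ResultFile -InputObject $ResultFileHeaderRow
# Query the server for the login events.
# Filtering on Id inside the hashtable lets the remote event log service drop everything
# except 4624/4625 before it crosses the wire, instead of pulling the whole Security log
# for the day and discarding most of it locally.
$colEvents = Get-WinEvent -ComputerName $Server -FilterHashtable @{LogName='Security'; Id=4624,4625; StartTime=(Get-Date).AddDays(-2); EndTime=(Get-Date).AddDays(-1)}
# Iterate through the collection of login events. Each event is classified once; the
# time/domain/user extraction and the file write are shared by all three cases instead
# of being repeated per branch.
Foreach ($Entry in $colEvents)
{
    $Status = $null
    If ($Entry.Id -eq 4625)
    {
        $Status = "Login Failure"
    }
    ElseIf ($Entry.Id -eq 4624)
    {
        # Properties[8] of a 4624 event is the LogonType: 2 = Interactive (console),
        # 10 = RemoteInteractive (RDP). Other types (network, service, batch, ...) are
        # deliberately skipped, as in the original three-branch version.
        Switch ([int]$Entry.Properties[8].Value)
        {
            2  { $Status = "Interactive Login Success" }
            10 { $Status = "Remote Login Success" }
        }
    }
    If (-not $Status) { Continue }
    $TimeCreated = $Entry.TimeCreated
    # Properties[6] / [5] are read as the target domain / user name for both event ids.
    $Domain = $Entry.Properties[6].Value
    $Username = $Entry.Properties[5].Value
    # NOTE(review): fields are written unquoted; a domain or user name containing a comma
    # would shift the columns. Export-Csv would quote them, at the cost of changing the
    # file format the header row above was written in.
    $Result = "$TimeCreated,$Domain\$Username,$Status"
    $Result
    Out-File -FilePath $ResultFile -InputObject $Result -Append
}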