Failed Logon Script??

Hey,

Anyone heard of or created a VB script that displays all failed login attempts for .. lets say the previous month.. for a certain user? (from the error logs ...)

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

5no-yt

oh yah.. allmost forget, It has to export to like an excel file or somthing so it can be viewed by others.

blargoe

Google EventCombMT

This tool can search all event logs on multiple server simultaneously, you could filter security logs for Failure Audit events and the results are saved in tab separated txt files which can be opened in excel

keatron

Or use this script. You can customize it to log only events you specify. This logs system events. It creates a txt file named system.txt on the c drive. You can modify these variables as well. I would suggest taking this script and playing with it until you have modified it into exactly what you want. Scripting knowledge is something you'll certainly need (especially if you're moving to security).

Const ForAppending = 8

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile _
("C:\System.txt", ForAppending, True)

strComputer = "."

Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

Set colLoggedEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent Where LogFile = 'System'")

For Each objEvent in colLoggedEvents

objTextFile.WriteLine( "Category: "& objEvent.Category & vbTab _
& "Computer Name: "& objEvent.ComputerName & vbTab _
& "Event Code: "& objEvent.EventCode & vbTab _
& "Message: "& objEvent.RecordNumber & vbTab _
& "Record Number: "& objEvent.RecordNumber & vbTab _
& "Time Written: "& objEvent.TimeWritten & vbTab _
& "Event Type: "& objEvent.Type & vbTab _
& "User: "& objEvent.User & vbTab _
& objEvent.SourceName & vbCrLf & objEvent.Message & vbCrLf & vbCrLf)

Next

objTextFile.Close

sprkymrk

The tool psloglist can filter and **** event logs to a csv file too.

http://www.microsoft.com/technet/sysinternals/utilities/psloglist.mspx

5no-yt

ok so, I downloaded pstools

im running the following command "psloglist -d 30 -i 529,531,539 sec"
2 problems

1: It wont output any event IDs apart from 513 (which isnt even listed in my include IDs) - is it possible to list the failed logins (ID 529) with this tool?

2: I need to know how to output this to a file... I've done it once when i first started playing around with this .. but i cant remeber how!

your assistance is greatly appreciated

cheers guys n gals

-Chap

Edit: I tryed fooling around with that script but it was a bit beyond me and i got nowhere.

sprkymrk

It looks okay, maybe you have a typo in your script for 513 instead of 531?

Use this to **** events to a csv file:

psloglist -d 30 -i 529,531,539 security >> C:\badlogins.csv

You can use different delimeters with the -t switch, but the default comma should work for you.

5no-yt

cool got it exporting to a .csv cheers,

its weird tho - even when i dont include any -i functions it still only exports the 513 logs. its like event 513 is the only one thats there... its not as i have triple checked in the event viewer

EDIT: I have tried on 3 diffrent terminal servers - all do the same thing. (running windows server 2000)

sprkymrk

How about filtering on "failure audit" instead?

psloglist -d 30 -f f security >> C:\badlogins.csv

Actually, it's giving me fits too. Not filtering properly. I never had this problem on the system log (default) but since you were having trouble I tried a few variations myself. I'll mess around with it and get back to you.

5no-yt

yeh its very strange.

legand , cheers mate

5no-yt

Its friday! Only an hour to go and its the weekend .. woop!

Any luck on this yet sprky?

sprkymrk

Sorry, I keep meaning to try out a couple of things but work is getting in the way. Hopefully in the next few days. Don't wait for me though, see if google has the answer...

5no-yt

ahh sweet np,
yeh done a few searches in google - can't seem to find anything. most of the time the first link was to this forum lol!

could anyone help me out with a script for this ?? i will spend some time on it over the weekend also, but yeh - some help would be great!

cheers,
-Chap

sprkymrk

Okay, I think I may have narrowed it down to the "date" filter (-d in this case) messing up somehow. I got this to work perfectly:

psloglist -s -x -i 560,540 security >> c:\seclog.csv

BTW - I tried tweaking Keatrons vbscript too. I made some progress, but then when using it to **** to a csv file I ran into some weird problems. Anyway, this is what I came up with, but for some reason it formats it funny.

Const ForWriting = 2

Set objFSO = CreateObject("Scripting.FileSystemObject") 
Set objLogFile = objFSO.OpenTextFile _ 
("C:\FailedLogons.csv", ForWriting, True) 

strComputer = "."

Set objWMIService = GetObject("winmgmts:" _
    & "{(Security)}\\" & strComputer & "\root\cimv2")

Set colLoggedEvents = objWMIService.ExecQuery _
    ("Select * FROM Win32_NTLogEvent WHERE Logfile = 'Security' " & _
        "AND EventType <> 4 AND EventType <> 8")


For Each objEvent in colLoggedEvents 

objLogFile.Write objEvent.Category & ","
objLogFile.Write objEvent.ComputerName & ","
objLogFile.Write objEvent.EventCode & ","
objLogFile.Write objEvent.RecordNumber & ","
objLogFile.Write objEvent.TimeWritten & ","
objLogFile.Write objEvent.Type & ","
objLogFile.Write objEvent.User & ","
objLogFile.Write objEvent.SourceName & ","
objLogFile.Write objEvent.Message
objLogFile.Writeline
Next

objLogFile.Close

I know I'm missing something simple, but my brain is full now and since the psloglist worked, I'm done for the evening.

5no-yt

My Hero!!

Thanks heaps for this mate, saved me alot of hassle.

Double thanks,
-Chapt3r