Failed Logon Script??

5no-yt Member Posts: 79
Hey,

Anyone heard of or created a VB script that displays all failed login attempts for .. let's say the previous month.. for a certain user? (from the error logs ...)
Security is like exercise: everyone talks about it, but not many people do it.
-J.R.Purser

Comments

  • 5no-yt Member Posts: 79
    Oh yeah.. almost forgot, it has to export to like an Excel file or something so it can be viewed by others.
  • blargoe Self-Described Huguenot NC, USA Member Posts: 4,174
    Google EventCombMT

    This tool can search all event logs on multiple servers simultaneously. You could filter security logs for Failure Audit events, and the results are saved in tab-separated txt files which can be opened in Excel.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • keatron Security Tinkerer Member Posts: 1,213
    Or use this script. You can customize it to log only events you specify. This logs system events. It creates a txt file named system.txt on the c drive. You can modify these variables as well. I would suggest taking this script and playing with it until you have modified it into exactly what you want. Scripting knowledge is something you'll certainly need (especially if you're moving to security).
    Const ForAppending = 8

    ' Open (or create) the output file in append mode
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objTextFile = objFSO.OpenTextFile _
        ("C:\System.txt", ForAppending, True)

    ' "." means the local computer
    strComputer = "."

    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

    ' Pull every record from the System log
    Set colLoggedEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where LogFile = 'System'")

    ' One tab-separated record per event, with the message text on its own line
    For Each objEvent in colLoggedEvents
        objTextFile.WriteLine("Category: " & objEvent.Category & vbTab _
            & "Computer Name: " & objEvent.ComputerName & vbTab _
            & "Event Code: " & objEvent.EventCode & vbTab _
            & "Record Number: " & objEvent.RecordNumber & vbTab _
            & "Time Written: " & objEvent.TimeWritten & vbTab _
            & "Event Type: " & objEvent.Type & vbTab _
            & "User: " & objEvent.User & vbTab _
            & "Source: " & objEvent.SourceName & vbCrLf _
            & "Message: " & objEvent.Message & vbCrLf & vbCrLf)
    Next

    objTextFile.Close
  • sprkymrk Member Posts: 4,884
    The tool psloglist can filter and dump event logs to a csv file too.

    http://www.microsoft.com/technet/sysinternals/utilities/psloglist.mspx
    All things are possible, only believe.
  • 5no-yt Member Posts: 79
    OK so, I downloaded pstools.

    I'm running the following command "psloglist -d 30 -i 529,531,539 sec"
    2 problems

    1: It won't output any event IDs apart from 513 (which isn't even listed in my include IDs) - is it possible to list the failed logins (ID 529) with this tool?

    2: I need to know how to output this to a file... I've done it once when I first started playing around with this .. but I can't remember how!

    Your assistance is greatly appreciated :)
    Cheers guys n gals

    -Chap

    Edit: I tried fooling around with that script but it was a bit beyond me and I got nowhere.
  • sprkymrk Member Posts: 4,884
    It looks okay, maybe you have a typo in your script for 513 instead of 531?

    Use this to dump events to a csv file:

    psloglist -d 30 -i 529,531,539 security >> C:\badlogins.csv

    You can use different delimiters with the -t switch, but the default comma should work for you.
  • 5no-yt Member Posts: 79
    Cool, got it exporting to a .csv, cheers.

    It's weird though - even when I don't include any -i functions it still only exports the 513 logs. It's like event 513 is the only one that's there... it's not, as I have triple-checked in the Event Viewer.

    EDIT: I have tried on 3 different terminal servers - all do the same thing. (running Windows Server 2000)
  • sprkymrk Member Posts: 4,884
    How about filtering on "failure audit" instead?

    psloglist -d 30 -f f security >> C:\badlogins.csv

    Actually, it's giving me fits too. Not filtering properly. I never had this problem on the system log (default) but since you were having trouble I tried a few variations myself. I'll mess around with it and get back to you.
  • 5no-yt Member Posts: 79
    Yeah, it's very strange.

    Legend, cheers mate
  • 5no-yt Member Posts: 79
    It's Friday! Only an hour to go and it's the weekend .. woop!

    Any luck on this yet sprky?
  • sprkymrk Member Posts: 4,884
    Sorry, I keep meaning to try out a couple of things but work is getting in the way. Hopefully in the next few days. Don't wait for me though, see if Google has the answer...
  • 5no-yt Member Posts: 79
    Ahh sweet, np.
    Yeah, done a few searches in Google - can't seem to find anything. Most of the time the first link was to this forum lol!

    Could anyone help me out with a script for this ?? I will spend some time on it over the weekend also, but yeah - some help would be great!

    cheers,
    -Chap
  • sprkymrk Member Posts: 4,884
    Okay, I think I may have narrowed it down to the "date" filter (-d in this case) messing up somehow. I got this to work perfectly:

    psloglist -s -x -i 560,540 security >> c:\seclog.csv

    BTW - I tried tweaking Keatron's VBScript too. I made some progress, but then when using it to dump to a csv file I ran into some weird problems. Anyway, this is what I came up with, but for some reason it formats it funny.
    Const ForWriting = 2

    ' Create (or overwrite) the CSV output file
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objLogFile = objFSO.OpenTextFile _
        ("C:\FailedLogons.csv", ForWriting, True)

    strComputer = "."

    ' The (Security) privilege is requested so the Security log can be read
    Set objWMIService = GetObject("winmgmts:" _
        & "{(Security)}\\" & strComputer & "\root\cimv2")

    ' In Win32_NTLogEvent, EventType 4 is audit success and 5 is audit failure
    Set colLoggedEvents = objWMIService.ExecQuery _
        ("Select * FROM Win32_NTLogEvent WHERE Logfile = 'Security' " & _
            "AND EventType <> 4 AND EventType <> 8")

    ' Fields are written unquoted and comma-separated, one event per WriteLine
    For Each objEvent in colLoggedEvents
        objLogFile.Write objEvent.Category & ","
        objLogFile.Write objEvent.ComputerName & ","
        objLogFile.Write objEvent.EventCode & ","
        objLogFile.Write objEvent.RecordNumber & ","
        objLogFile.Write objEvent.TimeWritten & ","
        objLogFile.Write objEvent.Type & ","
        objLogFile.Write objEvent.User & ","
        objLogFile.Write objEvent.SourceName & ","
        objLogFile.Write objEvent.Message
        objLogFile.WriteLine
    Next

    objLogFile.Close

    I know I'm missing something simple, but my brain is full now and since the psloglist worked, I'm done for the evening. :)
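
An added example, not code from any poster in this thread: a VBScript variant of the WMI approach above that keeps only the logon-failure event IDs used in the thread (529, 531, 539) from the last 30 days, matches a user name in the message text, and quotes every field so multi-line messages stay in one CSV row. The account name `jsmith`, the helper names `CsvField` and `WmiToDate`, and matching the user by message text are assumptions.

```vbscript
' Added example; strUser and the helper function names are assumptions.
Option Explicit
Const ForWriting = 2
Const strComputer = "."
Const strUser = "jsmith"      ' hypothetical account to report on
Const intDays = 30            ' look-back window in days
Dim objFSO, objLogFile, objWMIService, colEvents, objEvent, dtCutoff, dtWritten

' Quote one CSV field: flatten line breaks and double embedded quotes.
Function CsvField(varValue)
    Dim strValue
    strValue = varValue & ""  ' a Null property becomes an empty string
    strValue = Replace(Replace(strValue, vbCr, " "), vbLf, " ")
    CsvField = """" & Replace(strValue, """", """""") & """"
End Function

' Parse the leading yyyymmddHHMMSS digits of a WMI datetime; the UTC-offset
' suffix is ignored, so the cutoff is only accurate to within that offset.
Function WmiToDate(strWmi)
    WmiToDate = DateSerial(Left(strWmi, 4), Mid(strWmi, 5, 2), Mid(strWmi, 7, 2)) _
        + TimeSerial(Mid(strWmi, 9, 2), Mid(strWmi, 11, 2), Mid(strWmi, 13, 2))
End Function

dtCutoff = DateAdd("d", -intDays, Now)
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objLogFile = objFSO.OpenTextFile("C:\FailedLogons.csv", ForWriting, True)
objLogFile.WriteLine "TimeWritten,Computer,EventCode,RecordNumber,Message"

Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!\\" & strComputer & "\root\cimv2")
' Let WMI filter on the logon-failure event IDs used in the thread.
Set colEvents = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' " & _
     "AND (EventCode = 529 OR EventCode = 531 OR EventCode = 539)")

For Each objEvent In colEvents
    dtWritten = WmiToDate(objEvent.TimeWritten)
    ' Keep recent events whose message text mentions the account name.
    If dtWritten >= dtCutoff And _
       InStr(1, objEvent.Message & "", strUser, vbTextCompare) > 0 Then
        objLogFile.WriteLine CsvField(dtWritten) & "," & _
            CsvField(objEvent.ComputerName) & "," & _
            CsvField(objEvent.EventCode) & "," & _
            CsvField(objEvent.RecordNumber) & "," & _
            CsvField(objEvent.Message)
    End If
Next
objLogFile.Close
```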
  • 5no-yt Member Posts: 79
    My Hero!!

    Thanks heaps for this mate, saved me a lot of hassle.


    Double thanks,
    -Chapt3r