-
-
Save docouto/8e3b8d5c3317473447ca7b021c25c1a1 to your computer and use it in GitHub Desktop.
Windows Server PS: Security Log Logon/Logoff Event Reporter
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Source: https://gallery.technet.microsoft.com/Log-Parser-to-Identify-8aac36bd | |
# Authors: Ryan DeVries, Drew Bonasera, Scott Smith | |
# Rochester Institute of Technology - Computer System Forensics | |
# Variables | |
# Reads the hostname, sets to the local hostname if left blank | |
$hostname = read-host "Enter the IP or hostname of the computer you wish to scan (Leave blank for local)" | |
if ($hostname.length -eq 0){$hostname = $env:computername} | |
# Reads the start date, sets to 1/1/2000 if left blank | |
$startTmp = read-host "Enter the start date to scan from (MM/DD/YYYY, default 1/1/2000)" | |
if ($startTmp.length -eq 0){$startTmp = "1/1/2000"} | |
$startDate = get-date $startTmp | |
# Reads the end date, sets to the current date and time if left blank | |
$endTmp = read-host "Enter the end date to scan to (MM/DD/YYYY, default current time)" | |
if ($endTmp.length -eq 0){$endTmp = get-date} | |
$endDate = get-date $endTmp | |
# Reads a Yes or No response to print only the failed login attempts, defaults to No | |
$scope = read-host "Print only failed logins (Y/N, default N)" | |
if ($scope.length -eq 0){$scope = "N"} | |
# Writes a line with all the parameters selected for report | |
write-host "Hostname: "$hostname "`tStart: "$startDate "`tEnd: "$endDate "`tOnly Failed Logins: "$scope "`n" | |
# Store each event from the Security Log with the specificed dates and computer in an array | |
$log = Get-Eventlog -LogName Security -ComputerName $hostname -after $startDate -before $endDate | |
# Loop through each security event, print only failed login attempts | |
if ($scope -match "Y"){ | |
foreach ($i in $log){ | |
# Logon Failure Events, marked red | |
# Local | |
if (($i.EventID -eq 4625 ) -and ($i.ReplacementStrings[10] -eq 2)){ | |
write-host "Type: Local Logon`tDate: "$i.TimeGenerated "`tStatus: Failure`tUser: "$i.ReplacementStrings[5] -foregroundcolor "red" | |
} | |
# Remote | |
if (($i.EventID -eq 4625 ) -and ($i.ReplacementStrings[10] -eq 10)){ | |
write-host "Type: Remote Logon`tDate: "$i.TimeGenerated "`tStatus: Failure`tUser: "$i.ReplacementStrings[5] "`tIP Address: "$i.ReplacementStrings[19] -foregroundcolor "red" | |
} | |
} | |
} | |
# Loop through each security event, print all login/logoffs with type, date/time, status, account name, and IP address if remote | |
else{ | |
foreach ($i in $log){ | |
# Logon Successful Events | |
# Local (Logon Type 2) | |
if (($i.EventID -eq 4624 ) -and ($i.ReplacementStrings[8] -eq 2)){ | |
write-host "Type: Local Logon`tDate: "$i.TimeGenerated "`tStatus: Success`tUser: "$i.ReplacementStrings[5] | |
} | |
# Remote (Logon Type 10) | |
if (($i.EventID -eq 4624 ) -and ($i.ReplacementStrings[8] -eq 10)){ | |
write-host "Type: Remote Logon`tDate: "$i.TimeGenerated "`tStatus: Success`tUser: "$i.ReplacementStrings[5] "`tIP Address: "$i.ReplacementStrings[18] | |
} | |
# Logon Failure Events, marked red | |
# Local | |
if (($i.EventID -eq 4625 ) -and ($i.ReplacementStrings[10] -eq 2)){ | |
write-host "Type: Local Logon`tDate: "$i.TimeGenerated "`tStatus: Failure`tUser: "$i.ReplacementStrings[5] -foregroundcolor "red" | |
} | |
# Remote | |
if (($i.EventID -eq 4625 ) -and ($i.ReplacementStrings[10] -eq 10)){ | |
write-host "Type: Remote Logon`tDate: "$i.TimeGenerated "`tStatus: Failure`tUser: "$i.ReplacementStrings[5] "`tIP Address: "$i.ReplacementStrings[19] -foregroundcolor "red" | |
} | |
# Logoff Events | |
if ($i.EventID -eq 4647 ){ | |
write-host "Type: Logoff`t`tDate: "$i.TimeGenerated "`tStatus: Success`tUser: "$i.ReplacementStrings[1] | |
} | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment