tiberiusjones
I am running a script to create a list of all logon failures for Domain Admins on all my domain controllers. I want to be able to send this list via email to my domain admin groups as soon as there is a logon failure.
Here is the script, basically. How do I modify this to send it out immediately rather than every four hours? The first script builds the query files:
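'************************************************
'**** Create file seclogs.sql
'**** (the comments below call it seclogsda.sql; the path actually written is seclogs.sql)
'************************************************
' Part 1 of the event-log query: the SELECT list. The FROM/WHERE clauses are appended further down.
' NOTE(review): "%0\..\" is a batch-file idiom for "the directory of the running .cmd"; VBScript
' does not expand it, so this path only resolves if the script text is echoed out of a batch file.
' Confirm how the script is launched before moving it.
Const ForWriting = 2
Const ForAppending = 8
Set objFSO = CreateObject("Scripting.FileSystemObject")
' CreateTextFile(path, True) truncates any existing file and hands back a writable stream,
' so the original create / close / reopen-for-writing sequence collapses to one call.
Set objFileLog = objFSO.CreateTextFile("%0\..\seclogs.sql", True)
objFileLog.WriteLine "select eventid,computername,timegenerated,message"
objFileLog.Close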
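'**** Create a list of all Domain Controllers
'**** Added on April 4, 2007 by Carlos Cunningham
'**** Additional code was added to break the dependency on hard-coding DCs into the script.
'
' Every nTDSDSA object in the Configuration partition is a DC's "NTDS Settings" object, whose DN is
' CN=NTDS Settings,CN=<dc>,CN=Servers,...; splitting the DN on "=" therefore puts "<dc>,CN" at index 2,
' and splitting that on "," gives the DC name. The result is a comma-separated list of \\<dc>\security
' log sources for the query.
' NOTE(review): the search base is still hard-coded to DC=ornl,DC=gov. RootDSE's
' configurationNamingContext would make this domain-independent; left unchanged on purpose.
Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.CommandText = _
    "Select distinguishedName from " & _
    "'LDAP://CN=Configuration,DC=ornl,DC=gov' " & _
    "where objectClass='nTDSDSA'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute
DomainControllers = ""
' No MoveFirst: it raises an error on an empty recordset, whereas EOF is simply true there.
Do Until objRecordSet.EOF
    DomainC = Split(objRecordSet.Fields("distinguishedName").Value, "=", -1, 1)
    DC = Split(DomainC(2), ",", -1, 1)
    DomainControllers = DomainControllers & "\\" & DC(0) & "\security,"
    objRecordSet.MoveNext
Loop
objRecordSet.Close
' Drop the trailing comma. Guarded because Left() with a negative length fails when no DC was found;
' an empty DomainList then produces an invalid "from" clause, which is the right place for it to fail loudly.
If Len(DomainControllers) > 0 Then
    DomainList = Left(DomainControllers, Len(DomainControllers) - 1)
Else
    DomainList = ""
End If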
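'**** Open seclogs.sql for appending (the original comment calls it seclogsda.sql)
Set objFileLog = objFSO.OpenTextFile("%0\..\seclogs.sql", ForAppending)
objFileLog.WriteLine "from " & DomainList
' 529 = failed logon, 675 = Kerberos pre-authentication failure (Windows 2000/2003 security-log IDs).
' NOTE(review): DCs running Windows Server 2008 or later log 4625/4771 for the same events, so this
' filter would match nothing there.
objFileLog.WriteLine "where eventid in ('529';'675')"
'**** Read users of the Domain Admins Group
' Each member name becomes one "message like" term. The WinNT provider appears to enumerate direct
' members only, so an account that is a Domain Admin via a nested group is not matched — verify.
' NOTE(review): '%%' is how a .cmd file escapes a literal '%'. If this VBScript is run directly,
' '%%' is two LIKE wildcards in a row, which still matches the same strings.
Count = 0
strComputer = "ornl"   ' domain name for the WinNT://<domain>/<group>,group path
strGroup = "Domain Admins"
Set objGroup = GetObject("WinNT://" & strComputer & "/" & strGroup & ",group")
For Each objMember In objGroup.Members
    ' A single quote in a member name would terminate the string literal and break the query;
    ' doubling it is the usual SQL escape — assumed to hold for this query engine, confirm.
    strName = Replace(objMember.Name, "'", "''")
    If Count = 0 Then
        objFileLog.WriteLine "and (message like '%% " & strName & " %%'"
    Else
        objFileLog.WriteLine "or message like '%% " & strName & " %%'"
    End If
    Count = Count + 1
Next
objFileLog.WriteLine ")"
'and (message not like '%%$%%')"   (disabled: would drop computer accounts, whose names end in $)
' Only the last 15 minutes are queried. Whatever schedules this script must run at least that often,
' or failures between runs are never reported; to alert "immediately", run the whole pipeline more
' frequently and keep this window equal to the run interval rather than stretching it.
objFileLog.WriteLine "and TimeWritten >= SUB( TO_LOCALTIME(SYSTEM_TIMESTAMP()), "
objFileLog.WriteLine "TIMESTAMP('0000-01-01 00:15:00', 'yyyy-MM-dd hh:mm:ss') )"
objFileLog.Close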
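'************************************************
'**** Create file seclogspriv.sql
'************************************************
' Same query as seclogs.sql but for the other privileged groups; the member filter is appended
' next, so the stream is deliberately left open here.
' CreateTextFile(path, True) truncates and returns a writable stream, replacing the original
' create / close / reopen / close / reopen-for-append sequence with a single open.
Set objFileLog = objFSO.CreateTextFile("%0\..\seclogspriv.sql", True)
objFileLog.WriteLine "select eventid,computername,timegenerated,message"
objFileLog.WriteLine "from " & DomainList
' 529 / 675 are the pre-2008 failed-logon / Kerberos pre-auth-failure IDs (4625 / 4771 on newer DCs).
objFileLog.WriteLine "where eventid in ('529';'675')"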
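'**** Read users of the IS Team Admin, Security Admins and NCTD-DSTeam groups
'**** and finish seclogspriv.sql (objFileLog is already open for appending).
' One "message like" term per direct member of each group; the three groups share one OR list.
' Fixed: the third block read "IS Team Admin" a second time instead of NCTD-DSTeam, so that group
' was never watched. The group name is taken from the original comments — verify it matches the
' group's account name.
Count = 0
strComputer = "ornl"   ' domain name for the WinNT://<domain>/<group>,group path
For Each strGroup In Array("IS Team Admin", "Security Admins", "NCTD-DSTeam")
    Set objGroup = GetObject("WinNT://" & strComputer & "/" & strGroup & ",group")
    For Each objMember In objGroup.Members
        ' Double embedded single quotes so a name cannot break out of the string literal
        ' (standard SQL escape; assumed to apply to this query engine — confirm).
        strName = Replace(objMember.Name, "'", "''")
        If Count = 0 Then
            objFileLog.WriteLine "and (message like '%% " & strName & " %%'"
        Else
            objFileLog.WriteLine "or message like '%% " & strName & " %%'"
        End If
        Count = Count + 1
    Next
Next
objFileLog.WriteLine ")"
' and (message not like '%%$%%')"   (disabled: would drop computer accounts, whose names end in $)
' 15-minute look-back: must be no shorter than the interval at which this script is scheduled,
' otherwise failures between runs are silently missed.
objFileLog.WriteLine "and TimeWritten >= SUB( TO_LOCALTIME(SYSTEM_TIMESTAMP()), "
objFileLog.WriteLine "TIMESTAMP('0000-01-01 00:15:00', 'yyyy-MM-dd hh:mm:ss') )"
objFileLog.Close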
Here is the other script, which parses the logon failures and builds the message body:
REM $Id: Parselogfile.vbs,v 1.5 2006/04/07 14:55:41 dwd Exp $
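Option Explicit
'On Error Resume Next
' Reads <base>AdminFailures.log (CSV: EventID,ComputerName,TimeGenerated,Message), appends one
' "time,user,address" line per failure to <base>Admin.log and writes a readable messagebody.txt
' that can be mailed out.
Const ForReading=1, ForWriting = 2, ForAppending=8
Dim WshShell, strFile
Dim fso, fsoFile, fsoOutfile, fsoInfile, fsoFileLine, fsoFileLIne1, fsoFileLine2, fsoLogFile
Dim strAccountparse, aFileLine,aDate,strComputerName, dDate, strIPAddress
Dim aMessage, aEventID
Dim strUser, straddress, strBase
Dim intCount
Dim Return
' Optional first argument selects the log set to process; "Domain" gives DomainAdminFailures.log.
If WScript.Arguments.Count > 0 Then
    strBase = WScript.Arguments.Item(0)
Else
    strBase = "Domain"
End If
Set WshShell = WScript.CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
' Fixed: "fso.OpenTextFile" was broken across two lines in the pasted version, which does not parse.
' True = create <base>Admin.log if it does not exist yet.
Set fsoLogFile = fso.OpenTextFile(strBase & "Admin.log", ForAppending, True)
Set fsoFile = fso.GetFile(strBase & "AdminFailures.log")
'fsoLogFile.writeline Now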
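If fsoFile.Size <> 0 Then
    Set fsoOutFile = fso.CreateTextFile("messagebody.txt")
    Set fsoInfile = fsoFile.OpenAsTextStream(ForReading, False)
    ' The first line is the CSV header; read it once and discard it.
    fsoFileLine = fsoInfile.ReadLine
    fsoOutfile.WriteLine strBase & " Admin Login Failures"
    intCount = 0
    Do While Not fsoInfile.AtEndOfStream
        fsoFileLine = fsoInfile.ReadLine
        aFileLine = Split(fsoFileLine, ",")
        ' Plain comma split: a message containing commas shifts the columns, and a short line
        ' made the original fail on aFileLine(3). Only lines with the four expected fields are parsed.
        If UBound(aFileLine) >= 3 Then
            aEventID = Trim(aFileLine(0))
            aMessage = Split(aFileLine(3), " ")
            strUser = ""
            strAddress = ""
            ' Compared as strings on purpose: VBScript's string-vs-number equality is a known gotcha.
            ' The word offsets assume the Windows 2000/2003 message text — TODO confirm against a sample line.
            Select Case aEventID
                Case "675"
                    If UBound(aMessage) >= 19 Then
                        strUser = aMessage(4)
                        strAddress = aMessage(19)
                    End If
                Case "529"
                    If UBound(aMessage) >= 11 Then strUser = aMessage(11)
                    strAddress = "Unknown"
            End Select
            ' Only report recognised events. The original wrote a line for every row, repeating the
            ' previous row's user and address whenever the event id was neither 529 nor 675.
            If strUser <> "" Then
                intCount = intCount + 1
                fsoOutfile.WriteLine strUser & " has failed to authenticate from address " & strAddress & _
                    " at " & aFileLine(2) & ", EventID: " & aEventID & " on " & aFileLine(1)
                fsoLogFile.WriteLine aFileLine(2) & "," & strUser & "," & strAddress
            End If
        End If
    Loop
    ' Close explicitly so messagebody.txt is complete before anything (e.g. a mailer) reads it.
    fsoOutfile.Close
    fsoInfile.Close
End If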
'fsoOutfile.close
'If fso.FileExists("messagebody.txt") Then
' Set fsoFile=fso.Getfile("messagebody.txt")
' If fsoFile.size=37 Then
' fsoLogFile.writeline "No Failures"
' Else
' Return = WshShell.run("blat messagebody.txt -s "& chr(34)&strbase&" Login Failures"&chr(34)&" -tf email.txt -f securitylogs@ornl.gov -server smtp.ornl.gov")
' End If
'
' fsoFile.delete
'Else
' fsoLogFile.writeline "No Failures"
'End If
REM $Log: Parselogfile.vbs,v $
REM REmoved emails every 15 minutes
REM
REM Modified to allow command line argument to change the file processed
REM
Here is the script, basically. How do I modify this to send it out immediately rather than every four hours? The first script builds the query files:
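'************************************************
'**** Create file seclogs.sql
'**** (the comments below call it seclogsda.sql; the path actually written is seclogs.sql)
'************************************************
' Part 1 of the event-log query: the SELECT list. The FROM/WHERE clauses are appended further down.
' NOTE(review): "%0\..\" is a batch-file idiom for "the directory of the running .cmd"; VBScript
' does not expand it, so this path only resolves if the script text is echoed out of a batch file.
' Confirm how the script is launched before moving it.
Const ForWriting = 2
Const ForAppending = 8
Set objFSO = CreateObject("Scripting.FileSystemObject")
' CreateTextFile(path, True) truncates any existing file and hands back a writable stream,
' so the original create / close / reopen-for-writing sequence collapses to one call.
Set objFileLog = objFSO.CreateTextFile("%0\..\seclogs.sql", True)
objFileLog.WriteLine "select eventid,computername,timegenerated,message"
objFileLog.Close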
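'**** Create a list of all Domain Controllers
'**** Added on April 4, 2007 by Carlos Cunningham
'**** Additional code was added to break the dependency on hard-coding DCs into the script.
'
' Every nTDSDSA object in the Configuration partition is a DC's "NTDS Settings" object, whose DN is
' CN=NTDS Settings,CN=<dc>,CN=Servers,...; splitting the DN on "=" therefore puts "<dc>,CN" at index 2,
' and splitting that on "," gives the DC name. The result is a comma-separated list of \\<dc>\security
' log sources for the query.
' NOTE(review): the search base is still hard-coded to DC=ornl,DC=gov. RootDSE's
' configurationNamingContext would make this domain-independent; left unchanged on purpose.
Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.CommandText = _
    "Select distinguishedName from " & _
    "'LDAP://CN=Configuration,DC=ornl,DC=gov' " & _
    "where objectClass='nTDSDSA'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute
DomainControllers = ""
' No MoveFirst: it raises an error on an empty recordset, whereas EOF is simply true there.
Do Until objRecordSet.EOF
    DomainC = Split(objRecordSet.Fields("distinguishedName").Value, "=", -1, 1)
    DC = Split(DomainC(2), ",", -1, 1)
    DomainControllers = DomainControllers & "\\" & DC(0) & "\security,"
    objRecordSet.MoveNext
Loop
objRecordSet.Close
' Drop the trailing comma. Guarded because Left() with a negative length fails when no DC was found;
' an empty DomainList then produces an invalid "from" clause, which is the right place for it to fail loudly.
If Len(DomainControllers) > 0 Then
    DomainList = Left(DomainControllers, Len(DomainControllers) - 1)
Else
    DomainList = ""
End If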
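'**** Open seclogs.sql for appending (the original comment calls it seclogsda.sql)
Set objFileLog = objFSO.OpenTextFile("%0\..\seclogs.sql", ForAppending)
objFileLog.WriteLine "from " & DomainList
' 529 = failed logon, 675 = Kerberos pre-authentication failure (Windows 2000/2003 security-log IDs).
' NOTE(review): DCs running Windows Server 2008 or later log 4625/4771 for the same events, so this
' filter would match nothing there.
objFileLog.WriteLine "where eventid in ('529';'675')"
'**** Read users of the Domain Admins Group
' Each member name becomes one "message like" term. The WinNT provider appears to enumerate direct
' members only, so an account that is a Domain Admin via a nested group is not matched — verify.
' NOTE(review): '%%' is how a .cmd file escapes a literal '%'. If this VBScript is run directly,
' '%%' is two LIKE wildcards in a row, which still matches the same strings.
Count = 0
strComputer = "ornl"   ' domain name for the WinNT://<domain>/<group>,group path
strGroup = "Domain Admins"
Set objGroup = GetObject("WinNT://" & strComputer & "/" & strGroup & ",group")
For Each objMember In objGroup.Members
    ' A single quote in a member name would terminate the string literal and break the query;
    ' doubling it is the usual SQL escape — assumed to hold for this query engine, confirm.
    strName = Replace(objMember.Name, "'", "''")
    If Count = 0 Then
        objFileLog.WriteLine "and (message like '%% " & strName & " %%'"
    Else
        objFileLog.WriteLine "or message like '%% " & strName & " %%'"
    End If
    Count = Count + 1
Next
objFileLog.WriteLine ")"
'and (message not like '%%$%%')"   (disabled: would drop computer accounts, whose names end in $)
' Only the last 15 minutes are queried. Whatever schedules this script must run at least that often,
' or failures between runs are never reported; to alert "immediately", run the whole pipeline more
' frequently and keep this window equal to the run interval rather than stretching it.
objFileLog.WriteLine "and TimeWritten >= SUB( TO_LOCALTIME(SYSTEM_TIMESTAMP()), "
objFileLog.WriteLine "TIMESTAMP('0000-01-01 00:15:00', 'yyyy-MM-dd hh:mm:ss') )"
objFileLog.Close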
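'************************************************
'**** Create file seclogspriv.sql
'************************************************
' Same query as seclogs.sql but for the other privileged groups; the member filter is appended
' next, so the stream is deliberately left open here.
' CreateTextFile(path, True) truncates and returns a writable stream, replacing the original
' create / close / reopen / close / reopen-for-append sequence with a single open.
Set objFileLog = objFSO.CreateTextFile("%0\..\seclogspriv.sql", True)
objFileLog.WriteLine "select eventid,computername,timegenerated,message"
objFileLog.WriteLine "from " & DomainList
' 529 / 675 are the pre-2008 failed-logon / Kerberos pre-auth-failure IDs (4625 / 4771 on newer DCs).
objFileLog.WriteLine "where eventid in ('529';'675')"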
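'**** Read users of the IS Team Admin, Security Admins and NCTD-DSTeam groups
'**** and finish seclogspriv.sql (objFileLog is already open for appending).
' One "message like" term per direct member of each group; the three groups share one OR list.
' Fixed: the third block read "IS Team Admin" a second time instead of NCTD-DSTeam, so that group
' was never watched. The group name is taken from the original comments — verify it matches the
' group's account name.
Count = 0
strComputer = "ornl"   ' domain name for the WinNT://<domain>/<group>,group path
For Each strGroup In Array("IS Team Admin", "Security Admins", "NCTD-DSTeam")
    Set objGroup = GetObject("WinNT://" & strComputer & "/" & strGroup & ",group")
    For Each objMember In objGroup.Members
        ' Double embedded single quotes so a name cannot break out of the string literal
        ' (standard SQL escape; assumed to apply to this query engine — confirm).
        strName = Replace(objMember.Name, "'", "''")
        If Count = 0 Then
            objFileLog.WriteLine "and (message like '%% " & strName & " %%'"
        Else
            objFileLog.WriteLine "or message like '%% " & strName & " %%'"
        End If
        Count = Count + 1
    Next
Next
objFileLog.WriteLine ")"
' and (message not like '%%$%%')"   (disabled: would drop computer accounts, whose names end in $)
' 15-minute look-back: must be no shorter than the interval at which this script is scheduled,
' otherwise failures between runs are silently missed.
objFileLog.WriteLine "and TimeWritten >= SUB( TO_LOCALTIME(SYSTEM_TIMESTAMP()), "
objFileLog.WriteLine "TIMESTAMP('0000-01-01 00:15:00', 'yyyy-MM-dd hh:mm:ss') )"
objFileLog.Close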
Here is the other script, which parses the logon failures and builds the message body:
REM $Id: Parselogfile.vbs,v 1.5 2006/04/07 14:55:41 dwd Exp $
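Option Explicit
'On Error Resume Next
' Reads <base>AdminFailures.log (CSV: EventID,ComputerName,TimeGenerated,Message), appends one
' "time,user,address" line per failure to <base>Admin.log and writes a readable messagebody.txt
' that can be mailed out.
Const ForReading=1, ForWriting = 2, ForAppending=8
Dim WshShell, strFile
Dim fso, fsoFile, fsoOutfile, fsoInfile, fsoFileLine, fsoFileLIne1, fsoFileLine2, fsoLogFile
Dim strAccountparse, aFileLine,aDate,strComputerName, dDate, strIPAddress
Dim aMessage, aEventID
Dim strUser, straddress, strBase
Dim intCount
Dim Return
' Optional first argument selects the log set to process; "Domain" gives DomainAdminFailures.log.
If WScript.Arguments.Count > 0 Then
    strBase = WScript.Arguments.Item(0)
Else
    strBase = "Domain"
End If
Set WshShell = WScript.CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
' Fixed: the pasted version had "Set fsoLogFile = fs" with the rest of the OpenTextFile call lost,
' which does not parse. True = create <base>Admin.log if it does not exist yet.
Set fsoLogFile = fso.OpenTextFile(strBase & "Admin.log", ForAppending, True)
Set fsoFile = fso.GetFile(strBase & "AdminFailures.log")
'fsoLogFile.writeline Now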
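If fsoFile.Size <> 0 Then
    Set fsoOutFile = fso.CreateTextFile("messagebody.txt")
    Set fsoInfile = fsoFile.OpenAsTextStream(ForReading, False)
    ' The first line is the CSV header; read it once and discard it.
    fsoFileLine = fsoInfile.ReadLine
    fsoOutfile.WriteLine strBase & " Admin Login Failures"
    intCount = 0
    Do While Not fsoInfile.AtEndOfStream
        fsoFileLine = fsoInfile.ReadLine
        aFileLine = Split(fsoFileLine, ",")
        ' Plain comma split: a message containing commas shifts the columns, and a short line
        ' made the original fail on aFileLine(3). Only lines with the four expected fields are parsed.
        If UBound(aFileLine) >= 3 Then
            aEventID = Trim(aFileLine(0))
            aMessage = Split(aFileLine(3), " ")
            strUser = ""
            strAddress = ""
            ' Compared as strings on purpose: VBScript's string-vs-number equality is a known gotcha.
            ' The word offsets assume the Windows 2000/2003 message text — TODO confirm against a sample line.
            Select Case aEventID
                Case "675"
                    If UBound(aMessage) >= 19 Then
                        strUser = aMessage(4)
                        strAddress = aMessage(19)
                    End If
                Case "529"
                    If UBound(aMessage) >= 11 Then strUser = aMessage(11)
                    strAddress = "Unknown"
            End Select
            ' Only report recognised events. The original wrote a line for every row, repeating the
            ' previous row's user and address whenever the event id was neither 529 nor 675.
            If strUser <> "" Then
                intCount = intCount + 1
                fsoOutfile.WriteLine strUser & " has failed to authenticate from address " & strAddress & _
                    " at " & aFileLine(2) & ", EventID: " & aEventID & " on " & aFileLine(1)
                fsoLogFile.WriteLine aFileLine(2) & "," & strUser & "," & strAddress
            End If
        End If
    Loop
    ' Close explicitly so messagebody.txt is complete before anything (e.g. a mailer) reads it.
    fsoOutfile.Close
    fsoInfile.Close
End If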
'fsoOutfile.close
'If fso.FileExists("messagebody.txt") Then
' Set fsoFile=fso.Getfile("messagebody.txt")
' If fsoFile.size=37 Then
' fsoLogFile.writeline "No Failures"
' Else
' Return = WshShell.run("blat messagebody.txt -s "& chr(34)&strbase&" Login Failures"&chr(34)&" -tf email.txt -f securitylogs@ornl.gov -server smtp.ornl.gov")
' End If
'
' fsoFile.delete
'Else
' fsoLogFile.writeline "No Failures"
'End If
REM $Log: Parselogfile.vbs,v $
REM REmoved emails every 15 minutes
REM
REM Modified to allow command line argument to change the file processed
REM