Syslog Audit of Logon / Logoff - KiXtart.org

You are not logged in. [Log In] KiXtart.org website » Forums » KiXtart » Lounge » Syslog Audit of Logon / Logoff

Page 1 of 1

Topic Options

#181963 - 2007-10-26 02:01 AM

Re: Syslog Audit of Logon / Logoff [Re: Gargoyle]

It_took_my_meds Offline

Hey THIS is FUN

Registered: 2003-05-07
Posts: 273
Loc: Sydney, Australia

Hi Gargoyle,

I stripped this code out of my inventory collection script. It gets the data using LogParser and may help you as a starting point.

Code:

Break On 

;region Log Parser
If @INWIN = 1 And Not InStr(@PRODUCTTYPE," NT")
	Dim $oLogQuery
	$oLogQuery = CreateObject("MSUtil.LogQuery")
	If VarType($oLogQuery) = 9
		;User logons
		Dim $Data,$What,$Where,$Order
		$Order = "To_String(TimeGenerated, 'yyyy-MM-ddThh:mm:ss')"
		If InStr(@PRODUCTTYPE," 2000") Or InStr(@PRODUCTTYPE," XP") Or InStr(@PRODUCTTYPE," 2003")
			$What = "Case EventID When 528 Then 'Logon' When 551 Then 'Logoff' END, To_String(TimeGenerated, 'yyyy-MM-ddThh:mm:ss')"
			$What = $What+", RESOLVE_SID(SID), SID"
			$Where = "EventID = 551 Or EventID = 528 AND (EXTRACT_TOKEN(Strings,3,'|')='2' Or EXTRACT_TOKEN(Strings,3,'|')='10') And EXTRACT_TOKEN(Strings,4,'|') like 'User32%'"
		Else
			$What = "Case EventID When 4624 Then 'Logon' When 4647 Then 'Logoff' END, To_String(TimeGenerated, 'yyyy-MM-ddThh:mm:ss')"
			$What = $What+", Case EventID When 4624 Then RESOLVE_SID(EXTRACT_TOKEN(Strings,4,'|'))"
			$What = $What+" When 4647 Then RESOLVE_SID(EXTRACT_TOKEN(Strings,0,'|')) END"
			$What = $What+", Case EventID When 4624 Then EXTRACT_TOKEN(Strings,4,'|') When 4647 Then EXTRACT_TOKEN(Strings,0,'|') END"
			$Where = "EventID = 4647 Or (EventID = 4624 AND (EXTRACT_TOKEN(Strings,8,'|')='2' Or EXTRACT_TOKEN(Strings,8,'|')='11')"
			$Where = $Where+" And EXTRACT_TOKEN(Strings,9,'|') like 'User32%'"
			$Where = $Where+" And EXTRACT_TOKEN(Strings,12,'|')='{00000000-0000-0000-0000-000000000000}')"
		EndIf
		$Data = LogToDataTable($oLogQuery,"Security","UserLogs",$What,$Where,$Order)
	EndIf
EndIf

Function LogToDataTable($oLogQuery, $Source, $Checkpoint, $sFields, Optional $Criteria, $Order)
		
	Dim $oEventLog, $oRecordSet,$Query
	$oEventLog = CreateObject("MSUtil.LogQuery.EventLogInputFormat")
	$oEventLog.iCheckPoint = %windir% + "\system32\logs\" + $Checkpoint + ".lpc"
	If Not Exist(%windir%+"\system32\logs\")
		MD %windir%+"\system32\logs\"
	EndIf
	$Query = "Select Distinct "+$sFields+" from "+$Source+IIf($Criteria," where "+$Criteria,"")+IIf($Order," order by "+$Order,"")
	$oRecordSet = $oLogQuery.Execute($Query, $oEventLog)
	While Not $oRecordSet.atEnd
		$LogToDataTable = Push($LogToDataTable, Split($oRecordSet.getRecord.toNativeString(Chr(1)), Chr(1)))
		$oRecordSet.moveNext
	Loop
		
EndFunction
;endregion

Function Push($a,$s)
	
	Dim $i
	$i = UBound($a)+1
	ReDim Preserve $a[$i]
	$a[$i] = $s
	$Push = $a
	
EndFunction

Cheers,

Richard

Edited by It_took_my_meds (2007-11-14 04:42 AM)

Top

Page 1 of 1

Previous Topic View All Topics

Index Next Topic

Entire topic
Subject	Posted by	Posted
Syslog Audit of Logon / Logoff	Gargoyle	2007-10-25 11:43 PM
Re: Syslog Audit of Logon / Logoff	It_took_my_meds	2007-10-26 02:01 AM
Re: Syslog Audit of Logon / Logoff	Les	2007-10-27 12:10 AM
Re: Syslog Audit of Logon / Logoff	Gargoyle	2007-10-26 04:54 AM
Re: Syslog Audit of Logon / Logoff	It_took_my_meds	2007-10-26 05:53 AM
Re: Syslog Audit of Logon / Logoff	Gargoyle	2007-10-26 07:31 AM
Re: Syslog Audit of Logon / Logoff	It_took_my_meds	2007-10-26 07:40 AM
Re: Syslog Audit of Logon / Logoff	Mart	2007-10-26 09:20 AM
Re: Syslog Audit of Logon / Logoff	Jochen	2007-10-26 10:20 AM
Re: Syslog Audit of Logon / Logoff	NTDOC	2007-10-26 07:40 PM

Moderator: Arend_, Allen, Jochen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Mart

Hop to:

Shout Box

Search the board with:
superb Board Search
or try with google:

	Web kixtart.org