Channel: PowerShell.org » All Posts

Reply To: Event log script help.


Hi Again,

I'm still having a lot of trouble with one of these scripts. Now the strange thing is, even though the $date variable is used twice, this script has been working fine for over a year. It takes approximately 30 minutes to complete. However, when I try to run it from my laptop it just runs and runs (it shouldn't be a privileges issue as I'm a sys admin). I suspected it was a date format issue like the problem I had before, so I've also run it on another server in the same data centre (virtual), using the same date format, and the script does complete but takes hours.

Could anyone help me with understanding this script? I can see it's checking the security log for event ID 4624 and has some further 'and' requirements. The 'for-each' part I don't fully understand, but it looks like this is creating the layout/formatting for the .csv file. I'm not really getting the use of the variable $eventlist = @(); I'm thinking this is some kind of array that's piecing together the .csv?

Any help welcome. On a side note, when I'm adding a script into a post, is there a correct way to do it (good practice, if you like)?

Here's the script:

# DESCRIPTION: Getting Windows Security Event 4624 from the last 24 hours
#
# Logon Type – Description
#
# 2 – Interactive (logon at keyboard and screen of system)
# 3 – Network (i.e. connection to shared folder on this computer from elsewhere on network)
# 4 – Batch (i.e. scheduled task)
# 5 – Service (Service startup)
# 7 – Unlock (i.e. unattended workstation with password protected screen saver)
# 8 – NetworkCleartext (Logon with credentials sent in the clear text. Most often indicates a logon to IIS with "basic authentication") See this article for more information.
# 9 – NewCredentials such as with RunAs or mapping a network drive with alternate credentials. This logon type does not seem to show up in any events. If you want to track users attempting to logon with alternate credentials see 4648.
# 10 – RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)
# 11 – CachedInteractive (logon with cached domain credentials such as when logging on to a laptop when away from the network)
#
# Event ID: 4624
#
# Do not look for user names ReplacementStrings[5] : –> example: -and $_.ReplacementStrings[5] -notlike "*$"
# Do not look for logon type ReplacementStrings[8] :
#
# Change the timeframe you want to look at: Now.AddHours(-24). Can be replaced with Now.AddDays(-1) to look for longer periods.
#
#=======================================================================

#Global Variables
$server = Get-Content "E:\scripts\Event_Logs\scripts\servers.txt"

#Do it for each server in list above
ForEach ($computername in $server)
{
    #Sub Global Variables
    # Start of the query window: a [DateTime] that must not be overwritten below.
    $Date = [DateTime]::Now.AddHours(-24)

    # Month stamp for the file name, kept in its own variable. In the original script this
    # Get-Date -Format string replaced $Date, so -After received text such as "March-2015"
    # instead of a timestamp 24 hours old, and the query silently covered a whole month.
    $FileDate = Get-Date -Format 'MMMM-yyyy'
    $Path = "E:\scripts\Event_Logs\logs\Security_Audit\"
    $Filename = "$Computername-SecurityLog-$FileDate.csv"
    $Filepath = $Path + $Filename

    # $eventList starts as an empty array; one row object per matching event is appended
    # to it inside ForEach-Object, and the whole array is written to the CSV at the end.
    $eventList = @()

    #Starting to get Eventlog
    # -InstanceId 4624 asks the remote log for logon events only, so far fewer records
    # cross the network before the Where-Object filter runs locally.
    $event = Get-EventLog -ComputerName $Computername -LogName "Security" -InstanceId 4624 -After $Date |
        Where-Object {
            $_.EventID -eq 4624 -and
            $_.ReplacementStrings[4].Length -gt 10 -and          # target SID longer than a well-known SID such as S-1-5-18
            $_.ReplacementStrings[5] -notlike "*$" -and          # skip computer accounts (names end in $)
            $_.ReplacementStrings[5] -notlike "SophosSAUBPC*" -and
            $_.ReplacementStrings[8] -ne "" -and                 # logon type must be present
            $_.ReplacementStrings[8] -ne "3" -and                # drop Network logons
            $_.ReplacementStrings[8] -ne "4"                     # drop Batch logons
        } |
        ForEach-Object {
            # Build one output row with the three columns the CSV should have
            $row = "" | Select-Object UserName, LoginTime, LogonType
            $row.UserName  = $_.ReplacementStrings[5]
            $row.LogonType = $_.ReplacementStrings[8]
            $row.LoginTime = $_.TimeGenerated
            $eventList += $row
        }

    #Write Event Log to CSV
    $eventList | Export-Csv $Filepath -NoTypeInformation -Append
}
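Added example, not part of the original post: the first half shows how a Get-Date -Format string handed to a [DateTime] parameter is coerced (the cause of the widened query window); the second half is a hypothetical Get-InteractiveLogons function that uses Get-WinEvent -FilterHashtable so the event log service applies the ID and start-time filter before any record is returned. It assumes PowerShell 3.0 or later and that the current culture parses the month stamp.

```powershell
# Added example: why overwriting $Date widens the window, and a server-side filter.

$window    = [DateTime]::Now.AddHours(-24)   # intended start of the query
$fileStamp = Get-Date -Format 'MMMM-yyyy'    # e.g. "March-2015", meant only for the file name

# A string passed where a [DateTime] is expected is coerced; "March-2015" becomes the
# first day of that month (assumption: the current culture parses this format).
$coerced = [DateTime]$fileStamp
"Intended window starts: {0}" -f $window
"Coerced window starts : {0}  ({1:N0} hours earlier)" -f $coerced, ($window - $coerced).TotalHours

# Hypothetical function (not from the original script): filter at the log service.
# Properties[5] is the target user name and Properties[8] the logon type for event 4624,
# the same positions as ReplacementStrings in Get-EventLog output.
function Get-InteractiveLogons {
    param(
        [string]   $ComputerName,
        [DateTime] $After
    )
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = $After
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = $_.Properties
        [PSCustomObject]@{
            UserName  = $p[5].Value
            LogonType = [int]$p[8].Value
            LoginTime = $_.TimeCreated
        }
    } |
    Where-Object { $_.UserName -notlike '*$' -and $_.LogonType -notin 3, 4 }
}

# Usage with the correct 24-hour window; the host name is a placeholder.
Get-InteractiveLogons -ComputerName 'SERVER01' -After $window |
    Export-Csv "SERVER01-SecurityLog-$fileStamp.csv" -NoTypeInformation -Append
```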

