REM * FAILOG version 1.2 by Yizhar Hurwitz, April 2004.
REM * FAILOG is a script for network/security administrators.
REM * FAILOG scans the security event log of a server, searching for events id 529, 672 and 675 which all can indicate "bad user name or password".
REM * You can view the output of FAILOG in Notepad or other programs like EXCEL.
REM * The script is provided as is - please use it in a test environment first and at your own risk!
REM * The script might seem to hang when it runs, but please wait for a minute until it finishes.
REM * You can modify the script to suit your own needs and preferences.
REM * If you use this script, and have any comments (including your own improvements), please let me know:
REM * My current email addresses are:
REM * yizhar@mail.com
REM * yizhar@new-ofek.co.il
REM ******************************************

REM ******************************************
REM * General values (feel free to modify them):
REM ******************************************
Dim oShell, outfile, OverwriteOutputFile, HowManyDaysBack, strComputer
Dim SendOutputByEMail, MailFrom, MailTo, MailSubject, MailBody

Set oShell = WScript.CreateObject("WSCript.shell")

REM * Tab-separated report written to the user's %TEMP% folder. It lists the account
REM * names that failed to log on, so treat the file as sensitive.
outfile = oShell.ExpandEnvironmentStrings("%TEMP%") & "\FAILOG-OUTPUT.TXT"

REM * True = start a fresh file on every run, False = append to the previous output.
OverwriteOutputFile = True

REM * How many days back in the security log to look.
HowManyDaysBack = 7

REM * Computer whose security log is read ("." = this computer); intended for the WMI connection below.
strComputer = "."

REM * You can change some other values in the script - I recommend that you read the whole script and see for yourself.
REM ******************************************

REM ******************************************
REM * Edit the following values if you want to send the log by email.
REM * The method used in this script works only if the MS SMTP service is installed on the same computer.
REM * If SMTP is not installed on the same computer, you will need to modify the script...
REM ******************************************
SendOutputByEMail = False
MailFrom = "failog-script@localhost"
MailTo = "your@own.address"
MailSubject = "FAILOG Output"
MailBody = "FAILOG output attached"
REM ******************************************

REM ******************************************
REM * Here begins the script code itself.
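REM ******************************************

REM * EventTimeAsString converts a WMI date/time string (yyyymmddHHMMSS...) into "yyyy-mm-dd HH:MM:SS".
REM * A value shorter than 14 characters cannot hold a full timestamp and yields "EventTime ERROR" instead.
Function EventTimeAsString(s)
    If Len(s) < 14 Then
        EventTimeAsString = "EventTime ERROR"
    Else
        EventTimeAsString = Mid(s, 1, 4) & "-" & Mid(s, 5, 2) & "-" & Mid(s, 7, 2) & " " & _
                            Mid(s, 9, 2) & ":" & Mid(s, 11, 2) & ":" & Mid(s, 13, 2)
    End If
End Function

REM * GetText searches SourceString for SearchString and returns the value that follows it,
REM * up to (not including) the next CR character. The search string itself and the TAB that
REM * normally follows it in event log messages are skipped.
REM * Returns "" when the search string is not found, when no CR follows it, or when the value is empty.
Function GetText(ByRef SourceString, ByVal SearchString)
    Dim pos1, pos2, SkipBytes, ValueLength
    GetText = ""
    pos1 = InStr(SourceString, SearchString)
    If pos1 > 0 Then
        pos2 = InStr(pos1, SourceString, vbCr)
        If pos2 > pos1 Then
            REM * Skip the search string and the TAB assumed to follow it (a second TAB is skipped too):
            SkipBytes = Len(SearchString) + 1
            If Mid(SourceString, pos1 + SkipBytes, 1) = vbTab Then SkipBytes = SkipBytes + 1
            REM * Guard: if the CR comes directly after the search string (no TAB, empty value) the
            REM * computed length is negative and Mid would raise "Invalid procedure call"; return "" instead.
            ValueLength = pos2 - pos1 - SkipBytes
            If ValueLength > 0 Then
                GetText = Mid(SourceString, pos1 + SkipBytes, ValueLength)
            End If
        End If
    End If
End Function

REM * SendMailUsingCDO emails the output file as an attachment through CDO.Message, using the
REM * Mail* settings at the top of the script (requires the local SMTP service, see the header).
REM * The attachment lists account names that failed to log on, so MailTo should be a trusted mailbox.
Sub SendMailUsingCDO
    Dim objEmail
    Set objEmail = CreateObject("CDO.Message")
    objEmail.From = MailFrom
    objEmail.To = MailTo
    objEmail.Subject = MailSubject
    objEmail.Textbody = MailBody
    objEmail.AddAttachment outfile
    objEmail.Send
End Sub

REM *****************************************************
REM * Here starts the main execution of the script:    *
REM *****************************************************
oShell.Popup "FAILOG Script has started. This can take several minutes." & vbCrLf & "Please wait...", 5

REM * Prepare output text file:
Const ForWriting = 2
Const ForAppending = 8
If OverwriteOutputFile Then OpenMode = ForWriting Else OpenMode = ForAppending
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile(outfile, OpenMode, True)
objTextFile.WriteLine("")
objTextFile.WriteLine("Starting at " & Now & " ...")
objTextFile.WriteLine("DATE and TIME" & vbTab & "EVENTID" & vbTab & "SERVER" & vbTab & "USER" & vbTab & "DOMAIN" & vbTab & "ADDRESS" & vbTab & "WORKSTATION")

REM * Calculate the start date and convert it to the WMI date prefix (yyyymmdd):
StartDateValue = CDate(Date) - HowManyDaysBack
dtmStartDate = Year(StartDateValue) & Right("00" & Month(StartDateValue), 2) & Right("00" & Day(StartDateValue), 2)

REM * Connect to WMI on strComputer (configured at the top of the script).
REM * The (Security) privilege is required to read the Security log.
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & strComputer & "\root\cimv2")

REM * Get audit failures from the security log with id of 529, 672 or 675.
REM * The query text is built only from values computed above, never from user input,
REM * so the string concatenation is safe here; keep it that way if you add parameters.
Set colEvents = objWMIService.ExecQuery("Select * from Win32_NTLogEvent Where Logfile='Security' and TimeWritten>='" & dtmStartDate & "' and Type='Audit Failure' and (EventCode='529' or EventCode='672' or EventCode='675') ")

For Each objEvent In colEvents
    DateTime = EventTimeAsString(objEvent.TimeWritten)
    msg = objEvent.Message
    UserName = GetText(msg, "User Name:")
    REM * EventCode comes back from WMI as a number, and in VBScript a numeric value is never
    REM * equal to a string such as "672"; compare on the string form explicitly.
    REM * The "domain" field is labelled differently in each event's message text:
    Select Case CStr(objEvent.EventCode)
        Case "672"
            DomainName = GetText(msg, "Supplied Realm Name:")
        Case "675"
            DomainName = GetText(msg, "User ID:")
        Case Else
            DomainName = GetText(msg, "Domain:")
    End Select
    WorkstationName = GetText(msg, "Workstation Name:")
    Address = GetText(msg, "Address:")
    objTextFile.WriteLine(DateTime & vbTab & objEvent.EventCode & vbTab & objEvent.ComputerName & vbTab & UserName & vbTab & DomainName & vbTab & Address & vbTab & WorkstationName)
Next

objTextFile.WriteLine("Done at " & Now & ".")
objTextFile.Close

REM ***************
REM * Show the output file to the user. This can be changed - for example to open using EXCEL, send email, etc...
REM * The path is quoted because %TEMP% may contain spaces, which would otherwise split the argument.
oShell.Run "notepad.exe """ & outfile & """"
If SendOutputByEMail Then SendMailUsingCDO
oShell.Popup "FAILOG Done.", 5
REM ***************
REM * If you wish to delete the output file now, UNREM the following line:
REM objFSO.DeleteFile(outfile)
REM ***************
REM * This is it. *
REM ***************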