REM * FAILOG version 1.2 by Yizhar Hurwitz, April 2004.
REM * FAILOG is a script for network/security administrators.
REM * FAILOG scans the security event log of a server, searching for events with ID 529, 672 and 675, all of which can indicate "bad user name or password".

REM * You can view the output of FAILOG in Notepad or other programs like EXCEL.
REM * The script is provided as is - please use it in a test environment first and at your own risk!
REM * The script might seem to hang when it runs, but please wait for a minute until it finishes.
REM * You can modify the script to suit your own needs and preferences.
REM * If you decide to use the script regularly, remember that it saves security sensitive data to text file and/or email -
REM * - so please protect the script itself and the output from access by the bad guys.
REM * If you use this script, and have any comments (including your own improvements), please let me know:

REM * My current email addresses are:
REM * yizhar@mail.com
REM * yizhar@new-ofek.co.il
REM ******************************************

REM * WScript.Shell is used throughout the script for ExpandEnvironmentStrings, Popup and Run.
Set oShell = WScript.CreateObject ("WSCript.shell")

REM ******************************************
REM * General values (feel free to modify them):
REM * outfile: tab-separated report written to the user's %TEMP% folder. It will contain user names,
REM * domains and source addresses of failed logons, so point it at an ACL-protected folder if it is kept.
outfile = oShell.ExpandEnvironmentStrings("%TEMP%") & "\FAILOG-OUTPUT.TXT"
REM * OverwriteOutputFile: true = replace the file on each run, false = append to the existing file.
OverwriteOutputFile = true
REM * HowManyDaysBack: how far back (in days, from today's date) the security log is queried.
HowManyDaysBack = 7
REM * strComputer: "." means the local computer. NOTE(review): check that the WMI moniker used by the
REM * query further down actually references this value before relying on it for a remote server.
strComputer = "."
REM * You can change some other values in the script - I recommend that you read the whole script and see for yourself.
REM ******************************************

REM ******************************************
REM * Edit the following values if you want to send the log by email.
REM * The method used in this script works only if the MS SMTP service is installed on the same computer.
REM * If SMTP is not installed on the same computer, you will need to modify the script...
REM * SendOutputByEMail: when true, SendMailUsingCDO is called after the report is written and the
REM * report file is sent as an attachment. The attachment holds security-sensitive data, so only
REM * enable this with a trusted transport and a protected destination mailbox.
SendOutputByEMail = false
REM * Sender address placed in the From header (CDO does not validate it).
MailFrom = "failog-script@localhost"
REM * Recipient - this placeholder must be changed before enabling e-mail.
MailTo = "your@own.address"
MailSubject = "FAILOG Output"
MailBody = "FAILOG output attached"
REM ******************************************


REM ******************************************
REM * Here begins the script code itself. *
REM ******************************************

function EventTimeAsString (s)
 REM * Formats a WMI CIM_DATETIME string (yyyymmddHHMMSS.ffffff+zzz) as "yyyy-mm-dd HH:MM:SS".
 REM * Only the first 14 characters are used - the fraction and the UTC offset are dropped,
 REM * so the result stays in whatever time base the source string is in.
 REM * Returns "EventTime ERROR" when the string is too short to hold a full date and time.
 dim datePart, timePart
 if len(s) < 14 then
  EventTimeAsString = "EventTime ERROR"
 else
  datePart = mid(s,1,4) & "-" & mid(s,5,2) & "-" & mid(s,7,2)
  timePart = mid(s,9,2) & ":" & mid(s,11,2) & ":" & mid(s,13,2)
  EventTimeAsString = datePart & " " & timePart
 end if
end function

REM * GetText searches for a substring and returns the value just after it and before the next CR character.
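function GetText (byref SourceString, byval SearchString)
 REM * Looks up the label SearchString in SourceString (an event log message) and returns the text
 REM * that follows it up to the next CR. Messages look like "User Name:<tab>jdoe<cr><lf>", so one
 REM * separator character after the label is always skipped and a second one is skipped if it is a TAB.
 REM * Returns "" when the label is missing, no CR follows it, or the value between them is empty.
 dim pos1, pos2, SkipBytes, ValueLen
 GetText = ""
 pos1 = instr(SourceString,SearchString)
 if pos1>0 then
  pos2 = instr(pos1,SourceString,vbcr)
  if pos2>pos1 then
   SkipBytes = Len(SearchString)+1
   if mid(SourceString,pos1+SkipBytes,1) = vbtab then SkipBytes = SkipBytes+1
   ValueLen = pos2-pos1-SkipBytes
   REM * A label followed directly by CR (empty value) gives a negative length here,
   REM * which Mid rejects with an "Invalid procedure call" runtime error - return "" instead.
   if ValueLen > 0 then GetText = mid(SourceString,pos1+SkipBytes,ValueLen)
  end if
 end if
end function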

sub SendMailUsingCDO
 REM * Sends the report file as an attachment using CDO.Message with its default configuration,
 REM * which (as noted at the top of the script) relies on the local MS SMTP service for delivery.
 REM * Reads the global MailFrom, MailTo, MailSubject, MailBody and outfile values.
 REM * The attachment contains security-sensitive data - make sure MailTo is a protected mailbox.
 dim cdoMessage
 Set cdoMessage = CreateObject("CDO.Message")
 With cdoMessage
  .From = MailFrom
  .To = MailTo
  .Subject = MailSubject
  .Textbody = MailBody
  .AddAttachment outfile
  .Send
 End With
end sub


REM *****************************************************
REM * Here starts the main execution of the script: *
REM *****************************************************

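oShell.popup "FAILOG Script has started. This can take several minutes. Please wait...", 5

REM * Prepare output text file:
REM * The file holds user names, domains and source addresses of failed logons - keep it in an
REM * ACL-protected location and delete it when no longer needed (see the notes at the top).
Const ForWriting = 2
Const ForAppending = 8
if OverwriteOutputFile then OpenMode = ForWriting else OpenMode = ForAppending
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile (outfile, OpenMode, True)
objTextFile.WriteLine("")
objTextFile.WriteLine("Starting at " & now & " ...")
objTextFile.WriteLine("DATE and TIME"  &vbtab& "EVENTID" &vbtab& "SERVER"  &vbtab& "USER" &vbtab& "DOMAIN"  &vbtab& "ADDRESS" &vbtab& "WORKSTATION" &vbtab& "TYPE" &vbtab& "PROCESS")

REM * Calculate the start date value and convert it to the WMI date format (yyyymmdd):
StartDateValue = CDate(Date) - HowManyDaysBack
dtmStartDate = Year(StartDateValue) & Right( "00" & Month(StartDateValue), 2) & Right( "00" & Day(StartDateValue), 2)

REM * Get events from the security log with id of 529, 672 or 675 :
REM * The moniker names the computer from strComputer ("." = local) and the root\cimv2 namespace
REM * explicitly, so changing strComputer in the settings section actually takes effect.
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate,(Security)}!\\" & strComputer & "\root\cimv2")
Set colEvents = objWMIService.ExecQuery ("Select * from Win32_NTLogEvent Where Logfile='Security' and TimeWritten>='" & dtmStartDate & "' and Type='Audit Failure' and (EventCode='529' or EventCode='672' or EventCode='675') ")

For Each objEvent in colEvents
 DateTime = EventTimeAsString(objEvent.TimeWritten)
 msg = objEvent.Message
 UserName = GetText(msg,"User Name:")
 REM * EventCode comes back from WMI as a number. In VBScript a number compared with a string is
 REM * never equal, so convert it to text first - otherwise 672/675 events would silently fall
 REM * through to the "Domain:" branch and get an empty DOMAIN column.
 EventCodeText = CStr(objEvent.EventCode)
 if EventCodeText="672" then
  DomainName = GetText(msg,"Supplied Realm Name:")
 elseif EventCodeText="675" then
  DomainName = GetText(msg,"User ID:")
 else
  DomainName = GetText(msg,"Domain:")
 end if
 WorkstationName = GetText(msg,"Workstation Name:")
 Address = GetText(msg,"Address:")
 LogonType = GetText(msg,"Logon Type:")
 LogonProcess = GetText(msg,"Logon Process:")
 REM * NOTE(review): the field values are taken from the logon attempt itself (i.e. chosen by whoever
 REM * tried to log on) and are written unescaped; a TAB inside a value would shift the columns of
 REM * that row when the file is viewed in EXCEL.
 objTextFile.WriteLine(DateTime &vbtab& EventCodeText &vbtab& objEvent.ComputerName &vbtab& UserName &vbtab& DomainName &vbtab& Address &vbtab& WorkstationName &vbtab& LogonType &vbtab& LogonProcess)
Next

objTextFile.WriteLine("Done at " & now & ".")
objTextFile.Close

REM ***************
REM * Show the output file to the user. This can be changed - for example to open using EXCEL, send email, etc...
REM * The path is quoted because %TEMP% commonly contains spaces (e.g. under "Documents and Settings"),
REM * and an unquoted path would make Notepad open the wrong (or a new) file.
oShell.run "notepad.exe """ & outfile & """"
if SendOutputByEMail then SendMailUsingCDO
oShell.popup "FAILOG Done.", 5
REM ***************

REM * If you wish to delete the output file now, UNREM the following line:
REM objFSO.DeleteFile(outfile)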

REM ***************
REM * This is it. *
REM ***************
