Wednesday, June 11, 2014

Script to audit basic events (create/delete user, create/delete group, change of group membership, create computer) in Active Directory.

On 32-bit Windows the Security log can be no larger than 512 MB; on 64-bit versions the Security log size limit is increased to 4 GB. So I want to share a script that checks the Security logs of the domain controllers (DCs) and stores the following events in ".csv" files:
1. user added to a group,
2. user deleted from the group
3. user created,
4. user deleted,
5. group created,
6. group deleted,
7. computer created

Before running the script, install on your computer the Active Directory module for PowerShell (http://blogs.msdn.com/b/rkramesh/archive/2012/01/17/how-to-add-active-directory-module-in-powershell-in-windows-7.aspx) and Log Parser 2.2 (http://www.microsoft.com/en-us/download/details.aspx?id=24659). At the beginning of the script you need to specify the domain (in the example, "contoso.com").
You can schedule the script to run periodically, for example every 2 hours.

Download script


Import-Module ActiveDirectory -ErrorAction SilentlyContinue

# Full path of the Log Parser 2.2 executable that every section of the script launches.
$LogParser = "C:\Program Files (x86)\Log Parser 2.2\LogParser.exe"

# Directory context of the domain to audit; replace "contoso.com" with your own domain.
$id = New-Object -TypeName 'System.DirectoryServices.ActiveDirectory.DirectoryContext' -ArgumentList "domain", "contoso.com"
# All domain controllers found for that context; their Security logs are read further down.
$dcs_id = [System.DirectoryServices.ActiveDirectory.DomainController]::FindAll($id)

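function DelLFile([string] $path)
{
    <#
    .SYNOPSIS
    Deletes a result file that contains nothing but its header line.
    .DESCRIPTION
    Counts the lines of the file at $path with Measure-Object -Line and removes the
    file when exactly one line is found, i.e. when no event row was appended after
    the header. A missing file is reported with a warning instead of an error.
    .PARAMETER path
    Path of the CSV file to check. It is taken literally (no wildcard expansion).
    #>
    if (-not (Test-Path -LiteralPath $path -PathType Leaf))
    {
        # Nothing to inspect; report it so a result file that was never written is noticed.
        Write-Warning "Result file not found: $path"
        return
    }

    $LFile = Get-Content -LiteralPath $path | Measure-Object -Line
    if ($LFile.Lines -eq 1)
    {
        Write-Host "Log file empty and deleted"
        Remove-Item -LiteralPath $path
    }
}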

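### Add User to group in domain ID
# Exports "member added to group" events (4728/4732/4756 on 2008 DCs, 660/632/636 on
# 2003 DCs) from every DC's Security log into a new timestamped CSV. When an earlier
# export exists in the folder, only events newer than its latest TimeGenerated are read.
$LastResults = $LastResults2 = $LastTime = $null

$LogTime = Get-Date -Format "yyyy-MM-dd_HH-mm-ss"
# The "Gorup" spelling is kept as is so that earlier exports are still found.
$LogFile = "AddUserToGorup_" + $LogTime + ".csv"
# NOTE(review): if FindAll() returns a single DC, .domain.name may be a plain string and [0] its first character - confirm the folder name.
$LogFolder = ".\$($dcs_id.domain.name[0])\AddUserToGorup"
New-Item -ItemType Directory -Force -Path $LogFolder
# Newest earlier export in this folder, if any; its latest TimeGenerated is the watermark.
$LastResults = Get-ChildItem $LogFolder\*.csv -Recurse -ErrorAction SilentlyContinue | Where { !$_.PsIsContainer } | Sort LastWriteTime -descending | select -first 1
If ($LastResults)
{
    $LastResults2 = import-csv $LastResults
    $LastTime = ($LastResults2.timegenerated | Measure -Max).Maximum
}
# NOTE(review): one watermark is applied to all DCs, so an event logged on one DC after it was
# queried but stamped earlier than another DC's latest row would be skipped next run - confirm.
# Header row; Log Parser appends the event rows below it (-headers:off -filemode:0).
Add-Content $LogFolder\$LogFile "TimeGenerated,Group,NewMember,AddedBy`n"


foreach ($dc_id in $dcs_id)
{
    if ($dc_id.OSVersion -match "2008")
    {
        $LastTime
        # NOTE(review): $LastTime is read from a CSV on disk and placed into the Log Parser
        # command line unvalidated; consider checking that it parses as a timestamp.
        if ($LastTime)
        {
            $query = """SELECT TimeGenerated,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,4,'|'),'{}%%','')) AS Group,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,1,'|'),'{}%%','')) AS NewMember,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,5,'|'),'{}%%','')) AS AddedBy into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE ((EventID IN (4728;4732;4756)) and (timegenerated > '$($LastTime)'))"""
        }
        else
        {
            $query = """SELECT TimeGenerated,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,4,'|'),'{}%%','')) AS Group,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,1,'|'),'{}%%','')) AS NewMember,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,5,'|'),'{}%%','')) AS AddedBy into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE (EventID IN (4728;4732;4756))"""
        }
    }
    elseif ($dc_id.OSVersion -match "2003")
    {
        $LastTime
        if ($LastTime)
        {
            $query = """SELECT TimeGenerated,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,4,'|'),'{}%%','')) AS Group, RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,1,'|'),'{}%%','')) AS NewMember, RESOLVE_SID(SID) AS AddedBy into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE ((EventID IN (660;632;636)) and (timegenerated > '$($LastTime)'))"""
        }
        else
        {
            $query = """SELECT TimeGenerated,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,4,'|'),'{}%%','')) AS Group, RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,1,'|'),'{}%%','')) AS NewMember, RESOLVE_SID(SID) AS AddedBy into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE (EventID IN (660;632;636))"""
        }
    }
    else
    {
        # A DC matching neither pattern is not queried; say so, otherwise the export
        # looks complete while that DC's events are absent.
        Write-Warning "Skipping $($dc_id.Name): OS version '$($dc_id.OSVersion)' is not handled, its Security log was not read"
        continue
    }

    $LogParserStr = "-i:evt -o:csv " + $query + " -headers:off -filemode:0 -stats:OFF"
    $dc_id.Name
    $LogParserStr
    $LP = Start-Process -FilePath $LogParser -ArgumentList $LogParserStr -Wait -Passthru -NoNewWindow
    # A failed run (unreachable DC, access denied to the Security log) would otherwise leave a
    # header-only file that is deleted below, hiding the gap. Assumes Log Parser returns 0 on success.
    if ($LP.ExitCode -ne 0)
    {
        Write-Warning "Log Parser did not complete successfully for $($dc_id.Name) (exit code '$($LP.ExitCode)'); this export may be missing events"
    }
}
DelLFile $LogFolder\$logfile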

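### Delete User from group in domain ID
# Exports "member removed from group" events (4729/4733/4757 on 2008 DCs, 633/637/661
# on 2003 DCs) from every DC's Security log into a new timestamped CSV.
# Start from a clean watermark: without this reset, an empty folder here would inherit
# $LastTime from whatever ran before and older removal events would be skipped silently.
$LastResults = $LastTime = $null
$LogTime = Get-Date -Format "yyyy-MM-dd_HH-mm-ss"
# The "Gorup" spelling of the file prefix is kept as is so that file names stay unchanged.
$LogFile = "DelUserFromGorup_" + $LogTime + ".csv"
# NOTE(review): if FindAll() returns a single DC, .domain.name may be a plain string and [0] its first character - confirm the folder name.
$LogFolder = ".\$($dcs_id.domain.name[0])\DelUserFromGroup"
New-Item -ItemType Directory -Force -Path $LogFolder
# Newest earlier export in this folder, if any; its latest TimeGenerated is the watermark.
$LastResults = Get-ChildItem $LogFolder\*.csv -Recurse -ErrorAction SilentlyContinue | Where { !$_.PsIsContainer } | Sort LastWriteTime -descending | select -first 1
If ($LastResults)
{
    $LastResults = import-csv $LastResults
    $LastTime = ($LastResults.timegenerated | Measure -Max).Maximum
}
# Header row; Log Parser appends the event rows below it (-headers:off -filemode:0).
Add-Content $LogFolder\$LogFile "TimeGenerated,Group,DelMember,DelBy`n"

foreach ($dc_id in $dcs_id)
{
    # NOTE(review): $LastTime is read from a CSV on disk and placed into the Log Parser
    # command line unvalidated; consider checking that it parses as a timestamp.
    if ($dc_id.OSVersion -match "2008")
    {
        if ($LastTime)
        {
            $query = """SELECT TimeGenerated,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,4,'|'),'{}%%','')) AS Group,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,1,'|'),'{}%%','')) AS DelMember,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,5,'|'),'{}%%','')) AS DelBy into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE ((EventID IN (4729;4733;4757)) and (timegenerated > '$($LastTime)'))"""
        }
        else
        {
            $query = """SELECT TimeGenerated,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,4,'|'),'{}%%','')) AS Group,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,1,'|'),'{}%%','')) AS DelMember,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,5,'|'),'{}%%','')) AS DelBy into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE EventID IN (4729;4733;4757)"""
        }
    }
    elseif ($dc_id.OSVersion -match "2003")
    {
        if ($LastTime)
        {
            $query = """SELECT TimeGenerated,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,4,'|'),'{}%%','')) AS Group,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,1,'|'),'{}%%','')) AS DelMember,RESOLVE_SID(SID) AS DelBy into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE ((EventID IN (633;637;661))  and (timegenerated > '$($LastTime)'))"""
        }
        else
        {
            $query = """SELECT TimeGenerated,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,4,'|'),'{}%%','')) AS Group,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,1,'|'),'{}%%','')) AS DelMember,RESOLVE_SID(SID) AS DelBy into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE EventID IN (633;637;661)"""
        }
    }
    else
    {
        # A DC matching neither pattern is not queried; say so, otherwise the export
        # looks complete while that DC's events are absent.
        Write-Warning "Skipping $($dc_id.Name): OS version '$($dc_id.OSVersion)' is not handled, its Security log was not read"
        continue
    }

    $LogParserStr = "-i:evt -o:csv " + $query + " -headers:off -filemode:0 -stats:OFF"
    $dc_id.Name
    $LP = Start-Process -FilePath $LogParser -ArgumentList $LogParserStr -Wait -Passthru -NoNewWindow
    # A failed run would otherwise leave a header-only file that is deleted below, hiding
    # the gap. Assumes Log Parser returns 0 on success.
    if ($LP.ExitCode -ne 0)
    {
        Write-Warning "Log Parser did not complete successfully for $($dc_id.Name) (exit code '$($LP.ExitCode)'); this export may be missing events"
    }
}
DelLFile $LogFolder\$logfile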

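### Create User in domain ID
# Exports "user account created" events (4720 on 2008 DCs, 624 on 2003 DCs) from every
# DC's Security log into a new timestamped CSV.
# Start from a clean watermark: without this reset, an empty folder here would inherit
# $LastTime from whatever ran before and older creation events would be skipped silently.
$LastResults = $LastTime = $null
$LogTime = Get-Date -Format "yyyy-MM-dd_HH-mm-ss"
$LogFile = "CreateUser_" + $LogTime + ".csv"
# NOTE(review): if FindAll() returns a single DC, .domain.name may be a plain string and [0] its first character - confirm the folder name.
$LogFolder = ".\$($dcs_id.domain.name[0])\CreateUser"
New-Item -ItemType Directory -Force -Path $LogFolder
# Newest earlier export in this folder, if any; its latest TimeGenerated is the watermark.
$LastResults = Get-ChildItem $LogFolder\*.csv -Recurse -ErrorAction SilentlyContinue | Where { !$_.PsIsContainer } | Sort LastWriteTime -descending | select -first 1
If ($LastResults)
{
    $LastResults = import-csv $LastResults
    $LastTime = ($LastResults.timegenerated | Measure -Max).Maximum
}
# Header row; Log Parser appends the event rows below it (-headers:off -filemode:0).
Add-Content $LogFolder\$LogFile "TimeGenerated,ComputerName,UserLogin,DomainName,AdminLogin`n"

foreach ($dc_id in $dcs_id)
{
    # NOTE(review): $LastTime is read from a CSV on disk and placed into the Log Parser
    # command line unvalidated; consider checking that it parses as a timestamp.
    if ($dc_id.OSVersion -match "2008")
    {
        if ($LastTime)
        {
            $query = """SELECT timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as UserLogin,EXTRACT_TOKEN(Strings,1,'|') as DomainName,EXTRACT_TOKEN(Strings,4,'|') as AdminLogin into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE ((EventID=4720) and (timegenerated > '$($LastTime)'))"""
        }
        else
        {
            $query = """SELECT timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as UserLogin,EXTRACT_TOKEN(Strings,1,'|') as DomainName,EXTRACT_TOKEN(Strings,4,'|') as AdminLogin into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE EventID=4720"""
        }
    }
    elseif ($dc_id.OSVersion -match "2003")
    {
        if ($LastTime)
        {
            $query = """SELECT timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as UserLogin,EXTRACT_TOKEN(Strings,1,'|') as DomainName,EXTRACT_TOKEN(Strings,3,'|') as AdminLogin into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE ((EventID=624) and (timegenerated > '$($LastTime)'))"""
        }
        else
        {
            $query = """SELECT timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as UserLogin,EXTRACT_TOKEN(Strings,1,'|') as DomainName,EXTRACT_TOKEN(Strings,3,'|') as AdminLogin into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE EventID=624"""
        }
    }
    else
    {
        # A DC matching neither pattern is not queried; say so, otherwise the export
        # looks complete while that DC's events are absent.
        Write-Warning "Skipping $($dc_id.Name): OS version '$($dc_id.OSVersion)' is not handled, its Security log was not read"
        continue
    }

    $LogParserStr = "-i:evt -o:csv " + $query + " -headers:off -filemode:0 -stats:OFF"
    $dc_id.Name
    $LP = Start-Process -FilePath $LogParser -ArgumentList $LogParserStr -Wait -Passthru -NoNewWindow
    # A failed run would otherwise leave a header-only file that is deleted below, hiding
    # the gap. Assumes Log Parser returns 0 on success.
    if ($LP.ExitCode -ne 0)
    {
        Write-Warning "Log Parser did not complete successfully for $($dc_id.Name) (exit code '$($LP.ExitCode)'); this export may be missing events"
    }
}
DelLFile $LogFolder\$logfile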

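### Delete User in domain ID
# Exports "user account deleted" events (4726 on 2008 DCs, 630 on 2003 DCs) from every
# DC's Security log into a new timestamped CSV.
# Start from a clean watermark: without this reset, an empty folder here would inherit
# $LastTime from whatever ran before and older deletion events would be skipped silently.
$LastResults = $LastTime = $null
$LogTime = Get-Date -Format "yyyy-MM-dd_HH-mm-ss"
$LogFile = "DelUser_" + $LogTime + ".csv"
# NOTE(review): if FindAll() returns a single DC, .domain.name may be a plain string and [0] its first character - confirm the folder name.
$LogFolder = ".\$($dcs_id.domain.name[0])\DelUser"
New-Item -ItemType Directory -Force -Path $LogFolder
# Newest earlier export in this folder, if any; its latest TimeGenerated is the watermark.
$LastResults = Get-ChildItem $LogFolder\*.csv -Recurse -ErrorAction SilentlyContinue | Where { !$_.PsIsContainer } | Sort LastWriteTime -descending | select -first 1
If ($LastResults)
{
    $LastResults = import-csv $LastResults
    $LastTime = ($LastResults.timegenerated | Measure -Max).Maximum
}
# Header row; Log Parser appends the event rows below it (-headers:off -filemode:0).
Add-Content $LogFolder\$LogFile "TimeGenerated,ComputerName,UserLogin,DomainName,AdminLogin`n"

foreach ($dc_id in $dcs_id)
{
    # NOTE(review): $LastTime is read from a CSV on disk and placed into the Log Parser
    # command line unvalidated; consider checking that it parses as a timestamp.
    if ($dc_id.OSVersion -match "2008")
    {
        if ($LastTime)
        {
            $query = """SELECT timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as UserLogin,EXTRACT_TOKEN(Strings,1,'|') as DomainName,EXTRACT_TOKEN(Strings,4,'|') as AdminLogin into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE ((EventID=4726) and (timegenerated > '$($LastTime)'))"""
        }
        else
        {
            $query = """SELECT timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as UserLogin,EXTRACT_TOKEN(Strings,1,'|') as DomainName,EXTRACT_TOKEN(Strings,4,'|') as AdminLogin into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE EventID=4726"""
        }
    }
    elseif ($dc_id.OSVersion -match "2003")
    {
        if ($LastTime)
        {
            $query = """SELECT timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as UserLogin,EXTRACT_TOKEN(Strings,1,'|') as DomainName,EXTRACT_TOKEN(Strings,3,'|') as AdminLogin into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE ((EventID=630) and (timegenerated > '$($LastTime)'))"""
        }
        else
        {
            $query = """SELECT timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as UserLogin,EXTRACT_TOKEN(Strings,1,'|') as DomainName,EXTRACT_TOKEN(Strings,3,'|') as AdminLogin into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE EventID=630"""
        }
    }
    else
    {
        # A DC matching neither pattern is not queried; say so, otherwise the export
        # looks complete while that DC's events are absent.
        Write-Warning "Skipping $($dc_id.Name): OS version '$($dc_id.OSVersion)' is not handled, its Security log was not read"
        continue
    }

    $LogParserStr = "-i:evt -o:csv " + $query + " -headers:off -filemode:0 -stats:OFF"
    $dc_id.Name
    $LP = Start-Process -FilePath $LogParser -ArgumentList $LogParserStr -Wait -Passthru -NoNewWindow
    # A failed run would otherwise leave a header-only file that is deleted below, hiding
    # the gap. Assumes Log Parser returns 0 on success.
    if ($LP.ExitCode -ne 0)
    {
        Write-Warning "Log Parser did not complete successfully for $($dc_id.Name) (exit code '$($LP.ExitCode)'); this export may be missing events"
    }
}
DelLFile $LogFolder\$logfile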

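### Create Group in domain ID
# Exports "group created" events (4727/4731/4754 on 2008 DCs, 631/658/635 on 2003 DCs)
# from every DC's Security log into a new timestamped CSV.
# Start from a clean watermark: without this reset, an empty folder here would inherit
# $LastTime from whatever ran before and older creation events would be skipped silently.
$LastResults = $LastTime = $null
$LogTime = Get-Date -Format "yyyy-MM-dd_HH-mm-ss"
$LogFile = "CreateGroup_" + $LogTime + ".csv"
# NOTE(review): if FindAll() returns a single DC, .domain.name may be a plain string and [0] its first character - confirm the folder name.
$LogFolder = ".\$($dcs_id.domain.name[0])\CreateGroup"
New-Item -ItemType Directory -Force -Path $LogFolder
# Newest earlier export in this folder, if any; its latest TimeGenerated is the watermark.
$LastResults = Get-ChildItem $LogFolder\*.csv -Recurse -ErrorAction SilentlyContinue | Where { !$_.PsIsContainer } | Sort LastWriteTime -descending | select -first 1
If ($LastResults)
{
    $LastResults = import-csv $LastResults
    $LastTime = ($LastResults.timegenerated | Measure -Max).Maximum
}
# Header row; Log Parser appends the event rows below it (-headers:off -filemode:0).
Add-Content $LogFolder\$LogFile "TimeGenerated,ComputerName,GroupName,AdminLogin`n"

foreach ($dc_id in $dcs_id)
{
    # NOTE(review): $LastTime is read from a CSV on disk and placed into the Log Parser
    # command line unvalidated; consider checking that it parses as a timestamp.
    if ($dc_id.OSVersion -match "2008")
    {
        if ($LastTime)
        {
            $query = """SELECT timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as GroupName,EXTRACT_TOKEN(Strings,4,'|') as AdminLogin into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE ((EventID IN (4727;4731;4754)) and (timegenerated > '$($LastTime)'))"""
        }
        else
        {
            $query = """SELECT timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as GroupName,EXTRACT_TOKEN(Strings,4,'|') as AdminLogin into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE EventID IN (4727;4731;4754)"""
        }
    }
    elseif ($dc_id.OSVersion -match "2003")
    {
        if ($LastTime)
        {
            $query = """SELECT timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as GroupName,EXTRACT_TOKEN(Strings,3,'|') as AdminLogin into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE ((EventID IN (631;658;635)) and (timegenerated > '$($LastTime)'))"""
        }
        else
        {
            $query = """SELECT timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as GroupName,EXTRACT_TOKEN(Strings,3,'|') as AdminLogin into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE EventID IN (631;658;635)"""
        }
    }
    else
    {
        # A DC matching neither pattern is not queried; say so, otherwise the export
        # looks complete while that DC's events are absent.
        Write-Warning "Skipping $($dc_id.Name): OS version '$($dc_id.OSVersion)' is not handled, its Security log was not read"
        continue
    }

    $LogParserStr = "-i:evt -o:csv " + $query + " -headers:off -filemode:0 -stats:OFF"
    $dc_id.Name
    $LP = Start-Process -FilePath $LogParser -ArgumentList $LogParserStr -Wait -Passthru -NoNewWindow
    # A failed run would otherwise leave a header-only file that is deleted below, hiding
    # the gap. Assumes Log Parser returns 0 on success.
    if ($LP.ExitCode -ne 0)
    {
        Write-Warning "Log Parser did not complete successfully for $($dc_id.Name) (exit code '$($LP.ExitCode)'); this export may be missing events"
    }
}
DelLFile $LogFolder\$logfile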

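### Delete Group in domain ID
# Exports "group deleted" events (4730/4734/4758 on 2008 DCs, 634/638/662 on 2003 DCs)
# from every DC's Security log into a new timestamped CSV.
# Start from a clean watermark: without this reset, an empty folder here would inherit
# $LastTime from whatever ran before and older deletion events would be skipped silently.
$LastResults = $LastTime = $null
$LogTime = Get-Date -Format "yyyy-MM-dd_HH-mm-ss"
$LogFile = "DelGroup_" + $LogTime + ".csv"
# NOTE(review): if FindAll() returns a single DC, .domain.name may be a plain string and [0] its first character - confirm the folder name.
$LogFolder = ".\$($dcs_id.domain.name[0])\DelGroup"
New-Item -ItemType Directory -Force -Path $LogFolder
# Newest earlier export in this folder, if any; its latest TimeGenerated is the watermark.
$LastResults = Get-ChildItem $LogFolder\*.csv -Recurse -ErrorAction SilentlyContinue | Where { !$_.PsIsContainer } | Sort LastWriteTime -descending | select -first 1
If ($LastResults)
{
    $LastResults = import-csv $LastResults
    $LastTime = ($LastResults.timegenerated | Measure -Max).Maximum
}
# Header row; Log Parser appends the event rows below it (-headers:off -filemode:0).
Add-Content $LogFolder\$LogFile "TimeGenerated,ComputerName,GroupName,AdminLogin`n"

foreach ($dc_id in $dcs_id)
{
    # NOTE(review): $LastTime is read from a CSV on disk and placed into the Log Parser
    # command line unvalidated; consider checking that it parses as a timestamp.
    if ($dc_id.OSVersion -match "2008")
    {
        if ($LastTime)
        {
            $query = """SELECT timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as GroupName,EXTRACT_TOKEN(Strings,4,'|') as AdminLogin into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE ((EventID IN (4730;4734;4758)) and (timegenerated > '$($LastTime)'))"""
        }
        else
        {
            $query = """SELECT timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as GroupName,EXTRACT_TOKEN(Strings,4,'|') as AdminLogin into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE EventID IN (4730;4734;4758)"""
        }
    }
    elseif ($dc_id.OSVersion -match "2003")
    {
        if ($LastTime)
        {
            $query = """SELECT timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as GroupName,EXTRACT_TOKEN(Strings,3,'|') as AdminLogin into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE ((EventID IN (634;638;662)) and (timegenerated > '$($LastTime)'))"""
        }
        else
        {
            $query = """SELECT timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as GroupName,EXTRACT_TOKEN(Strings,3,'|') as AdminLogin into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE EventID IN (634;638;662)"""
        }
    }
    else
    {
        # A DC matching neither pattern is not queried; say so, otherwise the export
        # looks complete while that DC's events are absent.
        Write-Warning "Skipping $($dc_id.Name): OS version '$($dc_id.OSVersion)' is not handled, its Security log was not read"
        continue
    }

    $LogParserStr = "-i:evt -o:csv " + $query + " -headers:off -filemode:0 -stats:OFF"
    $dc_id.Name
    $LP = Start-Process -FilePath $LogParser -ArgumentList $LogParserStr -Wait -Passthru -NoNewWindow
    # A failed run would otherwise leave a header-only file that is deleted below, hiding
    # the gap. Assumes Log Parser returns 0 on success.
    if ($LP.ExitCode -ne 0)
    {
        Write-Warning "Log Parser did not complete successfully for $($dc_id.Name) (exit code '$($LP.ExitCode)'); this export may be missing events"
    }
}
DelLFile $LogFolder\$logfile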

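### Create PC in domain ID
# Exports "computer account created" events (4741 on 2008 DCs, 645 on 2003 DCs) from
# every DC's Security log into a new timestamped CSV.
# Start from a clean watermark: without this reset, an empty folder here would inherit
# $LastTime from whatever ran before and older creation events would be skipped silently.
$LastResults = $LastTime = $null
$LogTime = Get-Date -Format "yyyy-MM-dd_HH-mm-ss"
$LogFile = "CreatePC_" + $LogTime + ".csv"
# NOTE(review): if FindAll() returns a single DC, .domain.name may be a plain string and [0] its first character - confirm the folder name.
$LogFolder = ".\$($dcs_id.domain.name[0])\CreatePC"
New-Item -ItemType Directory -Force -Path $LogFolder
# Newest earlier export in this folder, if any; its latest TimeGenerated is the watermark.
$LastResults = Get-ChildItem $LogFolder\*.csv -Recurse -ErrorAction SilentlyContinue | Where { !$_.PsIsContainer } | Sort LastWriteTime -descending | select -first 1
If ($LastResults)
{
    $LastResults = import-csv $LastResults
    $LastTime = ($LastResults.timegenerated | Measure -Max).Maximum
}
# Header row; Log Parser appends the event rows below it (-headers:off -filemode:0).
Add-Content $LogFolder\$LogFile "TimeGenerated,ComputerName,PCName,DomainName,AdminLogin`n"

foreach ($dc_id in $dcs_id)
{
    # NOTE(review): $LastTime is read from a CSV on disk and placed into the Log Parser
    # command line unvalidated; consider checking that it parses as a timestamp.
    if ($dc_id.OSVersion -match "2008")
    {
        if ($LastTime)
        {
            $query = """SELECT timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as PCName,EXTRACT_TOKEN(Strings,1,'|') as DomainName,EXTRACT_TOKEN(Strings,4,'|') as AdminLogin into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE ((EventID = 4741) and (timegenerated > '$($LastTime)'))"""
        }
        else
        {
            $query = """SELECT timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as PCName,EXTRACT_TOKEN(Strings,1,'|') as DomainName,EXTRACT_TOKEN(Strings,4,'|') as AdminLogin into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE EventID = 4741"""
        }
    }
    elseif ($dc_id.OSVersion -match "2003")
    {
        if ($LastTime)
        {
            $query = """SELECT timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as PCName,EXTRACT_TOKEN(Strings,1,'|') as DomainName,EXTRACT_TOKEN(Strings,3,'|') as AdminLogin into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE ((EventID = 645) and (timegenerated > '$($LastTime)'))"""
        }
        else
        {
            $query = """SELECT timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as PCName,EXTRACT_TOKEN(Strings,1,'|') as DomainName,EXTRACT_TOKEN(Strings,3,'|') as AdminLogin into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE EventID = 645"""
        }
    }
    else
    {
        # A DC matching neither pattern is not queried; say so, otherwise the export
        # looks complete while that DC's events are absent.
        Write-Warning "Skipping $($dc_id.Name): OS version '$($dc_id.OSVersion)' is not handled, its Security log was not read"
        continue
    }

    $LogParserStr = "-i:evt -o:csv " + $query + " -headers:off -filemode:0 -stats:OFF"
    $dc_id.Name
    $LP = Start-Process -FilePath $LogParser -ArgumentList $LogParserStr -Wait -Passthru -NoNewWindow
    # A failed run would otherwise leave a header-only file that is deleted below, hiding
    # the gap. Assumes Log Parser returns 0 on success.
    if ($LP.ExitCode -ne 0)
    {
        Write-Warning "Log Parser did not complete successfully for $($dc_id.Name) (exit code '$($LP.ExitCode)'); this export may be missing events"
    }
}
DelLFile $LogFolder\$logfile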
