
Wednesday, July 5, 2017

How to parse Windows DNS debug logs with Logparser: create statistics

In this article I share a PowerShell script that helps to identify anomalies in your DNS. The script creates TOP-30 Queries and TOP-30 Clients tables. With the help of MS Logparser you can very quickly check the debug log files of Windows DNS.

Download powershell script

1. Enable the DNS debug log on all DNS servers
- set limit for file size
- set same path


2. Install Logparser on the PC from which you run the script

3. In the script you have to set
- servers
- domains
- homefolder
- files with dns debug logs
- email server (anonymous smtp)
- user email

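# Set variables
# Script-wide configuration: where the script lives, where LogParser is installed and which
# DNS servers' debug logs are read. Every server must write its debug log to the same path
# (C:\Scripts\Logs\Queries.log, reached over the admin share in $DCs_str below).
$HomeFolder = "D:\Scripts"
Set-Location $HomeFolder
$LogParser = "C:\Program Files (x86)\Log Parser 2.2\LogParser.exe"
$Servers = @("dc1.blogspot.com","dc2.blogspot.com","dc3.blogspot.com")

# Report mail. The body is assembled as HTML further down, so IsBodyHTML must stay on.
$msg = New-Object Net.Mail.MailMessage
$msg.From = "myscript@blogspot.com"
$msg.To.Add("i-evgeny@blogspot.com")
$msg.Subject = "DNS-query statistics"
$msg.IsBodyHTML = $true
# Anonymous relay on port 25 (no authentication, no TLS). The report lists internal client
# addresses and queried names, so this relay should only be reachable from the inside.
$SMTPServer = "smtp.blogspot.com"
$SMTPClient = New-Object Net.Mail.SmtpClient($SMTPServer, 25)

# Per-run file names. "HH" is the 24-hour clock; the original "hh" (12-hour, no AM/PM marker)
# could give two runs twelve hours apart the same file name.
$LogTime = Get-Date -Format "yyyy-MM-dd_HH-mm-ss"
if (!(Test-Path "$HomeFolder\Logs")) { New-Item -ItemType Directory -Path "$HomeFolder\Logs" }
# Not referenced by the statistics passes below; kept so the variable still exists for anything that expects it.
$LogFile = $HomeFolder + "\Logs\DNSParser_" + $LogTime + ".log"
$LogFile_top_domain = $HomeFolder + "\Logs\DNSParser_top_domain_" + $LogTime + ".log"
$LogFile_top_ip = $HomeFolder + "\Logs\DNSParser_top_ip_" + $LogTime + ".log"
# Fixed name: every run overwrites the same intermediate CSV.
$TempFile = $HomeFolder + "\DNSTemp.csv"

# Comma-separated FROM list for LogParser, one UNC path per server, e.g.
# \\dc1\c$\Scripts\Logs\Queries.log,\\dc2\c$\Scripts\Logs\Queries.log
$DCs_str = ($Servers | ForEach-Object { "\\$($_)\c$\Scripts\Logs\Queries.log" }) -join ","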

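# Logparser query: group by query, client ip
# Pass 1 reads the raw debug logs (space separated, no header row, first 30 lines skipped) and
# writes the client address (field8) plus the queried name into $TempFile. The CASE takes
# field16 as the name unless it is NULL, in which case field15 is used.
$query = """SELECT field8,CASE field16 WHEN NULL THEN field15 ELSE field16 END AS myquery INTO $($TempFile) FROM $DCs_str"""
$LogParserStr = "-i:TSV -iSeparator:space -nFields:16 -headerRow:OFF -nSkipLines:30 -o:csv " + $query
$LP = Start-Process -FilePath $LogParser -ArgumentList $LogParserStr -Wait -PassThru -NoNewWindow
# $TempFile has a fixed name, so after a failed pass the later passes may aggregate a previous run's data.
if ($LP.ExitCode -ne 0) { Write-Warning "LogParser pass 1 exited with code $($LP.ExitCode)" }

# Kept from the original; -Wait already blocks until LogParser has exited.
Start-Sleep -s 15

# Pass 2: hits per queried name, most frequent first.
$query_top_domain = """SELECT myquery, COUNT(myquery) INTO $LogFile_top_domain FROM $TempFile GROUP BY myquery ORDER BY COUNT(myquery) DESC"""
$LogParserStr = "-i:csv -o:csv " + $query_top_domain
$LP = Start-Process -FilePath $LogParser -ArgumentList $LogParserStr -Wait -PassThru -NoNewWindow
if ($LP.ExitCode -ne 0) { Write-Warning "LogParser pass 2 exited with code $($LP.ExitCode)" }

# Pass 3: hits per client address, most frequent first.
$query_top_ip = """SELECT Field8, COUNT(Field8) INTO $LogFile_top_ip FROM $TempFile GROUP BY field8 ORDER BY COUNT(field8) DESC"""
$LogParserStr = "-i:csv -o:csv " + $query_top_ip
$LP = Start-Process -FilePath $LogParser -ArgumentList $LogParserStr -Wait -PassThru -NoNewWindow
if ($LP.ExitCode -ne 0) { Write-Warning "LogParser pass 3 exited with code $($LP.ExitCode)" }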

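# Transformation query
# Turn the pass-2 output into objects with two properties, Query and C (count), for the
# e-mail table. The debug log stores names in label-length notation such as
# "(3)www(6)google(3)com(0)", so whitespace is dropped, every "(n)" becomes a dot and the
# leading/trailing dots are trimmed, giving "www.google.com".
$result_top_domain = @(Import-Csv $LogFile_top_domain)   # @() so a single row is still indexable
$good_result_top_domain = @()

# At most 30 rows; fewer when the log has fewer distinct names. The original loop
# (for($i=0$i -le 29$i++), missing its semicolons) always ran to index 29 and produced empty rows.
$top_domain_last = [Math]::Min(29, $result_top_domain.Count - 1)
for ($i = 0; $i -le $top_domain_last; $i++) {
    $row = $result_top_domain[$i]
    $good_name = $row.myquery -replace "\s" -replace "\(\d?\d\)","." -replace "^\." -replace "\.$"
    $good_result_top_domain += New-Object PSObject -Property @{
        Query = "$good_name";
        C = "$($row.'COUNT(ALL myquery)')"
    }
}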

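# Create table for email
# The values come from the DNS debug log, which any client can populate with an arbitrary
# name simply by querying it, and the message is sent as HTML (IsBodyHTML). Every value is
# therefore HTML-encoded before it is inserted. WebUtility needs .NET 4 (PowerShell 3+).
$msg.Body = "<html>
<body>TOP-30 Queries <br><br><table border=""0"" cellpadding=""3"" style=""font-size:8pt;font-family:Arial,sans-serif"">
<tr bgcolor=""#dddddd"">
<td valign=""top""><b>Query</b></td>
<td valign=""top""><b>Count</b></td>
</tr>
<tr bgcolor=""#dddddd"">
<td valign=""top"">"

# Each iteration closes the current row and opens the next; the last open cell is closed
# together with the table when the client table is appended.
foreach ($g in $good_result_top_domain) {
    $safe_query = [System.Net.WebUtility]::HtmlEncode("$($g.Query)")
    $safe_count = [System.Net.WebUtility]::HtmlEncode("$($g.C)")
    $msg.Body += "$safe_query</td><td valign=""top"">$safe_count</td></tr><tr bgcolor=""#dddddd""><td valign=""top"">"
}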

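# Client table. field8 is the client address as logged; it is encoded like the query names
# because the e-mail is HTML and the value is taken verbatim from the log.
$result_top_ip = @(Import-Csv $LogFile_top_ip)   # @() so a single row is still indexable

$msg.Body += "</td></tr></table><br>TOP-30 Clients <br><br><table border=""0"" cellpadding=""3"" style=""font-size:8pt;font-family:Arial,sans-serif"">
<tr bgcolor=""#dddddd"">
<td valign=""top""><b>Clients</b></td>
<td valign=""top""><b>Count</b></td>
</tr>
<tr bgcolor=""#dddddd"">
<td valign=""top"">"

# At most 30 rows; the original loop (missing its semicolons) always ran to index 29.
$top_ip_last = [Math]::Min(29, $result_top_ip.Count - 1)
for ($i = 0; $i -le $top_ip_last; $i++) {
    $row = $result_top_ip[$i]
    $safe_client = [System.Net.WebUtility]::HtmlEncode("$($row.field8)")
    $safe_count = [System.Net.WebUtility]::HtmlEncode("$($row.'COUNT(ALL Field8)')")
    $msg.Body += "$safe_client</td><td valign=""top"">$safe_count</td></tr><tr bgcolor=""#dddddd""><td valign=""top"">"
}
$msg.Body += "</td></tr></table></body></html>"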

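# Send statistics
# Dispose the message afterwards so the MailMessage and its underlying streams are released
# whether or not Send threw.
try {
    $SMTPClient.Send($msg)
}
finally {
    $msg.Dispose()
}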

4. Schedule a task; the run-as account must have read permission for the debug files

Example of result:


Tuesday, June 27, 2017

How to parse Windows DNS debug logs with Logparser for VIRUS (eg WannaCRY)

In this article I share a PowerShell script that helps to identify PCs infected with WannaCry and other botnet members in your network. With the help of MS Logparser you can very quickly check the debug log files of Windows DNS.

Download powershell script

1. First, enable the DNS debug log on all DNS servers
- set limit for file size
- set same path (for script)


2. Install Logparser on the PC from which you run the script

3. In the script you have to set
- servers
- domains
- homefolder
- the path of the files with the DNS debug logs
- email server (anonymous smtp)
- user email

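# Set variables
$HomeFolder = "D:\Scripts"
Set-Location $HomeFolder
if (!(Test-Path "$HomeFolder\Logs")) { New-Item -ItemType Directory -Path "$HomeFolder\Logs" }
$LogParser = "C:\Program Files (x86)\Log Parser 2.2\LogParser.exe"

# DNS servers whose debug log (C:\Scripts\Logs\Queries.log on each, read over the admin share) is searched.
$Servers = @("dc1.blogspot.com","dc2.blogspot.com","dc3.blogspot.com")
# Substrings matched with LIKE '%...%' against the queried name. Replace or extend as your
# indicator list changes; a short or generic entry will also match legitimate names.
$VirDomains = @("iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea","ifferfsodp9ifjaposdfjhgosurijfaewrwergwea","ayylmaoTJHSSTasdfasdfasdfasdfasdfasdfasdf","pingdavinci","wizardtesla","archimedus")

# Alert mail: plain-text body (IsBodyHTML is not set) listing the matching client addresses,
# with the raw match file attached.
$msg = New-Object Net.Mail.MailMessage
$msg.From = "myscript@blogspot.com"
$msg.To.Add("i-evgeny@blogspot.com")
$msg.Subject = "Virus DNS Parser"
# Anonymous relay on port 25 (no authentication, no TLS); the alert carries internal
# addresses and log lines, so keep the relay internal.
$SMTPServer = "smtp.blogspot.com"
$SMTPClient = New-Object Net.Mail.SmtpClient($SMTPServer, 25)
# "HH" is the 24-hour clock; the original "hh" (12-hour) could give runs twelve hours apart the same name.
$LogTime = Get-Date -Format "yyyy-MM-dd_HH-mm-ss"
$LogFile = $HomeFolder + '\Logs\' + "parser_vir_" + $LogTime + ".log"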

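# Logparser query
# WHERE clause: one "field15 LIKE '%x%' OR field16 LIKE '%x%'" pair per indicator, OR-ed
# together. Both columns are checked because the queried name may sit in either one.
# Note: an empty $VirDomains leaves the WHERE clause empty and LogParser will reject the query.
$VirDomains_str = ($VirDomains | ForEach-Object { "field15 LIKE '%$($_)%' OR field16 LIKE '%$($_)%'" }) -join " OR "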

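# FROM list: one UNC path per server, comma-separated, e.g.
# \\dc1\c$\Scripts\Logs\Queries.log,\\dc2\c$\Scripts\Logs\Queries.log
$DCs_str = ($Servers | ForEach-Object { "\\$($_)\c$\Scripts\Logs\Queries.log" }) -join ","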

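# Run LogParser over the raw debug logs (space separated, no header row, first 30 lines
# skipped) and keep every matching line in $LogFile as CSV.
$query = """SELECT * INTO $($LogFile) FROM $DCs_str WHERE $VirDomains_str"""
$LogParserStr = "-i:TSV -iSeparator:space -nFields:16 -headerRow:OFF -nSkipLines:30 -o:csv " + $query
$LP = Start-Process -FilePath $LogParser -ArgumentList $LogParserStr -Wait -PassThru -NoNewWindow
# A failed run looks like "no matches" to the alert check below, which is the wrong conclusion
# for an alerting script, so at least say so.
if ($LP.ExitCode -ne 0) { Write-Warning "LogParser exited with code $($LP.ExitCode); the result file may be missing or stale" }
# Kept from the original; -Wait already blocks until LogParser has exited.
Start-Sleep -s 15
$Result = Import-Csv $LogFile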

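# Send alert
# Only mail when at least one line matched. The body is the de-duplicated list of client
# addresses (field8) that queried an indicator name; the full match file goes along as attachment.
if ($Result) {
    $vir_ip = $Result | Select-Object field8 -Unique
    $msg.Body = "$($vir_ip.field8)"
    $att = New-Object Net.Mail.Attachment($LogFile)
    try {
        $msg.Attachments.Add($att)
        $SMTPClient.Send($msg)
    }
    finally {
        # The attachment keeps $LogFile open until it is disposed; release it whether or not Send succeeded.
        $att.Dispose()
        $msg.Dispose()
    }
}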

4. Schedule a task (e.g. every hour); the run-as account must have read permission for the DNS debug files

Wednesday, November 4, 2015

Logparser in CAS Exchange 2013 for users and their version of Outlook

In this article I want to share a script that searches the Exchange 2013 CAS logs for the current users and their version of Outlook. The script expects two CAS servers, must be run as an administrator of those servers, and assumes the default log path.

Download ex13_username_version.ps1

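# Two CAS servers whose RpcHttp proxy logs are read over the admin share; the account running
# the script must be able to read both.
$cas1 = "cas1.blogspot.com"
$cas2 = "cas2.blogspot.com"
# Output CSV, written to the current directory.
$LogFile = "ex13_username_version.csv"

$LogParser = "C:\Program Files (x86)\Log Parser 2.2\LogParser.exe"
# Only today's log files: RpcHttp<yyyyMMdd>*.log
$LogTime = Get-Date -Format "yyyyMMdd"
$LogHProxy = "RpcHttp" + $LogTime + "*.log"

# Per-server path of the proxy logs; the host part is prepended in the FROM list.
$LogPath = "\c$\Program Files\Microsoft\Exchange Server\V15\Logging\RpcHttp\W3SVC1\$($LogHProxy)"
# username: the text after "=" in the second ";"-separated part of EventData.
# client:   the text after "}" in the third ";"-separated part.
$UserExpr = "EXTRACT_TOKEN(EXTRACT_TOKEN(EventData,1,';'),1,'=')"
$ClientExpr = "EXTRACT_TOKEN(EXTRACT_TOKEN(EventData,2,';'),1,'}')"
# Built on one line (the original spread the string over several lines) and restricted to rows
# where both values are present and the username does not contain "{".
$query = """SELECT DISTINCT $UserExpr as username,$ClientExpr as client" +
         " into $($LogFile) FROM '\\$($cas1)$LogPath', '\\$($cas2)$LogPath'" +
         " where ($UserExpr NOT LIKE '%{%' AND $UserExpr IS NOT null AND $ClientExpr IS NOT null)"""
# -nSkipLines:4 skips the first four lines of each input file. The original had a Unicode en dash
# here ("–nSkipLines:4"), which LogParser would not read as a switch.
$LogParserStr = "-i:csv -o:csv " + $query + " -nSkipLines:4"
$LP = Start-Process -FilePath $LogParser -ArgumentList $LogParserStr -Wait -PassThru -NoNewWindow
if ($LP.ExitCode -ne 0) { Write-Warning "LogParser exited with code $($LP.ExitCode)" }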

Wednesday, June 11, 2014

Script to audit basic events (create/delete user, create/delete group, change membership in group, create computer) in Active Directory.

On 32-bit Windows the Security log can be no larger than 512 MB; in the 64-bit version the Security log can grow to 4 GB. So I want to share a script that checks the Security logs of the DCs and stores the following events in ".csv" files:
1. user added to a group,
2. user deleted from the group
3. user created,
4. user deleted,
5. group created,
6. group deleted,
7. computer created

Beforehand, install the Active Directory module for PowerShell (http://blogs.msdn.com/b/rkramesh/archive/2012/01/17/how-to-add-active-directory-module-in-powershell-in-windows-7.aspx) and Log Parser 2.2 (http://www.microsoft.com/en-us/download/details.aspx?id=24659) on your computer. At the beginning of the script you need to specify the domain (in the example, "contoso.com").
You can schedule the script to run, for example, every 2 hours.

Download script


# Nothing below uses AD cmdlets (DCs are enumerated through System.DirectoryServices),
# which is why a missing module is silently ignored.
Import-Module ActiveDirectory -ErrorAction SilentlyContinue

# Domain to audit; every domain controller found in it is queried in turn.
$id = New-Object -TypeName 'System.DirectoryServices.ActiveDirectory.DirectoryContext' -ArgumentList "domain", "contoso.com"
$dcs_id = [System.DirectoryServices.ActiveDirectory.DomainController]::FindAll($id)
$LogParser = "C:\Program Files (x86)\Log Parser 2.2\LogParser.exe"

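#######################################
# Delete a CSV that holds nothing but the header line Add-Content wrote before LogParser ran.
# Arguments: $path - path of the CSV to check
# Outputs:   a host message when the file is removed
#######################################
function DelLFile([string] $path)
{
    # Nothing to do when the file was never created; this also avoids a Get-Content error.
    if (-not (Test-Path -LiteralPath $path)) { return }
    # -LiteralPath so "[" or "]" in the path are not treated as wildcards.
    $LFile = Get-Content -LiteralPath $path | Measure-Object -Line
    # One counted line is taken to mean "header only", as the original did.
    if ($LFile.Lines -eq 1)
    {
        Write-Host "Log file empty and deleted"
        Remove-Item -LiteralPath $path
    }
}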

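### Audit sections
# Each section exports one class of Security-log event from every DC into its own CSV under
# .\<domain>\<Folder>\. Runs are incremental: the newest CSV already in the folder gives the
# last TimeGenerated seen and only later events are fetched. That cut-off is kept per section
# inside Export-AuditEvents; the original script shared one $LastTime between sections, so a
# section without history inherited the previous section's cut-off and skipped events.

#######################################
# Export one class of events from the Security log of every DC into a dated CSV.
# Globals:   $dcs_id (read) - DCs returned by DomainController::FindAll
#            $LogParser (read) - path to LogParser.exe
# Arguments: -Folder      subfolder under .\<domain>\ holding this section's CSVs
#            -FilePrefix  prefix of the CSV name, followed by the timestamp
#            -Header      CSV header line written before LogParser appends rows (-headers:off)
#            -Select2008 / -Filter2008  SELECT list and EventID filter for Vista/2008 and later DCs
#            -Select2003 / -Filter2003  SELECT list and EventID filter for 2003 DCs
# Outputs:   New-Item output and each DC name, as the original per-section code did
#######################################
function Export-AuditEvents
{
    param(
        [string] $Folder,
        [string] $FilePrefix,
        [string] $Header,
        [string] $Select2008,
        [string] $Filter2008,
        [string] $Select2003,
        [string] $Filter2003
    )
    $LogTime = Get-Date -Format "yyyy-MM-dd_HH-mm-ss"
    $LogFile = $FilePrefix + $LogTime + ".csv"
    $LogFolder = ".\$($dcs_id.domain.name[0])\$Folder"
    New-Item -ItemType Directory -Force -Path $LogFolder

    # Cut-off for this section only: the highest TimeGenerated in the newest CSV of the folder.
    $LastTime = $null
    $LastResults = Get-ChildItem $LogFolder\*.csv -Recurse -ErrorAction SilentlyContinue |
        Where-Object { !$_.PsIsContainer } | Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($LastResults)
    {
        $LastRows = Import-Csv $LastResults
        $LastTime = ($LastRows.timegenerated | Measure-Object -Maximum).Maximum
    }
    Add-Content $LogFolder\$LogFile "$Header`n"

    foreach ($dc_id in $dcs_id)
    {
        if ($dc_id.OSVersion -match "2003")
        {
            $select = $Select2003
            $filter = $Filter2003
        }
        else
        {
            # Vista/2008 and every later Windows version use the four-digit event IDs; the
            # original matched "2008" only and silently skipped 2012 and newer DCs.
            $select = $Select2008
            $filter = $Filter2008
        }
        if ($LastTime) { $where = "(($filter) and (timegenerated > '$($LastTime)'))" }
        else { $where = "($filter)" }
        $query = """SELECT $select into $($LogFolder)\$($LogFile) FROM \\$($dc_id.Name)\security WHERE $where"""
        $LogParserStr = "-i:evt -o:csv " + $query + " -headers:off -filemode:0 -stats:OFF"
        $dc_id.Name
        $LP = Start-Process -FilePath $LogParser -ArgumentList $LogParserStr -Wait -PassThru -NoNewWindow
        # A failed export leaves a gap that the next incremental run will not revisit, so say so.
        if ($LP.ExitCode -ne 0) { Write-Warning "LogParser exited with code $($LP.ExitCode) for $($dc_id.Name)" }
    }
    DelLFile $LogFolder\$LogFile
}

# SELECT lists shared by several sections. 2003 logs carry the admin login one token earlier
# (index 3 instead of 4) and, for group membership, the actor as the event SID.
$UserSelect2008 = "timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as UserLogin,EXTRACT_TOKEN(Strings,1,'|') as DomainName,EXTRACT_TOKEN(Strings,4,'|') as AdminLogin"
$UserSelect2003 = "timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as UserLogin,EXTRACT_TOKEN(Strings,1,'|') as DomainName,EXTRACT_TOKEN(Strings,3,'|') as AdminLogin"
$GroupSelect2008 = "timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as GroupName,EXTRACT_TOKEN(Strings,4,'|') as AdminLogin"
$GroupSelect2003 = "timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as GroupName,EXTRACT_TOKEN(Strings,3,'|') as AdminLogin"

# Folder and file names keep the original spelling ("Gorup") so existing history folders,
# and therefore the incremental cut-off, keep working.

### Add User to group in domain ID
$section_add_member = @{
    Folder     = "AddUserToGorup"
    FilePrefix = "AddUserToGorup_"
    Header     = "TimeGenerated,Group,NewMember,AddedBy"
    Select2008 = "TimeGenerated,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,4,'|'),'{}%%','')) AS Group,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,1,'|'),'{}%%','')) AS NewMember,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,5,'|'),'{}%%','')) AS AddedBy"
    Filter2008 = "EventID IN (4728;4732;4756)"
    Select2003 = "TimeGenerated,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,4,'|'),'{}%%','')) AS Group, RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,1,'|'),'{}%%','')) AS NewMember, RESOLVE_SID(SID) AS AddedBy"
    Filter2003 = "EventID IN (660;632;636)"
}
Export-AuditEvents @section_add_member

### Delete User from group in domain ID
$section_del_member = @{
    Folder     = "DelUserFromGroup"
    FilePrefix = "DelUserFromGorup_"
    Header     = "TimeGenerated,Group,DelMember,DelBy"
    Select2008 = "TimeGenerated,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,4,'|'),'{}%%','')) AS Group,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,1,'|'),'{}%%','')) AS DelMember,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,5,'|'),'{}%%','')) AS DelBy"
    Filter2008 = "EventID IN (4729;4733;4757)"
    Select2003 = "TimeGenerated,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,4,'|'),'{}%%','')) AS Group,RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,1,'|'),'{}%%','')) AS DelMember,RESOLVE_SID(SID) AS DelBy"
    Filter2003 = "EventID IN (633;637;661)"
}
Export-AuditEvents @section_del_member

### Create User in domain ID
$section_create_user = @{
    Folder     = "CreateUser"
    FilePrefix = "CreateUser_"
    Header     = "TimeGenerated,ComputerName,UserLogin,DomainName,AdminLogin"
    Select2008 = $UserSelect2008
    Filter2008 = "EventID=4720"
    Select2003 = $UserSelect2003
    Filter2003 = "EventID=624"
}
Export-AuditEvents @section_create_user

### Delete User in domain ID
$section_del_user = @{
    Folder     = "DelUser"
    FilePrefix = "DelUser_"
    Header     = "TimeGenerated,ComputerName,UserLogin,DomainName,AdminLogin"
    Select2008 = $UserSelect2008
    Filter2008 = "EventID=4726"
    Select2003 = $UserSelect2003
    Filter2003 = "EventID=630"
}
Export-AuditEvents @section_del_user

### Create Group in domain ID
$section_create_group = @{
    Folder     = "CreateGroup"
    FilePrefix = "CreateGroup_"
    Header     = "TimeGenerated,ComputerName,GroupName,AdminLogin"
    Select2008 = $GroupSelect2008
    Filter2008 = "EventID IN (4727;4731;4754)"
    Select2003 = $GroupSelect2003
    Filter2003 = "EventID IN (631;658;635)"
}
Export-AuditEvents @section_create_group

### Delete Group in domain ID
$section_del_group = @{
    Folder     = "DelGroup"
    FilePrefix = "DelGroup_"
    Header     = "TimeGenerated,ComputerName,GroupName,AdminLogin"
    Select2008 = $GroupSelect2008
    Filter2008 = "EventID IN (4730;4734;4758)"
    Select2003 = $GroupSelect2003
    Filter2003 = "EventID IN (634;638;662)"
}
Export-AuditEvents @section_del_group

### Create PC in domain ID
$section_create_pc = @{
    Folder     = "CreatePC"
    FilePrefix = "CreatePC_"
    Header     = "TimeGenerated,ComputerName,PCName,DomainName,AdminLogin"
    Select2008 = "timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as PCName,EXTRACT_TOKEN(Strings,1,'|') as DomainName,EXTRACT_TOKEN(Strings,4,'|') as AdminLogin"
    Filter2008 = "EventID = 4741"
    Select2003 = "timegenerated,computername,EXTRACT_TOKEN(Strings,0,'|') as PCName,EXTRACT_TOKEN(Strings,1,'|') as DomainName,EXTRACT_TOKEN(Strings,3,'|') as AdminLogin"
    Filter2003 = "EventID = 645"
}
Export-AuditEvents @section_create_pc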