/build/static/layout/Breadcrumb_cap_w.png

Custom Inventory Rule User Login History

My custom inventory rule:

 

ShellCommandTextReturn(cmd /c powershell.exe -nologo -executionpolicy bypass -noprofile -file "\\10.86.28.238\client\logonactivityajs.ps1")\\

 

Script:

 

# Variables

# Path for HTML file output

$htmlfile = ".\LogonActivity.html"

 

# Table Creation

$LogonActivityTable = New-Object system.Data.DataTable “Logon/Logoff Activity”

 

# Create Columns

$date = New-Object system.Data.DataColumn "Date",([string])

$type = New-Object system.Data.DataColumn "Type",([string])

$status = New-Object system.Data.DataColumn "Status",([string])

$user = New-Object system.Data.DataColumn "User",([string])

$ipaddress = New-Object system.Data.DataColumn "IPAddress",([string])

 

# Add Columns to Table

$LogonActivityTable.columns.add($date)

$LogonActivityTable.columns.add($type)

$LogonActivityTable.columns.add($status)

$LogonActivityTable.columns.add($user)

$LogonActivityTable.columns.add($ipaddress)

 

$hostname = $env:computername

 

$startDate = "1/1/2000"

 

$endDate = get-date

$scope = "N"

# Writes a line with all the parameters selected for report

write-host "Hostname: "$hostname "`tStart: "$startDate "`tEnd: "$endDate "`tOnly Failed Logins: "$scope "`n"

# Store each event from the Security Log with the specificed dates and computer in an array

$log = Get-Eventlog -LogName Security -ComputerName $hostname -after $startDate -before $endDate

 

# Loop through each security event, print only failed login attempts

if ($scope -match "Y"){

    foreach ($i in $log){

        # Logon Failure Events

        # Local

        if (($i.EventID -eq 4625 ) -and ($i.ReplacementStrings[10] -eq 2)){

            # Create a Row

            $row = $LogonActivityTable.NewRow()

 

            # Enter Data into the Row

            $row.date =  $i.TimeGenerated

            $row.type =  "Logon - Local"

            $row.status =  "Failure"

            $row.user =  $i.ReplacementStrings[5]

            $row.ipaddress = ""

 

            # Add the Row to the Table

            $LogonActivityTable.Rows.Add($row)

        }

        # Remote

        if (($i.EventID -eq 4625 ) -and ($i.ReplacementStrings[10] -eq 10)){

            # Create a Row

            $row = $LogonActivityTable.NewRow()

 

            # Enter Data into the Row

            $row.date =  $i.TimeGenerated

            $row.type =  "Logon - Remote"

            $row.status =  "Failure"

            $row.user =  $i.ReplacementStrings[5]

            $row.ipaddress = $i.ReplacementStrings[19]

 

            # Add the Row to the Table

            $LogonActivityTable.Rows.Add($row)

        }

    }        

}

# Loop through each security event, print all login/logoffs with type, date/time, status, account name, and IP address if remote

else{

    foreach ($i in $log){

        # Logon Successful Events

        # Local (Logon Type 2)

        if (($i.EventID -eq 4624 ) -and ($i.ReplacementStrings[8] -eq 2)){

            # Create a Row

            $row = $LogonActivityTable.NewRow()

 

            # Enter Data into the Row

            $row.date =  $i.TimeGenerated

            $row.type =  "Logon - Local"

            $row.status =  "Success"

            $row.user =  $i.ReplacementStrings[5]

            $row.ipaddress = ""

 

            # Add the Row to the Table

            $LogonActivityTable.Rows.Add($row)

        }

        # Remote (Logon Type 10)

        if (($i.EventID -eq 4624 ) -and ($i.ReplacementStrings[8] -eq 10)){

            # Create a Row

            $row = $LogonActivityTable.NewRow()

 

            # Enter Data into the Row

            $row.date =  $i.TimeGenerated

            $row.type =  "Logon - Remote"

            $row.status =  "Success"

            $row.user =  $i.ReplacementStrings[5]

            $row.ipaddress = $i.ReplacementStrings[18]

 

            # Add the Row to the Table

            $LogonActivityTable.Rows.Add($row)

        }

         

        # Logon Failure Events

        # Local

        if (($i.EventID -eq 4625 ) -and ($i.ReplacementStrings[10] -eq 2)){

            # Create a Row

            $row = $LogonActivityTable.NewRow()

 

            # Enter Data into the Row

            $row.date =  $i.TimeGenerated

            $row.type =  "Logon - Local"

            $row.status =  "Failure"

            $row.user =  $i.ReplacementStrings[5]

            $row.ipaddress = ""

 

            # Add the Row to the Table

            $LogonActivityTable.Rows.Add($row)

        }

        # Remote

        if (($i.EventID -eq 4625 ) -and ($i.ReplacementStrings[10] -eq 10)){

            # Create a Row

            $row = $LogonActivityTable.NewRow()

 

            # Enter Data into the Row

            $row.date =  $i.TimeGenerated

            $row.type =  "Logon - Remote"

            $row.status =  "Failure"

            $row.user =  $i.ReplacementStrings[5]

            $row.ipaddress = $i.ReplacementStrings[19]

 

            # Add the Row to the Table

            $LogonActivityTable.Rows.Add($row)

        }

         

        # Logoff Events

        if ($i.EventID -eq 4647 ){

            # Create a Row

            $row = $LogonActivityTable.NewRow()

 

            # Enter Data into the Row

            $row.date =  $i.TimeGenerated

            $row.type =  "Logoff"

            $row.status =  "Success"

            $row.user =  $i.ReplacementStrings[1]

            $row.ipaddress = ""

 

            # Add the Row to the Table

            $LogonActivityTable.Rows.Add($row)

        } 

    }

}

 

# Outputs

# Table

if ($output -match "T"){

    $LogonActivityTable | Format-Table

}

 

# HTML

elseif ($output -match "H"){

    # HTML Styles

    $style = "<style>"

    $style = $style + "BODY{background-color:#F2F2F2;}"

    $style = $style + "TABLE{border-width: 1px;border-style: solid;border-color: black;}"

    $style = $style + "TH{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color:#BDBDBD}"

    $style = $style + "TD{border-width: 1px;padding: 5px;border-style: solid;border-color: black;background-color:#D8D8D8}"

    $style = $style + "</style>"

 

    $LogonActivityTable | Select-Object Date, Type, Status, User, IPAddress | ConvertTo-Html -head $style -body "<h2>Logon Activity:</h2>" | Out-File $htmlfile

    Invoke-Expression $htmlfile

}

 

# Grid View

elseif ($output -match "G"){

    $LogonActivityTable | Out-GridView -Title "Logon Activity"

}

 

# Default output, returns the table object in list form by default

else{

    $LogonActivityTable

}


Comments

  • Custom Inventory rules run as system so did you give all computer accounts access to the share your script is hosted on? - chucksteel 6 years ago
  • My script is hosted within the KACE Samba share. - revsmitty 6 years ago
  • I just wanted to say thank you for being willing to post this script. I know it must have taken a lot of time to go through and match the required events and parameters up to be able to export it out as usable. So thanks! - gcgreen 3 years ago
This post is locked
 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ