VB script that sends an email when event ID 528 occurs

I had the help of a fellow Expert with a script that sent an email to me when event ID 632 was logged in the security logs.
Here is the link:
http://www.experts-exchange.com/Programming/Languages/Visual_Basic/VB_Script/Q_25583642.html

I would like to do something similar to this. I would like to monitor security event 528 (when someone logs in) on 4 servers (DC01, DC02, EX01 and EX02). I need it to ignore when an account called internal triggers event 528, as it is a network account that the login script uses.

I tried editing the script myself, but on my ISA server (DC02) it sent me a loop of over 200 emails in less than a minute.

Thanks in advance for your help.
Asked by dh061
sr75 Commented:
Here is my email function that I routinely use:

Function Notify()
    Dim strName, strRecip, strSubject, strMsg
    Dim strSrv, strSend, strServer, strPort
    Dim Msg

    strName = "Notify@domain.com"                   'Sender's email
    strSrv = "mailserver.domain.com"                'SMTP server
    strSubject = "This is my subject"               'Email subject
    strRecip = "Recipient@domain.com"               'Recipient's email

    strMsg = "This is the body of the email, it can be anything that is a string"

    'CDO configuration field names
    strSend = "http://schemas.microsoft.com/cdo/configuration/sendusing"
    strServer = "http://schemas.microsoft.com/cdo/configuration/smtpserver"
    strPort = "http://schemas.microsoft.com/cdo/configuration/smtpserverport"

    Set Msg = CreateObject("CDO.Message")
    Msg.Configuration.Fields.Item(strSend) = 2      '2 = cdoSendUsingPort: deliver over the network
    Msg.Configuration.Fields.Item(strServer) = strSrv
    Msg.Configuration.Fields.Item(strPort) = 25
    Msg.Configuration.Fields.Update

    Msg.Subject = strSubject
    Msg.From = strName
    Msg.To = strRecip
    Msg.TextBody = strMsg
    Msg.Send

    'Only the COM object needs releasing; the string variables go out of scope when the function returns
    Set Msg = Nothing
End Function


 
sr75 Commented:
And here is some code on how to read the event viewer:

On Error Resume Next

strComputer = InputBox("Computer Here!!!")
'Connect to the WMI service on the chosen computer
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\cimv2")
'Read every record currently in the Application log
Set colLoggedEvents = objWMIService.ExecQuery("Select * from Win32_NTLogEvent " _
    & "Where Logfile = 'Application'")
For Each objEvent in colLoggedEvents
    'Type is the event level text (Error, Warning, Information, Audit Success, Audit Failure)
    ErrorChk = LCase(objEvent.Type)
    If InStr(ErrorChk, "error") Then
        Wscript.Echo "Category: " & objEvent.Category
        Wscript.Echo "Computer Name: " & objEvent.ComputerName
        Wscript.Echo "Event Code: " & objEvent.EventCode
        Wscript.Echo "Message: " & objEvent.Message
        Wscript.Echo "Record Number: " & objEvent.RecordNumber
        Wscript.Echo "Source Name: " & objEvent.SourceName
        Wscript.Echo "Time Written: " & objEvent.TimeWritten
        Wscript.Echo "Event Type: " & objEvent.Type
        Wscript.Echo "User: " & objEvent.User
    End If
Next


 
Justin Ellenbecker (IT Director) Commented:
Is your ISA running as a proxy? If so, these are all the user authentications for the proxy.
dh061 (Author) Commented:
Yes, it is the proxy server; however, it's not logging ID 528 for user authentications, as my security logs only show event 528 a handful of times. I think it is event 538 for that.

The code I have below is what causes the mass emails. Maybe I messed up the Do loop, not sure, because the large number of emails doesn't start generating until I log into the server to trigger the script.

I would also like to give credit to jostrander from my link above for the code. I edited it for my needs; his original script works like a charm for what it is supposed to do, but my changes to make it send emails for a different Event ID seemed to fail.

Thanks for the comments.
ON ERROR RESUME NEXT

'--------------------------------------------------------------------
'       User Variables
'--------------------------------------------------------------------
'Server to monitor
strServer = "dc02" 

intPollSeconds=10

'Choose from:  
'Error,Warning,Information,Audit Success,Audit Failure
strTargetInstanceType="Audit Success"   

'Choose from:  
'APPLICATION,SYSTEM,SECURITY,DNS SERVER,FILE REPLICATION SERVICE,DIRECTORY SERVICE
strLogFile="SECURITY"

strEventCode="528"

strEmailSMTPserver="ex01"
strEmailTo="RTEvents@mail.com" 
strEmailFrom="me@mail.com"
strEmailSubject="Security: Someone has logged into DC02" 
'--------------------------------------------------------------------


Set objWMIService = GetObject("winmgmts:" _ 
        & "{impersonationLevel=impersonate}!\\" & strServer & "\root\cimv2") 

strQuery="Select * from __InstanceCreationEvent WITHIN " & intPollSeconds &_
        " where TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.Type='" & strTargetInstanceType & "' AND " & _
        "TargetInstance.Logfile='" & strLogFile & "' AND TargetInstance.EventCode='" & strEventCode & "'"

Set colMonitoredEvents = objWMIService.ExecNotificationQuery(strQuery) 



Do 
        txt=""
        
        Set objEvent = colMonitoredEvents.NextEvent()
        Set objTargetInst = objEvent.TargetInstance
        
        strTimeWritten= objTargetInst.Properties_("TimeWritten") & ""
        Set objSWbemDateTime = CreateObject("WbemScripting.SWbemDateTime")
        objSWbemDateTime.Value=strTimeWritten
        strDate=objSWbemDateTime.GetVarDate(True)       'True=Use OS Timezone
        
        
        strComputerName = objTargetInst.Properties_("ComputerName") & ""
        strType = objTargetInst.Properties_("Type") & ""
        strEventCode = objTargetInst.Properties_("EventCode") & ""
        strMessage= objTargetInst.Properties_("Message") & ""
        strUser = objTargetInst.Properties_("User") & ""
        If strUser<> "" then strUser="User:  " & strUser

        
        txt = txt & "Time Written:  " & strDate & vbCrLf & "Host:  " & strComputerName & vbCrLf & _
                "Event Code:  " & strEventCode & vbCrLf & _
                strUser & vbCrLf & vbCrLf & _
                strMessage & vbCrLf & vbCrLf & _
                "http://eventid.net/display.asp?eventid=" & strEventCode

        txt = "The following " & strLogFile & " events have occurred on host: " & strComputerName & vbCrLf & vbCrLf & txt
        SendMail txt


        Set objEvent = Nothing
        Set objTargetInst = Nothing
        strTimeWritten= ""
        strDate=""
        strComputerName = ""
        strType = ""
        strEventCode = ""
        strMessage=""
        strUser = ""
        
Loop


Sub SendMail(txt)
        ON ERROR RESUME NEXT
        
        if txt <> "" Then

                CONST cdoSendUsingPort = 2 
                CONST cdoAnonymous = 0 
                set msg = CreateObject("CDO.Message") 
                set config = CreateObject("CDO.Configuration") 
                set msg.Configuration = config 

                With msg 
                                .to = strEmailTo
                                .from = strEmailFrom 
                                .subject = strEmailSubject
                                .textbody = txt 
                End with 
 
                prefix = "http://schemas.microsoft.com/cdo/configuration/" 
 
                With config.fields 
                                .item(prefix & "sendusing") = cdoSendUsingPort 
                                .item(prefix & "smtpserver") = strEmailSMTPserver 
                                .item(prefix & "smtpauthenticate") = cdoAnonymous 
                                .update 
                End With 

                'Clear any earlier error so Err.Number reflects the Send call only
                Err.Clear
                msg.send 

                if err.number <> 0 then
                        'WshShell must exist before LogEvent can be called; without this
                        'line the call fails silently under On Error Resume Next
                        Set WshShell = CreateObject("WScript.Shell")
                        WshShell.LogEvent 1,"Error Sending Your Message" & vbCrLf & vbCrLf & _
                                "Email to:  " & strEmailTo & vbCrLf & _
                                "Email From:  " & strEmailFrom & vbCrLf & _
                                "Email Subject:  " & strEmailSubject & vbCrLf & _
                                "Email SMTP Server:  " & strEmailSMTPserver & vbCrLf & _
                                "Email Body:  " & txt 
                        
                End If
        End If

End Sub


 
Donald Stewart (Network Administrator) Commented:
 
dh061 (Author) Commented:
I could use an event trigger; that would allow me to remove the Do loop. Do you know how to ignore accounts like an account called internal and rinstaller?
 
Donald Stewart (Network Administrator) Commented:
Here's an example of one I use. I haven't toyed around with excluding yet.
Dim dtmStart, SearchEventStart
Dim objWMIService, colEvents, objEvent, EventTime
Dim objMessage, eventCounted
Dim ObjSendMail
Set WshNetwork = CreateObject("WScript.Network")
Set ObjSendMail = CreateObject("CDO.Message") 
Const MinutesToSearchWithin = -2 ' look for the event that triggered me within the last 2 minutes (negative so DateAdd goes backwards)
Set dtmStart = CreateObject("WbemScripting.SWbemDateTime")
SearchEventStart = DateAdd("n", MinutesToSearchWithin, Now())
dtmStart.SetVarDate SearchEventStart, True

txt = ""

strComputer = WshNetwork.ComputerName
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery ("Select * from Win32_NTLogEvent Where Type = 'warning' And Logfile = 'Application' And TimeWritten >= '" & dtmStart & "'") 
For Each objEvent in colLoggedEvents
txt = txt &  "Category: " & objEvent.Category
EventTime = Mid(objEvent.TimeWritten, 5, 2) & "/" & Mid(objEvent.TimeWritten, 7, 2) & "/" & _
    Mid(objEvent.TimeWritten, 1, 4) & " " & Mid(objEvent.TimeWritten, 9, 2) & ":" & _
    Mid(objEvent.TimeWritten, 11, 2) & "." & Mid(objEvent.TimeWritten, 13, 2)
txt = txt &  vbCrLf & "Time: " & EventTime
txt = txt &  vbCrLf & "EventCode: " & objEvent.EventCode
txt = txt &  vbCrLf & "Message: " & objEvent.Message
txt = txt &  vbCrLf & "RecordNumber: " & objEvent.RecordNumber
txt = txt &  vbCrLf & "SourceName: " & objEvent.SourceName
txt = txt &  vbCrLf & "Type: " & objEvent.Type
txt = txt &  vbCrLf & "User: " & objEvent.User
txt = txt &  vbCRLF & objEvent.Message & "<http://eventid.net/display.asp?eventid=" &objEvent.EventCode & "&source=" & objEvent.SourceName & "&Phase=1>" & vbcrlf & vbcrlf & vbcrlf
Next


if txt <> "" then

txt = "The Following Application Errors Have Occurred on : " & strComputer & vbcrlf & vbCRLF & txt 

else
Wscript.Quit(0)
end if
     
'This section provides the configuration information for the remote SMTP server.
     
ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2 'Send the message using the network (SMTP over the network).
ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserver") ="mail.server.com"
ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 465 
ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpusessl") = True 'Use SSL for the connection (True or False)
ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout") = 60
     
' If your server requires outgoing authentication, keep the three lines below and use a valid email address and password; otherwise comment them out.
ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate") = 1 'basic (clear-text) authentication
ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/sendusername") ="you@server.com"
ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/sendpassword") ="password"
     
ObjSendMail.Configuration.Fields.Update
     
'End remote SMTP server configuration section==
     
ObjSendMail.To = "you@server.com"
ObjSendMail.Subject = strComputer & "  Has encountered Application Errors"
ObjSendMail.From = strComputer & "@server.com"
     
' we are sending a text email.. simply switch the comments around to send an html email instead
'ObjSendMail.HTMLBody = "this is the body"
ObjSendMail.TextBody = strComputer & chr(32) & txt
     
ObjSendMail.Send
     
Set ObjSendMail = Nothing 


 
dh061 (Author) Commented:
I really need an exclusion for this to work; the company's login scripts show up in the event, so I would be emailed nearly 3000 times a day.
 
Donald Stewart (Network Administrator) Commented:
You can try as below, but I don't know the limits to how many "Ands" you can place in the statement.
Set colLoggedEvents = objWMIService.ExecQuery ("Select * from Win32_NTLogEvent Where Type = 'warning' And Logfile = 'Application' And User <> 'internal' And  TimeWritten >= '" & dtmStart & "'")
 
Donald Stewart (Network Administrator) Commented:
Better idea: start a new question in the VBS scripting zone. Hopefully someone like RobSampson can help you figure out the exclusions.
 
Donald Stewart (Network Administrator) Commented:
Sorry, ignore the last comment. Request Attention to try to get more experts to look back at this question.
 
dh061 (Author) Commented:
Thanks for the fast response. I will give your addition a try. I will let you know if all the "Ands" work, lol.
 
jostrander Commented:
Hey dh061, just saw this post.  If you still need help, maybe this will work.

Add the account name to skip in the user variables section.
Something like:
strSkipAccount="DC02\internal"
or
strSkipAccount="MYDOMAIN\internal"
(however it appears in the event logs.)
ON ERROR RESUME NEXT


'--------------------------------------------------------------------
'       User Variables
'--------------------------------------------------------------------
'Server to monitor
strServer = "dc02" 

intPollSeconds=10

'Choose from:  
'Error,Warning,Information,Audit Success,Audit Failure
strTargetInstanceType="Audit Success"   

'Choose from:  
'APPLICATION,SYSTEM,SECURITY,DNS SERVER,FILE REPLICATION SERVICE,DIRECTORY SERVICE
strLogFile="SECURITY"

strEventCode="528"

strEmailSMTPserver="ex01"
strEmailTo="RTEvents@mail.com" 
strEmailFrom="me@mail.com"
strEmailSubject="Security: Someone has logged into DC02" 

strSkipAccount="DC02\internal"
'--------------------------------------------------------------------


Set objWMIService = GetObject("winmgmts:" _ 
        & "{impersonationLevel=impersonate}!\\" & strServer & "\root\cimv2") 

strQuery="Select * from __InstanceCreationEvent WITHIN " & intPollSeconds &_
        " where TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.Type='" & strTargetInstanceType & "' AND " & _
        "TargetInstance.Logfile='" & strLogFile & "' AND TargetInstance.EventCode='" & strEventCode & "'"

Set colMonitoredEvents = objWMIService.ExecNotificationQuery(strQuery) 



Do 
        txt=""
        
        Set objEvent = colMonitoredEvents.NextEvent()
        Set objTargetInst = objEvent.TargetInstance
        
        strTimeWritten= objTargetInst.Properties_("TimeWritten") & ""
        Set objSWbemDateTime = CreateObject("WbemScripting.SWbemDateTime")
        objSWbemDateTime.Value=strTimeWritten
        strDate=objSWbemDateTime.GetVarDate(True)       'True=Use OS Timezone
        
        
        strComputerName = objTargetInst.Properties_("ComputerName") & ""
        strType = objTargetInst.Properties_("Type") & ""
        strEventCode = objTargetInst.Properties_("EventCode") & ""
        strMessage= objTargetInst.Properties_("Message") & ""
        strUser = objTargetInst.Properties_("User") & ""
        
        If lcase(strUser)<>lcase(strSkipAccount) then

                If strUser<> "" then strUser="User:  " & strUser

                txt = txt & "Time Written:  " & strDate & vbCrLf & "Host:  " & strComputerName & vbCrLf & _
                        "Event Code:  " & strEventCode & vbCrLf & _
                        strUser & vbCrLf & vbCrLf & _
                        strMessage & vbCrLf & vbCrLf & _
                        "http://eventid.net/display.asp?eventid=" & strEventCode

                txt = "The following " & strLogFile & " events have occurred on host: " & strComputerName & vbCrLf & vbCrLf & txt
                SendMail txt

        End If

        Set objEvent = Nothing
        Set objTargetInst = Nothing
        strTimeWritten= ""
        strDate=""
        strComputerName = ""
        strType = ""
        strEventCode = ""
        strMessage=""
        strUser = ""
        
Loop


Sub SendMail(txt)
        ON ERROR RESUME NEXT
        
        if txt <> "" Then

                CONST cdoSendUsingPort = 2 
                CONST cdoAnonymous = 0 
                set msg = CreateObject("CDO.Message") 
                set config = CreateObject("CDO.Configuration") 
                set msg.Configuration = config 

                With msg 
                                .to = strEmailTo
                                .from = strEmailFrom 
                                .subject = strEmailSubject
                                .textbody = txt 
                End with 
 
                prefix = "http://schemas.microsoft.com/cdo/configuration/" 
 
                With config.fields 
                                .item(prefix & "sendusing") = cdoSendUsingPort 
                                .item(prefix & "smtpserver") = strEmailSMTPserver 
                                .item(prefix & "smtpauthenticate") = cdoAnonymous 
                                .update 
                End With 

                'Clear any earlier error so Err.Number reflects the Send call only
                Err.Clear
                msg.send 

                if err.number <> 0 then
                        'WshShell must exist before LogEvent can be called; without this
                        'line the call fails silently under On Error Resume Next
                        Set WshShell = CreateObject("WScript.Shell")
                        WshShell.LogEvent 1,"Error Sending Your Message" & vbCrLf & vbCrLf & _
                                "Email to:  " & strEmailTo & vbCrLf & _
                                "Email From:  " & strEmailFrom & vbCrLf & _
                                "Email Subject:  " & strEmailSubject & vbCrLf & _
                                "Email SMTP Server:  " & strEmailSMTPserver & vbCrLf & _
                                "Email Body:  " & txt 
                        
                End If
        End If

End Sub


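Two problems run through this thread: the asker needs to skip more than one service account (internal and rinstaller, in whatever DOMAIN\name form the log records them), and a burst of logons on the ISA box produced 200 mails in a minute. The following is an added Python example, not code from any of the posts, that models both pieces of logic so they can be checked offline before being carried over into the VBScript: a skip list matched on the bare account name regardless of prefix or case, a builder for the "And User <> ..." WQL form Donald Stewart suggested, and a batching window that turns a flood of events into one summary per window. The event records are constructed dicts with the Win32_NTLogEvent property names the scripts read; the 60-second window and 50-event cap are assumed defaults, not values from the thread.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


def normalize_account(user):
    """Bare account name, lower-cased, with any DOMAIN\\ or HOST\\ prefix
    removed, so 'DC02\\internal' and 'MYDOMAIN\\Internal' compare equal."""
    if not user:
        return ""
    return user.rsplit("\\", 1)[-1].strip().lower()


def should_skip(user, skip_accounts):
    """True when the event's User property names an excluded account."""
    skip = {normalize_account(a) for a in skip_accounts}
    return normalize_account(user) in skip


def build_wql(event_code, logfile, event_type, skip_accounts):
    """WQL for the polling style of query, one 'And User <> ...' clause per
    excluded account.  WMI compares the full DOMAIN\\name string, so every
    form that appears in the log has to be listed here."""
    def quote(s):
        return "'" + s.replace("'", "''") + "'"   # single quotes are doubled in WQL
    clauses = ["Logfile = " + quote(logfile),
               "Type = " + quote(event_type),
               "EventCode = " + str(int(event_code))]
    clauses += ["User <> " + quote(acct) for acct in skip_accounts]
    return "Select * from Win32_NTLogEvent Where " + " And ".join(clauses)


@dataclass
class Summary:
    host: str
    count: int
    users: list
    text: str


class EventBatcher:
    """Holds events until the window elapses or max_events is reached, then
    returns one Summary for the whole batch instead of one mail per event."""

    def __init__(self, window_seconds=60, max_events=50):   # assumed defaults
        self.window = timedelta(seconds=window_seconds)
        self.max_events = max_events
        self.pending = []
        self.window_start = None

    def add(self, event, now):
        if self.window_start is None:
            self.window_start = now
        self.pending.append(event)
        if now - self.window_start >= self.window or len(self.pending) >= self.max_events:
            return self.flush()
        return None

    def flush(self):
        if not self.pending:
            return None
        batch, self.pending, self.window_start = self.pending, [], None
        host = batch[0]["ComputerName"]
        users = sorted({e["User"] for e in batch})
        lines = ["%d logon event(s) (Event ID %s) on host %s"
                 % (len(batch), batch[0]["EventCode"], host), ""]
        lines += ["%s  %s" % (e["TimeWritten"].strftime("%Y-%m-%d %H:%M:%S"), e["User"])
                  for e in batch]
        return Summary(host, len(batch), users, "\n".join(lines))


def process_events(events, skip_accounts, window_seconds=60, max_events=50):
    """Run events (oldest first) through the skip list and the batcher and
    return the summaries that would have been handed to the mail routine."""
    batcher = EventBatcher(window_seconds, max_events)
    mails = []
    for ev in sorted(events, key=lambda e: e["TimeWritten"]):
        if should_skip(ev["User"], skip_accounts):
            continue
        summary = batcher.add(ev, ev["TimeWritten"])
        if summary:
            mails.append(summary)
    tail = batcher.flush()
    if tail:
        mails.append(tail)
    return mails


# Constructed sample data shaped like the Win32_NTLogEvent properties the scripts read.
T0 = datetime(2010, 3, 1, 8, 0, 0)
SKIP_ACCOUNTS = ["internal", "rinstaller"]


def sample_event(user, offset_seconds):
    return {"ComputerName": "DC02", "EventCode": 528, "User": user,
            "TimeWritten": T0 + timedelta(seconds=offset_seconds)}


SAMPLE_EVENTS = [
    sample_event("DC02\\internal", 0),        # login-script account, skipped
    sample_event("MYDOMAIN\\jsmith", 5),
    sample_event("MYDOMAIN\\Internal", 7),    # same account, other prefix and case, skipped
    sample_event("MYDOMAIN\\rinstaller", 9),  # second excluded account
    sample_event("MYDOMAIN\\admin2", 12),
]

if __name__ == "__main__":
    print(build_wql(528, "Security", "Audit Success", ["DC02\\internal"]))
    for m in process_events(SAMPLE_EVENTS, SKIP_ACCOUNTS):
        print(m.text)
```

The skip list is applied after the event arrives, which is what the notification-query scripts in this thread need (the __InstanceCreationEvent query cannot be narrowed by User in the same way), while build_wql shows the server-side form for the polling style of query. The batcher is the piece that would have stopped the 200-mails-in-a-minute flood: it still reports every non-excluded logon, but as one message per window.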
