dh061

VB script that sends an email when event ID 528 occurs

I had the help of a fellow Expert with a script that sent an email to me when event ID 632 was logged in the security logs.
here is the link
https://www.experts-exchange.com/questions/25583642/Help-with-Script-that-send-email-about-Event-Log.html

I would like to do something similar to this. I would like to monitor security event 528 (when someone logs in) on 4 servers (DC01, DC02, EX01 and EX02). I need it to ignore when an account called internal triggers event 528, as it's a network account that the login script uses.

I tried editing the script myself, but on my ISA server (DC02) it sent me a loop of over 200 emails in less than a minute.

Thanks in advance for your help.
sr75

Here is my email function that I routinely use:

Function Notify()
         Dim strName, strRecip, strSubject, strMsg
         Dim strSrv, strSend, strServer, strPort
         Dim Msg

         strName    = "Notify@domain.com"                'Sender's Email
         strSrv     = "mailserver.domain.com"            'SMTP Server
         strSubject = "This is my subject"               'Email Subject
         strRecip   = "Recipient@domain.com"             'Recipient's Email

         strMsg = "This is the body of the email, it can be anything that is a string"

         'CDO configuration field names
         strSend   = "http://schemas.microsoft.com/cdo/configuration/sendusing"
         strServer = "http://schemas.microsoft.com/cdo/configuration/smtpserver"
         strPort   = "http://schemas.microsoft.com/cdo/configuration/smtpserverport"

         Set Msg = CreateObject("CDO.Message")
         Msg.Configuration.Fields.Item(strSend)   = 2       '2 = cdoSendUsingPort: SMTP over the network
         Msg.Configuration.Fields.Item(strServer) = strSrv
         Msg.Configuration.Fields.Item(strPort)   = 25
         Msg.Configuration.Fields.Update

         Msg.Subject  = strSubject
         Msg.From     = strName
         Msg.To       = strRecip
         Msg.TextBody = strMsg
         Msg.Send

         'Only the CDO object needs releasing; the string variables are plain values
         Set Msg = Nothing
End Function

And here is some code on how to read the event viewer:

On Error Resume Next

strComputer = InputBox("Computer Here!!!")
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\cimv2")
If Err.Number <> 0 Then
    WScript.Echo "Cannot connect to WMI on " & strComputer & ": " & Err.Description
    WScript.Quit 1
End If

'Walk the whole Application log and print every entry whose Type contains "error"
Set colLoggedEvents = objWMIService.ExecQuery("Select * from Win32_NTLogEvent " _
    & "Where Logfile = 'Application'")
For Each objEvent in colLoggedEvents
    ErrorChk = LCase(objEvent.Type)
    If InStr(ErrorChk, "error") Then
        WScript.Echo "Category: " & objEvent.Category
        WScript.Echo "Computer Name: " & objEvent.ComputerName
        WScript.Echo "Event Code: " & objEvent.EventCode
        WScript.Echo "Message: " & objEvent.Message
        WScript.Echo "Record Number: " & objEvent.RecordNumber
        WScript.Echo "Source Name: " & objEvent.SourceName
        WScript.Echo "Time Written: " & objEvent.TimeWritten
        WScript.Echo "Event Type: " & objEvent.Type
        WScript.Echo "User: " & objEvent.User
    End If
Next

Justin Ellenbecker
Is your ISA running as a proxy?  If so these are all the user authentications for the proxy.
dh061

ASKER

Yes, it is the proxy server; however, it's not logging ID 528 for user authentications, as my security logs only show event 528 a handful of times. I think it is event 538 for that.

The code I have below is what causes the mass emails; maybe I messed up the do loop, not sure, because the large number of emails don't start generating until I log into the server to trigger the script.

I would also like to give credit to jostrander from my link above for the code. I edited it for my needs; his original script works like a charm for what it is supposed to do, but my changes to make it send emails for a different Event ID seemed to fail.

Thanks for the comments.
ON ERROR RESUME NEXT

'--------------------------------------------------------------------
'       User Variables
'--------------------------------------------------------------------
'Server to monitor
strServer = "dc02"

intPollSeconds=10

'Choose from:
'Error,Warning,Information,Audit Success,Audit Failure
strTargetInstanceType="Audit Success"

'Choose from:
'APPLICATION,SYSTEM,SECURITY,DNS SERVER,FILE REPLICATION SERVICE,DIRECTORY SERVICE
strLogFile="SECURITY"

strEventCode="528"

strEmailSMTPserver="ex01"
strEmailTo="RTEvents@mail.com"
strEmailFrom="me@mail.com"
strEmailSubject="Security: Someone has logged into DC02"
'--------------------------------------------------------------------

'SendMail writes to the Application log when a send fails; this object was never created before
Set WshShell = CreateObject("WScript.Shell")

'(Security) enables SeSecurityPrivilege, which WMI needs to read the Security log
Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate,(Security)}!\\" & strServer & "\root\cimv2")
If Err.Number <> 0 Then
        WshShell.LogEvent 1, "Cannot connect to WMI on " & strServer & ": " & Err.Description
        WScript.Quit 1
End If

strQuery="Select * from __InstanceCreationEvent WITHIN " & intPollSeconds &_
        " where TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.Type='" & strTargetInstanceType & "' AND " & _
        "TargetInstance.Logfile='" & strLogFile & "' AND TargetInstance.EventCode='" & strEventCode & "'"

Set colMonitoredEvents = objWMIService.ExecNotificationQuery(strQuery)
If Err.Number <> 0 Then
        'If the subscription fails, every NextEvent() call below returns at once and the
        'loop sends one email per pass. Stop here instead of spinning.
        WshShell.LogEvent 1, "Event subscription failed on " & strServer & ": " & Err.Description
        WScript.Quit 1
End If

Do
        txt=""
        Err.Clear       'Err is not reset by successful statements, so clear it before checking NextEvent

        Set objEvent = colMonitoredEvents.NextEvent()
        If Err.Number <> 0 Then
                WshShell.LogEvent 1, "NextEvent failed: " & Err.Description
                WScript.Quit 1
        End If
        Set objTargetInst = objEvent.TargetInstance

        strTimeWritten= objTargetInst.Properties_("TimeWritten") & ""
        Set objSWbemDateTime = CreateObject("WbemScripting.SWbemDateTime")
        objSWbemDateTime.Value=strTimeWritten
        strDate=objSWbemDateTime.GetVarDate(True)       'True=Use OS Timezone

        strComputerName = objTargetInst.Properties_("ComputerName") & ""
        strType = objTargetInst.Properties_("Type") & ""
        strEvtCode = objTargetInst.Properties_("EventCode") & ""      'per-event copy; strEventCode keeps the query value
        strMessage= objTargetInst.Properties_("Message") & ""
        strUser = objTargetInst.Properties_("User") & ""
        If strUser<> "" then strUser="User:  " & strUser

        txt = txt & "Time Written:  " & strDate & vbCrLf & "Host:  " & strComputerName & vbCrLf & _
                "Event Code:  " & strEvtCode & vbCrLf & _
                strUser & vbCrLf & vbCrLf & _
                strMessage & vbCrLf & vbCrLf & _
                "http://eventid.net/display.asp?eventid=" & strEvtCode

        txt = "The following " & strLogFile & " events have occurred on host: " & strComputerName & vbCrLf & vbCrLf & txt
        SendMail txt

        Set objEvent = Nothing
        Set objTargetInst = Nothing
        strTimeWritten= ""
        strDate=""
        strComputerName = ""
        strType = ""
        strEvtCode = ""
        strMessage=""
        strUser = ""
Loop


Sub SendMail(txt)
        ON ERROR RESUME NEXT

        if txt <> "" Then
                CONST cdoSendUsingPort = 2
                CONST cdoAnonymous = 0
                set msg = CreateObject("CDO.Message")
                set config = CreateObject("CDO.Configuration")
                set msg.Configuration = config

                With msg
                        .to = strEmailTo
                        .from = strEmailFrom
                        .subject = strEmailSubject
                        .textbody = txt
                End with

                prefix = "http://schemas.microsoft.com/cdo/configuration/"

                With config.fields
                        .item(prefix & "sendusing") = cdoSendUsingPort
                        .item(prefix & "smtpserver") = strEmailSMTPserver
                        .item(prefix & "smtpauthenticate") = cdoAnonymous
                        .update
                End With

                msg.send

                if err.number <> 0 then
                        WshShell.LogEvent 1,"Error Sending Your Message" & vbCrLf & vbCrLf & _
                                "Email to:  " & strEmailTo & vbCrLf & _
                                "Email From:  " & strEmailFrom & vbCrLf & _
                                "Email Subject:  " & strEmailSubject & vbCrLf & _
                                "Email SMTP Server:  " & strEmailSMTPserver & vbCrLf & _
                                "Email Body:  " & txt
                        err.clear
                End If
        End If

End Sub

dh061

ASKER

I could use an event trigger; that would allow me to remove the do loop. Do you know how to ignore accounts like an account called internal and rinstaller?
Here's an example of one I use; I haven't toyed around with excluding yet.
Dim dtmStart, SearchEventStart
Dim objWMIService, colLoggedEvents, objEvent, EventTime
Dim ObjSendMail, WshNetwork, strComputer, txt
Set WshNetwork = CreateObject("WScript.Network")
Set ObjSendMail = CreateObject("CDO.Message")
Const MinutesToSearchWithin = -2 ' look for the event that triggered me within the last 2 minutes (was -20000, about two weeks, which contradicted this comment)
Set dtmStart = CreateObject("WbemScripting.SWbemDateTime")
SearchEventStart = DateAdd("n", MinutesToSearchWithin, Now())
dtmStart.SetVarDate SearchEventStart, True ' DMTF form that WQL can compare against TimeWritten

txt = ""

strComputer = WshNetwork.ComputerName
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Bounded query: only entries written since dtmStart, which is all a trigger-driven run needs
Set colLoggedEvents = objWMIService.ExecQuery ("Select * from Win32_NTLogEvent Where Type = 'warning' And Logfile = 'Application' And TimeWritten >= '" & dtmStart.Value & "'")
For Each objEvent in colLoggedEvents
txt = txt &  "Category: " & objEvent.Category
' TimeWritten is a DMTF string (yyyymmddHHMMSS...); reorder it to mm/dd/yyyy HH:MM.SS
EventTime = Mid(objEvent.TimeWritten, 5, 2) & "/" & Mid(objEvent.TimeWritten, 7, 2) & "/" & _
    Mid(objEvent.TimeWritten, 1, 4) & " " & Mid(objEvent.TimeWritten, 9, 2) & ":" & _
    Mid(objEvent.TimeWritten, 11, 2) & "." & Mid(objEvent.TimeWritten, 13, 2)
txt = txt &  vbCrLf & "Time: " & EventTime
txt = txt &  vbCrLf & "EventCode: " & objEvent.EventCode
txt = txt &  vbCrLf & "Message: " & objEvent.Message
txt = txt &  vbCrLf & "RecordNumber: " & objEvent.RecordNumber
txt = txt &  vbCrLf & "SourceName: " & objEvent.SourceName
txt = txt &  vbCrLf & "Type: " & objEvent.Type
txt = txt &  vbCrLf & "User: " & objEvent.User
txt = txt &  vbCRLF & objEvent.Message & "<http://eventid.net/display.asp?eventid=" &objEvent.EventCode & "&source=" & objEvent.SourceName & "&Phase=1>" & vbcrlf & vbcrlf & vbcrlf
Next


if txt <> "" then

txt = "The Following Application Errors Have Occurred on : " & strComputer & vbcrlf & vbCRLF & txt

else
Wscript.Quit(0)
end if

'This section provides the configuration information for the remote SMTP server.

ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2 'Send the message using the network (SMTP over the network).
ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserver") ="mail.server.com"
ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 465
ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpusessl") = True 'Use SSL for the connection (True or False)
ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout") = 60

' If your server requires outgoing authentication, keep the three lines below with a valid mailbox and password; otherwise remove them.
' The password sits in clear text in this file, so use a send-only mailbox with no other rights and restrict who can read the script.
ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate") = 1 'basic (clear-text) authentication, protected on the wire by the SSL setting above
ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/sendusername") ="you@server.com"
ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/sendpassword") ="password"

ObjSendMail.Configuration.Fields.Update

'End remote SMTP server configuration section

ObjSendMail.To = "you@server.com"
ObjSendMail.Subject = strComputer & "  Has encountered Application Errors"
ObjSendMail.From = strComputer & "@server.com"

' we are sending a text email; switch the comments around to send an html email instead
'ObjSendMail.HTMLBody = "this is the body"
ObjSendMail.TextBody = strComputer & chr(32) & txt

ObjSendMail.Send

Set ObjSendMail = Nothing

dh061

ASKER

I really need an exclusion for this to work; the company's login scripts show up in the event, so I would be emailed nearly 3000 times a day.
You can try as below, but I don't know the limit on how many "And"s you can place in the statement.
Set colLoggedEvents = objWMIService.ExecQuery ("Select * from Win32_NTLogEvent Where Type = 'warning' And Logfile = 'Application' And User <> 'internal' And  TimeWritten >= '" & dtmStart & "'")
Better idea: start a new question in the VBS scripting zone. Hopefully someone like RobSampson can help you figure out the exclusions.
Sorry, ignore the last comment. Request Attention to try and get more experts to look back at this question.
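The exclusion dh061 asks for, applied to the polling script earlier in the thread and covering the `User <> 'internal'` WQL idea above, as an added example that is not part of the thread or of the accepted solution. The server name, SMTP host, mail addresses and the two account names are the question's own placeholders; the `(Security)` privilege in the moniker, the numeric `EventType = 4` filter and the position of the user name in the 528 insertion strings are assumptions, marked as such in the comments.

```vbscript
' Added example, not code from the thread: the 528 monitor with an account
' exclusion list and two guards against the mail flood. Server name, SMTP host,
' addresses and the excluded accounts are placeholders taken from the question.
Option Explicit
On Error Resume Next

Dim strServer, intPollSeconds, intMaxMailPerMinute, arrExcludedUsers
Dim strEmailSMTPserver, strEmailTo, strEmailFrom, strEmailSubject
strServer = "dc02"                                   ' server whose Security log is watched
intPollSeconds = 10
intMaxMailPerMinute = 20                             ' circuit breaker: cap on mails per minute
arrExcludedUsers = Array("internal", "rinstaller")   ' logon-script / installer accounts to ignore
strEmailSMTPserver = "ex01"
strEmailTo = "RTEvents@mail.com"
strEmailFrom = "me@mail.com"
strEmailSubject = "Security: logon (528) on " & UCase(strServer)

' Exclusion is done in the script rather than in the WQL so that "DOMAIN\internal",
' "internal" and "INTERNAL" all match; a WQL clause needs the exact DOMAIN\name form.
Function IsExcluded(strAccount)
    Dim strName, strEx
    IsExcluded = False
    strName = strAccount
    If InStr(strName, "\") > 0 Then strName = Mid(strName, InStrRev(strName, "\") + 1)
    For Each strEx In arrExcludedUsers
        If LCase(strName) = LCase(strEx) Then IsExcluded = True
    Next
End Function

Sub SendMail(strBody)
    Dim msg
    Set msg = CreateObject("CDO.Message")
    With msg.Configuration.Fields
        .Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2   ' SMTP over the network
        .Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = strEmailSMTPserver
        .Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
        .Update
    End With
    msg.From = strEmailFrom
    msg.To = strEmailTo
    msg.Subject = strEmailSubject
    msg.TextBody = strBody
    msg.Send
    If Err.Number <> 0 Then WScript.Echo "SMTP send failed: " & Err.Description
    Err.Clear
End Sub

' (Security) enables SeSecurityPrivilege, which WMI needs to read the Security log
' (assumption: the account running this has that right on strServer).
' EventType 4 = audit success; it is numeric, unlike the Type string the thread filters on.
Dim objWMIService, colEvents, objEvent, objTarget, strQuery
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & _
                              strServer & "\root\cimv2")
strQuery = "SELECT * FROM __InstanceCreationEvent WITHIN " & intPollSeconds & _
           " WHERE TargetInstance ISA 'Win32_NTLogEvent'" & _
           " AND TargetInstance.Logfile = 'Security'" & _
           " AND TargetInstance.EventType = 4" & _
           " AND TargetInstance.EventCode = 528"
Set colEvents = objWMIService.ExecNotificationQuery(strQuery)
If Err.Number <> 0 Then
    ' Without this check a failed subscription makes every NextEvent() return at
    ' once, and a loop that mails on each pass floods the mailbox.
    WScript.Echo "Cannot subscribe to events on " & strServer & ": " & Err.Description
    WScript.Quit 1
End If

Dim strUser, strLogonUser, arrIns, intCurMinute, intSentThisMinute, txt
intCurMinute = -1 : intSentThisMinute = 0
Do
    Err.Clear   ' Err is not reset by successful statements, so clear it before checking
    Set objEvent = colEvents.NextEvent()
    If Err.Number <> 0 Then
        WScript.Echo "NextEvent failed: " & Err.Description
        WScript.Quit 1
    End If
    Set objTarget = objEvent.TargetInstance
    strUser = objTarget.User & ""
    ' Assumption about the 528 message layout: insertion string 0 is the user name
    ' that logged on, which is what the exclusion should key on; User alone can
    ' name the account that wrote the event instead.
    strLogonUser = ""
    arrIns = objTarget.InsertionStrings
    If IsArray(arrIns) Then
        If UBound(arrIns) >= 0 Then strLogonUser = arrIns(0) & ""
    End If
    If Not (IsExcluded(strUser) Or IsExcluded(strLogonUser)) Then
        If Minute(Now) <> intCurMinute Then
            intCurMinute = Minute(Now)
            intSentThisMinute = 0
        End If
        intSentThisMinute = intSentThisMinute + 1
        If intSentThisMinute <= intMaxMailPerMinute Then
            txt = "Event 528 on " & objTarget.ComputerName & vbCrLf & _
                  "Time written:  " & objTarget.TimeWritten & vbCrLf & _
                  "User:  " & strUser & vbCrLf & _
                  "Logon user:  " & strLogonUser & vbCrLf & vbCrLf & objTarget.Message
            SendMail txt
        ElseIf intSentThisMinute = intMaxMailPerMinute + 1 Then
            SendMail "More than " & intMaxMailPerMinute & " logons this minute; the rest are not mailed."
        End If
    End If
Loop
```

Run it with `cscript //nologo` under an account that can read the remote Security log. The event-trigger variant posted above would call the same `IsExcluded` test inside its `For Each` loop rather than filtering in WQL. If the exclusion must live in the query instead, write the domain-qualified name with the backslash doubled, one clause per account, e.g. `AND TargetInstance.User <> 'DOMAIN\\internal'`; that form only matches the exact domain and spelling the event carries, which is why the script-side check is used here.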
dh061

ASKER

Thanks for the fast response. I will give your addition a try. I will let you know if all the "And"s work, lol.
ASKER CERTIFIED SOLUTION
jostrander

This solution is only available to members.