VBScript that sends an email when event ID 528 occurs

I had the help of a fellow Expert with a script that sent an email to me when event ID 632 was logged in the security logs. Here is the link:
http://www.experts-exchange.com/Programming/Languages/Visual_Basic/VB_Script/Q_25583642.html

I would like to do something similar to this. I would like to monitor security event 528 (when someone logs in) on 4 servers (DC01, DC02, EX01 and EX02). I need it to ignore when an account called internal triggers event 528, as it's a network account that the login script uses.

I tried editing the script myself, but on my ISA server (DC02) it sent me a loop of over 200 emails in less than a minute.

Thanks in advance for your help.
dh061 asked:

sr75 commented:
Here is my email function that I routinely use:

Function Notify()
        Dim strName, strRecip, strSubject, strMsg
        Dim strSrv, strSend, strServer, strPort
        Dim Msg

        strName    = "Notify@domain.com"        'Sender's Email
        strSrv     = "mailserver.domain.com"    'SMTP Server
        strSubject = "This is my subject"       'Email Subject
        strRecip   = "Recipient@domain.com"     'Recipient's Email

        strMsg = "This is the body of the email, it can be anything that is a string"

        'CDO configuration field names
        strSend   = "http://schemas.microsoft.com/cdo/configuration/sendusing"
        strServer = "http://schemas.microsoft.com/cdo/configuration/smtpserver"
        strPort   = "http://schemas.microsoft.com/cdo/configuration/smtpserverport"

        Set Msg = CreateObject("CDO.Message")
        Msg.Configuration.Fields.Item(strSend)   = 2        'cdoSendUsingPort: deliver over SMTP
        Msg.Configuration.Fields.Item(strServer) = strSrv
        Msg.Configuration.Fields.Item(strPort)   = 25
        Msg.Configuration.Fields.Update

        Msg.Subject  = strSubject
        Msg.From     = strName
        Msg.To       = strRecip
        Msg.TextBody = strMsg
        Msg.Send

        Set Msg = Nothing
End Function


sr75 commented:
And here is some code on how to read the event viewer:

On Error Resume Next

strComputer = InputBox("Computer Here!!!")
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
	& strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery("Select * from Win32_NTLogEvent " _
        & "Where Logfile = 'Application'")
For Each objEvent in colLoggedEvents
	ErrorChk = lcase(objEvent.Type)
	If instr(ErrorChk, "error") then
		Wscript.Echo "Category: " & objEvent.Category
		Wscript.Echo "Computer Name: " & objEvent.ComputerName
		Wscript.Echo "Event Code: " & objEvent.EventCode
		Wscript.Echo "Message: " & objEvent.Message
		Wscript.Echo "Record Number: " & objEvent.RecordNumber
		Wscript.Echo "Source Name: " & objEvent.SourceName
		Wscript.Echo "Time Written: " & objEvent.TimeWritten
		Wscript.Echo "Event Type: " & objEvent.Type
		Wscript.Echo "User: " & objEvent.User
	End If
Next


Justin Ellenbecker (IT Director) commented:
Is your ISA running as a proxy? If so, these are all the user authentications for the proxy.

dh061 (Author) commented:
Yes, it is the proxy server; however, it's not logging ID 528 for user authentications, as my security logs only show event 528 a handful of times. I think it is event 538 for that.

The code I have below is what causes the mass emails; maybe I messed up the do loop, not sure, because the large number of emails doesn't start generating until I log into the server to trigger the script.

I would also like to give credit to jostrander from my link above for the code. I edited it for my needs; his original script works like a charm for what it is supposed to do, but my changes to make it send emails for a different event ID seem to fail.

Thanks for the comments.
ON ERROR RESUME NEXT

'--------------------------------------------------------------------
'       User Variables
'--------------------------------------------------------------------
'Server to monitor
strServer = "dc02" 

intPollSeconds=10

'Choose from:  
'Error,Warning,Information,Audit Success,Audit Failure
strTargetInstanceType="Audit Success"   

'Choose from:  
'APPLICATION,SYSTEM,SECURITY,DNS SERVER,FILE REPLICATION SERVICE,DIRECTORY SERVICE
strLogFile="SECURITY"

strEventCode="528"

strEmailSMTPserver="ex01"
strEmailTo="RTEvents@mail.com" 
strEmailFrom="me@mail.com"
strEmailSubject="Security: Someone has logged into DC02" 
'--------------------------------------------------------------------


Set objWMIService = GetObject("winmgmts:" _ 
        & "{impersonationLevel=impersonate}!\\" & strServer & "\root\cimv2") 

strQuery="Select * from __InstanceCreationEvent WITHIN " & intPollSeconds &_
        " where TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.Type='" & strTargetInstanceType & "' AND " & _
        "TargetInstance.Logfile='" & strLogFile & "' AND TargetInstance.EventCode='" & strEventCode & "'"

Set colMonitoredEvents = objWMIService.ExecNotificationQuery(strQuery) 



Do 
        txt=""
        
        Set objEvent = colMonitoredEvents.NextEvent()
        Set objTargetInst = objEvent.TargetInstance
        
        strTimeWritten= objTargetInst.Properties_("TimeWritten") & ""
        Set objSWbemDateTime = CreateObject("WbemScripting.SWbemDateTime")
        objSWbemDateTime.Value=strTimeWritten
        strDate=objSWbemDateTime.GetVarDate(True)       'True=Use OS Timezone
        
        
        strComputerName = objTargetInst.Properties_("ComputerName") & ""
        strType = objTargetInst.Properties_("Type") & ""
        strEventCode = objTargetInst.Properties_("EventCode") & ""
        strMessage= objTargetInst.Properties_("Message") & ""
        strUser = objTargetInst.Properties_("User") & ""
        If strUser<> "" then strUser="User:  " & strUser

        
        txt = txt & "Time Written:  " & strDate & vbCrLf & "Host:  " & strComputerName & vbCrLf & _
                "Event Code:  " & strEventCode & vbCrLf & _
                strUser & vbCrLf & vbCrLf & _ 
        strMessage & vbCrLf & vbCrLf & _
                        "http://eventid.net/display.asp?eventid=" & strEventCode
	
	txt = "The following " & strLogFile & " events have occurred on host: " & strComputerName & vbCrLf & vbCrLf & txt 
       	SendMail txt


        Set objEvent = Nothing
        Set objTargetInst = Nothing
        strTimeWritten= ""
        strDate=""
        strComputerName = ""
        strType = ""
        strEventCode = ""
        strMessage=""
        strUser = ""
        
Loop


Sub SendMail(txt)
        ON ERROR RESUME NEXT
        
        if txt <> "" Then

                CONST cdoSendUsingPort = 2 
                CONST cdoAnonymous = 0 
                set msg = CreateObject("CDO.Message") 
                set config = CreateObject("CDO.Configuration") 
                set msg.Configuration = config 

                With msg 
                                .to = strEmailTo
                                .from = strEmailFrom 
                                .subject = strEmailSubject
                                .textbody = txt 
                End with 
 
                prefix = "http://schemas.microsoft.com/cdo/configuration/" 
 
                With config.fields 
                                .item(prefix & "sendusing") = cdoSendUsingPort 
                                .item(prefix & "smtpserver") = strEmailSMTPserver 
                                .item(prefix & "smtpauthenticate") = cdoAnonymous 
                                .update 
                End With 

                msg.send 

                if err.number <> 0 then
                        WshShell.LogEvent 1,"Error Sending Your Message" & vbCrLf & vbCrLf & _
                                "Email to:  " & strEmailTo & vbCrLf & _
                                "Email From:  " & strEmailFrom & vbCrLf & _
                                "Email Subject:  " & strEmailSubject & vbCrLf & _
                                "Email SMTP Server:  " & strEmailSMTPserver & vbCrLf & _
                                "Email Body:  " & txt 
                        
                End If
        End If

End Sub

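An added example, not code from the question or from any of the answers on this page. With ON ERROR RESUME NEXT in force, a failing ExecNotificationQuery (for instance because the Security log cannot be read) does not stop a Do loop of the shape above: each NextEvent call fails, execution resumes on the next line with empty fields, SendMail runs, and the loop comes straight round again, which is one way to get hundreds of messages in a minute. The version below checks Err after every WMI call, stops with a local event-log entry instead of mailing, and caps how many messages can leave in a time window so that a broken query can never flood the mailbox. The server and mail settings are placeholders taken from the question; MAX_MAILS_PER_WINDOW and WINDOW_SECONDS are arbitrary values to tune.

```vbscript
' Added example: guarded 528 monitor with a send-rate circuit breaker.
' Not from the original thread; server and mail settings are placeholders.
Option Explicit
On Error Resume Next

Dim strServer, strEmailSMTPserver, strEmailTo, strEmailFrom
strServer          = "dc02"             ' assumed, from the question
strEmailSMTPserver = "ex01"             ' assumed, from the question
strEmailTo         = "RTEvents@mail.com"
strEmailFrom       = "me@mail.com"

' Circuit breaker: never send more than MAX_MAILS_PER_WINDOW messages
' in any WINDOW_SECONDS period, whatever the event log does.
Const MAX_MAILS_PER_WINDOW = 10         ' arbitrary; tune to taste
Const WINDOW_SECONDS       = 600
Dim intSentInWindow, dtmWindowStart
intSentInWindow = 0
dtmWindowStart  = Now

Dim WshShell, objWMIService, colMonitoredEvents, objEvent, objTarget
Set WshShell = CreateObject("WScript.Shell")

' (Security) enables SeSecurityPrivilege, which WMI needs to read the Security log.
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" _
    & strServer & "\root\cimv2")
If Err.Number <> 0 Then Fail "cannot connect to WMI on " & strServer & ": " & Err.Description

Set colMonitoredEvents = objWMIService.ExecNotificationQuery( _
    "SELECT * FROM __InstanceCreationEvent WITHIN 10 " & _
    "WHERE TargetInstance ISA 'Win32_NTLogEvent' " & _
    "AND TargetInstance.Logfile = 'Security' AND TargetInstance.EventCode = 528")
If Err.Number <> 0 Then Fail "event query failed: " & Err.Description

Do
    Set objEvent = colMonitoredEvents.NextEvent()
    ' A failed NextEvent must not fall through to SendMail with empty fields,
    ' because the loop would immediately come round and do it again.
    If Err.Number <> 0 Then Fail "NextEvent failed (0x" & Hex(Err.Number) & "): " & Err.Description
    Set objTarget = objEvent.TargetInstance
    SendThrottled "Security: logon on " & objTarget.ComputerName, _
        "User: " & objTarget.User & vbCrLf & vbCrLf & objTarget.Message
Loop

Sub Fail(strReason)
    ' One event-log entry and exit: a broken query cannot become a mail flood.
    On Error Resume Next
    WshShell.LogEvent 1, "Logon monitor stopped: " & strReason
    WScript.Quit 1
End Sub

Sub SendThrottled(strSubject, strBody)
    If DateDiff("s", dtmWindowStart, Now) >= WINDOW_SECONDS Then
        dtmWindowStart  = Now
        intSentInWindow = 0
    End If
    intSentInWindow = intSentInWindow + 1
    If intSentInWindow > MAX_MAILS_PER_WINDOW Then
        ' Over budget: note it once in the local log, drop the rest of the window.
        If intSentInWindow = MAX_MAILS_PER_WINDOW + 1 Then
            WshShell.LogEvent 2, "Logon monitor: mail budget exceeded, suppressing alerts"
        End If
        Exit Sub
    End If
    SendMail strSubject, strBody
End Sub

Sub SendMail(strSubject, strBody)
    On Error Resume Next
    Dim msg
    Set msg = CreateObject("CDO.Message")
    With msg.Configuration.Fields
        .Item("http://schemas.microsoft.com/cdo/configuration/sendusing")  = 2   ' SMTP over the network
        .Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = strEmailSMTPserver
        .Update
    End With
    msg.From     = strEmailFrom
    msg.To       = strEmailTo
    msg.Subject  = strSubject
    msg.TextBody = strBody
    Err.Clear
    msg.Send
    If Err.Number <> 0 Then
        ' Delivery failure goes to the local log, never into another email.
        WshShell.LogEvent 1, "Logon monitor: SMTP send failed: " & Err.Description
        Err.Clear
    End If
End Sub
```

Run it with cscript under an account that holds SeSecurityPrivilege on the monitored server. If it stops immediately, the reason is in the Application log of the machine running it; in the original loop that same failure would have been silent apart from the flood of empty alerts.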

Don (Network Administrator) commented:

dh061 (Author) commented:
I could use an event trigger; that would allow me to remove the do loop. Do you know how to ignore accounts like an account called internal and rinstaller?

Don (Network Administrator) commented:
Here's an example of one I use; I haven't toyed around with excluding yet.
Dim dtmStart, SearchEventStart
Dim objWMIService, colLoggedEvents, objEvent, EventTime
Dim ObjSendMail, WshNetwork, strComputer, txt
Set WshNetwork = CreateObject("WScript.Network")
Set ObjSendMail = CreateObject("CDO.Message")
' look for the event that triggered me within the last 2 minutes
' (a larger window re-mails old events every time the trigger fires)
Const MinutesToSearchWithin = -2
Set dtmStart = CreateObject("WbemScripting.SWbemDateTime")
SearchEventStart = DateAdd("n", MinutesToSearchWithin, Now())
dtmStart.SetVarDate SearchEventStart, True   ' True = local time; yields the DMTF form WMI uses for TimeWritten

txt = ""

strComputer = WshNetwork.ComputerName
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery ("Select * from Win32_NTLogEvent Where Type = 'warning' And Logfile = 'Application' And TimeWritten >= '" & dtmStart & "'")
For Each objEvent in colLoggedEvents
    txt = txt & "Category: " & objEvent.Category
    ' TimeWritten is a DMTF string (yyyymmddHHMMSS.ffffff+zzz); show it as mm/dd/yyyy HH:MM.SS
    EventTime = Mid(objEvent.TimeWritten, 5, 2) & "/" & Mid(objEvent.TimeWritten, 7, 2) & "/" & _
        Mid(objEvent.TimeWritten, 1, 4) & " " & Mid(objEvent.TimeWritten, 9, 2) & ":" & _
        Mid(objEvent.TimeWritten, 11, 2) & "." & Mid(objEvent.TimeWritten, 13, 2)
    txt = txt & vbCrLf & "Time: " & EventTime
    txt = txt & vbCrLf & "EventCode: " & objEvent.EventCode
    txt = txt & vbCrLf & "Message: " & objEvent.Message
    txt = txt & vbCrLf & "RecordNumber: " & objEvent.RecordNumber
    txt = txt & vbCrLf & "SourceName: " & objEvent.SourceName
    txt = txt & vbCrLf & "Type: " & objEvent.Type
    txt = txt & vbCrLf & "User: " & objEvent.User
    txt = txt & vbCrLf & objEvent.Message & "<http://eventid.net/display.asp?eventid=" & objEvent.EventCode & "&source=" & objEvent.SourceName & "&Phase=1>" & vbCrLf & vbCrLf & vbCrLf
Next


if txt <> "" then
    txt = "The Following Application Errors Have Occurred on : " & strComputer & vbCrLf & vbCrLf & txt
else
    Wscript.Quit(0)    ' nothing new in the window, nothing to send
end if

'This section provides the configuration information for the remote SMTP server.

ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2 'Send the message using the network (SMTP over the network).
ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "mail.server.com"
ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 465
ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpusessl") = True 'Use SSL for the connection (True or False)
ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout") = 60

' If your server requires outgoing authentication, keep the three lines below with a valid
' email address and password; otherwise remove them. The password sits in clear text in this
' file, so restrict the script's ACL to the account that runs it.
ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate") = 1 'basic (clear-text) authentication, protected only by the SSL setting above
ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/sendusername") = "you@server.com"
ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/sendpassword") = "password"

ObjSendMail.Configuration.Fields.Update

'End remote SMTP server configuration section==

ObjSendMail.To = "you@server.com"
ObjSendMail.Subject = strComputer & "  Has encountered Application Errors"
ObjSendMail.From = strComputer & "@server.com"

' we are sending a text email.. simply switch the comments around to send an html email instead
'ObjSendMail.HTMLBody = "this is the body"
ObjSendMail.TextBody = strComputer & chr(32) & txt

ObjSendMail.Send

Set ObjSendMail = Nothing


dh061 (Author) commented:
I really need an exclusion for this to work; the company's login scripts show up in the event, so I would be emailed nearly 3000 times a day.

Don (Network Administrator) commented:
You can try as below, but I don't know the limits to how many "And"s you can place in the statement.
Set colLoggedEvents = objWMIService.ExecQuery ("Select * from Win32_NTLogEvent Where Type = 'warning' And Logfile = 'Application' And User <> 'internal' And  TimeWritten >= '" & dtmStart & "'")

Don (Network Administrator) commented:
Better idea, start a new question in the vbs scripting zone. Hopefully someone like RobSampson can help you figure out the exclusions.

Don (Network Administrator) commented:
Sorry, ignore the last comment. Request Attention to try and get more experts to look back at this question.

dh061 (Author) commented:
Thanks for the fast response, I will give your addition a try. I will let you know if all the "And"s work, lol.

jostrander commented:
Hey dh061, just saw this post. If you still need help, maybe this will work.

Add the account name to skip in the user variables section.
Something like:
strSkipAccount="DC02\internal"
or
strSkipAccount="MYDOMAIN\internal"
(however it appears in the event logs.)
ON ERROR RESUME NEXT


'--------------------------------------------------------------------
'       User Variables
'--------------------------------------------------------------------
'Server to monitor
strServer = "dc02"

intPollSeconds=10

'Choose from:
'Error,Warning,Information,Audit Success,Audit Failure
strTargetInstanceType="Audit Success"

'Choose from:
'APPLICATION,SYSTEM,SECURITY,DNS SERVER,FILE REPLICATION SERVICE,DIRECTORY SERVICE
strLogFile="SECURITY"

strEventCode="528"

strEmailSMTPserver="ex01"
strEmailTo="RTEvents@mail.com"
strEmailFrom="me@mail.com"
strEmailSubject="Security: Someone has logged into DC02"

strSkipAccount="DC02\internal"
'--------------------------------------------------------------------


Set WshShell = CreateObject("WScript.Shell")    'used by SendMail to log delivery failures

'(Security) enables SeSecurityPrivilege, which WMI needs to read the Security log
Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate,(Security)}!\\" & strServer & "\root\cimv2")

strQuery="Select * from __InstanceCreationEvent WITHIN " & intPollSeconds &_
        " where TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.Type='" & strTargetInstanceType & "' AND " & _
        "TargetInstance.Logfile='" & strLogFile & "' AND TargetInstance.EventCode='" & strEventCode & "'"

Set colMonitoredEvents = objWMIService.ExecNotificationQuery(strQuery)
If Err.Number <> 0 Then
        WshShell.LogEvent 1, "Event query failed on " & strServer & ": " & Err.Description
        WScript.Quit 1
End If



Do
        txt=""

        Set objEvent = colMonitoredEvents.NextEvent()
        'A failed NextEvent must not fall through to SendMail with empty fields,
        'or every pass of the loop sends another email
        If Err.Number <> 0 Then
                WshShell.LogEvent 1, "NextEvent failed on " & strServer & ": " & Err.Description
                WScript.Quit 1
        End If
        Set objTargetInst = objEvent.TargetInstance

        strTimeWritten= objTargetInst.Properties_("TimeWritten") & ""
        Set objSWbemDateTime = CreateObject("WbemScripting.SWbemDateTime")
        objSWbemDateTime.Value=strTimeWritten
        strDate=objSWbemDateTime.GetVarDate(True)       'True=Use OS Timezone


        strComputerName = objTargetInst.Properties_("ComputerName") & ""
        strType = objTargetInst.Properties_("Type") & ""
        strEventCode = objTargetInst.Properties_("EventCode") & ""
        strMessage= objTargetInst.Properties_("Message") & ""
        strUser = objTargetInst.Properties_("User") & ""

        'Case-insensitive match against the account to skip
        If lcase(strUser)<>lcase(strSkipAccount) then

                If strUser<> "" then strUser="User:  " & strUser

                txt = txt & "Time Written:  " & strDate & vbCrLf & "Host:  " & strComputerName & vbCrLf & _
                        "Event Code:  " & strEventCode & vbCrLf & _
                        strUser & vbCrLf & vbCrLf & _
                        strMessage & vbCrLf & vbCrLf & _
                        "http://eventid.net/display.asp?eventid=" & strEventCode

                txt = "The following " & strLogFile & " events have occurred on host: " & strComputerName & vbCrLf & vbCrLf & txt
                SendMail txt

        End If

        Set objEvent = Nothing
        Set objTargetInst = Nothing
        strTimeWritten= ""
        strDate=""
        strComputerName = ""
        strType = ""
        strEventCode = ""
        strMessage=""
        strUser = ""

Loop


Sub SendMail(txt)
        ON ERROR RESUME NEXT

        if txt <> "" Then

                CONST cdoSendUsingPort = 2
                CONST cdoAnonymous = 0
                set msg = CreateObject("CDO.Message")
                set config = CreateObject("CDO.Configuration")
                set msg.Configuration = config

                With msg
                                .to = strEmailTo
                                .from = strEmailFrom
                                .subject = strEmailSubject
                                .textbody = txt
                End with

                prefix = "http://schemas.microsoft.com/cdo/configuration/"

                With config.fields
                                .item(prefix & "sendusing") = cdoSendUsingPort
                                .item(prefix & "smtpserver") = strEmailSMTPserver
                                .item(prefix & "smtpauthenticate") = cdoAnonymous
                                .update
                End With

                Err.Clear
                msg.send

                if err.number <> 0 then
                        WshShell.LogEvent 1,"Error Sending Your Message" & vbCrLf & vbCrLf & _
                                "Email to:  " & strEmailTo & vbCrLf & _
                                "Email From:  " & strEmailFrom & vbCrLf & _
                                "Email Subject:  " & strEmailSubject & vbCrLf & _
                                "Email SMTP Server:  " & strEmailSMTPserver & vbCrLf & _
                                "Email Body:  " & txt

                End If
        End If

End Sub

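An added example, not part of jostrander's answer or the original question, that covers the two exclusion approaches raised in the thread: Don's idea of filtering in the WQL query and jostrander's single strSkipAccount compared in the script. It extends both to the list of accounts the question mentions (internal and rinstaller) and to all four servers. Two details matter. First, for Security events the User property holds the account as DOMAIN\name (as jostrander's note says), so a WQL clause of the form `User <> 'internal'` never matches; and because WQL string literals use C-style escapes, the backslash in the literal has to be written as `\\`. Second, one script can watch several servers by giving each subscription the same SWbemSink and handling everything in one callback. The server names, the MYDOMAIN prefix and the mail settings are placeholders; event 528 is the event the question asks about.

```vbscript
' Added example, not from the thread: one 528 subscription per server, a shared
' exclusion list, and the same exclusions pushed into the WQL query.
Option Explicit
On Error Resume Next

' Assumed values from the question. Write skip entries as the User field shows
' them ("DOMAIN\name") or as a bare name to match the account under any domain.
Dim arrServers, arrSkipAccounts, strEmailSMTPserver, strEmailTo, strEmailFrom
arrServers         = Array("DC01", "DC02", "EX01", "EX02")
arrSkipAccounts    = Array("MYDOMAIN\internal", "rinstaller")   ' MYDOMAIN is a placeholder
strEmailSMTPserver = "ex01"
strEmailTo         = "RTEvents@mail.com"
strEmailFrom       = "me@mail.com"

Dim WshShell, objSink, objWMIService, strServer
Set WshShell = CreateObject("WScript.Shell")
' One sink serves every server; the "SINK_" prefix routes events to SINK_OnObjectReady.
Set objSink = WScript.CreateObject("WbemScripting.SWbemSink", "SINK_")

For Each strServer In arrServers
    ' (Security) enables SeSecurityPrivilege, needed to read the Security log.
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" _
        & strServer & "\root\cimv2")
    If Err.Number = 0 Then objWMIService.ExecNotificationQueryAsync objSink, BuildQuery(10)
    If Err.Number <> 0 Then
        WshShell.LogEvent 1, "Logon monitor: cannot subscribe on " & strServer & ": " & Err.Description
        Err.Clear
    End If
Next

' Stay alive; events are delivered to the sink while the script sleeps.
Do
    WScript.Sleep 1000
Loop

' Called by WMI for every event that passed the WQL filter on the server.
Sub SINK_OnObjectReady(objEvent, objAsyncContext)
    On Error Resume Next
    Dim objTarget, strUser
    Set objTarget = objEvent.TargetInstance
    strUser = objTarget.User & ""
    ' Second check in the script: it also covers bare names, which WQL cannot match.
    If IsSkippedAccount(strUser) Then Exit Sub
    SendMail "Security: " & strUser & " logged on to " & objTarget.ComputerName, _
             "Event " & objTarget.EventCode & " on " & objTarget.ComputerName & vbCrLf & _
             "User: " & strUser & vbCrLf & vbCrLf & objTarget.Message
End Sub

' True when strUser matches an entry of arrSkipAccounts, case-insensitively.
' An entry without a backslash is compared against the part after DOMAIN\.
Function IsSkippedAccount(strUser)
    Dim strEntry, strBare
    IsSkippedAccount = False
    strBare = strUser
    If InStr(strUser, "\") > 0 Then strBare = Mid(strUser, InStrRev(strUser, "\") + 1)
    For Each strEntry In arrSkipAccounts
        If InStr(strEntry, "\") > 0 Then
            If StrComp(strEntry, strUser, vbTextCompare) = 0 Then IsSkippedAccount = True
        Else
            If StrComp(strEntry, strBare, vbTextCompare) = 0 Then IsSkippedAccount = True
        End If
    Next
End Function

' Notification query for event 528 with the fully qualified skip accounts
' excluded server-side, so their events never cross the wire. WQL string
' literals use C-style escapes: a backslash must be written as \\.
Function BuildQuery(intPollSeconds)
    Dim strEntry, strQuery
    strQuery = "SELECT * FROM __InstanceCreationEvent WITHIN " & intPollSeconds & _
        " WHERE TargetInstance ISA 'Win32_NTLogEvent'" & _
        " AND TargetInstance.Logfile = 'Security' AND TargetInstance.EventCode = 528"
    For Each strEntry In arrSkipAccounts
        If InStr(strEntry, "\") > 0 Then
            strQuery = strQuery & " AND TargetInstance.User <> '" & Replace(strEntry, "\", "\\") & "'"
        End If
    Next
    BuildQuery = strQuery
End Function

Sub SendMail(strSubject, strBody)
    On Error Resume Next
    Dim msg
    Set msg = CreateObject("CDO.Message")
    With msg.Configuration.Fields
        .Item("http://schemas.microsoft.com/cdo/configuration/sendusing")  = 2   ' SMTP over the network
        .Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = strEmailSMTPserver
        .Update
    End With
    msg.From     = strEmailFrom
    msg.To       = strEmailTo
    msg.Subject  = strSubject
    msg.TextBody = strBody
    Err.Clear
    msg.Send
    If Err.Number <> 0 Then WshShell.LogEvent 1, "Logon monitor: SMTP send failed: " & Err.Description
End Sub
```

The asynchronous form has one operational cost: each monitored server calls back into the machine running the script over DCOM, so that path must be open in any firewall between them, and the script has to stay running under an account that holds SeSecurityPrivilege on all four servers. Keep the in-script IsSkippedAccount check even though the WQL clause already drops the qualified names; it is what catches a bare entry such as "rinstaller" regardless of which domain or local machine the account belongs to.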