Ok, I have the evtvwr_sec_parsed_.csv file created, good to go there.

I am grabbing three things from my evtvwr_sec file: the user, workstation, and IP address from 530 events.

I now want to email those offending my logon hours policy by using blat.

@ECHO OFF
REM Loop over the parsed file until end of file: each line is user,workstation,IP
REM (%%a, %%b, %%c) and blat is called once per line.
for /F "tokens=1,2,3 delims=," %%a in (evtvwr_sec_parsed_.csv) do blat header.txt -to [EMAIL PROTECTED] -cc [EMAIL PROTECTED] -s "Workstation not shutdown or user still logged on after hours access." -body "The Workstation (%%b) on IP (%%c) was logged into by you (%%a) after your log on hours have expired. Please log off your machine every night and shut down your machine.  This helps prevent damage to the workstation and assures the Credit Union no one is trying to access the network with your log on permissions."

________________________________

From: Jake Gardner [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 01, 2008 3:36 PM
To: NT System Admin Issues
Subject: RE: Run a batch file to send emails
I use elsave (nightly) to create a daily CSV of my security event logs and then it clears the security log.  I then run log parser to read the CSV and drop the columns I don't want, which gives me a cleaned up CSV file.

Watch the position identifier in the EXTRACT_TOKEN() function as this will grab the column(s) you want.  Using DISTINCT in the select will make sure you only grab one instance of the username.

Here's the batch file I use.

@ECHO OFF

REM Get current date for stamping the filename
for /F "tokens=2,3,4 delims=/ " %%i in ('date/t') do set d=%%k%%i%%j

REM Grab the full security event log and archive it
cd \
logparser -i:EVT -o:CSV -stats:OFF "SELECT * FROM Security where eventid = '560'" >> H:\logs\evtvwr_sec_%d%.csv

REM Clear the SECURITY log
cd c:\scripts
elsave -l security -C

REM Parse the full file and create an easier to read log file.
logparser -i:CSV -o:CSV -stats:OFF -e:-1 -q:ON "SELECT DISTINCT EXTRACT_TOKEN(Strings, 10, '|') AS User, EXTRACT_TOKEN(Strings, 2, '|') AS FilePath FROM H:\logs\evtvwr_sec_%d%.csv where eventid = '560' and User <> 'Administrator' and user <> '-' ORDER BY FilePath, User" > H:\logs\parsed\evtvwr_sec_parsed_%d%.csv
Thanks,

 

Jake Gardner

TTC Network Administrator

Ext. 246
________________________________

From: David McSpadden [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 01, 2008 3:10 PM
To: NT System Admin Issues
Subject: RE: Run a batch file to send emails

Ok, so I have this to create my blat input file but I am still getting too many results.

C:\Program Files\Log Parser 2.2>logparser "select extract_token(strings, 0, '|') as Account, TimeGenerated into file.csv from \\10.0.50.205\security where eventid in (530) "

I only want events from today-1.

________________________________

From: Jake Gardner [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 01, 2008 2:53 PM
To: NT System Admin Issues
Subject: RE: Run a batch file to send emails

 

Extract the date field the same way you extract the account field, then
add it to your where clause.
Thanks,

 

Jake Gardner

TTC Network Administrator

Ext. 246
________________________________

From: David McSpadden [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 01, 2008 2:32 PM
To: NT System Admin Issues
Subject: RE: Run a batch file to send emails

select distinct extract_token(strings, 0, '|') as Account
into file.csv from \\10.0.50.205\security
where eventid in (530)

How do I get just yesterday's 530 events?

________________________________

From: Jake Gardner [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 01, 2008 1:40 PM
To: NT System Admin Issues
Subject: RE: Run a batch file to send emails


Logparser

http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07

Thanks,

 

Jake Gardner

TTC Network Administrator

Ext. 246
________________________________

From: David McSpadden [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 01, 2008 1:33 PM
To: NT System Admin Issues
Subject: Run a batch file to send emails

I want to read an input file.

It would be comma delimited.  It will have the names of those users that have not logged off and are getting after hours logon events.

I only want to send 1 email per user, so I would have to sort, then group, then blat out the email.

My format for the file is like this:

866265068,Security,Security,AUDIT FAILURE,031004LD5Z3K55,12/1/2008 12:49:14 AM,530,SYSTEM\NT AUTHORITY,Logon Failure:     Reason:  Account logon time restriction violation     User Name: DawnH     Domain: IM_DOM1     Logon Type: 3     Logon Process: NtLmSsp      Authentication Package: NTLM     Workstation Name: XP31090634014W     Caller User Name: -     Caller Domain: -     Caller Logon ID: -     Caller Process ID: -     Transited Services: -     Source Network Address: 10.0.31.40     Source Port: 1087
866265066,Security,Security,AUDIT FAILURE,031004LD5Z3K55,12/1/2008 12:49:11 AM,530,SYSTEM\NT AUTHORITY,Logon Failure:     Reason:  Account logon time restriction violation     User Name: DawnH     Domain: IM_DOM1     Logon Type: 3     Logon Process: NtLmSsp      Authentication Package: NTLM     Workstation Name: XP31090634014W     Caller User Name: -     Caller Domain: -     Caller Logon ID: -     Caller Process ID: -     Transited Services: -     Source Network Address: 10.0.31.40     Source Port: 1044
866265063,Security,Security,AUDIT FAILURE,031004LD5Z3K55,12/1/2008 12:49:07 AM,530,SYSTEM\NT AUTHORITY,Logon Failure:     Reason:  Account logon time restriction violation     User Name: DawnH     Domain: IM_DOM1     Logon Type: 3     Logon Process: NtLmSsp      Authentication Package: NTLM     Workstation Name: XP31090634014W     Caller User Name: -     Caller Domain: -     Caller Logon ID: -     Caller Process ID: -     Transited Services: -     Source Network Address: 10.0.31.40     Source Port: 4976
866264132,Security,Security,AUDIT FAILURE,031004LD5Z3K55,12/1/2008 12:34:33 AM,530,SYSTEM\NT AUTHORITY,Logon Failure:     Reason:  Account logon time restriction violation     User Name: DavidE     Domain: IM_DOM1     Logon Type: 3     Logon Process: NtLmSsp      Authentication Package: NTLM     Workstation Name: XP250308200506     Caller User Name: -     Caller Domain: -     Caller Logon ID: -     Caller Process ID: -     Transited Services: -     Source Network Address: 10.0.50.48     Source Port: 4656
866264130,Security,Security,AUDIT FAILURE,031004LD5Z3K55,12/1/2008 12:34:33 AM,530,SYSTEM\NT AUTHORITY,Logon Failure:     Reason:  Account logon time restriction violation     User Name: DavidE     Domain: IM_DOM1     Logon Type: 3     Logon Process: NtLmSsp      Authentication Package: NTLM     Workstation Name: XP250308200506     Caller User Name: -     Caller Domain: -     Caller Logon ID: -     Caller Process ID: -     Transited Services: -     Source Network Address: 10.0.50.48     Source Port: 4614
866264128,Security,Security,AUDIT FAILURE,031004LD5Z3K55,12/1/2008 12:34:33 AM,530,SYSTEM\NT AUTHORITY,Logon Failure:     Reason:  Account logon time restriction violation     User Name: DavidE     Domain: IM_DOM1     Logon Type: 3     Logon Process: NtLmSsp      Authentication Package: NTLM     Workstation Name: XP250308200506     Caller User Name: -     Caller Domain: -     Caller Logon ID: -     Caller Process ID: -     Transited Services: -     Source Network Address: 10.0.50.48     Source Port: 4572
866264126,Security,Security,AUDIT FAILURE,031004LD5Z3K55,12/1/2008 12:34:33 AM,530,SYSTEM\NT AUTHORITY,Logon Failure:     Reason:  Account logon time restriction violation     User Name: DavidE     Domain: IM_DOM1     Logon Type: 3     Logon Process: NtLmSsp      Authentication Package: NTLM     Workstation Name: XP250308200506     Caller User Name: -     Caller Domain: -     Caller Logon ID: -     Caller Process ID: -     Transited Services: -     Source Network Address: 10.0.50.48     Source Port: 4529

 

So basically I want to skip everything except the User Name: and
Workstation Name:

I generate this list every morning for the prior day using psloglist and
now I want to parse it and blat an email to the offenders telling them
to shut down every night.

Any ideas???
Data Security is everyone's responsibility.
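As an added example (not code from this thread; the posters' own approach uses psloglist, Log Parser and blat), here is a Python version of the parsing step the original post asks for: read psloglist-style rows like the ones above, keep only event 530, restrict to the previous day ("today-1", the question raised later in the thread), and collapse the result to one user,workstation,IP row per user, which is exactly the input a blat loop needs. The sample rows are constructed from the format shown in this post, with two extra rows (labelled in the code) that exercise the date and event ID filters; the function names (parse_event, offenders, parsed_csv) and the REPORT_DAY constant are my own.

```python
"""Parse psloglist-style Security log CSV rows for event 530 (account logon
time restriction violation) and build one user,workstation,IP row per user
for the previous day, i.e. the input a blat notification loop needs.
Sample rows are constructed from the format shown in the thread."""
import re
from datetime import date, datetime, timedelta

# Message text of a 530 event in the layout psloglist emits (constructed
# from the thread's sample rows; field order and spacing kept the same).
MSG = ("Logon Failure:     Reason:  {reason}     User Name: {user}     "
       "Domain: IM_DOM1     Logon Type: 3     Logon Process: NtLmSsp      "
       "Authentication Package: NTLM     Workstation Name: {ws}     "
       "Caller User Name: -     Caller Domain: -     Caller Logon ID: -     "
       "Caller Process ID: -     Transited Services: -     "
       "Source Network Address: {ip}     Source Port: {port}    ")


def sample_row(rec, when, eid, user, ws, ip, port,
               reason="Account logon time restriction violation"):
    """Build one CSV row in the 9-field psloglist layout (constructed data)."""
    return (f"{rec},Security,Security,AUDIT FAILURE,031004LD5Z3K55,{when},"
            f"{eid},SYSTEM\\NT AUTHORITY,"
            + MSG.format(reason=reason, user=user, ws=ws, ip=ip, port=port))


SAMPLE_ROWS = [
    sample_row(866265068, "12/1/2008 12:49:14 AM", 530, "DawnH", "XP31090634014W", "10.0.31.40", 1087),
    sample_row(866265066, "12/1/2008 12:49:11 AM", 530, "DawnH", "XP31090634014W", "10.0.31.40", 1044),
    sample_row(866264132, "12/1/2008 12:34:33 AM", 530, "DavidE", "XP250308200506", "10.0.50.48", 4656),
    # constructed: same user, but on the day the report runs (must be excluded)
    sample_row(866270000, "12/2/2008 12:05:00 AM", 530, "DavidE", "XP250308200506", "10.0.50.48", 5000),
    # constructed: a different event ID on the right day (must be ignored)
    sample_row(866270001, "12/1/2008 12:06:00 AM", 529, "BobT", "XP99999999999W", "10.0.1.10", 5001,
               reason="Unknown user name or bad password"),
]

REPORT_DAY = date(2008, 12, 1)   # "today-1" for a run on 12/2/2008

# Negative lookbehind keeps "Caller User Name: -" from matching the user field.
FIELD_RE = {
    "user": re.compile(r"(?<!Caller )User Name:\s*(\S+)"),
    "workstation": re.compile(r"Workstation Name:\s*(\S+)"),
    "ip": re.compile(r"Source Network Address:\s*(\S+)"),
}


def parse_event(row):
    """Split one psloglist row into its fields; returns None for malformed rows.
    Only the first 8 commas are separators, so commas inside the message survive."""
    parts = row.rstrip("\r\n").split(",", 8)
    if len(parts) != 9:
        return None
    rec, _log, _src, _kind, computer, when, eid, _acct, msg = parts
    ev = {
        "record": int(rec),
        "computer": computer,
        "time": datetime.strptime(when, "%m/%d/%Y %I:%M:%S %p"),
        "event_id": int(eid),
    }
    for key, rx in FIELD_RE.items():
        m = rx.search(msg)
        ev[key] = m.group(1) if m else "-"
    return ev


def offenders(rows, report_day, event_id=530):
    """One entry per user for `event_id` events dated `report_day`
    (the DISTINCT-per-user step: hit count plus the latest workstation/IP seen)."""
    seen = {}
    for row in rows:
        ev = parse_event(row)
        if ev is None or ev["event_id"] != event_id or ev["time"].date() != report_day:
            continue
        entry = seen.setdefault(ev["user"], {"workstation": ev["workstation"],
                                             "ip": ev["ip"], "count": 0,
                                             "last": ev["time"]})
        entry["count"] += 1
        if ev["time"] >= entry["last"]:
            entry.update(workstation=ev["workstation"], ip=ev["ip"], last=ev["time"])
    return seen


def parsed_csv(seen):
    """Emit user,workstation,IP rows (sorted by user) for the blat loop."""
    return "".join(f"{u},{e['workstation']},{e['ip']}\n" for u, e in sorted(seen.items()))


if __name__ == "__main__":
    yesterday = date.today() - timedelta(days=1)   # what a nightly run would use
    print(f"a nightly run would report {yesterday}; the sample data reports {REPORT_DAY}")
    print(parsed_csv(offenders(SAMPLE_ROWS, REPORT_DAY)), end="")
```

Splitting on only the first eight commas is the important design choice: the message field is free text, so a plain comma split would shift every column the moment an event description contains a comma. Counting hits per user also gives you something the thread's DISTINCT approach drops, namely how often each account tripped the restriction, which is useful when deciding whether a user merely forgot to log off or whether the account is being used by something else overnight.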
***Teletronics Technology Corporation*** 
This e-mail is confidential and may also be privileged.  If you are not
the addressee or authorized by the addressee to receive this e-mail, you
may not disclose, copy, distribute, or use this e-mail. If you have
received this e-mail in error, please notify the sender immediately by
reply e-mail or by telephone at 267-352-2020 and destroy this message
and any copies.  

Thank you.

*******************************************************************