Alert for Logon Failed with Logs Count

Download JSON Download Python

Ratings

Release Time

03/17/2020

Downloads

920 times

Update Time

06/05/2025

Views

847 times

Share-it:

Tags

logon Failed Log

https://wiki.itarian.com/frontend/web/topic/how-to-use-custom-script-procedure-monitoring

Tested in Windows 10.

Procedure's Instructions

#To define a particular parameter, replace the 'parameterName' inside itsm.getParameter('parameterName') with that parameter's name
event_count = itsm.getParameter('LogsCount') #Enter the count of failed logons

import os
import re
import filecmp
import difflib
import sys
import ctypes
import socket
from subprocess import PIPE, Popen

Eventid=4625
ps_content=r'''

$EventLog = Get-WinEvent -FilterHashTable @{logname='security'; providername='Microsoft-Windows-Security-Auditing'; id=4625;} | select -first %s

$EventLogXML = @()

foreach ($Event in $EventLog) {
	$EventLogXML += [XML]$Event.ToXML()
}

foreach ($XMLEntry in $EventLogXML) {
	foreach ($Property in $XMLEntry.Event.EventData.Data) {
		if ($Property.Name -eq "TargetUserName" -and $Property.'#text' -ne ($ComputerName + "$")) {
			Write-Host 'Target Username:' $Property.'#text'
		}
        if ($Property.Name -eq "TargetDomainName" -and $Property.'#text' -ne ($ComputerName + "$")) {
			Write-Host 'Target Domainname:' $Property.'#text'
		}
	}
}

'''%(event_count)

workdir=os.environ['PROGRAMDATA']+r'\c1_temp'
if not os.path.exists(workdir):
    os.makedirs(workdir)
save_path=workdir

file_name='powershell_file.ps1'
file_path=os.path.join(os.environ['TEMP'], file_name)
with open(file_path, 'wb') as wr:
    wr.write(ps_content)

def computername():
    return os.environ['COMPUTERNAME']

def ipaddress():
    return socket.gethostbyname(socket.gethostname())

cmd=os.popen("systeminfo | findstr OS").read()

def eventid():
    class disable_file_system_redirection:
        _disable = ctypes.windll.kernel32.Wow64DisableWow64FsRedirection
        _revert = ctypes.windll.kernel32.Wow64RevertWow64FsRedirection
        def __enter__(self):
            self.old_value = ctypes.c_long()
            self.success = self._disable(ctypes.byref(self.old_value))
        def __exit__(self, type, value, traceback):
            if self.success:
                self._revert(self.old_value)
                
    setpolicy=os.popen('powershell "Set-ExecutionPolicy RemoteSigned"').read()

if "Server" in cmd:
       with disable_file_system_redirection():
          logs=os.popen('powershell.exe ' +'"'+'Get-Eventlog security| where {$_.eventid -like %s} | select -first %s '%(Eventid,event_count)+'"').read()

elif "Microsoft Windows" in cmd:
       with disable_file_system_redirection():
         logs=os.popen('powershell.exe ' +'"'+"Get-WinEvent -FilterHashtable @{logname='security'; providername='Microsoft-Windows-Security-Auditing'; id=%s;}| select -first %s"%(Eventid,event_count)+'"').read()
    return logs
    print logs

login_event=[]
flag=0
global fnd2
fnd2=0
out=save_path+"\\Output.txt"
event=eventid()

for i in [i.strip() for i in event.split("\n\n")  if i.strip()]:
    i = i.lower()
    login_event.append(i)

def alert(arg): 
   sys.stderr.write("%d%d%d" % (arg, arg, arg)) 
def files():
    file_name1 = "login_old.txt"
    cur_dir1 = save_path
    file_list1 = os.listdir(cur_dir1)
    parent_dir1 = os.path.dirname(cur_dir1)
    if file_name1 in file_list1:
        fnd2=1
        with open(os.path.join(save_path, "login_new.txt"), "w") as file_1:
            for j in login_event:
                j=str(j)
                file_1.write(j+'\n')
                fnd2=1      
    else:
        with open(os.path.join(save_path, "login_old.txt"), "w") as file_1:
            file_1.write('\n')
            fnd2=2  
    return fnd2
def swchanges():  
    file11=save_path+"\\login_new.txt"
    file_1=save_path+"\\login_old.txt"
    flag=0
    class disable_file_system_redirection:
        _disable = ctypes.windll.kernel32.Wow64DisableWow64FsRedirection
        _revert = ctypes.windll.kernel32.Wow64RevertWow64FsRedirection
        def __enter__(self):
            self.old_value = ctypes.c_long()
            self.success = self._disable(ctypes.byref(self.old_value))
        def __exit__(self, type, value, traceback):
            if self.success:
                self._revert(self.old_value)
    
    with disable_file_system_redirection():
        setpolicy=os.popen('powershell "Set-ExecutionPolicy RemoteSigned"').read()
        obj = Popen('powershell "%s"'%file_path, shell = True, stdout = PIPE, stderr = PIPE)
        ipaddress=os.popen('powershell.exe ' +'"'+"Test-Connection -ComputerName (hostname) -Count 1  | Select IPV4Address"+'"').read()
        ipaddress = ipaddress.splitlines()[3]
        output_o, err = obj.communicate()
    if False==0:     
        with open(file11) as file:
           data1=file.read()
           data1.strip()
           with open(file_1) as file:
               data21=file.read()
               data21.strip()
               text1Lines1 = data1.splitlines(1)
               text2Lines1 = data21.splitlines(1)
               diffInstance1 = difflib.Differ()
               diffList1 = list(diffInstance1.compare(text1Lines1,text2Lines1 ))
               with open(out, 'a+') as o1:
                   o1.write(computername())
                   o1.write('\n')
                   o1.write(ipaddress)
                   o1.write('\n')
                   o1.write(output_o)
                   o1.write("\n********** Newly Added Event logs***********\n")
                   for line in diffList1:
                       if line[0] == '-':
                           flag=1
                           o1.write(line)
               o1.close()  
           file.close()
        file.close()
    return flag 
def remove():
    os.remove(save_path+"\\login_old.txt")
    os.rename(save_path+"\\login_new.txt",save_path+"\\login_old.txt" )
    os.remove(save_path+"\\Output.txt")
ki=files()
if ki==2:
    with open(os.path.join(save_path, "login_old.txt"), "w") as file_1:
        file_1.write('\n')
    file_1.close()
    ki=files()
s=swchanges()
if s ==0:
    print "No new event for logon failed"
    alert(0)
else:
    with open(out, 'r') as o1:
        for i in o1:
            print i
    o1.close()
    alert(1)
v=remove()

 
#To define a particular parameter, replace the 'parameterName' inside itsm.getParameter('parameterName') with that parameter's name
event_count = itsm.getParameter('LogsCount') #Enter the count of failed logons
​
import os
import re
import filecmp
import difflib
import sys
import ctypes
import socket
from subprocess import PIPE, Popen
​
Eventid=4625
ps_content=r'''
​
$EventLog = Get-WinEvent -FilterHashTable @{logname='security'; providername='Microsoft-Windows-Security-Auditing'; id=4625;} | select -first %s
​
$EventLogXML = @()
​
foreach ($Event in $EventLog) {
    $EventLogXML += [XML]$Event.ToXML()
}
​
foreach ($XMLEntry in $EventLogXML) {
    foreach ($Property in $XMLEntry.Event.EventData.Data) {
        if ($Property.Name -eq "TargetUserName" -and $Property.'#text' -ne ($ComputerName + "$")) {
            Write-Host 'Target Username:' $Property.'#text'
        }
        if ($Property.Name -eq "TargetDomainName" -and $Property.'#text' -ne ($ComputerName + "$")) {
            Write-Host 'Target Domainname:' $Property.'#text'
        }
    }
}
​
'''%(event_count)
​
​
​
workdir=os.environ['PROGRAMDATA']+r'\c1_temp'
if not os.path.exists(workdir):
    os.makedirs(workdir)
save_path=workdir
​
file_name='powershell_file.ps1'
file_path=os.path.join(os.environ['TEMP'], file_name)
with open(file_path, 'wb') as wr:
    wr.write(ps_content)
​
def computername():
    return os.environ['COMPUTERNAME']
​
def ipaddress():
    return socket.gethostbyname(socket.gethostname())
​
cmd=os.popen("systeminfo | findstr OS").read()
​
def eventid():
    class disable_file_system_redirection:
        _disable = ctypes.windll.kernel32.Wow64DisableWow64FsRedirection
        _revert = ctypes.windll.kernel32.Wow64RevertWow64FsRedirection
        def __enter__(self):
            self.old_value = ctypes.c_long()
            self.success = self._disable(ctypes.byref(self.old_value))
        def __exit__(self, type, value, traceback):
            if self.success:
                self._revert(self.old_value)
                
    setpolicy=os.popen('powershell "Set-ExecutionPolicy RemoteSigned"').read()
​
    if "Server" in cmd:
       with disable_file_system_redirection():
          logs=os.popen('powershell.exe ' +'"'+'Get-Eventlog security| where {$_.eventid -like %s} | select -first %s '%(Eventid,event_count)+'"').read()
​
    elif "Microsoft Windows" in cmd:
       with disable_file_system_redirection():
         logs=os.popen('powershell.exe ' +'"'+"Get-WinEvent -FilterHashtable @{logname='security'; providername='Microsoft-Windows-Security-Auditing'; id=%s;}| select -first %s"%(Eventid,event_count)+'"').read()
    return logs
    print logs
​
login_event=[]
flag=0
global fnd2
fnd2=0
out=save_path+"\\Output.txt"
event=eventid()
​
for i in [i.strip() for i in event.split("\n\n")  if i.strip()]:
    i = i.lower()
    login_event.append(i)
​
def alert(arg): 
   sys.stderr.write("%d%d%d" % (arg, arg, arg)) 
def files():
    file_name1 = "login_old.txt"
    cur_dir1 = save_path
    file_list1 = os.listdir(cur_dir1)
    parent_dir1 = os.path.dirname(cur_dir1)
    if file_name1 in file_list1:
        fnd2=1
        with open(os.path.join(save_path, "login_new.txt"), "w") as file_1:
            for j in login_event:
                j=str(j)
                file_1.write(j+'\n')
                fnd2=1      
    else:
        with open(os.path.join(save_path, "login_old.txt"), "w") as file_1:
            file_1.write('\n')
            fnd2=2  
    return fnd2
def swchanges():  
    file11=save_path+"\\login_new.txt"
    file_1=save_path+"\\login_old.txt"
    flag=0
    class disable_file_system_redirection:
        _disable = ctypes.windll.kernel32.Wow64DisableWow64FsRedirection
        _revert = ctypes.windll.kernel32.Wow64RevertWow64FsRedirection
        def __enter__(self):
            self.old_value = ctypes.c_long()
            self.success = self._disable(ctypes.byref(self.old_value))
        def __exit__(self, type, value, traceback):
            if self.success:
                self._revert(self.old_value)
    
    with disable_file_system_redirection():
        setpolicy=os.popen('powershell "Set-ExecutionPolicy RemoteSigned"').read()
        obj = Popen('powershell "%s"'%file_path, shell = True, stdout = PIPE, stderr = PIPE)
        ipaddress=os.popen('powershell.exe ' +'"'+"Test-Connection -ComputerName (hostname) -Count 1  | Select IPV4Address"+'"').read()
        ipaddress = ipaddress.splitlines()[3]
        output_o, err = obj.communicate()
    if False==0:     
        with open(file11) as file:
           data1=file.read()
           data1.strip()
           with open(file_1) as file:
               data21=file.read()
               data21.strip()
               text1Lines1 = data1.splitlines(1)
               text2Lines1 = data21.splitlines(1)
               diffInstance1 = difflib.Differ()
               diffList1 = list(diffInstance1.compare(text1Lines1,text2Lines1 ))
               with open(out, 'a+') as o1:
                   o1.write(computername())
                   o1.write('\n')
                   o1.write(ipaddress)
                   o1.write('\n')
                   o1.write(output_o)
                   o1.write("\n********** Newly Added Event logs***********\n")
                   for line in diffList1:
                       if line[0] == '-':
                           flag=1
                           o1.write(line)
               o1.close()  
           file.close()
        file.close()
    return flag 
def remove():
    os.remove(save_path+"\\login_old.txt")
    os.rename(save_path+"\\login_new.txt",save_path+"\\login_old.txt" )
    os.remove(save_path+"\\Output.txt")
ki=files()
if ki==2:
    with open(os.path.join(save_path, "login_old.txt"), "w") as file_1:
        file_1.write('\n')
    file_1.close()
    ki=files()
s=swchanges()
if s ==0:
    print "No new event for logon failed"
    alert(0)
else:
    with open(out, 'r') as o1:
        for i in o1:
            print i
    o1.close()
    alert(1)
v=remove()
​

Comments

No Comments.

Alert for Logon Failed with Logs Count

Comments

Leave a Comment