monitor failed login attempts and pipe ip address to txt?

This topic contains 0 replies, has 1 voice, and was last updated by  Forums Archives 5 years, 7 months ago.

  • Author
    Posts
  • #5233

    by jim.w.armstrong at 2012-10-25 21:55:16

    I want to monitor the security event log for failed login attempts and capture the ip address and redirect to a txt file on any pc or server. I'd like to get the user name also, but I'll start with the ip address.

    I found this script searching the web. I added the Out-File cmd-let.

    It runs without throwing an error but the txt file isn't created.
    1. Should the script work as it is without the Out-File cmd-let?
    If it should.
    2. What am I doing wrong with the Out-File cmd?

    $DT = [DateTime]::Now.AddDays(-365) # check only last 24 hours

    $l = Get-EventLog -LogName 'Security' -InstanceId 4625 -After $DT | Select-Object @{n='IpAddress';e={$_.ReplacementStrings[-2]} } # select Ip addresses that has audit failure
    $g = $l | group-object -property IpAddress | where {$_.Count -gt 1} | Select -property Name # get ip addresses, that have more than 1 wrong logins | Out-File c:\myscripts\failediptest1.txt

    I've read some of the documentation for the Out-File cmd.
    technet.microsoft.com/en-us/library/eel176924.aspx

    And searched the web for examples of how it's used.
    http://www.powershellpro.com/what-you-must-kno ... t-file/24/

    Thanks

    by jim.w.armstrong at 2012-10-25 21:59:35

    One other note, I changed the value from 1 to 365 for the Now.AddDays I was trying to get something output to the txt file. I'm running the script on my Win7 Pro laptop and I've got some evt id 4625 in the log.

    by Klaas at 2012-10-26 01:18:14

    If your code is really formatted as you put it here, there are two issues:
    – the Out-file cmdlet is commented out
    – you try to assign to a variable and send to the pipeline at the same time

    So if you arrange your code like this:
    $DT = [DateTime]::Now.AddDays(-1)
    Get-EventLog -LogName 'Security' -InstanceId 4625 -After $DT |
    Select-Object @{n='IpAddress';e={$_.ReplacementStrings[-2]} } |
    group-object -property IpAddress | where {$_.Count -gt 1} | Select -property Name |
    Out-File c:\myscripts\failediptest1.txt

    it should work.

You must be logged in to reply to this topic.