'========================================================================== ' NAME : ' AUTHOR : Bart Hermans ' DATE : ' DESCRIPTION: ' USE IN : ' COMMENT : '========================================================================== 'Variable Declarations '========================================================================== 'On Error Resume next Dim objFSO,strText(100),SearchFor(20),Result(20) Set objFSO = CreateObject("Scripting.FileSystemObject")'Drives,folders,folder,files,file Set objShell = WScript.CreateObject("WScript.Shell")'Specialfolders,shortcut,environment Set WshNetwork = WScript.CreateObject("WScript.Network")'Mappings,connections Set StdOut = WScript.StdOut Set objArgs = Wscript.Arguments strComputerName = WshNetwork.ComputerName args = Wscript.Arguments.Count if args = 0 then 'wscript.echo "Please give evenlog ID as an Argument" wscript.quit else if args > 1 then 'wscript.echo "To much argument parameters..." wscript.quit else Argu = ucase(objArgs(0)) end if end if If Argu = "1200" then EventID = "1200" If Argu = "1201" then EventID = "1201" If Argu = "1203" then EventID = "1203" If Argu = "1206" then EventID = "1206" If Argu = "1210" then EventID = "1210" If EventID = "" then wscript.quit strlogpath = "d:\logging\logs\" Logfile = "SecurityLog.csv" SearchFor(1) = "AuditResult>" SearchFor(2) = "UserId>" SearchFor(3) = "RelyingParty>" SearchFor(4) = "ClaimsProvider>" SearchFor(5) = "NetworkLocation>" SearchFor(6) = "IpAddress>" SearchFor(7) = "ForwardedIpAddress>" SearchFor(8) = "ProxyServer>" SearchFor(9) = "AuditType>" SearchFor(10) = "SignedInRP>" MaxSearch = 10 'Here I use the command line WevtUtil to get information out of the Eventlog Set objExecObject = objShell.Exec("cmd /c wevtutil qe security /q:" & chr(34) &"*[System[(EventID=" & EventID & ")]]" & chr(34) & " /f:text /rd:true /c:1") Do While Not objExecObject.StdOut.AtEndOfStream x = x + 1 strText(x) = objExecObject.StdOut.ReadLine() if x = 4 then InventoryDate = Trim(strText(x)) Part1InventoryDate = split(InventoryDate,"T")(0) DateInfo = Replace(Part1InventoryDate,"Date: ","") HourInfo = split(InventoryDate,"T")(1) end if for t = 1 to MaxSearch SearchStr1 = "<" & SearchFor(t): SearchStr2 = " 0 then Strip Next Loop Set Logfile = objfso.OpenTextFile(strLogPath & "\" & Logfile,8) Logfile.writeline DateInfo & ";" & HourInfo & ";" & EventID & ";" & Result(9) & ";" & Result(10) & ";" & Result(1) & ";" & Result(2) & ";" & Result(3) & ";" & Result(4) & ";" & Result(5) & ";" & Result(6) & ";" & Result(7) & ";" & Result(8) Logfile.close If Result(9) = "ExtranetLockout" then FROMFIELD = "ADFS-Lockedout-Account@stater.be" Set objEmail = CreateObject("CDO.Message") objEmail.From = FROMFIELD objEmail.To = "Bart.hermans@xxx.be" objEmail.Subject = "Locked Out account on ADFS detected: " & Result(2) objEmail.Textbody = "On " & strComputerName & " a user named " & Result(2) & " is locked out after 3 bad password attemtps. After 15 minutes he can retry one time. Otherwise he will be locked in AD and ADFS." objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2 objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "SMTPRelay.xxx.be" objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25 objEmail.Configuration.Fields.Update objEmail.Send end if wscript.quit Sub Strip ResultTrim = Trim(strText(x)) Remove1 = Replace(ResultTrim,SearchStr1,"") Remove2 = Replace(Remove1,SearchStr2,"") Result(t) = Remove2 End Sub