CODEWITHSUNDEEP
iis-7.5powershell-2.0
jladd
jladd

Reputation: 368

Powershell IIS Log analasys

I almost have this Powershell script completed but I am stuck at the last part and could really use some help with the final step. Below is my PS Script that I have written so far

$t1 =(get-date).AddMinutes(-10)
$t2 =$t1.ToUniversalTime().ToString("HH:mm:ss")
$IISLogPath = "C:\inetpub\logs\LogFiles\W3SVC1\"+"u_ex"+(get-date).ToString("yyMMdd")+".log" 
$IISLogFileRaw = [System.IO.File]::ReadAllLines($IISLogPath) 
$headers = $IISLogFileRaw[3].split(" ") 
$headers = $headers | where {$_ -ne "#Fields:"}
$IISLogFileCSV = Import-Csv -Delimiter " " -Header $headers -Path $IISLogPath
$IISLogFileCSV = $IISLogFileCSV | where {$_.date -notlike "#*"}
$timeTaken = $IISLogFileCSV | where {$_.("cs-uri-stem") -eq '/Login.aspx' -AND $_.("time") -gt '$t2' } | Format-Table time,s-ip

So basically it looks at the current days IIS Log and filters when a user gets to the login page for the past 10 minutes. The part that I am stuck at is I want to be emailed When an IP hits it more than 10 times within that 10 minutes (basically to be alerted when brute force attacks are happening). I have the email part of the code written just need the portion that says when the s-ip hits /login.aspx greater than 10 times. Also in my "test box" I have altered $t2 and $IISLogPath to be the following

$t2 = 20:00:00
$IISLogPath = C:\test\log.log

Below is my example Log file:

#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2012-06-27 15:05:24
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-06-27 20:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 20:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 20:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 20:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240

Upvotes: 1

Views: 7076

Answers (2)

jladd
jladd

Reputation: 368

After a little tinkering with the script, I have found the solution. Below is the whole script

$t1 =(get-date).AddMinutes(-10)
$t2 =$t1.ToUniversalTime().ToString("HH:mm:ss")
$IISLogPath = "C:\inetpub\logs\LogFiles\W3SVC1\"+"u_ex"+(get-date).ToString("yyMMdd")+".log" 
$IISLogFileRaw = [System.IO.File]::ReadAllLines($IISLogPath) 
$headers = $headers | where {$_ -ne "#Fields:"} 
$IISLogFileCSV = Import-Csv -Delimiter " " -Header $headers -Path $IISLogPath 
$IISLogFileCSV = $IISLogFileCSV | where {$_.date -notlike "#*"} 
$timeTaken = ($IISLogFileCSV | where {$_.("cs-uri-stem") -eq '/Login.aspx' -AND $_.("time") -gt '$t2' -AND $_.("cs-method") -eq 'Get'}).count  
$count = $timeTaken
if($count -ge 8)
{
 Send-MailMessage -From [email protected] -To [email protected] -Subject "IIS Alert" -BodyAsHtml "Email body goes here" -Attachments $IISLogPath  -SmtpServer ip.add.re.ss
}

Upvotes: 3

alroc
alroc

Reputation: 28144

You ought to be using Microsoft LogParser for most of the heavy lifting in parsing/querying your logfiles. It'll save you a lot of grief, and probably be faster to boot.

You can wrap it with PowerShell to parse the results of your queries.

Upvotes: 2

Related Questions