I've written a basic PowerShell script to monitor Event 4771. The problem is that it still shows RDS-Broker, which doesn't tell me anything; I want to filter it out and only send the real users. That normally works, but RDS-Broker still shows up sometimes.
#Set-ExecutionPolicy unrestricted
# Reads the Security ID of the newest event and sends it by mail; linked to an event trigger (scheduled task)
$Eventlog = "Security" # (Security, Application, System)
#old $EventID = "4625"
# $EventID is the event ID to react to
$EventID = "4771"
# Sender address, complete
$From = "[email protected]"
# Recipient address, complete
$To = "[email protected]"
$CC = "cc@some-domain"
$Subject = "Login Monitoring [BETA 1.1]"
$MailServer = "mail.some.domain"
$LOGPATH = "C:\Skripting\Logs\Audit\"
$LOGTMP1 = "tmp.txt"
$LOGTMP = $LOGPATH + $LOGTMP1
$LOG_NOMAIL = "nomail_login.txt"
$LOG_MAIL = "mail_login.txt"
$LOG1 = $LOGPATH + $LOG_NOMAIL
$LOG2 = $LOGPATH + $LOG_MAIL
# >>>>>>>> Query Eventlog <<<<<<<<
# Writes the newest matching event, formatted as a list, into $LOGTMP
get-winevent -FilterHashtable @{Logname='Security';ID=4771} -MaxEvents 1 | fl > $LOGTMP
# Pick the fields out of the (German-localized) message text; the variable holds the whole line, e.g. "Kontoname:  jdoe"
$Kontoname = Get-Content $LOGTMP | findstr /I kontoname
$Clientadresse = Get-Content $LOGTMP | findstr /I Clientadresse
$Clientport = Get-Content $LOGTMP | findstr /I TimeCreated
$Fehlercode = Get-Content $LOGTMP | findstr /I Fehlercode:
# Look up the error code's description in error.txt (findstr treats each space-separated word as its own search term)
$ErrorMsg = @(get-content "C:\Skripting\error.txt") | findstr "$Fehlercode"
#$Output = "Fehlerhafter Login:" + "`r`n" + $Kontoname + "`r`n" + $Clientadresse+ "`r`n" + " " + $Clientport + "`r`n" + $Fehlercode + "`r`n"
# HTML output - new:
$Output = "<b><h1>Fehlerhafter Login: </h1></b>" + "<br>" + $Kontoname + "<br>" + $Clientadresse + "<br>" + $Clientport + "<br>" + "Fehlercode: " + $ErrorMsg
$Body = $Output
# >>>>>>>> Send Mail-Alert <<<<<<<<
if ($Kontoname -eq '*RDS-Broker$*')
{
# If RDS-Broker is the user: log only, no mail
echo $Output > $LOG1
exit
}
else
{
# Everything else should be mailed
#Send-MailMessage -From $From -To $To -Subject $Subject -SmtpServer $MailServer -Body $Body
Send-MailMessage -Cc $CC -From $From -To $To -Subject $Subject -SmtpServer $MailServer -BodyAsHtml "$Body "
#echo $Output > C:\temp\true_loggin.txt
echo $Output > $LOG2
}
del $LOGTMP
It sends mail fine in case of a logon failure, but it still often shows RDS-Broker and I don't want that. Can someone tell me the fix?
If I understand correctly, your problem is only that the filter for the RDS-Broker user is not working.
You can solve this by changing the condition from
($Kontoname -eq '*RDS-Broker$*')
to
($Kontoname -like '*RDS-Broker$*')
- the -eq operator in PowerShell does not accept wildcards; it will only become true if the strings are exactly the same (including the asterisks). The -like operator should process your wildcards correctly.
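To make the difference visible, here is an added example (not part of the question or the answer above) that runs -eq, -like, -clike and -match over constructed "Kontoname:" lines shaped like the findstr output in the script; the function name and sample lines are assumptions.

```powershell
# Added example: how each comparison operator treats the line that findstr returns.
# The sample lines are constructed to look like the German-localized Format-List
# output of event 4771; they are not real log data.
$SampleLines = @(
    '                Kontoname:  RDS-Broker$',   # computer account of the broker
    '                Kontoname:  jdoe',          # a real user
    '                Kontoname:  rds-broker$'    # same account, different casing
)

function Test-BrokerFilter {
    param([string]$Kontoname)

    [pscustomobject]@{
        Line  = $Kontoname.Trim()
        # -eq compares the whole string literally: the asterisks are not wildcards,
        # so this is only $true when the line is exactly "*RDS-Broker$*".
        Eq    = ($Kontoname -eq '*RDS-Broker$*')
        # -like treats * as a wildcard and is case-insensitive by default,
        # so both spellings of the broker account are caught.
        Like  = ($Kontoname -like '*RDS-Broker$*')
        # -clike is the case-sensitive variant, if exact casing matters.
        CLike = ($Kontoname -clike '*RDS-Broker$*')
        # -match uses a regex (also case-insensitive by default). The literal
        # dollar sign in the account name must be escaped, and anchoring on the
        # field label avoids matching the name inside some other field.
        Match = ($Kontoname -match 'Kontoname:\s+RDS-Broker\$$')
    }
}

# Expected: Eq is False for every line; Like and Match are True, False, True;
# CLike is True, False, False.
$SampleLines | ForEach-Object { Test-BrokerFilter $_ } | Format-Table -AutoSize
```

Because findstr returns every matching line, $Kontoname can be an array when several fields match; -like then returns the matching elements instead of a single boolean, which still evaluates as true inside if when at least one element matches.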