slaughter

_EventLog__Read error. Not reading description as it should.


slaughter

The code does not get the correct Source Network Address and many other values. Any recommendations? Or is it a bug? Using on MS Server 2008 R2.

#include <GUIConstantsEx.au3>
#include <EventLog.au3>
#RequireAdmin


Global $iMemo

_Main()

Func _Main()
    Local $hEventLog, $aEvent

    ; Create GUI
    GUICreate("EventLog", 604, 604)

    $iMemo = GUICtrlCreateEdit("", 2, 2, 600, 600)
    GUICtrlSetFont($iMemo, 9, 400, 0, "Courier New")
    GUISetState()

    ; Read most current event record
    $hEventLog = _EventLog__Open("", "Security")

    Local $i = 0


    ;While IsArray($aEvent)
    While $i <= 100
        $aEvent = _EventLog__Read($hEventLog, True, False) ; read last event
        if IsArray($aEvent) Then
            ConsoleWrite($aEvent[8]& @CRLF)
            if ($aEvent[8] = "Failure audit") Then
                MemoWrite("Result ............: " & $aEvent[0])
                MemoWrite("Record number .....: " & $aEvent[1])
                MemoWrite("Submitted .........: " & $aEvent[2] & " " & $aEvent[3])
                MemoWrite("Generated .........: " & $aEvent[4] & " " & $aEvent[5])
                MemoWrite("Event ID ..........: " & $aEvent[6])
                MemoWrite("Type ..............: " & $aEvent[8])
                MemoWrite("Category ..........: " & $aEvent[9])
                MemoWrite("Source ............: " & $aEvent[10])
                MemoWrite("Computer ..........: " & $aEvent[11])
                MemoWrite("Username ..........: " & $aEvent[12])
                MemoWrite("Description .......: " & $aEvent[13])
            Else
                ;MemoWrite($aEvent[8])
            EndIf
        EndIf
        $i = $i + 1
    WEnd
    _EventLog__Close($hEventLog)


    ; Loop until user exits
    Do
    Until GUIGetMsg() = $GUI_EVENT_CLOSE

EndFunc   ;==>_Main

; Write a line to the memo control
Func MemoWrite($sMessage)
    GUICtrlSetData($iMemo, $sMessage & @CRLF, 1)
EndFunc   ;==>MemoWrite

What I get from the AutoIt code:

Result ............: True
Record number .....: 10920
Submitted .........: 02/25/2014 10:20:54 PM
Generated .........: 02/25/2014 10:20:54 PM
Event ID ..........: 4625
Type ..............: Failure audit
Category ..........: 12544
Source ............: Microsoft-Windows-Security-Auditing
Computer ..........: Hyper-V
Username ..........: 
Description .......: An account failed to log on.

Subject:
    Security ID:        S-1-5-18
    Account Name:       HYPER-V$
    Account Domain:     WORKGROUP
    Logon ID:       0x3e7

Logon Type:         S-1-5-181

Account For Which Logon Failed:
    Security ID:        S-1-0-0
    Account Name:       user
    Account Domain:     HYPER-V

Failure Information:
    Failure Reason:     %%2313
    Status:         0xc000006d
    Sub Status:     S-1-5-180

Process Information:
    Caller Process ID:  S-1-5-188
    Caller Process Name:    S-1-5-189

Network Information:
    Workstation Name:   S-1-5-184
    Source Network Address: HYPER-V$0
    Source Port:        HYPER-V$1

Detailed Authentication Information:
    Logon Process:      S-1-5-182
    Authentication Package: S-1-5-183
    Transited Services: S-1-5-185
    Package Name (NTLM only):   S-1-5-186
    Key Length:     S-1-5-187

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

What is in the Windows log:

An account failed to log on.

Subject:
    Security ID:        SYSTEM
    Account Name:       HYPER-V$
    Account Domain:     WORKGROUP
    Logon ID:       0x3e7

Logon Type:         10

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       cashier
    Account Domain:     HYPER-V

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:         0xc000006d
    Sub Status:     0xc0000064

Process Information:
    Caller Process ID:  0xab0
    Caller Process Name:    C:\Windows\System32\winlogon.exe

Network Information:
    Workstation Name:   HYPER-V
    Source Network Address: 212.143.166.113
    Source Port:        43451

Detailed Authentication Information:
    Logon Process:      User32 
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
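The two listings above are diagnostic when read side by side: where the Windows log shows Logon Type 10, Sub Status 0xc0000064 and Source Network Address 212.143.166.113, the UDF prints S-1-5-181, S-1-5-180 and HYPER-V$0, i.e. insertion string %1 or %2 followed by a stray digit, and the Failure Reason stays as the unresolved parameter reference %%2313. That is the signature of a message renderer substituting %N placeholders in ascending order, so %1 consumes the prefix of %10..%19 and %2 the prefix of %20, %21. The Python below is an added example, not code from the thread or from EventLog.au3; it reproduces the faulty substitution beside a correct tokenising one, using the field values from the Windows log view above (the template excerpt and the %1..%21 ordering are constructed, the ordering inferred from the AutoIt output).

```python
import re

# Insertion strings from the event shown in the thread, in the order the 4625
# template references them as %1 .. %21 (ordering inferred from the faulty output).
INSERTS = [
    "S-1-5-18", "HYPER-V$", "WORKGROUP", "0x3e7",        # %1-%4  Subject
    "S-1-0-0", "cashier", "HYPER-V",                     # %5-%7  account that failed
    "0xc000006d", "%%2313", "0xc0000064",                # %8-%10 Status, FailureReason, SubStatus
    "10", "User32", "Negotiate", "HYPER-V",              # %11-%14
    "-", "-", "0", "0xab0",                              # %15-%18
    "C:\\Windows\\System32\\winlogon.exe",               # %19
    "212.143.166.113", "43451",                          # %20-%21
]

# Constructed excerpt of the 4625 message template: only the fields that exposed the bug.
TEMPLATE = (
    "Subject:\n\tSecurity ID:\t\t%1\n"
    "Logon Type:\t\t\t%11\n"
    "Failure Information:\n\tFailure Reason:\t\t%9\n\tSub Status:\t\t%10\n"
    "Network Information:\n\tSource Network Address:\t%20\n\tSource Port:\t\t%21\n"
)


def render_naive(template, inserts):
    """Reproduces the bug: replace %1, %2, ... in ascending order, so %1 also eats
    the prefix of %10..%19 and %2 the prefix of %20 and %21."""
    out = template
    for i, value in enumerate(inserts, start=1):
        out = out.replace("%" + str(i), value)
    return out


_PLACEHOLDER = re.compile(r"%(%?)(\d+)")


def render_correct(template, inserts):
    """Tokenise the template instead: %N (all digits) is insertion string N.
    %%N is a lookup in the provider's parameter message table (here %%2313 is
    'Unknown user name or bad password.'); a real renderer resolves it from the
    parameter file, this example leaves it untouched rather than guessing."""
    def sub(m):
        if m.group(1):                      # %%N: parameter table, not an insertion string
            return m.group(0)
        n = int(m.group(2))
        if 1 <= n <= len(inserts):
            return inserts[n - 1]
        return m.group(0)                   # out-of-range index: keep the literal
    return _PLACEHOLDER.sub(sub, template)


def field(rendered, name):
    """Return the value printed after 'name:' in a rendered description."""
    m = re.search(re.escape(name) + r":\s*(\S+)", rendered)
    return m.group(1) if m else None
```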

JLogan3o13

Are you seeing what you would expect if you use the wevtutil app instead?

Run(@ComSpec & " /c wevtutil.exe qe security /c:3 /rd:true /f:text>C:\wevtutil.txt", "", @SW_HIDE)

√-1 2^3 ∑ π, and it was delicious!

slaughter

 

Are you seeing what you would expect if you use the wevtutil app instead?

Run(@ComSpec & " /c wevtutil.exe qe security /c:3 /rd:true /f:text>C:\wevtutil.txt", "", @SW_HIDE)

I used it and it returns good results, as expected:

Event[0]:
  Log Name: Security
  Source: Microsoft-Windows-Security-Auditing
  Date: 2014-03-05T07:58:26.590
  Event ID: 4625
  Task: Logon
  Level: Information
  Opcode: Info
  Keyword: Audit Failure
  User: N/A
  User Name: N/A
  Computer: mSrv
  Description: 
An account failed to log on.

Subject:
    Security ID:        S-1-0-0
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

Account For Which Logon Failed:
    Security ID:        S-1-0-0
    Account Name:       Igor
    Account Domain:     L987TA

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:         0xc000006d
    Sub Status:     0xc0000064

Process Information:
    Caller Process ID:  0x0
    Caller Process Name:    -

Network Information:
    Workstation Name:   IGORIS
    Source Network Address: 192.168.1.43
    Source Port:        1238

Detailed Authentication Information:
    Logon Process:      NtLmSsp 
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Event[1]:
  Log Name: Security
  Source: Microsoft-Windows-Security-Auditing
  Date: 2014-03-05T01:00:00.171
  Event ID: 4625
  Task: Logon
  Level: Information
  Opcode: Info
  Keyword: Audit Failure
  User: N/A
  User Name: N/A
  Computer: mSrv
  Description: 
An account failed to log on.

Subject:
    Security ID:        S-1-5-18
    Account Name:       MSRV$
    Account Domain:     WORKGROUP
    Logon ID:       0x3e7

Logon Type:         4

Account For Which Logon Failed:
    Security ID:        S-1-0-0
    Account Name:       backup
    Account Domain:     MSRV

Failure Information:
    Failure Reason:     Account currently disabled.
    Status:         0xc000006e
    Sub Status:     0xc0000072

Process Information:
    Caller Process ID:  0x3b4
    Caller Process Name:    C:\Windows\System32\svchost.exe

Network Information:
    Workstation Name:   MSRV
    Source Network Address: -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:      Advapi  
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Event[2]:
  Log Name: Security
  Source: Microsoft-Windows-Security-Auditing
  Date: 2014-03-05T00:20:31.042
  Event ID: 4625
  Task: Logon
  Level: Information
  Opcode: Info
  Keyword: Audit Failure
  User: N/A
  User Name: N/A
  Computer: cvx
  Description: 
An account failed to log on.

Subject:
    Security ID:        S-1-0-0
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

Account For Which Logon Failed:
    Security ID:        S-1-0-0
    Account Name:       reer
    Account Domain:     sdfsdfdsf

Failure Information:
    Failure Reason:     Account currently disabled.
    Status:         0xc000006e
    Sub Status:     0xc0000072

Process Information:
    Caller Process ID:  0x0
    Caller Process Name:    -

Network Information:
    Workstation Name:   ksadhkashdkassd
    Source Network Address: 192.168.2.253
    Source Port:        2721

Detailed Authentication Information:
    Logon Process:      NtLmSsp 
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

I could use this tool to get information for each event, but it would be very annoying and I guess it would take longer.

Edited by slaughter

slaughter

 

Are you seeing what you would expect if you use the wevtutil app instead?

Run(@ComSpec & " /c wevtutil.exe qe security /c:3 /rd:true /f:text>C:\wevtutil.txt", "", @SW_HIDE)

 

Now I will try to get the event description for each event by executing

wevtutil qe security "/q:*[System [(EventID=4625)]]" /c:1 /rd:true /f:text

and parsing it into what I need, if no solution is found.

slaughter

For now, using the solution JLogan3o13 offered, it is working, but slow. Is there a possibility to make this faster?

#include <GUIConstantsEx.au3>
#include <EventLog.au3>
#include <Constants.au3>
#include <Array.au3>
#RequireAdmin

Global $iMemo

_Main()

Func _Main()
    Local $hEventLog, $aEvent

    ; Create GUI
    GUICreate("EventLog", 604, 604)
    Local $Progress1 = GUICtrlCreateProgress(8, 25, 580, 25)
    Local $Label1 = GUICtrlCreateLabel("Reading event log", 8, 8, 430, 17)

    $iMemo = GUICtrlCreateEdit("", 2, 60, 600, 600)
    GUICtrlSetFont($iMemo, 9, 400, 0, "Courier New")
    GUISetState()

    ; Read most current event record
    $hEventLog = _EventLog__Open("", "Security")
    Local $i = 0

    ; Result table, one row per failed logon: [date, account, IP address, -, -]
    Local $IPArray[1][5]
    Local $iCount = 0
    Local $read_events = 100
    While $i <= $read_events
        Local $prc = Round(100 / $read_events * $i)
        GUICtrlSetData($Label1, "Reading event log: " & $i & "/" & $read_events)
        GUICtrlSetData($Progress1, $prc)
        $aEvent = _EventLog__Read($hEventLog, True, False) ; read last event
        If IsArray($aEvent) Then
            ConsoleWrite($aEvent[8] & @CRLF)
            If ($aEvent[8] = "Failure audit") Then
                ; Ask wevtutil for exactly this record. Querying by EventID with /c:1 /rd:true
                ; returns the newest 4625 every time, so the record number ($aEvent[1]) is used.
                Local $foo = Run(@ComSpec & ' /c wevtutil qe security "/q:*[System[(EventRecordID=' & $aEvent[1] & ')]]" /c:1 /f:text', @SystemDir, @SW_HIDE, $STDERR_CHILD + $STDOUT_CHILD)
                Local $line = ''
                While 1
                    $line = $line & StdoutRead($foo)
                    If @error Then ExitLoop
                WEnd

                While 1
                    $line = $line & StderrRead($foo)
                    If @error Then ExitLoop
                WEnd

                ; Grow the table by one row and fill it (no empty leading row)
                ReDim $IPArray[$iCount + 1][5]
                Local $ix = $iCount
                $iCount += 1

                ; "Source Network Address: <ip>" - capture up to the end of the line, without the CR
                Local $array = StringRegExp($line, "Source Network Address:[ \t]*([^\r\n]+)", 1)
                If IsArray($array) Then $IPArray[$ix][2] = $array[0]

                ; "Account Name:" appears twice in the text form: [0] is the Subject,
                ; [1] is the account for which the logon failed
                $array = StringRegExp($line, "Account Name:[ \t]*([^\r\n]+)", 3)
                If IsArray($array) And UBound($array) > 1 Then $IPArray[$ix][1] = $array[1]

                $IPArray[$ix][0] = $aEvent[4] & " " & $aEvent[5]
            EndIf
        EndIf
        $i = $i + 1
    WEnd
    _EventLog__Close($hEventLog)

    _ArrayDisplay($IPArray, "IP LIST")

    ; Loop until user exits
    Do
    Until GUIGetMsg() = $GUI_EVENT_CLOSE

EndFunc   ;==>_Main

; Write a line to the memo control
Func MemoWrite($sMessage)
    GUICtrlSetData($iMemo, $sMessage & @CRLF, 1)
EndFunc   ;==>MemoWrite

What does it do? It reads the security log for failed audits (logins to the system), then reads the date of the event, the IP address that tried to log in and the user name that was tried.

slaughter

Updated to work faster, but now not using the event log read, because it's not giving correct data and works slowly.

#RequireAdmin

#include <GUIConstantsEx.au3>
#include <Constants.au3>
#include <Array.au3>
#include <File.au3>
#include <MsgBoxConstants.au3>

Global $iMemo

_Main()

Func _Main()
    ; Create GUI
    GUICreate("EventLog", 604, 604)
    Local $Progress1 = GUICtrlCreateProgress(8, 25, 590, 25)
    Local $Label1 = GUICtrlCreateLabel("Reading event log", 8, 8, 430, 17)
    $iMemo = GUICtrlCreateEdit("", 2, 60, 600, 542)
    GUICtrlSetFont($iMemo, 9, 400, 0, "Courier New")
    GUISetState()

    Local $read_events = 50

    GUICtrlSetData($Label1, "Reading event log: 0/" & $read_events)
    GUICtrlSetData($Progress1, 1)

    ; Export the newest $read_events audit-failure events as XML in one call,
    ; one <Event> element per line, instead of reading the log record by record
    Local $sXmlFile = "C:\wevtutil.xml"
    Local $cmd = 'wevtutil qe Security "/q:*[System[band(Keywords,8010000000000000)]]" /c:' & $read_events & ' /rd:true /f:xml>' & $sXmlFile
    FileDelete($sXmlFile)
    RunWait(@ComSpec & ' /c ' & $cmd, @SystemDir, @SW_HIDE)
    MemoWrite(FileRead($sXmlFile))

    GUICtrlSetData($Label1, "Reading event log: " & $read_events & "/" & $read_events)
    GUICtrlSetData($Progress1, 100)

    ; Read the export line by line; $aArray[0] holds the line count
    Local $aArray = 0
    If Not _FileReadToArray($sXmlFile, $aArray) Then
        MsgBox($MB_SYSTEMMODAL, "", "There was an error reading the file. @error: " & @error)
        Return
    EndIf

    ; Result table, one row per event: [-, account, IP address, time, -]
    Local $IPArray[1][5]
    Local $iCount = 0
    Local $i, $ix, $array

    For $i = 1 To $aArray[0]
        ; Skip anything that is not an event element (blank lines, wevtutil messages)
        If Not StringInStr($aArray[$i], "<Event ") Then ContinueLoop

        ReDim $IPArray[$iCount + 1][5]
        $ix = $iCount
        $iCount += 1

        $array = StringRegExp($aArray[$i], "<TimeCreated SystemTime='(.*?)'/>", 1)
        If IsArray($array) Then $IPArray[$ix][3] = $array[0]

        $array = StringRegExp($aArray[$i], "<Data Name='IpAddress'>(.*?)</Data>", 1)
        If IsArray($array) Then $IPArray[$ix][2] = $array[0]

        $array = StringRegExp($aArray[$i], "<Data Name='TargetUserName'>(.*?)</Data>", 1)
        If IsArray($array) Then $IPArray[$ix][1] = $array[0]
    Next

    _ArrayDisplay($IPArray, "IP LIST")

    ; Loop until user exits
    Do
    Until GUIGetMsg() = $GUI_EVENT_CLOSE

EndFunc   ;==>_Main

; Write a line to the memo control
Func MemoWrite($sMessage)
    GUICtrlSetData($iMemo, $sMessage & @CRLF, 1)
EndFunc   ;==>MemoWrite
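The XML export above is better consumed as XML than with per-field regexes: the EventData Name attributes are language-neutral and unambiguous, whereas the rendered text prints "Account Name" twice (subject and target), and once the records are structured they can be aggregated per source address, which is what a defender wants from 4625 data. The Python below is an added example, not code from the thread; the sample events are constructed to mirror the wevtutil text output shown earlier (record IDs and the fourth event are made up).

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Failure reasons as the thread's wevtutil output prints them, keyed by SubStatus.
REASON = {"0xc0000064": "Unknown user name or bad password.",
          "0xc0000072": "Account currently disabled."}


def _event(rec, when, user, ltype, ip, port, status, sub):
    """Build one 4625 <Event> element the way wevtutil /f:xml emits it (single line)."""
    return (f"<Event xmlns='{NS['e']}'><System><EventID>4625</EventID>"
            f"<Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime='{when}'/>"
            f"<EventRecordID>{rec}</EventRecordID><Computer>mSrv</Computer></System>"
            f"<EventData><Data Name='TargetUserName'>{user}</Data><Data Name='LogonType'>{ltype}</Data>"
            f"<Data Name='Status'>{status}</Data><Data Name='SubStatus'>{sub}</Data>"
            f"<Data Name='IpAddress'>{ip}</Data><Data Name='IpPort'>{port}</Data></EventData></Event>")


# Constructed sample export: the three events from the thread (record IDs made up)
# plus a fourth, made-up failure from the same address as the third.
SAMPLE_XML = "\n".join([
    _event(10921, "2014-03-05T07:58:26.590Z", "Igor", 3, "192.168.1.43", 1238, "0xc000006d", "0xc0000064"),
    _event(10920, "2014-03-05T01:00:00.171Z", "backup", 4, "-", "-", "0xc000006e", "0xc0000072"),
    _event(10919, "2014-03-05T00:20:31.042Z", "reer", 3, "192.168.2.253", 2721, "0xc000006e", "0xc0000072"),
    _event(10918, "2014-03-05T00:19:58.000Z", "admin", 3, "192.168.2.253", 2733, "0xc000006d", "0xc0000064"),
])


def parse_4625(text):
    """Parse wevtutil /f:xml output (one <Event> per line, no enclosing root) into
    dicts. Lines that are not events, and events other than 4625, are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("<Event"):
            continue
        root = ET.fromstring(line)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
            continue
        # Data Name='...' is language-neutral, unlike the rendered text where
        # "Account Name" appears twice (subject and target account).
        data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
        events.append({
            "record": int(root.findtext("e:System/e:EventRecordID", namespaces=NS)),
            "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "user": data.get("TargetUserName", ""),
            "logon_type": data.get("LogonType", ""),
            "ip": data.get("IpAddress", ""),
            "reason": REASON.get(data.get("SubStatus", "").lower(), data.get("SubStatus", "")),
        })
    return events


def failures_by_source(events, threshold=2):
    """Count failures per remote source address. Local and service logons carry
    '-' (or a loopback address) and are excluded; returns sources at/above threshold."""
    counts = Counter(e["ip"] for e in events if e["ip"] not in ("-", "", "::1", "127.0.0.1"))
    return {ip: n for ip, n in counts.items() if n >= threshold}
```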
