RE: Perl-Win32-Users Digest, Vol 70, Issue 1

2012-06-05 Thread Robert W Weaver
Barry Brevik bbre...@stellarmicro.com wrote on 06/04/2012 06:34:07 PM:
> Thank you for the detailed response, even if it is depressing.

Don't think of it as depressing, think of it as an opportunity.  Gathering 
all your logs could provide more insight into your environment.

Attached is a toy I wrote.

The idea is to have a central point (in this case, my laptop) with a 
little mysql node on it.  I then create a table,
+------------------+------------------+------+-----+---------+----------------+
| Field            | Type             | Null | Key | Default | Extra          |
+------------------+------------------+------+-----+---------+----------------+
| logID            | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| Category         | int(10) unsigned | YES  |     | NULL    |                |
| CategoryString   | tinytext         | YES  |     | NULL    |                |
| ComputerName     | tinytext         | YES  |     | NULL    |                |
| Data             | text             | YES  |     | NULL    |                |
| EventCode        | int(10) unsigned | YES  |     | NULL    |                |
| EventIdentifier  | int(10) unsigned | YES  |     | NULL    |                |
| EventType        | int(11)          | YES  |     | NULL    |                |
| InsertionStrings | text             | YES  |     | NULL    |                |
| LogFile          | tinytext         | YES  |     | NULL    |                |
| Message          | text             | YES  |     | NULL    |                |
| RecordNumber     | int(10) unsigned | YES  |     | NULL    |                |
| SourceName       | tinytext         | YES  |     | NULL    |                |
| TimeGenerated    | datetime         | YES  |     | NULL    |                |
| TimeWritten      | datetime         | YES  |     | NULL    |                |
| Type             | tinytext         | YES  |     | NULL    |                |
| User             | tinytext         | YES  |     | NULL    |                |
| Host             | tinytext         | YES  |     | NULL    |                |
| string           | tinytext         | YES  |     | NULL    |                |
+------------------+------------------+------+-----+---------+----------------+

One runs the toy periodically, with $0 -H <fully qualified target name>, 
across all the possible client machines, and builds up this DB.  IIRC, I 
had a watchdog program that would maintain a table of all the clients, and 
then poll this for all the TimeWritten and poll the clients based upon 
the order of the TimeWritten.  That way, I could have five or six 
instances of the toy running, cover all my clients, and still not hang 
dead on missing machines.  Then, at your leisure, you can ask questions 
like what machines have event ID 528 or 540 and logon type 2?  These 
would be the local clients.  The more interesting query would be are 
there network logins from sources that I don't know about -- the debian 
laptop that someone is using a remote login from, for example, that you 
hadn't expected.  Designing that SQL query is left as an exercise.. :-)

--woody

-- 
Dr. Robert Woody Weaver
GBS Cybersecurity & Privacy
IT Security Architect
Cell: 301-524-8138

-- 
I have hardly ever known a mathematician who was capable of reasoning.
-- Plato

pullFromEventLog.pl
___
Perl-Win32-Users mailing list
Perl-Win32-Users@listserv.ActiveState.com
To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs
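The questions this message leaves as an exercise (which machines show event ID 528/540 with logon type 2, and which network logons come from sources you do not know about), plus the "go back to see who was logged into A" step from the earlier reply, as an added example that is not the attached toy or any code from the thread. SQLite stands in for the MySQL node, the rows are constructed, and it is an assumption that the collector stored InsertionStrings as a '|'-joined list in the 528/540 insertion-string order.

```python
import sqlite3

# Constructed sample rows (not real data), a subset of the posted columns. Assumption:
# the collector stored InsertionStrings '|'-joined in the 528/540 insertion-string
# order: user, domain, logon ID, logon type, logon process, auth package, workstation.
ROWS = [
    ("FRED", "Security", 528, "2012-06-04 08:00:00", "Bob|AD|0x1a2b|2|User32|Negotiate|FRED"),
    ("FRED", "Security", 528, "2012-06-04 08:05:00", "Administrator|FRED|0x1a2c|2|User32|Negotiate|FRED"),
    ("FILESRV", "Security", 540, "2012-06-04 08:10:00", "Bob|AD|0x2f00|3|Kerberos|Kerberos|FRED"),
    ("FILESRV", "Security", 540, "2012-06-04 09:30:00", "Alice|AD|0x2f11|3|NtLmSsp|NTLM|DEBIAN-LAPTOP"),
]
KNOWN_CLIENTS = ["FRED", "WILMA", "FILESRV"]  # the watchdog's table of clients
LOGON = "LogFile = 'Security' AND EventCode IN (528, 540)"

def build_db():
    """In-memory stand-in for the MySQL node; column names follow the posted schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE eventlog (logID INTEGER PRIMARY KEY AUTOINCREMENT, ComputerName TEXT,
            LogFile TEXT, EventCode INTEGER, TimeGenerated TEXT, InsertionStrings TEXT);
        CREATE TABLE clients (Host TEXT PRIMARY KEY);""")
    # field(s, n) returns the n-th insertion string, so each question stays a SQL query
    conn.create_function("field", 2, lambda s, n: s.split("|")[n])
    conn.executemany("INSERT INTO eventlog (ComputerName, LogFile, EventCode, TimeGenerated,"
                     " InsertionStrings) VALUES (?, ?, ?, ?, ?)", ROWS)
    conn.executemany("INSERT INTO clients VALUES (?)", [(h,) for h in KNOWN_CLIENTS])
    return conn

def local_logons(conn):
    """(machine, user) pairs for interactive logons (logon type 2)."""
    return conn.execute(f"SELECT ComputerName, field(InsertionStrings, 0) FROM eventlog "
                        f"WHERE {LOGON} AND field(InsertionStrings, 3) = '2' "
                        "ORDER BY logID").fetchall()

def unknown_network_sources(conn):
    """Network logons (type 3) whose source workstation is not a known client."""
    return conn.execute(f"SELECT ComputerName, field(InsertionStrings, 0), "
                        f"field(InsertionStrings, 6), TimeGenerated FROM eventlog "
                        f"WHERE {LOGON} AND field(InsertionStrings, 3) = '3' "
                        "AND UPPER(field(InsertionStrings, 6)) NOT IN (SELECT Host FROM clients) "
                        "ORDER BY logID").fetchall()

def who_was_on(conn, host, when):
    """Latest interactive logon on `host` at or before `when`: the 'go back to
    machine A' step once a network logon from A has been seen on machine B."""
    row = conn.execute(f"SELECT field(InsertionStrings, 0) FROM eventlog "
                       f"WHERE ComputerName = ? AND {LOGON} AND field(InsertionStrings, 3) = '2' "
                       "AND TimeGenerated <= ? ORDER BY TimeGenerated DESC LIMIT 1",
                       (host, when)).fetchone()
    return row[0] if row else None
```

With the constructed rows, the unknown-source query returns only Alice's logon from DEBIAN-LAPTOP, and tracing Bob's network logon on FILESRV back to FRED at 08:10 finds Administrator as the latest interactive logon there.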


Re: Perl-Win32-Users Digest, Vol 70, Issue 1

2012-06-04 Thread Robert W Weaver
perl-win32-users-boun...@listserv.activestate.com wrote on 06/04/2012 
03:00:03 PM:
> I have a need to determine which client machine a given user (or all
> users) has logged into the domain from.
>
> I'm willing to back into it by starting with all client machines. I'm

If you can access via WMI, there is a mib Win32_SystemUsers that is 
helpful.  I'm including some code from another project.  Build @Hosts with 
the client machines.  This just outputs the data in tab delimited format 
(this was just for a dozen machines and that made sense) but throwing into 
a DB for queries might make sense.
Sample output:
host    user                domain
Fred    Guest               Fred
Fred    Administrator       Fred
Fred    pingsweep           Fred
Fred    SUPPORT_388945a0    Fred
Fred    Bob                 AD
Fred    Alice               AD
Fred    Chuck               AD
Fred    Dave                AD

That is, Administrator logged into the machine Fred locally, user Bob 
logged into the machine from the domain, etc.  This is answering the 
question of "to".

On the other hand, if you are really asking the question "from", you have 
to go to the event logs; there, you can get if a login was local or via 
the network.  The problem, of course, is that it is very transitory; on 
machine B you can find out that person logged in from machine A, but then 
you have to go back to see who logged into A at that time.

use strict;
use warnings;
use Getopt::Std;
use Win32::OLE qw(in);    # 'in' iterates a WMI collection

# Build @Hosts with the client machines (taken from the command line here) and
# pass the WMI credentials as -u user -p password; this preamble is assumed,
# it was not part of the posted snippet.
my %opts;
getopts( 'u:p:', \%opts );
my @Hosts = @ARGV;

print join( "\t", 'host', 'user', 'domain' ), "\n";
foreach my $server (@Hosts) {
  warn "Connecting to $server\n";
  my $locatorObj = Win32::OLE->new('WbemScripting.SWbemLocator')
    || die "Error creating locator object: " . Win32::OLE->LastError() . "\n";
  $locatorObj->{Security_}->{impersonationlevel} = 3;
  my $serverObj = $locatorObj->ConnectServer(    # connect to WMI server
    $server,          # on this host
    '\root\cimv2',    # this namespace
    $opts{'u'},       # user
    $opts{'p'}        # password
  ) || die "Error connecting to $server: " . Win32::OLE->LastError() . "\n";
  warn "Connected.\n";
  my $users = 0;
  foreach my $obj ( in $serverObj->InstancesOf('Win32_SystemUsers') ) {
    $users++;
    my $group = $obj->{GroupComponent};    # object path of the computer system
    my $part  = $obj->{PartComponent};     # object path of the user account
    my $host  = pullRefs($group);
    my $user  = pullRefs($part);
    my ( $tmp, $subpart ) = split( /,/, $part );
    my $domain = pullRefs($subpart);
    print join( "\t", $host, $user, $domain ), "\n";
  }
  warn "$users users found.\n";
} ## end foreach my $server (@Hosts)

# Return the text between the first pair of double quotes in a WMI object path.
sub pullRefs {
  my $str = shift;
  my $tmp;
  my $rv;
  ( $tmp, $rv, $tmp ) = split( /"/, $str );
  return $rv;
}

-- 
Dr. Robert Woody Weaver
GBS Cybersecurity & Privacy
IT Security Architect
Cell: 301-524-8138

-- 
Anything else you wish to draw to my attention, Mr. Holmes ?
The curious incident of the stable dog in the nighttime.
But the dog did nothing in the nighttime.
That was the curious incident.
-- A. Conan Doyle, Silver Blaze




RE: Perl-Win32-Users Digest, Vol 70, Issue 1

2012-06-04 Thread Barry Brevik
Thank you for the detailed response, even if it is depressing.

Barry Brevik

> On the other hand, if you are really asking the question "from",
> you have to go to the event logs; there, you can get if a login
> was local or via the network.  The problem, of course, is that it
> is very transitory; on machine B you can find out that person logged
> in from machine A, but then you have to go back to see who logged into A at 
> that time. 
>
> print join( "\t", 'host', 'user', 'domain' ), "\n"; 
> foreach my $server (@Hosts) { 
>   warn "Connecting to $server\n"; 
>   my $locatorObj = Win32::OLE->new('WbemScripting.SWbemLocator') 
>     || die "Error creating locator object: " 