RE: Perl-Win32-Users Digest, Vol 70, Issue 1
Barry Brevik bbre...@stellarmicro.com wrote on 06/04/2012 06:34:07 PM:

> Thank you for the detailed response, even if it is depressing.

Don't think of it as depressing, think of it as an opportunity. Gathering all your logs could provide more insight into your environment.

Attached is a toy I wrote. The idea is to have a central point (in this case, my laptop) with a little mysql node on it. I then create a table,

+------------------+------------------+------+-----+---------+----------------+
| Field            | Type             | Null | Key | Default | Extra          |
+------------------+------------------+------+-----+---------+----------------+
| logID            | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| Category         | int(10) unsigned | YES  |     | NULL    |                |
| CategoryString   | tinytext         | YES  |     | NULL    |                |
| ComputerName     | tinytext         | YES  |     | NULL    |                |
| Data             | text             | YES  |     | NULL    |                |
| EventCode        | int(10) unsigned | YES  |     | NULL    |                |
| EventIdentifier  | int(10) unsigned | YES  |     | NULL    |                |
| EventType        | int(11)          | YES  |     | NULL    |                |
| InsertionStrings | text             | YES  |     | NULL    |                |
| LogFile          | tinytext         | YES  |     | NULL    |                |
| Message          | text             | YES  |     | NULL    |                |
| RecordNumber     | int(10) unsigned | YES  |     | NULL    |                |
| SourceName       | tinytext         | YES  |     | NULL    |                |
| TimeGenerated    | datetime         | YES  |     | NULL    |                |
| TimeWritten      | datetime         | YES  |     | NULL    |                |
| Type             | tinytext         | YES  |     | NULL    |                |
| User             | tinytext         | YES  |     | NULL    |                |
| Host             | tinytext         | YES  |     | NULL    |                |
| string           | tinytext         | YES  |     | NULL    |                |
+------------------+------------------+------+-----+---------+----------------+

One runs the toy periodically, with $0 -H <fully qualified target name>, across all the possible client machines, and builds up this DB. IIRC, I had a watchdog program that would maintain a table of all the clients, and then poll this for all the TimeWritten and poll the clients based upon the order of the TimeWritten. That way, I could have five or six instances of the toy running, cover all my clients, and still not hang dead on missing machines.

Then, at your leisure, you can ask questions like "what machines have event ID 528 or 540 and logon type 2?" These would be the local clients.
The more interesting query would be "are there network logins from sources that I don't know about?" -- the debian laptop that someone is using a remote login from, for example, that you hadn't expected. Designing that SQL query is left as an exercise.. :-)

--woody

--
Dr. Robert Woody Weaver
GBS Cybersecurity Privacy
IT Security Architect
Cell: 301-524-8138
--
I have hardly ever known a mathematician who was capable of reasoning. -- Plato

Attachment: pullFromEventLog.pl

___
Perl-Win32-Users mailing list
Perl-Win32-Users@listserv.ActiveState.com
To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs
Re: Perl-Win32-Users Digest, Vol 70, Issue 1
perl-win32-users-boun...@listserv.activestate.com wrote on 06/04/2012 03:00:03 PM:

> I have a need to determine which client machine a given user (or all users) has logged into the domain from. I'm willing to back into it by starting with all client machines. I'm

If you can access via WMI, there is a mib Win32_SystemUsers that is helpful. I'm including some code from another project. Build @Hosts with the client machines. This just outputs the data in tab delimited format (this was just for a dozen machines and that made sense) but throwing into a DB for queries might make sense.

Sample output:

host    user                domain
Fred    Guest               Fred
Fred    Administrator       Fred
Fred    pingsweep           Fred
Fred    SUPPORT_388945a0    Fred
Fred    Bob                 AD
Fred    Alice               AD
Fred    Chuck               AD
Fred    Dave                AD

That is, Administrator logged into the machine Fred locally, user Bob logged into the machine from the domain, etc. This is answering the question of "to". On the other hand, if you are really asking the question "from", you have to go to the event logs; there, you can get if a login was local or via the network. The problem, of course, is that it is very transitory; on machine B you can find out that person logged in from machine A, but then you have to go back to see who logged into A at that time.

use strict;
use warnings;
use Getopt::Std;
use Win32::OLE qw(in);    # 'in' iterates a WMI collection

my %opts;
getopts( 'u:p:', \%opts );    # -u user -p password, passed to ConnectServer
my @Hosts = @ARGV;            # build @Hosts with the client machines (here: from the command line)

print join( "\t", 'host', 'user', 'domain' ), "\n";
foreach my $server (@Hosts) {
    warn "Connecting to $server\n";
    my $locatorObj = Win32::OLE->new('WbemScripting.SWbemLocator')
      || die "Error creating locator object: " . Win32::OLE->LastError() . "\n";
    $locatorObj->{Security_}->{impersonationlevel} = 3;
    my $serverObj = $locatorObj->ConnectServer(    # connect to WMI server
        $server,                                   # on this host
        '\root\cimv2',                             # this namespace
        $opts{'u'},                                # user
        $opts{'p'} )                               # password
      || die "Error connecting to $server: " . Win32::OLE->LastError() . "\n";
    warn "Connected.\n";
    my $users = 0;
    foreach my $obj ( in $serverObj->InstancesOf('Win32_SystemUsers') ) {
        $users++;
        my $group = $obj->{GroupComponent};    # reference to the Win32_ComputerSystem
        my $part  = $obj->{PartComponent};     # reference to the Win32_UserAccount
        my $host  = pullRefs($group);
        my $user  = pullRefs($part);
        my ( $tmp, $subpart ) = split( /,/, $part );
        my $domain = pullRefs($subpart);
        print join( "\t", $host, $user, $domain ), "\n";
    }
    warn "$users users found.\n";
}    ## end foreach my $server (@Hosts)

# Pull the first double-quoted value out of a WMI object path such as
#   \\FRED\root\cimv2:Win32_ComputerSystem.Name="FRED"
sub pullRefs {
    my $str = shift;
    my $tmp;
    my $rv;
    ( $tmp, $rv, $tmp ) = split( /"/, $str );
    return $rv;
}

--
Dr. Robert Woody Weaver
GBS Cybersecurity Privacy
IT Security Architect
Cell: 301-524-8138
--
Anything else you wish to draw to my attention, Mr. Holmes?
The curious incident of the stable dog in the nighttime.
But the dog did nothing in the nighttime.
That was the curious incident.
-- A. Conan Doyle, Silver Blaze
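The pullRefs routine above takes whatever sits between the first pair of double quotes in a WMI object path, so the user/domain columns depend on the order in which the keys appear in the PartComponent reference. Below is an added example, not code from the post, that parses the GroupComponent/PartComponent references properly (server, namespace, class, and a dict of key properties) and looks Name and Domain up by property name, so key order no longer matters. The sample reference strings, the host FRED and the domain AD are constructed; on a real machine you would feed it the GroupComponent/PartComponent values returned by a Win32_SystemUsers query (via Win32::OLE as in the post, or any other WMI client).

```python
import re

# Constructed sample values in the shape of the GroupComponent/PartComponent
# references that a Win32_SystemUsers instance carries (host FRED and domain AD
# are assumptions). The third pair has its keys in the other order on purpose.
SAMPLE_ASSOCIATIONS = [
    (r'\\FRED\root\cimv2:Win32_ComputerSystem.Name="FRED"',
     r'\\FRED\root\cimv2:Win32_UserAccount.Domain="FRED",Name="Guest"'),
    (r'\\FRED\root\cimv2:Win32_ComputerSystem.Name="FRED"',
     r'\\FRED\root\cimv2:Win32_UserAccount.Domain="AD",Name="Bob"'),
    (r'\\FRED\root\cimv2:Win32_ComputerSystem.Name="FRED"',
     r'\\FRED\root\cimv2:Win32_UserAccount.Name="Alice",Domain="AD"'),
]

# \\server\namespace:Class.Key1="v1",Key2="v2"   (server/namespace optional)
PATH_RE = re.compile(
    r'^(?:\\\\(?P<server>[^\\]+)\\(?P<ns>[^:]+):)?(?P<cls>\w+)(?:\.(?P<keys>.+))?$')
# one Key=Value pair; quoted values may contain backslash-escaped characters
KEY_RE = re.compile(r'(\w+)=("((?:[^"\\]|\\.)*)"|[^,]+)')


def parse_ref(ref):
    """Split a WMI object path into server, namespace, class and a key dict."""
    m = PATH_RE.match(ref)
    if not m:
        raise ValueError("not a WMI object path: %r" % ref)
    keys = {}
    for name, raw, quoted in KEY_RE.findall(m.group("keys") or ""):
        # strip the quotes and backslash escapes from quoted values
        keys[name] = re.sub(r"\\(.)", r"\1", quoted) if raw.startswith('"') else raw
    return {"server": m.group("server"), "namespace": m.group("ns"),
            "class": m.group("cls"), "keys": keys}


def system_users(associations):
    """Return (host, user, domain) rows like the Perl script prints, but look
    the values up by property name so key order in the path does not matter."""
    rows = []
    for group, part in associations:
        g, p = parse_ref(group), parse_ref(part)
        if g["class"] != "Win32_ComputerSystem" or p["class"] != "Win32_UserAccount":
            continue            # skip anything that is not a system/user pair
        rows.append((g["keys"]["Name"], p["keys"]["Name"], p["keys"]["Domain"]))
    return rows


def is_local_account(row):
    """A user whose Domain equals the host name is a local (SAM) account."""
    host, _user, domain = row
    return domain.upper() == host.upper()


if __name__ == "__main__":
    print("\t".join(("host", "user", "domain")))
    for row in system_users(SAMPLE_ASSOCIATIONS):
        print("\t".join(row) + ("\t(local)" if is_local_account(row) else ""))
```

The class check in system_users is the cheap sanity test the Perl version lacks: it drops any association whose endpoints are not a Win32_ComputerSystem and a Win32_UserAccount instead of silently printing fragments of an unexpected path. is_local_account reproduces the post's reading of the output (Domain equal to the host name means a local logon, anything else means a domain account).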
RE: Perl-Win32-Users Digest, Vol 70, Issue 1
Thank you for the detailed response, even if it is depressing.

Barry Brevik

> On the other hand, if you are really asking the question "from", you have to go to the event logs; there, you can get if a login was local or via the network. The problem, of course, is that it is very transitory; on machine B you can find out that person logged in from machine A, but then you have to go back to see who logged into A at that time.
>
> print join( "\t", 'host', 'user', 'domain' ), "\n";
> foreach my $server (@Hosts) {
>     warn "Connecting to $server\n";
>     my $locatorObj = Win32::OLE->new('WbemScripting.SWbemLocator')
>       || die "Error creating locator object: