[Logwatch-Devel] a first work on windows

william roumier w.roumier at hotmail.fr
Fri Feb 24 01:01:54 MST 2006


Hi all,
here's my first work on Windows syslog, finding bad logins,
hope this helps.

William

#!/usr/bin/perl -w
##########################################################################
# $Id: windows,v 1.0 2006/02/17 15:07:21 wrouk Exp $
##########################################################################

########################################################
# This was written and is maintained by:
#    William Roumier <w.roumier at hotmail.fr>
#    based on the work of
#    Kirk Bauer <kirk at kaybee.org>
#
########################################################

use strict;
use Logwatch ':all';
#my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;

my ($month,$day,$time,$host,$process,$conn,$msg);
my %LoginFail;   # $LoginFail{domain}{name}{client ip} = number of failures

while (defined(my $ThisLine = <STDIN>)) {

   # Generic syslog split; the per-field values are not used yet
   ($month,$day,$time,$host,$process,$conn,$msg) = split(/ +/, $ThisLine, 7);

   if ($ThisLine =~ /0x18/) {
      # Failed login: account name, domain and client IP sit at fixed
      # word positions in the forwarded Windows event text
      my $testline = $ThisLine;
      chomp $testline;
      my @testfields = split(/ /, $testline);
      my $name   = $testfields[14];
      my $domain = $testfields[22];
      my $fip    = $testfields[33];
      # Skip lines too short to carry all three fields
      next unless defined $name && defined $domain && defined $fip;
      #print "DEBUG name=" . $name . " domain=" . $domain . " ip=" . $fip . "\n";
      $LoginFail{$domain}{$name}{$fip}++;
   }
   else {
      # will code this later
   }

}

if (keys %LoginFail) {
   print "\n\tWindows failed Logins:\n";
   foreach my $LDomain (keys %LoginFail) {
      print "\nDOMAIN:   " . $LDomain . ":\n";
      foreach my $LName (keys %{$LoginFail{$LDomain}}) {
         print "\tName: " . $LName . "\n";
         foreach my $LFip (keys %{$LoginFail{$LDomain}{$LName}}) {
            print "\t\tFrom :" . LookupIP($LFip) . "\t " .
                  $LoginFail{$LDomain}{$LName}{$LFip} . " Time(s)\n";
         }
         print "\n";
      }
   }
}

exit(0);

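An added example, not part of William's post or of Logwatch itself: the same domain/name/IP failure count in Python, but matching labelled fields with a regex instead of fixed word positions, so a line that lacks a field is skipped rather than miscounted. The sample lines and their field labels (User Name, Domain, Failure Code, Client Address) are constructed assumptions, since the post does not show the input format.

```python
import re
from collections import defaultdict

# Constructed sample of forwarded Windows event text, one event per syslog line.
# The layout is an assumption: the post only tells us a failed login contains
# "0x18" and that name, domain and client IP sit at fixed word positions.
SAMPLE = """\
Feb 24 00:58:01 dc1 MSWinEventLog 1 Security 675 Pre-authentication failed: User Name: alice Domain: CORP Failure Code: 0x18 Client Address: 10.0.0.7
Feb 24 00:58:04 dc1 MSWinEventLog 1 Security 675 Pre-authentication failed: User Name: alice Domain: CORP Failure Code: 0x18 Client Address: 10.0.0.7
Feb 24 00:58:09 dc1 MSWinEventLog 1 Security 675 Pre-authentication failed: User Name: bob Domain: CORP Failure Code: 0x18 Client Address: 10.0.0.9
Feb 24 00:58:11 dc1 MSWinEventLog 1 Security 672 Authentication ticket granted: User Name: carol Domain: CORP Client Address: 10.0.0.12
Feb 24 00:58:15 dc1 MSWinEventLog 1 Security 675 Pre-authentication failed: User Name: alice Failure Code: 0x18
"""

# Labelled-field match: a truncated line (no Domain or Client Address) does not match
FIELDS = re.compile(
    r"User Name:\s+(?P<name>\S+)\s+Domain:\s+(?P<domain>\S+).*?"
    r"Failure Code:\s+(?P<code>0x[0-9A-Fa-f]+).*?Client Address:\s+(?P<ip>\S+)"
)

def count_failed_logins(lines):
    """Return {domain: {name: {ip: count}}} for lines whose failure code is 0x18."""
    fails = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for line in lines:
        m = FIELDS.search(line)
        if not m or m.group("code").lower() != "0x18":
            continue  # not a matching failure, or too malformed to trust
        fails[m.group("domain")][m.group("name")][m.group("ip")] += 1
    return fails

def report(fails):
    """Render the nested counts in the same shape as the Logwatch filter output."""
    out = ["Windows failed Logins:"]
    for domain in sorted(fails):
        out.append(f"DOMAIN: {domain}:")
        for name in sorted(fails[domain]):
            out.append(f"  Name: {name}")
            for ip, n in sorted(fails[domain][name].items()):
                out.append(f"    From: {ip}  {n} Time(s)")
    return "\n".join(out)

if __name__ == "__main__":
    print(report(count_failed_logins(SAMPLE.splitlines())))
```

The last sample line contains 0x18 but no domain or client address; the positional script would index past the end of it, while the regex version simply drops it.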