Syed Jahanzaib Personal Blog to Share Knowledge !

January 19, 2017

Windows User Login Logs

Filed under: Microsoft Related — Tags: — Syed Jahanzaib / Pinochio~:) @ 7:12 PM

Disclaimer:
This is a reference post for myself, to recall it later when i need it.
There are tons of tools/apps that can automate such tasks,Example you can do it via GPO (if you are in domain environment), or use dedicated tools, or just simply sort views in event viewer.

But being lazy/blockhead or fond of fetching result using out of the box approach, I try to select method that works for me and which seems easy to me plus with some learning. You may follow the internet to get more elegant / less complicated solution. Read it just to add ideas on how dumb-heads like me doing there work in other dimension approach , lean so that you may enhance it or at least not follow it for many reasons ;). This was a drafted version, later I modified this task for more presentable formatting. Windows batch file is far behind in advance coding as compare to bash, but we understand the limitation dueo to Microsoft platform.

I used WINTAIL to view real time logging of the specific system. we can modify the scripting to any level we want it to be. example we can log this info at our linux based mysql server, email the event, etc etc 😀

Sky is the only limit !

Zaib!


Scenario#1:

We have a domain environment in our office. At one windows 7 workstation, we have some important application installed which is access by specific users Remote (RDP and Dameware remote app) session & dueto some specific issues, the management wanted to store its full logs for following events only …

  1. When user login to the workstation
  2. When user logoff from the workstation
  3. When user connect to any previous session, either local or by remote
  4. When user re-login to the system (unlock)

Following information should be recorded in simple log file at remote server

  1. Event Type: LOGIN OR LOGOFF
  2. RDP Client IP: If the user is logged in via RDP, his ip should be logged
  3. DAMEWARE IP: If the user is logged in using DAMEWARE remote app, his IP should be logged
  4. Remote Client PC DNS Name: Remote client windows DNS name should be logged
  5. Username: Domain User ID which is being used to logging to the workstation
  6. Computername: name of workstation on which user is logging to
  7. Date / Time

 


Solution using Windows Batch File [Drafted but tested Version on Windows 7 / 64bit]

Requirements:

  • grep
    [Linux tool for windows version]
  • sed
    [Linux tool for windows version]
  • login-log.cmd
    our batch file
  • task scheduler task to trigger it on different events we required

Download grep/sed and place all contents in its bin folder to C:\windows\system32 so that it can be accessed from any path.

login-log.cmd

@echo off
rem ### Batch file to be configured in Task Manager to log events 
rem ### to remote server log file
rem ### Syed Jahanzaib
cls
rem Create Backup folder if not exists already
set TEMPLOC="C:\BACKUP"
if not exist "%TEMPLOC%" mkdir %TEMPLOC%
set LOGLOCAL="%TEMPLOC%\LOCAL.LOG"
rem ### Log Server Folder where logs will be saved
set LOGSERVER="\\LOGSERVER\userlog\%USERNAME%.log"
set IPFILE="%TEMPLOC%\IP.TXT"
set COMPFILE="%TEMPLOC%\COMPNAME.TXT"
set IPADD=
set DAMWIP=
set COMPNAME=
rem ### Delete old holders adn tasks if any
del %IPFILE% 2> nul
del %COMPFILE% 2> nul
taskkill /F /IM nslookup.exe 2> nul

rem ### 
::# Get IP Address of local PC
for /f "skip=1 tokens=2 delims=[]" %%* in (
'ping.exe -n 1 %Computername%') Do (set "LOCALIP=%%*" & goto:exitFor1)
:exitFor1

rem ### Get IP address for any RDP session, IF ANY, 
netstat -na | find "3389" | find "ESTABLISHED" | awk "{print $3}" | sed s/:.*// > %IPFILE%
set /p IPADD=<%IPFILE%
IF "%IPADD%"=="" (
set IPADD=x
)

rem ### If no RDP session found, then skip nslookup to avoid any delay
set "filter=c:\backup/ip.txt"
for %%A in (%filter%) do if %%~zA==0 goto :skipname
nslookup %IPADD% | sed -n "4p" | awk "{print $2}" > %COMPFILE%
set /p COMPNAME=<%COMPFILE%

rem ### Check for any DAMEWARE remote app session and log its ip/name
:skipname
netstat -na | find "6129" | find "ESTABLISHED" | sed -n "2p" | awk "{print $3}" | sed s/:.*// > c:\damwip.txt
set /p DAMWIP=<c:\damwip.txt
rem echo %DAMWIP%
set "filter=c:\damwip.txt"
rem for %%A in (%filter%) do if %%~zA==0 echo no damw
REM goto :skipdamw
rem ### if no damware ip session found, make it null x
IF "%DAMWIP%"=="127.0.0.1" (
set DAMWIP=x
)

rem ### If there is no remote session for both RDP and DW , then set variable accordingly
:skipdamw
if "%DAMWIP%"=="x" goto :1
nslookup %DAMWIP% | sed -n "4p" | awk "{print $2}" > c:\backup\damwip.txt
set /p COMPNAME=<c:\backup\damwip.txt
goto :skip
:1
if "%IPADD%"=="x" goto :cond
goto :skip
:cond
set IPADD=LOCAL-LOGIN
set DAMWIP=LOCAL-LOGIN
:skip

if "%COMPNAME%"=="" set COMPNAME=LOCAL-LOGIN
REM --- SERVER LOG FILE
echo --------------------------------- >> %LOGSERVER%
ECHO LOGIN >> %LOGSERVER%
echo RDP Client IP: %IPADD% - / DW IP: %DAMWIP% / Remote Client PC: %COMPNAME%
echo Login User: %USERNAME% / To: %COMPUTERNAME% / Local IP: %LOCALIP% / %DATE% %TIME%
echo RDP Client IP: %IPADD% - DW IP: %DAMWIP% / Remote Client PC: %COMPNAME% >> %LOGSERVER%
echo Username - %USERNAME% / Computer - %COMPUTERNAME% / %DATE% %TIME% >> %LOGSERVER%
echo --------------------------------- >> %LOGSERVER%

REM --- LOCAL LOG FILE
echo --------------------------------- >> %LOGLOCAL%
ECHO LOGIN >> %LOGLOCAL%
echo RDP Client IP: %IPADD% - DW IP: %DAMWIP% / Remote Client PC: %COMPNAME% >> %LOGLOCAL%
echo Username - %USERNAME% / Computer - %COMPUTERNAME% / %DATE% %TIME% >> %LOGLOCAL%

echo --------------------------------- >> %LOGLOCAL%


Windows Task Scheduler Configuration >

task1

task-1

task2

 


Result:

Now you can open the log file at log server, or local pc as well.

 


LOGIN
RDP Client IP: x - DW IP: 10.0.0.58 / Remote Client PC: zaib.pc
Username - user.id / Computer - APPSRV / Thu 01/19/2017 14:31:36.68
---------------------------------
---------------------------------
LOGOFF -- APPSRV APPSRV Thu 01/19/2017 14:31:41.09
---------------------------------
---------------------------------
LOGIN
RDP Client IP: LOCAL-LOGIN - DW IP: LOCAL-LOGIN / Remote Client PC: LOCAL-LOGIN
Username - user.id / Computer - APPSRV / Thu 01/19/2017 14:33:11.35
---------------------------------
LOGIN -- user.id APPSRV Thu 01/19/2017 14:33:16.02
---------------------------------
LOGOFF -- user.id APPSRV Thu 01/19/2017 14:33:23.14
---------------------------------
LOGIN -- user.id APPSRV Thu 01/19/2017 15:35:03.51
---------------------------------
LOGIN
RDP Client IP: 10.1.2.250 - DW IP: x / Remote Client PC: seconduser.domain
Username - APPSRV / Computer - APPSRV / Thu 01/19/2017 15:35:04.54
---------------------------------


Scenario#2:

Log information of every user login/logout in %username%.txt in remote server folder .

Using Domain GPO , set it to execute login-log.cmd file at Startup


@echo off
echo LOGIN -- %USERNAME% %COMPUTERNAME% %CLIENTNAME% %DATE% %TIME% >> \\LOGSERVER\userlog\%USERNAME%.log

at remote log server, you can set permission so that user can only write in it, but not explore it.

permission


blah blah blah

Syed.Jahanzaib

January 6, 2017

Gathering Stats from remote Windows via Linux Shell

Filed under: Linux Related, Uncategorized — Tags: , , , , , , , — Syed Jahanzaib / Pinochio~:) @ 2:43 PM

Reference Post:

Following are few simple methods to query information for various instances like remote windows service status , performance monitor instance result with trimming , , execute commands on remote windows box , all being done from our beloved Linux boX 😉

I must admit that even after spending years in this field, I still feel myself very doodle, blockhead & light brain in almost every topic or subject I get confronted with ! STML plays an important role in my Deficiency  ‘_’    – 😉

ots1087__97717-1410905363-1280-1280


Executing command on remote windows server, and get its result in output

$WINEXE --user=$DOMAIN/$ADMINID%$ADMINPASS //$SERVERIP "C:\TEMP\COMMAND.EXE -syntax-if-any"

Note: above command requires WINEXE tool (Linux tools to execute command on remote windows)

Querying Remote Windows Performance Monitor Instances

Example, we have Forefront TMG 2010 and we want to see its Cache Hit % from our linux box shell, so we can use following command (It was real hard to escape nested double quotes :O )

This is very very useful command and it took few hours for me to trim the required result for plotting graph.

winexe -U domain/admin%"password" //MYSERVER 'typeperf -sc 1 -si 1 "\\MYSERVER\Forefront TMG Web Proxy\Cache Hit Ratio (%)"'

and with bash script I used it like

root@linux:/temp# cat tmg-cachehit.sh

#!/bin/bash
# Script to query TMG cache HIT after trimming
#set -x
IP="10.0.0.1"
DOMAIN="MYDOMIN"
ID="ADMIN"
PASS="PASSWORD"
TMP_HOLDER="/tmp/$IP.cache.hit.txt"
winexe -U $DOMAIN/$ID%"$PASS" //$IP 'typeperf -sc 1 -si 1 "\\101.11.11.6\Forefront TMG Web Proxy\Cache Hit Ratio (%)"' > $TMP_HOLDER
RESULT=`cat $TMP_HOLDER | sed -n 3p | awk '{print $2}' | cut -d "," -f 2 | tr -d '"' | cut -f1 -d"."`
echo $RESULT
echo $RESULT

Result:

tmg-cache-hit


Check remote windows service status

Example if we want to query service status result of Lotus domino mail server  from our linux box …

root@linux:/temp# net rpc service status "Lotus Domino Server (DLotusDominodata)" -I 10.0.0.1 --user=DOMAIN/ADMINID%PASSWORD

RESULT:

Lotus Domino Server (DLotusDominodata) service is running.
Configuration details:
Controls Accepted = 0x5
Service Type = 0x110
Start Type = 0x2
Error Control = 0x0
Tag ID = 0x0
Executable Path = "X:\Lotus\nservice.exe" "=X:\Lotus\notes.ini" "-jc" "-c"
Load Order Group =
Dependencies = /
Start Name = LocalSystem
Display Name = Lotus Domino Server (DLotusDominodata)

Allah Shuker


I used all above commands in various script for alerts and mrtg graphing. you can use it to fulfill any customized requirements.

Regard’s
Syed Jahanzaib

January 3, 2017

Ubiquiti Unifi Notes & Odd methods of acquiring Info

Filed under: Ubiquiti — Syed Jahanzaib / Pinochio~:) @ 9:49 AM

ubiquity


1- Odd method to acquire total number of active WiFi Clients

Bash script to acquire some info via UniFi controller like active number of WiFi clients connected with different UniFi AP LR in the company.


#!/bin/bash
# Script to query active clients by curl from unifi controller
# Syed jahanzaib / aacable . wordpress . com / aacable at hotmail dot com
# 2nd-January-2017
#set -x
# UniFi Controller IP and Port
IP="10.0.0.1"
PORT="8443"
COOKIE="/tmp/cookies.txt"
TMP_HOLDER="/tmp/$IP.active.wifi.clients.txt"
# pattern to match to count active clients using string matching
PATTERN="hostname"

# First Login to controller via CURL
curl -s "https://$IP:$PORT/api/login" --data-binary '{"username":"admin","password":"CONTROLLERPASSWORD","strict":true}' --compressed --insecure -c $COOKIE > /dev/null

# Download Statistics from controller using CURL
curl -s --insecure -b $COOKIE -c $COOKIE "https://$IP:$PORT/api/s/default/stat/sta" > $TMP_HOLDER

# Count active users by pattern match,  what an odd method, may not work correctly, but so far working for me
ACTIVE=`cat $TMP_HOLDER | grep -o $PATTERN | wc -l`
echo $ACTIVE
echo $ACTIVE


Result in command …

unifi-active

 

CFG file for MRTG …

# Unifi Controller - WiFi Active WiFi Clients - syed.jahanzaib
Target[unifi_wifi_active_users]: `/temp/unifi-client.sh`
Title[unifi_wifi_active_users]: Active Wifi Clients via Unifi Controller
PageTop[unifi_wifi_active_users]: <H1>Active Wifi Clients via Unifi Controller</H1>
MaxBytes[unifi_wifi_active_users]: 50000
Colours[unifi_wifi_active_users]: B#8888ff,B#0813B7,B#5398ff,B#0813B7
Options[unifi_wifi_active_users]: growright,nopercent,gauge,integer,nobanner,printrouter,pngdate,noo
LegendI[unifi_wifi_active_users]: Active Wifi Users
LegendO[unifi_wifi_active_users]:
YLegend[unifi_wifi_active_users]: Active Wifi Users
Legend1[unifi_wifi_active_users]: Active Wifi Users
Legend2[unifi_wifi_active_users]:
ShortLegend[unifi_wifi_active_users]:
#Unscaled[unifi_wifi_active_users]: dwmy

MRTG Graph for Active WiFi Clients via UniFi Controller …

1-wifi

  •  – – – – – – – – –
  •  – – – – – – – – –
  •  – – – – – – – – –
  •  – – – – – – – – –

Following are some snapshots from the UniFi Controller for some comparison that script is working accurate so far …
(However it is still under observation to monitor its accuracy result / zaib)

1

2


2- Odd method to acquire total number of Active Access Points Vs Down [Registered in UniFi Controller]

Bash script to acquire total number of registered access points (unifi AP-LR) and there status as well to compare Active vs down.


#!/bin/bash
# Script to query active clients by curl from unifi controller
#set -x
IP="10.0.0.1"
PORT="8443"
COOKIE="/tmp/cookies.txt"
TMP_HOLDER="/tmp/$IP.total.ap.txt"
PATTERN="adopted"
curl -s "https://$IP:$PORT/api/login" --data-binary '{"username":"admin","password":"CONTROLLERPASSWORD","strict":true}' --compressed --insecure -c $COOKIE > /dev/null
curl -s --insecure -b $COOKIE -c $COOKIE "https://$IP:$PORT/api/s/default/stat/device" > $TMP_HOLDER
ACTIVE=`cat $TMP_HOLDER | grep -o $PATTERN | wc -l`
DOWN=`grep -oP '\"state\" : \K[^ ]*' $TMP_HOLDER | grep 0 | wc -l`
echo $DOWN
echo $ACTIVE

Result in command …

[Total access points  vs DOWN]

ap-up-vs-down

CFG file for MRTG …


# Unifi Controller - UniFi AP-LR - Active Access Points vs DOWN
Target[unifi_ap_total_vs_down]: `/temp/unifi-devices.sh`
Title[unifi_ap_total_vs_down]: UniFi AP-LR - Active Access Points vs DOWN
PageTop[unifi_ap_total_vs_down]: <H1>UniFi AP-LR - Active Access Points vs DOWN</H1>
MaxBytes[unifi_ap_total_vs_down]: 5000
Colours[unifi_ap_total_vs_down]: B#0000FF,R#FF0000,B#0000FF,R#FF0000
Options[unifi_ap_total_vs_down]: growright,nopercent,gauge,integer,nobanner,printrouter,pngdate
LegendI[unifi_ap_total_vs_down]: Active AP -->
LegendO[unifi_ap_total_vs_down]: Down AP -->
YLegend[unifi_ap_total_vs_down]: Active vs Down
Legend1[unifi_ap_total_vs_down]: Active Access Points
Legend2[unifi_ap_total_vs_down]: Down Access Points
ShortLegend[unifi_ap_total_vs_down]:
#Unscaled[unifi_ap_total_vs_down]: dwmy

MRTG Graph for Active WiFi AP DEVICES via UniFi Controller …

3-active-vs-down-ap


3# Upgrade UniFi AP LR Access Point via SSH/CLI

We have few unifi AP-LR  Wireless Access Points in our company which are connected with the Unifi Controller ver 5.2.9.0 on windows 2008 r2 / x64 server. For some unknown reasons I was unable to upgrade the access point’s firmware from the controller. Therefore I upgraded all AP’s via SSH method which is posted below …

First download the appropriate firmware and upload it to some web server. (at the time of upgrading the latest firmware version was  3.7.21.5389 , you make sure to download latest one available)
Select your model / download from following link …

https://www.ubnt.com/download/unifi/

[Luckily I had local web server available so I simply put this file into my /var/www folder (for ubuntu)]

 

Now login in the access point via SSH , and issue this command

upgrade http://101.0.0.1/BZ.ar7240.v3.7.21.5389.161017.0923.bin

Make sure to change the path or ip according to your network. Once its upgraded it rebooted and new Firmware was 3.7.21.5389


I will post more info later … 3.7.21.5389

Regard’s
Syed Jahanzaib

Blog at WordPress.com.