# Folder holding the collected "messages.*" syslog files to audit
# (resolved relative to the current working directory).
$folder = '.\messages_folder'
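#region Logon/off audit
# Parses the "User login:" / "User logout:" lines of every file in $folder into
# objects and prints a count per (source, username, names, role, client, auth).
# Lines that were pre-selected as logon events but do not fit the pattern are kept
# in $no_match so that an unexpected log format is reported rather than dropped.
$all      = New-Object System.Collections.Generic.List[object]
$no_match = New-Object System.Collections.Generic.List[object]
$pattern = @'
User (?:logout|login): username '(?<username>[a-zA-Z0-9_@.-]+)',( local username '(?<local>[\w\d]+)',)?( full name '(?<fullname>[a-zA-Z ]+)',)? role '(?<role>.+)', client '(?<client>.+)', line '(?<line>.+)', remote (?:address|hostname) '(?<source>.+)', auth method '(?<auth>[a-z]+)',( auth submethod '(?<auth_sub>[a-z]+)',)? session ID (?<sessionid>.+)
'@
# Log content is untrusted input (usernames, hostnames, client strings come from the
# remote side) and the pattern has several unbounded ".+" groups that can backtrack
# heavily on an odd line, so bound the match time instead of letting one line stall the run.
$r = New-Object regex -ArgumentList $pattern, ([System.Text.RegularExpressions.RegexOptions]::None), ([timespan]::FromSeconds(2))
Get-ChildItem -Path $folder -File | ForEach-Object {
  Write-Host -ForegroundColor Yellow "Processing $($_.FullName)"
  # Cheap, case-insensitive pre-filter; $r does the strict parsing on the line text only
  # (matching on the MatchInfo object itself would feed "path:lineno:line" to the regex).
  Select-String -Path $_.FullName -Pattern 'User log(in|out):' | ForEach-Object {
    try {
      $m = $r.Match($_.Line)
    }
    catch [System.Text.RegularExpressions.RegexMatchTimeoutException] {
      # Treat a timed-out line as unparsed rather than aborting the whole audit.
      $no_match.Add($_)
      return
    }
    if ($m.Success) {
      # Optional groups (local, fullname, auth_sub) that did not participate have
      # Success=$false and Value="", so reading .Value directly yields the same
      # empty string the previous per-field branches produced.
      $all.Add([pscustomobject]@{
        username  = $m.Groups['username'].Value
        fullName  = $m.Groups['fullname'].Value
        localName = $m.Groups['local'].Value
        role      = $m.Groups['role'].Value
        client    = $m.Groups['client'].Value
        line      = $m.Groups['line'].Value
        source    = $m.Groups['source'].Value
        auth      = $m.Groups['auth'].Value
        auth_sub  = $m.Groups['auth_sub'].Value
        sessionID = $m.Groups['sessionid'].Value
      })
    }
    else {
      # [regex]::Match() always returns a Match object, so the old test on the
      # object itself was always true and this branch was unreachable; .Success
      # is what distinguishes a parsed line from a miss.
      $no_match.Add($_)
    }
  }
}
$all |
  Group-Object source, username, fullName, localName, role, client, auth, auth_sub |
  Sort-Object Name |
  Format-Table Count, Name
if ($no_match.Count -gt 0) {
  Write-Warning "$($no_match.Count) logon line(s) did not match the expected format; inspect `$no_match"
}
#endregion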
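#region SSH audit
# Collects every "pam_unix" line from the files in $folder and counts identical
# messages. Only the text after the syslog "...[pid]:" prefix is kept so that the
# timestamp, host and pid do not split otherwise identical events into separate groups.
$pam = Get-ChildItem -Path $folder -File | ForEach-Object {
  Write-Host -ForegroundColor Yellow "Processing $($_.FullName)"
  Select-String -Path $_.FullName -Pattern 'pam_unix' | ForEach-Object {
    # Split on the first "]:" only, and on the line text itself: splitting the
    # Select-Object wrapper (as before) stringified it as "@{Line=...}" and left a
    # stray "}" at the end of every entry. Lines without a "]:" prefix are skipped.
    $parts = $_.Line -split '\]:', 2
    if ($parts.Count -eq 2) { $parts[1].Trim() }
  }
}
$pam | Group-Object | Sort-Object Name | Format-Table Count, Name
#$pam | Group-Object | Sort-Object Count | Format-Table Count, Name
#endregion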