alexmartin Posted September 4, 2011 Posted September 4, 2011 Guys, I am worried about how to track an IP address from event viewer which is having more than 100 or 200 incoming connections to my server. But I am afraid as I can track those suspected IP address by using netstat but this is used to track the live connections only. But I want suspected IP address which was affected my server past. Thanks. Quote
ICTCity Posted September 4, 2011 Posted September 4, 2011 Hi, it's easy. From technet: strComputer = "." Set objWMIService = GetObject("winmgmts:" _ & "{impersonationLevel=impersonate}!\\" _ & strComputer & "\root\cimv2") Set colLoggedEvents = objWMIService.ExecQuery _ ("Select * from Win32_NTLogEvent " _ & "Where Logfile = 'System'") For Each objEvent in colLoggedEvents Wscript.Echo "Category: " & objEvent.Category & VBNewLine _ & "Computer Name: " & objEvent.ComputerName & VBNewLine _ & "Event Code: " & objEvent.EventCode & VBNewLine _ & "Message: " & objEvent.Message & VBNewLine _ & "Record Number: " & objEvent.RecordNumber & VBNewLine _ & "Source Name: " & objEvent.SourceName & VBNewLine _ & "Time Written: " & objEvent.TimeWritten & VBNewLine _ & "Event Type: " & objEvent.Type & VBNewLine _ & "User: " & objEvent.User Next Also, if you need something more complex... http://gallery.technet.microsoft.com/scriptcenter/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=logs&f%5B0%5D.Text=Logs%20and%20monitoring There are plenty of examples you can use :) Quote -------------------------------------------------------- Tu peux aussi crire en franais. Du kannst auch auf Deutsch schreiben. Puoi scrivere anche in italiano. --------------------------------------------------------
alexmartin Posted September 4, 2011 Author Posted September 4, 2011 Hi, Thank you! But I haven't much knowledge in Windows in spcefically Event Viewer. Can you please let me know do i need to make this as batch file and run it in command prompt. Can you able to point me clearly to find such connection IP addresses in Event viewer. Thanks again. Quote
ICTCity Posted September 4, 2011 Posted September 4, 2011 Ok, do you have any knowledge of PowerShell or VBScript? Starting from here: http://gallery.technet.microsoft.com/scriptcenter/ccc4f445-6c19-4300-9210-d8b200ab18ef you can easily retrieve all the events that you need and then, decide: write to file, send an e-mail, ... Everything depends on what do you want to do AND your knowledge. Quote -------------------------------------------------------- Tu peux aussi crire en franais. Du kannst auch auf Deutsch schreiben. Puoi scrivere anche in italiano. --------------------------------------------------------
alexmartin Posted September 4, 2011 Author Posted September 4, 2011 Hi, Sorry, I haven't knowledge anything about this, If you provide some steps to make this successfuly that would be great. Quote
ICTCity Posted September 4, 2011 Posted September 4, 2011 Well... Copy this code in a text file: $Log = "Application" $Computer ="." $ID = "1002" $Type = "Error" ##The above are your standard Event Viewer attributes, to choose the system log, replace the word Application ##To view Warnings or Information, replace the word Error $Objlog = New-Object system.diagnostics.eventLog($Log, $Computer) #$Objlog = $Objlog | Where-object { $_.EntryType -like $Type } #$Objlog.entries | select -last 5000 $result = $Objlog.entries | where { $_.EntryType -like "[$Type]*" } | select -last 2 | out-string ## On the above, you can amend the 'select -last 2 to whichever number of entries you would like to pull back write-host $result As written in the code itself, replace APPLICATION with the event log you need to check. Same thing for ERROR and ID. Save this file as WHATEVER.ps Run it from powershell and notice that you will have an output with the information needed. Quote -------------------------------------------------------- Tu peux aussi crire en franais. Du kannst auch auf Deutsch schreiben. Puoi scrivere anche in italiano. --------------------------------------------------------
Recommended Posts