We have a need to see login failures on a IIS 6 & 7 server farm. I would assume that some sort of log parsing will be required to make this work. Could someone point me in the right direction?
Created on Sep 13, 2011 6:43:12 PM by
Best Answer
Accepted Answer
Here is a small batch file to get you going, with a few remarks:
- You will have to set the "logfolder" variable to your own log file location.
- The script assumes log files are created on a daily basis and therefore returns the number of failed logins in the last created log file.
- The script is provided "as is" and you are of cause free to make your own modifications and improvements.
@ECHO OFF
SET logfolder=\\YOUR_COMPUTER\c$\WINDOWS\system32\LogFiles\W3SVC1
SET /a counter=0
:: get newest file
FOR /F %%f IN ('DIR %logfolder% /B /O:D') DO SET newestfile=%%f
:: copy newest file to temp file
COPY "%logfolder%\%newestfile%" c:\temp\xx.log > NUL
:: process each line in the file
FOR /F "usebackq delims=" %%l in (c:\temp\xx.log) DO (
:: get the 12th column in the line
FOR /F "tokens=12 delims= " %%a in ("%%l") DO (
IF %%a == 401 SET /a counter+=1
)
)
:: delete temp file
DEL c:\temp\xx.log > NUL
:: output to PRTG
ECHO %counter%:Ok
Created on Sep 16, 2011 11:03:42 AM by
5 Replies
If you have enabled logging in IIS for your "web site", the log files by default reside in C:\WINDOWS\system32\LogFiles
Here you can examine the xx.log files and find the lines with 401 in the sc-status column.
(401 stands for Unauthorized login attempt)
Created on Sep 14, 2011 12:32:07 PM by
How could I automate this process with PRTG?
Created on Sep 14, 2011 2:18:10 PM by
Depending on what you exactly want to monitor, for example the total number of failed attempts for the last hour, you will have to write a Custom Sensor (script, batch or exe) that counts the 401's over the last hour.
The /api.htm page on your PRTG server can give you more detail on how to write such a sensor.
Created on Sep 14, 2011 3:05:34 PM by
Accepted Answer
Here is a small batch file to get you going, with a few remarks:
- You will have to set the "logfolder" variable to your own log file location.
- The script assumes log files are created on a daily basis and therefore returns the number of failed logins in the last created log file.
- The script is provided "as is" and you are of cause free to make your own modifications and improvements.
@ECHO OFF
SET logfolder=\\YOUR_COMPUTER\c$\WINDOWS\system32\LogFiles\W3SVC1
SET /a counter=0
:: get newest file
FOR /F %%f IN ('DIR %logfolder% /B /O:D') DO SET newestfile=%%f
:: copy newest file to temp file
COPY "%logfolder%\%newestfile%" c:\temp\xx.log > NUL
:: process each line in the file
FOR /F "usebackq delims=" %%l in (c:\temp\xx.log) DO (
:: get the 12th column in the line
FOR /F "tokens=12 delims= " %%a in ("%%l") DO (
IF %%a == 401 SET /a counter+=1
)
)
:: delete temp file
DEL c:\temp\xx.log > NUL
:: output to PRTG
ECHO %counter%:Ok
Created on Sep 16, 2011 11:03:42 AM by
Thanks! That worked perfectly.
Created on Sep 19, 2011 4:28:51 PM by
Please log in or register to enter your reply.
Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.
Add comment