We have a need to see login failures on an IIS 6 & 7 server farm. I would assume that some sort of log parsing will be required to make this work. Could someone point me in the right direction?
How can I monitor login failures on a web server?
Votes:
0
Best Answer
Votes:
0
Here is a small batch file to get you going, with a few remarks:
- You will have to set the "logfolder" variable to your own log file location.
- The script assumes log files are created on a daily basis and therefore returns the number of failed logins in the last created log file.
- The script is provided "as is" and you are of course free to make your own modifications and improvements.
    @ECHO OFF
    SET logfolder=\\YOUR_COMPUTER\c$\WINDOWS\system32\LogFiles\W3SVC1
    SET /a counter=0

    :: get newest file (DIR /O:D sorts oldest first, so the last name wins)
    FOR /F "delims=" %%f IN ('DIR "%logfolder%" /B /O:D') DO SET newestfile=%%f

    :: copy newest file to temp file
    COPY "%logfolder%\%newestfile%" c:\temp\xx.log > NUL

    :: process each line in the file
    :: REM is used inside the parentheses because "::" comments can break a block
    FOR /F "usebackq delims=" %%l IN ("c:\temp\xx.log") DO (
        REM get the 12th column in the line; this is sc-status only if the
        REM logged fields put it there, so check the #Fields header of your log
        FOR /F "tokens=12 delims= " %%a IN ("%%l") DO (
            IF "%%a"=="401" SET /a counter+=1
        )
    )

    :: delete temp file
    DEL c:\temp\xx.log > NUL

    :: output to PRTG
    ECHO %counter%:Ok
5 Replies
Votes:
0
If you have enabled logging in IIS for your "web site", the log files by default reside in C:\WINDOWS\system32\LogFiles
Here you can examine the xx.log files and find the lines with 401 in the sc-status column.
(401 stands for Unauthorized login attempt)
Votes:
0
How could I automate this process with PRTG?
Votes:
0
Depending on what you exactly want to monitor, for example the total number of failed attempts for the last hour, you will have to write a Custom Sensor (script, batch or exe) that counts the 401's over the last hour.
The /api.htm page on your PRTG server can give you more detail on how to write such a sensor.
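The hourly count described in this reply, as an added PowerShell example that is not part of the original thread: it locates the sc-status column from the log's #Fields header instead of assuming a fixed position, and counts only 401 responses from the last hour. The log folder path, the parameter names and the function name are assumptions.

```powershell
# Added example: PRTG EXE/Script sensor counting HTTP 401 responses in the last hour.
# $LogFolder and $Minutes are assumed names; point $LogFolder at your own site's logs.
param(
    [string]$LogFolder = '\\YOUR_COMPUTER\c$\WINDOWS\system32\LogFiles\W3SVC1',
    [int]$Minutes = 60
)

function Get-FailedLoginCount {
    param([string[]]$Lines, [datetime]$SinceUtc)
    $count = 0
    $idx = @{}
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            # Rebuild the column map; IIS writes this header again after a restart
            $idx = @{}
            $names = $line.Substring(8).Trim() -split '\s+'
            for ($i = 0; $i -lt $names.Count; $i++) { $idx[$names[$i]] = $i }
            continue
        }
        if ($line.StartsWith('#') -or $line.Trim() -eq '') { continue }
        # The date, time and sc-status fields must all be enabled in IIS logging
        if (-not ($idx.ContainsKey('date') -and $idx.ContainsKey('time') -and
                  $idx.ContainsKey('sc-status'))) { continue }
        $cols = $line -split ' '
        if ($cols.Count -lt $idx.Count) { continue }      # skip truncated lines
        if ($cols[$idx['sc-status']] -ne '401') { continue }
        # W3C log timestamps are written in UTC
        $stamp = [datetime]::ParseExact(
            "$($cols[$idx['date']]) $($cols[$idx['time']])",
            'yyyy-MM-dd HH:mm:ss', [Globalization.CultureInfo]::InvariantCulture)
        if ($stamp -ge $SinceUtc) { $count++ }
    }
    return $count
}

# The last hour can span two daily files around midnight UTC, so read the two newest
$files = @(Get-ChildItem -Path $LogFolder -Filter *.log -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime | Select-Object -Last 2)
if ($files.Count -eq 0) {
    Write-Output "0:No log files found in $LogFolder"
    exit 2    # PRTG treats exit code 2 as a system error
}
$lines = @($files | ForEach-Object { Get-Content -Path $_.FullName })
$failed = Get-FailedLoginCount -Lines $lines -SinceUtc ([datetime]::UtcNow.AddMinutes(-$Minutes))
Write-Output "${failed}:Ok"
```

With Integrated Windows Authentication, each new session begins with 401 challenge responses as part of the normal handshake, so set the sensor's limits against the usual baseline rather than alerting on any non-zero value.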