How can I monitor login failures on a web server?

We have a need to see login failures on an IIS 6 & 7 server farm. I would assume that some sort of log parsing will be required to make this work. Could someone point me in the right direction?

iis login microsoft prtg username

Created on Sep 13, 2011 6:43:12 PM by  Drew Heath (0) 1



Best Answer

Accepted Answer

Here is a small batch file to get you going, with a few remarks:

  1. You will have to set the "logfolder" variable to your own log file location.
  2. The script assumes log files are created on a daily basis and therefore returns the number of failed logins in the last created log file.
  3. The script is provided "as is" and you are of course free to make your own modifications and improvements.

@ECHO OFF
SET logfolder=\\YOUR_COMPUTER\c$\WINDOWS\system32\LogFiles\W3SVC1
SET /a counter=0

:: get newest file
FOR /F  %%f IN ('DIR %logfolder% /B /O:D') DO SET newestfile=%%f

:: copy newest file to temp file
COPY "%logfolder%\%newestfile%" c:\temp\xx.log > NUL

:: process each line in the file
FOR /F "usebackq delims=" %%l in (c:\temp\xx.log) DO (
  REM get the 12th column in the line (this is sc-status only if it is the 12th field in the log's #Fields header)
  FOR /F "tokens=12 delims= " %%a in ("%%l") DO (
    IF %%a == 401 SET /a counter+=1
  )
)

:: delete temp file
DEL c:\temp\xx.log > NUL

:: output to PRTG
ECHO %counter%:Ok

Created on Sep 16, 2011 11:03:42 AM by  PRTG Tools Family [prtgtoolsfamily.com] (13,413) 3 4



5 Replies

If you have enabled logging in IIS for your "web site", the log files by default reside in C:\WINDOWS\system32\LogFiles

Here you can examine the xx.log files and find the lines with 401 in the sc-status column.

(401 stands for Unauthorized login attempt)

Created on Sep 14, 2011 12:32:07 PM by  PRTG Tools Family [prtgtoolsfamily.com] (13,413) 3 4



How could I automate this process with PRTG?

Created on Sep 14, 2011 2:18:10 PM by  Drew Heath (0) 1



Depending on what you exactly want to monitor, for example the total number of failed attempts for the last hour, you will have to write a Custom Sensor (script, batch or exe) that counts the 401's over the last hour.

The /api.htm page on your PRTG server can give you more detail on how to write such a sensor.

Created on Sep 14, 2011 3:05:34 PM by  PRTG Tools Family [prtgtoolsfamily.com] (13,413) 3 4




Thanks! That worked perfectly.

Created on Sep 19, 2011 4:28:51 PM by  Drew Heath (0) 1
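
The counting approach from this thread, as an added example that is not part of the original posts or PRTG's own code: a PowerShell version that finds sc-status by name from the #Fields header instead of assuming column 12, and counts only the 401 responses from the last hour. The parameter names, the function name Get-FailedLoginCount and the sample log lines are assumptions made for this example.

```powershell
param(
    [string]$LogFolder = '',   # e.g. the thread's \\YOUR_COMPUTER\c$\WINDOWS\system32\LogFiles\W3SVC1
    [int]$WindowMinutes = 60
)
$inv = [cultureinfo]::InvariantCulture

function Get-FailedLoginCount {
    param([string[]]$Lines, [datetime]$SinceUtc)
    $idx = @{}; $count = 0
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            # The header names the columns and can recur mid-file; re-map every time.
            $idx = @{}
            $names = $line.Substring(8).Trim() -split '\s+'
            for ($i = 0; $i -lt $names.Count; $i++) { $idx[$names[$i]] = $i }
            continue
        }
        if ($line.StartsWith('#') -or -not $idx.ContainsKey('sc-status')) { continue }
        $f = $line -split ' '
        if ($f.Count -le $idx['sc-status'] -or $f[$idx['sc-status']] -ne '401') { continue }
        if ($idx.ContainsKey('date') -and $idx.ContainsKey('time')) {
            # W3C extended logs record date and time in UTC; skip lines that do not parse.
            $text = $f[$idx['date']] + ' ' + $f[$idx['time']]
            try { $stamp = [datetime]::ParseExact($text, 'yyyy-MM-dd HH:mm:ss', $inv) } catch { continue }
            if ($stamp -lt $SinceUtc) { continue }
        }
        $count++
    }
    return $count
}

$since = [datetime]::UtcNow.AddMinutes(-$WindowMinutes)
if ($LogFolder) {
    # Two newest files, so a window that spans the daily rollover is still covered.
    $files = Get-ChildItem -Path $LogFolder -Filter '*.log' | Sort-Object LastWriteTime | Select-Object -Last 2
    # Non-zero exit so a missing log is not reported as a healthy 0 (exit code is an assumption; see /api.htm).
    if (-not $files) { Write-Output '0:No log file found'; exit 2 }
    $lines = @($files | ForEach-Object { Get-Content -LiteralPath $_.FullName })
} else {
    # Constructed sample lines (not real log data): one old 401, one recent 401, one 200.
    $old = [datetime]::UtcNow.AddHours(-3).ToString('yyyy-MM-dd HH:mm:ss', $inv)
    $new = [datetime]::UtcNow.AddMinutes(-5).ToString('yyyy-MM-dd HH:mm:ss', $inv)
    $lines = @('#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status',
        "$old GET /admin - 192.0.2.10 401", "$new GET /admin - 192.0.2.10 401",
        "$new GET /index.htm - 192.0.2.11 200")
}
$n = Get-FailedLoginCount -Lines $lines -SinceUtc $since
Write-Output "${n}:Ok"   # same value:message form the batch file echoes
```

Run without -LogFolder, it evaluates the constructed sample and prints 1:Ok. Where a site uses Windows integrated authentication, the normal challenge handshake also logs 401 responses, so baseline the count before alerting on it.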


