1

我几乎完成了这个 Powershell 脚本,但我被困在最后一部分,并且在最后一步真的可以使用一些帮助。以下是我迄今为止编写的 PS 脚本

$t1 =(get-date).AddMinutes(-10)
$t2 =$t1.ToUniversalTime().ToString("HH:mm:ss")
$IISLogPath = "C:\inetpub\logs\LogFiles\W3SVC1\"+"u_ex"+(get-date).ToString("yyMMdd")+".log" 
$IISLogFileRaw = [System.IO.File]::ReadAllLines($IISLogPath) 
$headers = $IISLogFileRaw[3].split(" ") 
$headers = $headers | where {$_ -ne "#Fields:"}
$IISLogFileCSV = Import-Csv -Delimiter " " -Header $headers -Path $IISLogPath
$IISLogFileCSV = $IISLogFileCSV | where {$_.date -notlike "#*"}
$timeTaken = $IISLogFileCSV | where {$_.("cs-uri-stem") -eq '/Login.aspx' -AND $_.("time") -gt '$t2' } | Format-Table time,s-ip

所以基本上它会查看当前的 IIS 日志,并在用户在过去 10 分钟内进入登录页面时进行过滤。我坚持的部分是我想在这 10 分钟内收到超过 10 次 IP 的电子邮件(基本上是在发生蛮力攻击时收到警报)。我编写的代码的电子邮件部分只需要说明当 s-ip 命中 /login.aspx 超过 10 次时的部分。同样在我的“测试箱”中,我已经改变$t2$IISLogPath成为以下

$t2 = 20:00:00
$IISLogPath = C:\test\log.log

下面是我的示例日志文件:

#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2012-06-27 15:05:24
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-06-27 20:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 20:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 20:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 20:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
4

2 回答 2

3

在稍微修改了脚本之后,我找到了解决方案。下面是整个脚本

$t1 =(get-date).AddMinutes(-10)
$t2 =$t1.ToUniversalTime().ToString("HH:mm:ss")
$IISLogPath = "C:\inetpub\logs\LogFiles\W3SVC1\"+"u_ex"+(get-date).ToString("yyMMdd")+".log" 
$IISLogFileRaw = [System.IO.File]::ReadAllLines($IISLogPath) 
$headers = $headers | where {$_ -ne "#Fields:"} 
$IISLogFileCSV = Import-Csv -Delimiter " " -Header $headers -Path $IISLogPath 
$IISLogFileCSV = $IISLogFileCSV | where {$_.date -notlike "#*"} 
$timeTaken = ($IISLogFileCSV | where {$_.("cs-uri-stem") -eq '/Login.aspx' -AND $_.("time") -gt '$t2' -AND $_.("cs-method") -eq 'Get'}).count  
$count = $timeTaken
if($count -ge 8)
{
 Send-MailMessage -From from@domain.com -To to@domain.com -Subject "IIS Alert" -BodyAsHtml "Email body goes here" -Attachments $IISLogPath  -SmtpServer ip.add.re.ss
}
于 2012-06-29T20:30:40.357 回答
2

在解析/查询日志文件时,您应该使用Microsoft LogParser来完成大部分繁重的工作。它会为您节省很多痛苦,并且可能会更快启动。

你可以用 PowerShell 包装它来解析你的查询结果。

于 2012-06-29T13:07:19.393 回答