PowerShell + LogParser to extract successful authentication attempts for Exchange protocols

Scenario: You want to use LogParser via PowerShell to extract the usernames for all successful authentication attempts to Exchange On-Premises.

Scriptlet:


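#Servers
$Servers = Get-ExchangeServer | Sort-Object Name

#LogParser binary. Checked once up front so a missing install fails
#immediately instead of producing one "command not found" error per log file.
$LogParser = 'C:\Program Files (x86)\Log Parser 2.2\logparser.exe'
if (-not (Test-Path -LiteralPath $LogParser)) {
    throw "LogParser not found at $LogParser"
}

#Protocol name -> substring matched (case-insensitively) against cs-uri-stem.
#Ordered so output below appears in the same order as the result variables.
#These are substring matches, so e.g. 'ews' also matches any other URI that
#happens to contain "ews"; tighten the patterns if that matters for your site.
$Protocols = [ordered]@{
    EWS  = 'ews'
    MAPI = 'mapi'
    OWA  = 'owa'
    ECP  = 'ecp'
    PS   = 'powershell'
    EAS  = 'activesync'
}

#results, one array of LogParser text rows per protocol
$Results = @{}
foreach ($p in $Protocols.Keys) { $Results[$p] = @() }

#LogParser Loop
foreach ($srv in $Servers.Name) {
    # Reads IIS logs over the C$ admin share, so the caller needs local admin
    # on every Exchange server. @() forces an array: with no matching files
    # Get-ChildItem returns $null, and piping $null into ForEach-Object would
    # otherwise run the body once with an empty path (and a broken query).
    $logs = @(Get-ChildItem -Path "\\$srv\c$\inetpub\logs\logfiles\W3SVC1\*.log" -ErrorAction SilentlyContinue)
    if ($logs.Count -eq 0) {
        Write-Warning "No IIS logs found on $srv (share unreachable or no W3SVC1 logs)"
        continue
    }

    foreach ($log in $logs) {
        $l = $log.FullName
        # Progress goes to the host, not the output stream, so the script's
        # pipeline output is only the result rows.
        Write-Host "Searching logs on $l"

        foreach ($p in $Protocols.Keys) {
            Write-Host "...$p"
            # $l is interpolated into the query text. It comes from the admin
            # share directory listing, not from user input, but a path
            # containing a single quote would still break the query.
            # cs-username IS NOT NULL: IISW3C maps the '-' of anonymous
            # requests to NULL, and a 200 on e.g. the OWA logon page is not a
            # successful authentication, so those rows are excluded.
            # NOT LIKE 'S-1%' drops unresolved SIDs; '%healthmailbox%' drops
            # monitoring accounts.
            $query = @"
SELECT count(*) as hits, cs-username  from '$l' Where SC-Status=200  AND  cs-uri-stem LIKE '%$($Protocols[$p])%' AND cs-username IS NOT NULL AND cs-username NOT LIKE '%healthmailbox%' AND cs-username NOT LIKE 'S-1%' GROUP BY cs-username order by hits desc
"@
            # -q:on -rtp:-1: quiet, no paging; output is plain text rows.
            $Results[$p] += & $LogParser -i:IISW3C -q:on -rtp:-1 $query
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "logparser exited with $LASTEXITCODE for $p on $l"
            }
        }
    }
}

#Same per-protocol variables as before, so anything that reads them still works.
#Note the rows contain account names; treat the output as sensitive.
$EWS_Results  = $Results['EWS']
$MAPI_Results = $Results['MAPI']
$OWA_Results  = $Results['OWA']
$ECP_Results  = $Results['ECP']
$PS_Results   = $Results['PS']
$EAS_Results  = $Results['EAS']

#View:
$EWS_Results
$MAPI_Results
$OWA_Results
$ECP_Results
$PS_Results
$EAS_Results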
