Une demande m’a été faite récemment pour la détection de l’occurrence de deux events distincts à la même seconde, ce cas particulier traduisant un problème de sécurité spécifique.
Indépendamment de l’objectif final, il s’agit d’un cas intéressant auquel le script ci-dessous a répondu. Il contient des éléments propres à l’API SCOM mais peut bien sûr être adapté pour être utilisé indépendamment.
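##############################################################
### SCRIPT TO DETECT SPECIFIC TWO EVENTS OCCURING AT SAME TIME #####
##############################################################
# PARAMETERS:
### $Arguments: override string that is dot-sourced below to (re)assign the parameters
### $EventLog: Event Log to look in
### $EventSource: Event Source to search for
### $FirstEventId: First event to correlate
### $SecondEventId: second event to correlate
### $LastMinutes: Last Time Window to search in (minutes)
### $DayOfWeekToExclude: Day Of Week To Exclude (Example: "('Saturday','Sunday')" )
param(
    $Arguments,
    $EventLog,
    $EventSource,
    $FirstEventId,
    $SecondEventId,
    $LastMinutes,
    $DayOfWeekToExclude
)
# Name under which the script registers itself as an event source (used by every Write-EventLog below)
$ScriptName = "CorrelateTwoSpecEvent.ps1"
#FUNCTIONS
#Check for the existence of an event source with script name in operation manager eventlog to log some events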
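Function NewEventSource
{
    # Registers $ScriptName as an event source of the "Operations Manager" log the first time
    # the script runs on a host, so that the Write-EventLog calls of the script succeed.
    # Reads the script-scope $ScriptName; creating a source with New-EventLog needs elevated rights.
    if (!(Test-Path "HKLM:\SYSTEM\CurrentControlSet\services\eventlog\Operations Manager\$ScriptName"))
    {
        New-EventLog -LogName "Operations Manager" -Source $ScriptName
    }
}
#END FUNCTIONS
#Log of script execution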
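NewEventSource
write-eventlog -logname "Operations Manager" -Source $ScriptName -EventID 1000 -Message "Execution du script $ScriptName" -EntryType Information
# Create local variables from override value
# NOTE(review): the $Arguments override string is executed as PowerShell code in the current scope.
# Anyone allowed to edit that override can therefore run arbitrary commands under the account the
# agent uses for this script, on every targeted host. Restrict who may edit the override, and if the
# management pack is reworked prefer parsing a key=value string into the expected parameters.
.([Scriptblock]::Create($Arguments))
# Determine the moment in the week
if ((Get-date).DayOfWeek -in $DayOfWeekToExclude)
{
    # If the day is in $DayOfWeekToExclude -> NO ACTION – END OF SCRIPT
    # Write-Host is presumably only useful when run interactively; no property bag is returned on this path.
    Write-Host "$((Get-date).DayOfWeek) : NO ACTION – END OF SCRIPT"
    Exit 0
}
# Create the Scom property bag
$ScomAPI = New-Object -comObject "MOM.ScriptAPI"
$PropertyBag = $ScomAPI.CreatePropertyBag()
# $Message accumulates the report that is written to the event log and to the property bag
$Message = "SEARCH CRITERIAS: Log: $EventLog – Source: $EventSource – EventId: $FirstEventId or $SecondEventId `n"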
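$Message
try
{
    # One window start for both queries so the two searches cover exactly the same interval
    $StartTime = (Get-Date).AddMinutes(-$LastMinutes)
    # -ErrorAction SilentlyContinue: Get-WinEvent reports "no events found" as an error, and an empty
    # result must not abort the script (the variable is then $null). It also hides real failures such
    # as a wrong log name or access denied, so the catch below only sees terminating errors.
    # The results are stored in dynamic variables "<id>_Events" read later with Get-Variable.
    New-Variable -Name "$($FirstEventId)_Events" -Force -Value $(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{logname=$EventLog;ProviderName=$EventSource;id=$FirstEventId;StartTime=$StartTime})
    New-Variable -Name "$($SecondEventId)_Events" -Force -Value $(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{logname=$EventLog;ProviderName=$EventSource;id=$SecondEventId;StartTime=$StartTime})
}
catch
{
    $Message = "Error during retrieve of events in the $ScriptName script"
    $Message
    NewEventSource
    Write-EventLog -LogName "operations manager" -Source $ScriptName -EventId 1001 -EntryType Warning -Message "$Message"
    Exit 1
}
#If no one of the two events id have occurence no need to continue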
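if (!$(Get-Variable "$($FirstEventId)_Events").Value -and !$(Get-Variable "$($SecondEventId)_Events").Value)
{
    $Message = "No one of the two events id have occurences in last $LastMinutes minutes – END OF SCRIPT"
    $Message
    Write-EventLog -LogName "operations manager" -Source $ScriptName -EventId 1002 -EntryType Information -Message "$Message"
    # Stop here: without this exit the script fell through to the "only one" check and then to
    # Compare-Object on $null, which logged a spurious 1004 warning and exited 1 for a benign case.
    Exit 0
}
#If Only one of the two events id have occurences no need to continue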
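if (!$(Get-Variable "$($FirstEventId)_Events").Value -or !$(Get-Variable "$($SecondEventId)_Events").Value)
{
    $Message = "Only one of the two events id have occurences – END OF SCRIPT"
    $Message
    Write-EventLog -LogName "operations manager" -Source $ScriptName -EventId 1003 -EntryType Information -Message $Message
    # Stop here: without this exit Compare-Object below ran with a $null side and the run ended in
    # a 1004 warning with exit code 1 instead of a clean "nothing to correlate".
    Exit 0
}
# Both ids have at least one occurrence: report the counts before comparing
$Message = "$($(Get-Variable "$($FirstEventId)_Events").Value.count) occurence of event $FirstEventId and $($(Get-Variable "$($SecondEventId)_Events").Value.count) occurence of event $SecondEventId in the last $LastMinutes minutes"
$Message += "`nSTART OF COMPARAISON…`n"
#$Message
#Compare DateTimes at second level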
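try
{
    # The original compared only the .Second component (0-59) of TimeCreated, so events at
    # 10:01:05 and 10:02:05 counted as "same second" and produced false correlations.
    # Truncate each timestamp to a whole second instead and compare those strings.
    $FirstSeconds = @($(Get-Variable -Name "$($FirstEventId)_Events").Value | ForEach-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss') })
    $SecondSeconds = @($(Get-Variable -Name "$($SecondEventId)_Events").Value | ForEach-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss') })
    # -ExcludeDifferent -IncludeEqual keeps only the seconds present on both sides; $null when none
    $CompareResult = Compare-Object -ReferenceObject $FirstSeconds -DifferenceObject $SecondSeconds -ExcludeDifferent -IncludeEqual -Verbose
}
catch
{
    $Message += "Error during comparaison of Date Creation"
    $Message
    NewEventSource
    Write-EventLog -LogName "operations manager" -Source $ScriptName -EventId 1004 -EntryType Warning -Message $Message
    Exit 1
}
#If $CompareResult is null, Events have not occured at the same time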
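If (!($CompareResult))
{
    $Message += "Events $FirstEventId and $SecondEventId have not occured at the same second – No correlation"
    $Message
    NewEventSource
    # NOTE(review): EventId 1004 is also used for the comparison-failure Warning above, so a rule
    # filtering on the id alone cannot tell the two apart. Left unchanged so existing SCOM rules
    # keep matching; a distinct id would be clearer.
    Write-EventLog -LogName "operations manager" -Source $ScriptName -EventId 1004 -EntryType Information -Message $Message
    exit 0
}
Else
{
    NewEventSource
    $Message += "EVENT $FirstEventId and $SecondEventId have occured at same second $($CompareResult.count) times `n"
    $Message += "`nEVENTS OF LAST $LastMinutes MINUTES:`n"
    # Append the raw events of both ids to the report (Out-String renders the objects as text)
    $Message += $(Get-Variable "$($FirstEventId)_Events").value | foreach {$_} | Out-String
    $Message += $(Get-Variable "$($SecondEventId)_Events").value | foreach {$_} | Out-String
    $Message
    # NOTE(review): event log messages are size-limited; with many events in the window this dump
    # may exceed the limit and make Write-EventLog fail — consider truncating $Message first.
    Write-EventLog -LogName "operations manager" -Source $ScriptName -EventId 1005 -EntryType Information -Message $Message
    # Property bag consumed by the SCOM monitor; only the "same second" path returns one
    $PropertyBag.AddValue("State","CRITICAL")
    $PropertyBag.AddValue("Message",$Message)
    $PropertyBag
}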
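### SCRIPT TO DETECT SPECIFIC TWO EVENTS OCCURING AT SAME TIME #####
##############################################################
# PARAMETERS:
### $Arguments: override string that is dot-sourced below to (re)assign the parameters
### $EventLog: Event Log to look in
### $EventSource: Event Source to search for
### $FirstEventId: First event to correlate
### $SecondEventId: second event to correlate
### $LastMinutes: Last Time Window to search in (minutes)
### $DayOfWeekToExclude: Day Of Week To Exclude (Example: "('Saturday','Sunday')" )
param(
    $Arguments,
    $EventLog,
    $EventSource,
    $FirstEventId,
    $SecondEventId,
    $LastMinutes,
    $DayOfWeekToExclude
)
# Name under which the script registers itself as an event source (used by every Write-EventLog below)
$ScriptName = "CorrelateTwoSpecEvent.ps1"
#FUNCTIONS
#Check for the existence of an event source with script name in operation manager eventlog to log some events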
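Function NewEventSource
{
    # Registers $ScriptName as an event source of the "Operations Manager" log the first time
    # the script runs on a host, so that the Write-EventLog calls of the script succeed.
    # Reads the script-scope $ScriptName; creating a source with New-EventLog needs elevated rights.
    if (!(Test-Path "HKLM:\SYSTEM\CurrentControlSet\services\eventlog\Operations Manager\$ScriptName"))
    {
        New-EventLog -LogName "Operations Manager" -Source $ScriptName
    }
}
#END FUNCTIONS
#Log of script execution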
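NewEventSource
write-eventlog -logname "Operations Manager" -Source $ScriptName -EventID 1000 -Message "Execution du script $ScriptName" -EntryType Information
# Create local variables from override value
# NOTE(review): the $Arguments override string is executed as PowerShell code in the current scope.
# Anyone allowed to edit that override can therefore run arbitrary commands under the account the
# agent uses for this script, on every targeted host. Restrict who may edit the override, and if the
# management pack is reworked prefer parsing a key=value string into the expected parameters.
.([Scriptblock]::Create($Arguments))
# Determine the moment in the week
if ((Get-date).DayOfWeek -in $DayOfWeekToExclude)
{
    # If the day is in $DayOfWeekToExclude -> NO ACTION – END OF SCRIPT
    # Write-Host is presumably only useful when run interactively; no property bag is returned on this path.
    Write-Host "$((Get-date).DayOfWeek) : NO ACTION – END OF SCRIPT"
    Exit 0
}
# Create the Scom property bag
$ScomAPI = New-Object -comObject "MOM.ScriptAPI"
$PropertyBag = $ScomAPI.CreatePropertyBag()
# $Message accumulates the report that is written to the event log and to the property bag
$Message = "SEARCH CRITERIAS: Log: $EventLog – Source: $EventSource – EventId: $FirstEventId or $SecondEventId `n"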
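$Message
try
{
    # One window start for both queries so the two searches cover exactly the same interval
    $StartTime = (Get-Date).AddMinutes(-$LastMinutes)
    # -ErrorAction SilentlyContinue: Get-WinEvent reports "no events found" as an error, and an empty
    # result must not abort the script (the variable is then $null). It also hides real failures such
    # as a wrong log name or access denied, so the catch below only sees terminating errors.
    # The results are stored in dynamic variables "<id>_Events" read later with Get-Variable.
    New-Variable -Name "$($FirstEventId)_Events" -Force -Value $(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{logname=$EventLog;ProviderName=$EventSource;id=$FirstEventId;StartTime=$StartTime})
    New-Variable -Name "$($SecondEventId)_Events" -Force -Value $(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{logname=$EventLog;ProviderName=$EventSource;id=$SecondEventId;StartTime=$StartTime})
}
catch
{
    $Message = "Error during retrieve of events in the $ScriptName script"
    $Message
    NewEventSource
    Write-EventLog -LogName "operations manager" -Source $ScriptName -EventId 1001 -EntryType Warning -Message "$Message"
    Exit 1
}
#If no one of the two events id have occurence no need to continue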
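if (!$(Get-Variable "$($FirstEventId)_Events").Value -and !$(Get-Variable "$($SecondEventId)_Events").Value)
{
    $Message = "No one of the two events id have occurences in last $LastMinutes minutes – END OF SCRIPT"
    $Message
    Write-EventLog -LogName "operations manager" -Source $ScriptName -EventId 1002 -EntryType Information -Message "$Message"
    # Nothing to correlate: clean exit so the comparison below never runs on $null
    Exit 0
}
#If Only one of the two events id have occurences no need to continue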
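if (!$(Get-Variable "$($FirstEventId)_Events").Value -or !$(Get-Variable "$($SecondEventId)_Events").Value)
{
    $Message = "Only one of the two events id have occurences – END OF SCRIPT"
    $Message
    Write-EventLog -LogName "operations manager" -Source $ScriptName -EventId 1003 -EntryType Information -Message $Message
    # Nothing to correlate: clean exit so the comparison below never runs with a $null side
    Exit 0
}
# Both ids have at least one occurrence: report the counts before comparing
$Message = "$($(Get-Variable "$($FirstEventId)_Events").Value.count) occurence of event $FirstEventId and $($(Get-Variable "$($SecondEventId)_Events").Value.count) occurence of event $SecondEventId in the last $LastMinutes minutes"
$Message += "`nSTART OF COMPARAISON…`n"
#$Message
#Compare DateTimes at second level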
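try
{
    # The original compared only the .Second component (0-59) of TimeCreated, so events at
    # 10:01:05 and 10:02:05 counted as "same second" and produced false correlations.
    # Truncate each timestamp to a whole second instead and compare those strings.
    $FirstSeconds = @($(Get-Variable -Name "$($FirstEventId)_Events").Value | ForEach-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss') })
    $SecondSeconds = @($(Get-Variable -Name "$($SecondEventId)_Events").Value | ForEach-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss') })
    # -ExcludeDifferent -IncludeEqual keeps only the seconds present on both sides; $null when none
    $CompareResult = Compare-Object -ReferenceObject $FirstSeconds -DifferenceObject $SecondSeconds -ExcludeDifferent -IncludeEqual -Verbose
}
catch
{
    $Message += "Error during comparaison of Date Creation"
    $Message
    NewEventSource
    Write-EventLog -LogName "operations manager" -Source $ScriptName -EventId 1004 -EntryType Warning -Message $Message
    Exit 1
}
#If $CompareResult is null, Events have not occured at the same time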
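If (!($CompareResult))
{
    $Message += "Events $FirstEventId and $SecondEventId have not occured at the same second – No correlation"
    $Message
    NewEventSource
    # NOTE(review): EventId 1004 is also used for the comparison-failure Warning above, so a rule
    # filtering on the id alone cannot tell the two apart. Left unchanged so existing SCOM rules
    # keep matching; a distinct id would be clearer.
    Write-EventLog -LogName "operations manager" -Source $ScriptName -EventId 1004 -EntryType Information -Message $Message
    exit 0
}
Else
{
    NewEventSource
    $Message += "EVENT $FirstEventId and $SecondEventId have occured at same second $($CompareResult.count) times `n"
    $Message += "`nEVENTS OF LAST $LastMinutes MINUTES:`n"
    # Append the raw events of both ids to the report (Out-String renders the objects as text)
    $Message += $(Get-Variable "$($FirstEventId)_Events").value | foreach {$_} | Out-String
    $Message += $(Get-Variable "$($SecondEventId)_Events").value | foreach {$_} | Out-String
    $Message
    # NOTE(review): event log messages are size-limited; with many events in the window this dump
    # may exceed the limit and make Write-EventLog fail — consider truncating $Message first.
    Write-EventLog -LogName "operations manager" -Source $ScriptName -EventId 1005 -EntryType Information -Message $Message
    # Property bag consumed by the SCOM monitor; only the "same second" path returns one
    $PropertyBag.AddValue("State","CRITICAL")
    $PropertyBag.AddValue("Message",$Message)
    $PropertyBag
}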