2012-06-28 109 views
1

I have almost finished this PowerShell script, but I'm stuck on the last part and could really use some help with the final step. Here is what I have written so far for the PowerShell IIS log analysis:

$t1 = (Get-Date).AddMinutes(-10)
$t2 = $t1.ToUniversalTime().ToString("HH:mm:ss")   # IIS W3C logs are written in UTC
$IISLogPath = "C:\inetpub\logs\LogFiles\W3SVC1\u_ex" + (Get-Date).ToString("yyMMdd") + ".log"
$IISLogFileRaw = [System.IO.File]::ReadAllLines($IISLogPath)
$headers = $IISLogFileRaw[3].Split(" ")                          # the "#Fields:" line
$headers = $headers | Where-Object { $_ -ne "#Fields:" }
$IISLogFileCSV = Import-Csv -Delimiter " " -Header $headers -Path $IISLogPath
$IISLogFileCSV = $IISLogFileCSV | Where-Object { $_.date -notlike "#*" }   # drop the comment rows
# $t2 must not be single-quoted, otherwise the literal string "$t2" is compared instead of the time
$timeTaken = $IISLogFileCSV | Where-Object { $_."cs-uri-stem" -eq '/Login.aspx' -and $_.time -gt $t2 } | Format-Table time,s-ip

So basically my PS script looks at the current day's IIS log and filters for when a user hits the login page in the last 10 minutes. The part I'm stuck on is that I want to send an email when an IP hits it more than 10 times within 10 minutes (basically an alert when a brute-force attack is happening). I have already written the email part of the code; I just need the part that says the s-ip hit /login.aspx more than 10 times. Also, on my "test box" I have changed $t2 and $IISLogPath to the following:

$t2 = "20:00:00"
$IISLogPath = "C:\test\log.log"

Here is my sample log file:

#Software: Microsoft Internet Information Services 7.5 
#Version: 1.0 
#Date: 2012-06-27 15:05:24 
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken 
2012-06-27 20:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240 
2012-06-27 20:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240 
2012-06-27 20:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240 
2012-06-27 20:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240 
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240 
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240 
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240 
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240 
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240 
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240 
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240 
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240 
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240 
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240 
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240 

Answers

2

After some modifications to the script, I found the solution. Here is the whole script:

$t1 = (Get-Date).AddMinutes(-10)
$t2 = $t1.ToUniversalTime().ToString("HH:mm:ss")   # IIS W3C logs are written in UTC
$IISLogPath = "C:\inetpub\logs\LogFiles\W3SVC1\u_ex" + (Get-Date).ToString("yyMMdd") + ".log"
$IISLogFileRaw = [System.IO.File]::ReadAllLines($IISLogPath)
$headers = $IISLogFileRaw[3].Split(" ")                          # the "#Fields:" line
$headers = $headers | Where-Object { $_ -ne "#Fields:" }
$IISLogFileCSV = Import-Csv -Delimiter " " -Header $headers -Path $IISLogPath
$IISLogFileCSV = $IISLogFileCSV | Where-Object { $_.date -notlike "#*" }   # drop the comment rows
# Count GET requests for the login page after the cutoff; $t2 must not be single-quoted or it is compared literally
$timeTaken = @($IISLogFileCSV | Where-Object { $_."cs-uri-stem" -eq '/Login.aspx' -and $_.time -gt $t2 -and $_."cs-method" -eq 'GET' }).Count
$count = $timeTaken
if ($count -ge 8)
{
    Send-MailMessage -From "[email protected]" -To "[email protected]" -Subject "IIS Alert" -Body "Email body goes here" -BodyAsHtml -Attachments $IISLogPath -SmtpServer "ip.add.re.ss"
}
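The question asks for a count per source address, while the script above counts every request to /Login.aspx in the window regardless of who sent it. The following is an added example, not code from the original post, that does the per-client grouping: it parses the W3C log from its own "#Fields:" header, keys on c-ip (in the IIS W3C field set c-ip is the client's address and s-ip is the server's own address), compares a full date+time instead of an HH:mm:ss string so the window still works across midnight, and returns one object per offending client. It assumes PowerShell 3.0 or later; the log lines, the addresses 10.0.0.2, 203.0.113.7 and 198.51.100.5, and the SMTP host and mailboxes are constructed placeholders.

```powershell
# Added example (not the asker's script): report client addresses that requested
# the login page at least $Threshold times within the last $WindowMinutes.
# Requires PowerShell 3.0+ ([ordered], [pscustomobject]).

function ConvertFrom-IisW3cLog {
    param([Parameter(Mandatory = $true)][string[]]$Lines)

    $fields = $null
    foreach ($line in $Lines) {
        $line = $line.Trim()
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        if ($line.StartsWith('#Fields:')) {
            # Column names follow the "#Fields:" token; re-read whenever the header
            # appears, since a file can contain more than one if settings changed.
            $fields = @(($line -split ' ') | Select-Object -Skip 1)
            continue
        }
        if ($line.StartsWith('#')) { continue }       # #Software, #Version, #Date
        if (-not $fields) { throw "Data line before any #Fields: header: $line" }

        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) {
            Write-Warning "Skipping line with $($values.Count) columns, expected $($fields.Count): $line"
            continue
        }
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $record[$fields[$i]] = $values[$i] }
        # W3C logs are written in UTC; one [datetime] from date + time keeps the
        # window comparison correct across midnight and across log files.
        $stamp = [datetime]::ParseExact("$($record['date']) $($record['time'])",
            'yyyy-MM-dd HH:mm:ss', [System.Globalization.CultureInfo]::InvariantCulture)
        $record['timestamp'] = [datetime]::SpecifyKind($stamp, [System.DateTimeKind]::Utc)
        [pscustomobject]$record
    }
}

function Get-LoginBruteForceCandidates {
    param(
        [Parameter(Mandatory = $true)][string[]]$Lines,
        [string]$UriStem = '/Login.aspx',
        [int]$WindowMinutes = 10,
        [int]$Threshold = 10,
        [datetime]$Now = (Get-Date).ToUniversalTime()   # injectable so a run is reproducible
    )
    $cutoff = $Now.AddMinutes(-$WindowMinutes)

    ConvertFrom-IisW3cLog -Lines $Lines |
        Where-Object { $_.'cs-uri-stem' -eq $UriStem -and
                       $_.timestamp -ge $cutoff -and $_.timestamp -le $Now } |
        Group-Object -Property 'c-ip' |                  # c-ip = client, s-ip = server
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            $hits = $_.Group | Sort-Object timestamp
            [pscustomobject]@{
                ClientIp  = $_.Name
                Hits      = $_.Count
                FirstSeen = ($hits | Select-Object -First 1).timestamp
                LastSeen  = ($hits | Select-Object -Last 1).timestamp
                Methods   = ($hits | ForEach-Object { $_.'cs-method' } | Sort-Object -Unique) -join ','
                Statuses  = ($hits | ForEach-Object { $_.'sc-status' } | Sort-Object -Unique) -join ','
            }
        }
}

# Constructed sample (not the log from the original post): 203.0.113.7 requests the
# login page 12 times inside the window, 198.51.100.5 only 3 times, and one older
# 203.0.113.7 request at 20:05 lies outside a 10-minute window ending at 20:35.
$sampleLog = @(
    '#Software: Microsoft Internet Information Services 7.5'
    '#Version: 1.0'
    '#Date: 2012-06-27 20:00:00'
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken'
    '2012-06-27 20:05:00 10.0.0.2 POST /Login.aspx - 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+6.1) 401 0 0 12'
)
$sampleLog += 1..12 | ForEach-Object {
    $t = ([datetime]'2012-06-27 20:30:00').AddSeconds($_).ToString('HH:mm:ss')
    "2012-06-27 $t 10.0.0.2 POST /Login.aspx - 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+6.1) 401 0 0 15"
}
$sampleLog += 1..3 | ForEach-Object {
    $t = ([datetime]'2012-06-27 20:31:00').AddSeconds($_).ToString('HH:mm:ss')
    "2012-06-27 $t 10.0.0.2 GET /Login.aspx - 80 - 198.51.100.5 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 8"
}
$sampleLog += '2012-06-27 20:31:30 10.0.0.2 GET /Default.aspx - 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 5'

# Evaluate the sample as if it were 20:35:00 UTC; a scheduled run omits -Now and uses the clock.
$now = [datetime]::SpecifyKind([datetime]'2012-06-27 20:35:00', [System.DateTimeKind]::Utc)
$candidates = @(Get-LoginBruteForceCandidates -Lines $sampleLog -Now $now -WindowMinutes 10 -Threshold 10)
$candidates | Format-Table -AutoSize

if ($candidates.Count -gt 0) {
    # Same alert path as the script above, one row per offending client. The SMTP
    # host and mailboxes are placeholders, so the call itself is left commented out.
    $body = $candidates | ConvertTo-Html -Fragment | Out-String
    # Send-MailMessage -From 'iis-alert@example.com' -To 'soc@example.com' -Subject 'IIS login brute-force' `
    #     -Body $body -BodyAsHtml -SmtpServer 'smtp.example.com'
}
```

For a Task Scheduler run, replace $sampleLog with `[System.IO.File]::ReadAllLines($IISLogPath)` and drop -Now; because the window is computed from the timestamp column rather than a time-of-day string, the same call can be pointed at both today's and yesterday's file around midnight.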
2

You should use Microsoft LogParser for most of the heavy lifting of parsing/querying your log files. It will save you a lot of pain and will probably be faster to boot.

You can wrap it with PowerShell to parse the results of your queries.

+0

Yes, but I don't think Microsoft supports it on the Server 2008 platform. Also, since I won't be sitting there running this script every 10 minutes (Task Scheduler will), wouldn't it make more sense to use PowerShell strictly rather than importing another program into it? On the other hand, if I were sitting at the server I would go with LP :) – jladd

+0

@jladd - FYI, I'm using [LogParser 2.2 + Log Parser Studio](http://blogs.technet.com/b/karywa/archive/tags/log+parser+studio/default.aspx) on Windows Server 2012 to parse IIS logs. It has an "Export to PowerShell" feature. – anon