Report on Windows domain server events

Hello everyone!
It is convenient to receive by e-mail a daily report on the previous day's domain server events. Ready-made tools for this exist, but that is not the point. Once such reports have been collected for a long time (say, several years), you can look up who logged on as a particular user, who added users to or removed them from groups, who changed a user's password (or whether the user changed it themselves), failed logons to servers, and so on. In principle, everyone decides for themselves which set of events goes into the report; what matters is the approach.
For example, I receive a report like this by e-mail:

The implementation is under the cut, for anyone who needs it.

The script runs every morning at 4:00. For it to work, LogParser and 7-Zip must be installed on the server (report files larger than 3 MB are compressed with zip).
Just in case, a link to a useful document on Windows 7 and Server 2008 events: Vista_2008_Security_Event_Descriptions.xlsx.
My script lives on drive C in the script folder, with the templates in its Tamplates subfolder. On drive F there are two more folders: Logi_ForADReports for temporary evt files and Reports for the HTML report files; the script log is also written to the Reports folder.
Batch file that runs the script:
net use Q: \\nas-srv\BACKUP
cscript //nologo "c:\script\LogParser_bat_4.vbs" %1 %2 %3
net use Q: /delete

Script LogParser_bat_4.vbs (the Russian comments and log messages were lost when the page was extracted; the empty quoted strings and bare ' lines below mark where they stood):
' luzhin.kirill@yandex.ru
'On Error Resume Next
const gsReportFolder = "F:\Reports\"
const gsFrom = "admin1@domain.com"
const gsSubject = "send report"
const gsHelpFile = "c:\script\LogParser_bat.txt"
const gbDebugModeON = false
Dim oLogQuery
Dim oMyInputFormat
Dim oCSVOutputFormat
Dim strQuery
Dim giErrorCode
Dim gsFileNameLog
Dim gsNormalDate
Dim gsTo
Dim gArrNumberOfFunctions
gArrNumberOfFunctions = Array ("1", "1", "1", "1", "1", "1", "1", "1", "1", "1", "1")
gsTo = "admin1@domain.com"
gsEMail = "n"
' report for today (commented out):
' gsNormalDate = fuNormalizeSystemDate(cStr(Date))
' report for yesterday:
gsNormalDate = fuNormalizeSystemDate(cStr(DateAdd("d", -1, Date)))
gsDate = gsNormalDate
gsNumberOfFunctions = "all"
gsCheckDate = DateAdd("d", -1, Date)
gsLogFilename = fuGetFilename(gsCheckDate)
Set objFSO = CreateObject("Scripting.FileSystemObject")
gsFileNameLog = gsReportFolder & gsNormalDate & ".log"
Set objTextFileWriteLog = objFSO.OpenTextFile(gsFileNameLog, 8, True)
' look back 33 hours:
fuWritedown "*  : " & Now, 4
gsPastDate = DateAdd("h", -33, Now)
fuWritedown "*     " & gsPastDate, 4
' look back 2 days (commented out):
' gsPastDate = DateAdd("d", -2, Date)
if Wscript.Arguments.Count >= 1 then
  if lCase(Wscript.Arguments(0)) = "nothing" then
    gArrNumberOfFunctions = Array ("0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0")
    gsNumberOfFunctions = "nothing"
  elseif InStr(Wscript.Arguments(0), ",") then
    gArrNumberOfFunctions = split(Wscript.Arguments(0), ",")
    gsNumberOfFunctions = "different"
  elseif fuNeedHelp(lCase(Wscript.Arguments(0))) then
    fuTypeTextfile(gsHelpFile)
    WScript.Quit 0
  'else gArrNumberOfFunctions = Array ("1", "1", "1", "1", "1", "1", "1", "1", "1", "1", "1")
  end if
  if Wscript.Arguments.Count >= 2 then
    if InStr(Wscript.Arguments(1), "@") then
      gsEMail = "y"
      gsTo = Wscript.Arguments(1)
    else
      gsEMail = lCase(Wscript.Arguments(1))
    end if
    if Wscript.Arguments.Count = 3 then
      gsDate = Wscript.Arguments(2)
    end if
  end if
end if
fuWritedown "*   : " & gsFileNameLog, 2
gStartTime = fuStartTimer("")
if gsNumberOfFunctions <> "nothing" then
  gArrProcNamesList = Array (_
    "   ", _
    " AccauntManage", _
    "    ", _
    "  ", _
    "   ", _
    "  ", _
    "  ", _
    " ", _
    "  ", _
    "    RDP", _
    "       AD")
  gArrReportfilesList = Array (_
    gsReportFolder & "logged_Administrator_" & gsNormalDate & ".html", _
    gsReportFolder & "new_AD_" & gsNormalDate & ".html", _
    gsReportFolder & "logonFailuresStats_" & gsNormalDate & ".html", _
    gsReportFolder & "group_Manage_" & gsNormalDate & ".html", _
    gsReportFolder & "logonFailure_" & gsNormalDate & ".html", _
    gsReportFolder & "change_password_" & gsNormalDate & ".html", _
    gsReportFolder & "new_Comp_AD_" & gsNormalDate & ".html", _
    gsReportFolder & "audit_" & gsNormalDate & ".html", _
    gsReportFolder & "auditStat_" & gsNormalDate & ".html", _
    gsReportFolder & "logged_Rdp_" & gsNormalDate & ".html", _
    gsReportFolder & "AD_objects_" & gsNormalDate & ".html")
  for gix = 0 to UBound(gArrNumberOfFunctions)
    gsFunctionName = gArrProcNamesList(gix)
    gsReportfile = gArrReportfilesList(gix)
    if gArrNumberOfFunctions(gix) = "1" then
      startTime = fuStartTimer(gsFunctionName)
      gArrServerList = Array ("DC1", "DC2")
      Select Case gix
        Case 0
          giErrorCode = fuLogonAdministrator(gArrServerList, gsReportfile)
        Case 1
          giErrorCode = fuAccauntManage(gArrServerList, gsReportfile)
        Case 2
          giErrorCode = fuLogonFailureStats(gArrServerList, gsReportfile)
        Case 3
          gArrServerList = Array ("DC1","DC2","EXCH1","EXCH2")
          giErrorCode = fuGroupManage(gArrServerList, gsReportfile)
        Case 4
          giErrorCode = fuLogonFailures(gArrServerList, gsReportfile)
        Case 5
          giErrorCode = fuPasswordManage(gArrServerList, gsReportfile)
        Case 6
          giErrorCode = fuCompManage(gArrServerList, gsReportfile)
        Case 7
          gArrServerList = Array ("FILE-SRV1","FILE-SRV2")
          ' the report name is passed in so the functions can log it (the original referenced an undeclared lsFunctionName there)
          giErrorCode = fuAudit(gArrServerList, gsReportfile, gsFunctionName)
        Case 8
          gArrServerList = Array ("FILE-SRV1","FILE-SRV2")
          giErrorCode = fuAuditStat(gArrServerList, gsReportfile, gsFunctionName)
        Case 9
          gArrServerList = Array ("DC1","DC2","EXCH1","EXCH2")
          giErrorCode = fuLogonRdp(gArrServerList, gsReportfile, gsFunctionName)
        Case 10
          giErrorCode = fuADObjects(gArrServerList, gsReportfile)
        Case else
          fuWritedown "*  : " & gix, 4
      End Select
      fuCheckErrorCode giErrorCode, gArrServerList, gsReportfile, gsFunctionName, startTime
    else
      fuWritedown gsFunctionName & " ", 4
    end if
  next
else
  fuWritedown "*     ", 4
end if
fuStopTimer(gStartTime)
if gsEMail = "y" then
  fuSendReportMail gsReportFolder & "*_" & gsDate & ".*", gsFrom, gsTo, gsSubject, gsDate
else
  fuWritedown "*     ", 4
end if
fuWritedown "*     '" & gsFileNameLog & "'", 1
fuDeleteEvtxFiles "F:\Logi_ForADReports\*.evtx"
'MsgBox "    '" & gsFileNameLog & "'", vbInformation, ""
objTextFileWriteLog.Close

' logons of the administrator accounts
function fuLogonAdministrator(lArrServerList, lsReport)
  liErrorCode = -1
  lsFROM = fuCollectFileList(lArrServerList, false)
  if lsFROM <> "" then
    Set oLogQuery = CreateObject("MSUtil.LogQuery")
    ' Create Input Format object
    Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat")
    oEVTInputFormat.direction = "BW"
    ' Create Output Format object
    ' Set oCSVOutputFormat = CreateObject("MSUtil.LogQuery.CSVOutputFormat")
    Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat")
    'oCSVOutputFormat.tabs = TRUE
    oTPLOutputFormat.tpl = "c:\script\Tamplates\logonAdministrator.tpl"
    ' the query
    strQuery = "SELECT TO_LOWERCASE(EXTRACT_TOKEN(Strings,5,'|')) as UserName, eventid, TimeGenerated, ComputerName as DC, " & _
      "TO_LOWERCASE(EXTRACT_TOKEN(Strings,5,'|')) AS LogonName, " & _
      "TO_LOWERCASE(EXTRACT_TOKEN(Strings,6,'|')) AS Domain, " & _
      "TO_LOWERCASE(EXTRACT_TOKEN(Strings,13,'|')) AS LogonWKS, " & _
      "extract_token(trim(extract_token(Message, 18, ':' )), 0, ' ') as LogonIP, " & _
      "CASE TO_INT(EXTRACT_TOKEN(Strings,10,'|')) " & _
      " WHEN 2 THEN 'Interactive - Intended for users who will be interactively using the machine, such as a user being logged on by a terminal server, remote shell, or similar process.'" & _
      " WHEN 3 THEN 'Network - Intended for high performance servers to authenticate clear text passwords. LogonUser does not cache credentials for this logon type.'" & _
      " WHEN 4 THEN 'Batch - Intended for batch servers, where processes may be executing on behalf of a user without their direct intervention; or for higher performance servers that process many clear-text authentication attempts at a time, such as mail or web servers. LogonUser does not cache credentials for this logon type.'" & _
      " WHEN 5 THEN 'Service - Indicates a service-type logon. The account provided must have the service privilege enabled.'" & _
      " WHEN 6 THEN 'Proxy - Indicates a proxy-type logon.'" & _
      " WHEN 7 THEN 'Unlock - This logon type is intended for GINA DLLs logging on users who will be interactively using the machine. This logon type allows a unique audit record to be generated that shows when the workstation was unlocked.'" & _
      " WHEN 8 THEN 'NetworkCleartext - Windows 2000; Windows XP and Windows Server 2003 family: Preserves the name and password in the authentication packages, allowing the server to make connections to other network servers while impersonating the client. This allows a server to accept clear text credentials from a client, call LogonUser, verify that the user can access the system across the network, and still communicate with other servers.'" & _
      " WHEN 9 THEN 'NewCredentials - Windows 2000; Windows XP and Windows Server 2003 family: Allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.'" & _
      " WHEN 10 THEN 'RemoteInteractive - Terminal Server session that is both remote and interactive.'" & _
      " WHEN 11 THEN 'CachedInteractive - Attempt cached credentials without accessing the network.'" & _
      " WHEN 12 THEN 'CachedRemoteInteractive - Same as RemoteInteractive. This is used for internal auditing.'" & _
      " WHEN 13 THEN 'CachedUnlock - Workstation logon'" & _
      " ELSE EXTRACT_TOKEN(Strings,10,'|') " & _
      "END AS LogonType, " & _
      "extract_token(strings, 4, '|' ) as LogonProc, " & _
      "extract_token(strings, 11, '|' ) as ProcessID " & _
      "INTO " & lsReport & " " & _
      "FROM " & lsFROM & " " & _
      "WHERE EventID IN (4624;4636) " & _
      "AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _
      "AND ((TO_LOWERCASE(LogonName) = TO_LOWERCASE('administrator')) " & _
      " OR (TO_LOWERCASE(LogonName) = TO_LOWERCASE('')) " & _
      " OR (TO_LOWERCASE(LogonName) = TO_LOWERCASE('admin'))) "
    fuWritedown "*    : '" & strQuery & "'", 4
    ' Execute query
    oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat
    liErrorCode = 0
  else
    liErrorCode = 1
  end if
  fuLogonAdministrator = liErrorCode
end function

' AccauntManage
function fuAccauntManage(lArrServerList, lsReport)
  liErrorCode = -1
  lsFROM = fuCollectFileList(lArrServerList, false)
  'lsFROM = "\\DC1\c$\WINDOWS\system32\winevt\Logs\Archive-Security-2010-08-03-09-34-11-527.evtx"
  'lsFROM = "\\DC1\security"
  if lsFROM <> "" then
    Set oLogQuery = CreateObject("MSUtil.LogQuery")
    Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat")
    oEVTInputFormat.direction = "BW"
    Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat")
    oTPLOutputFormat.tpl = "c:\script\Tamplates\accauntManage.tpl"
    strQuery = "select extract_token(extract_token(Message, 3, ':' ), 0, ' Account ') as UserName, TimeGenerated, SourceName, Message as EventCategoryName, " & _
      "extract_token(extract_token(Message, 0, ':' ),0,'.') as Description, EventID, ComputerName, " & _
      "extract_token(extract_token(Message, 8, ':' ), 1, ' ') as Name " & _
      "INTO " & lsReport & " " & _
      "FROM " & lsFROM & " " & _
      "WHERE EventID IN (4720;4722;4725;4726;4738;4740;4767;4780;4781;4782) " & _
      "AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss')"
    fuWritedown "*  AccauntManage: '" & strQuery & "'", 4
    if not gbDebugModeON then
      oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat
    end if
    liErrorCode = 0
  else
    liErrorCode = 1
  end if
  fuAccauntManage = liErrorCode
end function

' logon failure statistics
function fuLogonFailureStats(lArrServerList, lsReport)
  liErrorCode = -1
  lsFROM = fuCollectFileList(lArrServerList, false)
  if lsFROM <> "" then
    Set oLogQuery = CreateObject("MSUtil.LogQuery")
    Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat")
    oEVTInputFormat.direction = "BW"
    Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat")
    oTPLOutputFormat.tpl = "c:\script\Tamplates\logonFailuresStats.tpl"
    strQuery = "SELECT TO_LOWERCASE(EXTRACT_TOKEN(Strings,5,'|')) AS User, " & _
      "COUNT(*) AS Total " & _
      "INTO " & lsReport & " " & _
      "FROM " & lsFROM & " " & _
      "WHERE EventID IN (4625) " & _
      "AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _
      "GROUP BY User " & _
      "ORDER BY Total DESC"
    fuWritedown "*    : '" & strQuery & "'", 4
    if not gbDebugModeON then
      oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat
    end if
    liErrorCode = 0
  else
    liErrorCode = 1
  end if
  fuLogonFailureStats = liErrorCode
end function

' group management
function fuGroupManage(lArrServerList, lsReport)
  liErrorCode = -1
  lsFROM = fuCollectFileList(lArrServerList, false)
  if lsFROM <> "" then
    Set oLogQuery = CreateObject("MSUtil.LogQuery")
    Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat")
    oEVTInputFormat.direction = "BW"
    Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat")
    oTPLOutputFormat.tpl = "c:\script\Tamplates\groupManage.tpl"
    strQuery = "SELECT extract_token(extract_token(Message, 3, ':' ), 0, ' Account ') as UserName, TimeGenerated, SourceName, EventCategoryName, " & _
      "extract_token(extract_token(Message, 0, ':' ), 0, '.') as EventIDName, " & _
      "COALESCE(extract_token(extract_token(strings, 0, ',' ), 1, '='), extract_token(strings, 0, '|' ), strings) as Name, " & _
      "COALESCE(extract_token(extract_token(strings, 0, ',' ), 1, '='), extract_token(strings, 1, '|' ), strings) as SIDName, " & _
      "extract_token(strings, 2, '|' ) as Name_Group, " & _
      "EventID, extract_token(ComputerName, 0, '.') " & _
      "INTO " & lsReport & " " & _
      "FROM " & lsFROM & " " & _
      "WHERE EventID IN (4727;4728;4729;4730;4731;4732;4733;4734;4735;4737;4744;4745;4746;4747;4748;4749;4750;4751;4752;4753;4754;4755;4756;4757;4758;4759;4760;4761;4762;4764;4783;4784;4785;4786;4787;4788;4789;4790) " & _
      "AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss')"
    fuWritedown "*   : '" & strQuery & "'", 4
    if not gbDebugModeON then
      oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat
    end if
    liErrorCode = 0
  else
    liErrorCode = 1
  end if
  fuGroupManage = liErrorCode
end function

' logon failures
function fuLogonFailures(lArrServerList, lsReport)
  liErrorCode = -1
  lsFROM = fuCollectFileList(lArrServerList, false)
  if lsFROM <> "" then
    Set oLogQuery = CreateObject("MSUtil.LogQuery")
    Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat")
    oEVTInputFormat.direction = "BW"
    Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat")
    oTPLOutputFormat.tpl = "c:\script\Tamplates\logonFailures.tpl"
    strQuery = "SELECT COUNT(EventID) AS TotalLogonFailures, " & _
      "TO_LOWERCASE(EXTRACT_TOKEN(Strings,5,'|')) AS User, " & _
      "TO_LOWERCASE(EXTRACT_TOKEN(Strings,6,'|')) AS Domain, " & _
      "TO_LOWERCASE(EXTRACT_TOKEN(Strings,13,'|')) AS WorkStation, " & _
      "CASE TO_INT(EXTRACT_TOKEN(Strings,10,'|')) " & _
      " WHEN 2 THEN 'Interactive - Intended for users who will be interactively using the machine, such as a user being logged on by a terminal server, remote shell, or similar process.'" & _
      " WHEN 3 THEN 'Network - Intended for high performance servers to authenticate clear text passwords. LogonUser does not cache credentials for this logon type.'" & _
      " WHEN 4 THEN 'Batch - Intended for batch servers, where processes may be executing on behalf of a user without their direct intervention; or for higher performance servers that process many clear-text authentication attempts at a time, such as mail or web servers. LogonUser does not cache credentials for this logon type.'" & _
      " WHEN 5 THEN 'Service - Indicates a service-type logon. The account provided must have the service privilege enabled.'" & _
      " WHEN 6 THEN 'Proxy - Indicates a proxy-type logon.'" & _
      " WHEN 7 THEN 'Unlock - This logon type is intended for GINA DLLs logging on users who will be interactively using the machine. This logon type allows a unique audit record to be generated that shows when the workstation was unlocked.'" & _
      " WHEN 8 THEN 'NetworkCleartext - Windows 2000; Windows XP and Windows Server 2003 family: Preserves the name and password in the authentication packages, allowing the server to make connections to other network servers while impersonating the client. This allows a server to accept clear text credentials from a client, call LogonUser, verify that the user can access the system across the network, and still communicate with other servers.'" & _
      " WHEN 9 THEN 'NewCredentials - Windows 2000; Windows XP and Windows Server 2003 family: Allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.'" & _
      " WHEN 10 THEN 'RemoteInteractive - Terminal Server session that is both remote and interactive.'" & _
      " WHEN 11 THEN 'CachedInteractive - Attempt cached credentials without accessing the network.'" & _
      " WHEN 12 THEN 'CachedRemoteInteractive - Same as RemoteInteractive. This is used for internal auditing.'" & _
      " WHEN 13 THEN 'CachedUnlock - Workstation logon'" & _
      " ELSE EXTRACT_TOKEN(Strings,10,'|') " & _
      "END AS Type " & _
      "INTO " & lsReport & " " & _
      "FROM " & lsFROM & " " & _
      "WHERE EventID IN (4625) " & _
      "AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _
      "GROUP BY User,Domain,WorkStation,Type " & _
      "ORDER BY TotalLogonFailures DESC"
    fuWritedown "*     : '" & strQuery & "'", 4
    if not gbDebugModeON then
      oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat
    end if
    liErrorCode = 0
  else
    liErrorCode = 1
  end if
  fuLogonFailures = liErrorCode
end function

' password management
function fuPasswordManage(lArrServerList, lsReport)
  liErrorCode = -1
  lsFROM = fuCollectFileList(lArrServerList, false)
  if lsFROM <> "" then
    Set oLogQuery = CreateObject("MSUtil.LogQuery")
    Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat")
    oEVTInputFormat.direction = "BW"
    Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat")
    oTPLOutputFormat.tpl = "c:\script\Tamplates\PasswordManage.tpl"
    strQuery = "SELECT extract_token(extract_token(Message, 3, ':' ), 0, ' Account ') as UserName, TimeGenerated, SourceName, EventCategoryName, " & _
      "extract_token(extract_token(Message, 0, ':' ),0,'.') as Description, EventID, ComputerName, " & _
      "extract_token(extract_token(Message, 8, ':' ), 0, ' Account ') as Name " & _
      "INTO " & lsReport & " " & _
      "FROM " & lsFROM & " " & _
      "WHERE EventID IN (4723;4724;4782;4793) " & _
      "AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss')"
    fuWritedown "*   : '" & strQuery & "'", 4
    if not gbDebugModeON then
      oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat
    end if
    liErrorCode = 0
  else
    liErrorCode = 1
  end if
  fuPasswordManage = liErrorCode
end function

' computer account management
function fuCompManage(lArrServerList, lsReport)
  liErrorCode = -1
  lsFROM = fuCollectFileList(lArrServerList, false)
  if lsFROM <> "" then
    Set oLogQuery = CreateObject("MSUtil.LogQuery")
    Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat")
    oEVTInputFormat.direction = "BW"
    Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat")
    oTPLOutputFormat.tpl = "c:\script\Tamplates\compManage.tpl"
    strQuery = "SELECT extract_token(extract_token(Message, 3, ':' ), 0, ' Account ') as UserName, TimeGenerated, SourceName, EventCategoryName, " & _
      "extract_token(extract_token(Message, 0, ':' ),0,'.') as Description, EventID, ComputerName, " & _
      "extract_token(extract_token(Message, 8, ':' ), 0, ' Account ') as Name " & _
      "INTO " & lsReport & " " & _
      "FROM " & lsFROM & " " & _
      "WHERE EventID in (4720;4742;4743) " & _
      "and Name like '%%$%%' " & _
      "AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss')"
    fuWritedown "*   : '" & strQuery & "'", 4
    if not gbDebugModeON then
      oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat
    end if
    liErrorCode = 0
  else
    liErrorCode = 1
  end if
  fuCompManage = liErrorCode
end function

' file access audit
function fuAudit(lArrServerList, lsReport, lsFunctionName)
  liErrorCode = -1
  lsFROM = fuCollectFileList(lArrServerList, false)
  if lsFROM <> "" then
    Set oLogQuery = CreateObject("MSUtil.LogQuery")
    Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat")
    oEVTInputFormat.direction = "BW"
    Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat")
    oTPLOutputFormat.tpl = "c:\script\Tamplates\audit.tpl"
    strQuery = "select TimeGenerated, EventID, " & _
      "extract_token(Strings, 0, '|' ) as UserSID, " & _
      "extract_token(Strings, 6, '|' ) as ObjectName, " & _
      "extract_token(Strings, 1, '|' ) as User, " & _
      "extract_token(Strings, 2, '|' ) as Domain, " & _
      "extract_token(Strings, 5, '|' ) as ObjectType, " & _
      "extract_token(Strings, 11, '|' ) as ProgramName, " & _
      "extract_token(Message, 0, '.' ) as Event " & _
      "into " & lsReport & " " & _
      "from " & lsFROM & " " & _
      "where EventId in (4656;4659;4660;4661;4663;4691) " & _
      "and TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _
      "and User <> 'NT AUTHORITY\SYSTEM' " & _
      "and extract_token(Strings, 6, '|' ) not like '%%HarddiskVolumeShadowCopy%%' " & _
      "and extract_token(Strings, 6, '|' ) not like '%%ShadowCopyVolume%%' " & _
      "and TO_LOWERCASE(extract_token(Strings, 6, '|' )) like '%%Top-Secret-Documents%%' " & _
      "and User <> 'FILE-SRV1$' " & _
      "and User <> 'FILE-SRV2$' " & _
      "order by Timegenerated"
    fuWritedown "*  " & lsFunctionName & ": '" & strQuery & "'", 4
    if not gbDebugModeON then
      oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat
    end if
    liErrorCode = 0
  else
    ' no copied archives: fall back to the live Security logs on the servers
    lsFROM = fuCollectFileList(lArrServerList, true)
    if lsFROM <> "" then
      Set oLogQuery = CreateObject("MSUtil.LogQuery")
      Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat")
      oEVTInputFormat.direction = "BW"
      Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat")
      oTPLOutputFormat.tpl = "c:\script\Tamplates\audit.tpl"
      strQuery = "select TimeGenerated, EventID, " & _
        "extract_token(Strings, 0, '|' ) as UserSID, " & _
        "extract_token(Strings, 6, '|' ) as ObjectName, " & _
        "extract_token(Strings, 1, '|' ) as User, " & _
        "extract_token(Strings, 2, '|' ) as Domain, " & _
        "extract_token(Strings, 5, '|' ) as ObjectType, " & _
        "extract_token(Strings, 11, '|' ) as ProgramName, " & _
        "extract_token(Message, 0, '.' ) as Event " & _
        "into " & lsReport & " " & _
        "from " & lsFROM & " " & _
        "where EventId in (4656;4659;4660;4661;4663;4691) " & _
        "and TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _
        "and User <> 'NT AUTHORITY\SYSTEM' " & _
        "and extract_token(Strings, 6, '|' ) not like '%%HarddiskVolumeShadowCopy%%' " & _
        "and extract_token(Strings, 6, '|' ) not like '%%ShadowCopyVolume%%' " & _
        "and TO_LOWERCASE(extract_token(Strings, 6, '|' )) like '%%Top-Secret-Documents%%' " & _
        "and User <> 'FILE-SRV1$' " & _
        "and User <> 'FILE-SRV2$' " & _
        "order by Timegenerated"
      fuWritedown "*  " & lsFunctionName & ": '" & strQuery & "'", 4
      if not gbDebugModeON then
        oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat
      end if
    else
      fuWritedown "* -    .", 4
    end if
    liErrorCode = 1
  end if
  fuAudit = liErrorCode
end function

' file access audit statistics
function fuAuditStat(lArrServerList, lsReport, lsFunctionName)
  liErrorCode = -1
  lsFROM = fuCollectFileList(lArrServerList, false)
  if lsFROM <> "" then
    Set oLogQuery = CreateObject("MSUtil.LogQuery")
    Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat")
    oEVTInputFormat.direction = "BW"
    Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat")
    oTPLOutputFormat.tpl = "c:\script\Tamplates\auditStat.tpl"
    strQuery = "select extract_token(Strings, 1, '|' ) as User, " & _
      "COUNT(*) as Qty, " & _
      "MAX(TimeGenerated) as MaxTime " & _
      "into " & lsReport & " " & _
      "from " & lsFROM & " " & _
      "where EventId in (4656;4659;4660;4661;4663;4691) " & _
      "and TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _
      "and User <> 'NT AUTHORITY\SYSTEM' " & _
      "and extract_token(Strings, 6, '|' ) not like '%%HarddiskVolumeShadowCopy%%' " & _
      "and extract_token(Strings, 6, '|' ) not like '%%ShadowCopyVolume%%' " & _
      "and TO_LOWERCASE(extract_token(Strings, 6, '|' )) like '%%Top-Secret-Documents%%' " & _
      "group by User " & _
      "order by User"
    fuWritedown "*  " & lsFunctionName & ": '" & strQuery & "'", 4
    if not gbDebugModeON then
      oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat
    end if
    liErrorCode = 0
  else
    ' no copied archives: fall back to the live Security logs on the servers
    lsFROM = fuCollectFileList(lArrServerList, true)
    if lsFROM <> "" then
      Set oLogQuery = CreateObject("MSUtil.LogQuery")
      Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat")
      oEVTInputFormat.direction = "BW"
      Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat")
      oTPLOutputFormat.tpl = "c:\script\Tamplates\auditStat.tpl"
      strQuery = "select extract_token(Strings, 1, '|' ) as User, " & _
        "COUNT(*) as Qty, " & _
        "MAX(TimeGenerated) as MaxTime " & _
        "into " & lsReport & " " & _
        "from " & lsFROM & " " & _
        "where EventId in (4656;4659;4660;4661;4663;4691) " & _
        "and TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _
        "and User <> 'NT AUTHORITY\SYSTEM' " & _
        "and extract_token(Strings, 6, '|' ) not like '%%HarddiskVolumeShadowCopy%%' " & _
        "and extract_token(Strings, 6, '|' ) not like '%%ShadowCopyVolume%%' " & _
        "and TO_LOWERCASE(extract_token(Strings, 6, '|' )) like '%%Top-Secret-Documents%%' " & _
        "group by User " & _
        "order by User"
      fuWritedown "*  " & lsFunctionName & ": '" & strQuery & "'", 4
      if not gbDebugModeON then
        oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat
      end if
    else
      fuWritedown "* -     .", 4
    end if
    liErrorCode = 1
  end if
  fuAuditStat = liErrorCode
end function

' RDP logons
function fuLogonRdp(lArrServerList, lsReport, lsFunctionName)
  liErrorCode = -1
  lsFROM = fuCollectFileList(lArrServerList, false)
  if lsFROM <> "" then
    Set oLogQuery = CreateObject("MSUtil.LogQuery")
    Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat")
    oEVTInputFormat.direction = "BW"
    Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat")
    oTPLOutputFormat.tpl = "c:\script\Tamplates\logonRdp.tpl"
    strQuery = "SELECT DISTINCT resolve_sid(SID) as UserName, eventid, TimeGenerated, extract_token(ComputerName, 0, '.') as NormComputerName, " & _
      "extract_token(strings, 5, '|' ) as LogonName, " & _
      "extract_token(strings, 13, '|' ) as LogonWKS, " & _
      "extract_token(strings, 18, '|' ) as LogonIP, " & _
      "case extract_token(strings, 8, '|' ) " & _
      " WHEN '2' THEN 'interactive' " & _
      " WHEN '3' THEN 'network' " & _
      " WHEN '4' THEN 'batch' " & _
      " WHEN '5' THEN 'service' " & _
      " WHEN '7' THEN 'unlocked workstation' " & _
      " WHEN '8' THEN 'network logon using a cleartext password' " & _
      " WHEN '9' THEN 'impersonated logons' " & _
      " WHEN '10' THEN 'remote access' " & _
      " ELSE extract_token(strings, 8, '|' ) " & _
      "end as LogonType, " & _
      "extract_token(strings, 17, '|' ) as LogonProc, " & _
      "extract_token(strings, 16, '|' ) as ProcessID " & _
      "INTO " & lsReport & " " & _
      "FROM " & lsFROM & " " & _
      "WHERE EventID IN (4624;4625;4648;4675) " & _
      "AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _
      "AND LogonType = 'remote access' " & _
      "order by Timegenerated DESC"
    fuWritedown "*  " & lsFunctionName & ": '" & strQuery & "'", 4
    if not gbDebugModeON then
      oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat
    end if
    liErrorCode = 0
  else
    liErrorCode = 1
  end if
  fuLogonRdp = liErrorCode
end function

' changes to AD objects
function fuADObjects(lArrServerList, lsReport)
  liErrorCode = -1
  lsFROM = fuCollectFileList(lArrServerList, false)
  'lsFROM = "\\DC1\c$\WINDOWS\system32\winevt\Logs\Archive-Security-2010-12-09-09-55-23-631.evtx"
  'lsFROM = "\\DC1\security"
  if lsFROM <> "" then
    Set oLogQuery = CreateObject("MSUtil.LogQuery")
    Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat")
    oEVTInputFormat.direction = "BW"
    Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat")
    oTPLOutputFormat.tpl = "c:\script\Tamplates\adobjects.tpl"
    strQuery = "select extract_token(extract_token(Message, 3, ':' ), 0, ' Account ') as UserName, TimeGenerated, SourceName, Message as EventCategoryName, " & _
      "extract_token(extract_token(Message, 0, ':' ),0,'.') as Description, EventID, ComputerName, " & _
      "extract_token(extract_token(Message, 8, ':' ), 1, ' ') as Name " & _
      "INTO " & lsReport & " " & _
      "FROM " & lsFROM & " " & _
      "WHERE EventID IN (4928;4929;4930;4931;4934;4935;4936;4937;4662;5136;5137;" & _
      "5138;5139;5141;4932;4933) " & _
      "AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _
      "AND UserName not like '%%RTCService%%' "
    fuWritedown "*  ADObjects: '" & strQuery & "'", 4
    if not gbDebugModeON then
      oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat
    end if
    liErrorCode = 0
  else
    liErrorCode = 1
  end if
  fuADObjects = liErrorCode
end function

' send the report files by e-mail
function fuSendReportMail(lsFileMask, lsFrom, lsTo, lsSubject, lsDate)
  Set objEmail = CreateObject("CDO.Message")
  objEmail.From = lsFrom
  objEmail.To = lsTo
  objEmail.Subject = lsSubject
  objEmail.HTMLBody = "<span style='font-family:Tahoma,Arial,sans-serif;font-size:14pt;'>  " & _
    lsDate & "</span>"
  fuCheckfileSizeAndZIP lsDate
  ' attach every report file matching the mask (LogParser's FS input format lists them)
  Set oLogQuery = CreateObject("MSUtil.LogQuery")
  Set oFormat = CreateObject("MSUtil.LogQuery.FileSystemInputFormat")
  Set oRecordSet = oLogQuery.Execute("SELECT * FROM " & lsFileMask, oFormat)
  i = 0
  While Not oRecordSet.atEnd
    Set oRecord = oRecordSet.getRecord()
    strValue = oRecord.getValue("Path")
    objEmail.AddAttachment strValue
    i = i + 1
    oRecordSet.moveNext
  Wend
  oRecordSet.Close
  objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
  objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "MAIL-SRV"
  objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
  objEmail.Configuration.Fields.Update
  objEmail.Send
  fuWritedown "*    '" & lsFrom & "'  '" & lsTo & "'.  -: " & i, 4
end function

function fuCheckErrorCode(liErrorCode, lArrServerList, lsReportfile, lsFunctionName, startTime)
  select case liErrorCode
    case -1
      fuWritedown "* " & lsFunctionName & "   (   )", 4
    case 0
      fuWritedown "* " & lsFunctionName & " ", 4
      fuCheckResultFile(lsReportfile)
    case 1
      fuWritedown "*   '" & Join(lArrServerList, ",") & "'    /,     ( FROM ).     .", 4
      fuCheckResultFile(lsReportfile)
    case else
      fuWritedown "*    " & lsFunctionName & "!", 4
  end select
  fuStopTimer(startTime)
  fuWritedown "", 4
end function

function fuPing(NetworkDevice)
  lBoo = false
  set objPING = GetObject("winmgmts:{impersonationLevel=impersonate}")._
    ExecQuery ("select * from Win32_PingStatus where address ='" & NetworkDevice & "'")
  For Each PING In objPing
    if PING.StatusCode = 0 then
      lBoo = true
    end if
  next
  fuPing = lBoo
end function

function fuCollectFileList(lArrServerList, lbFindOnServer)
  ' true: query the live Security log on each server, false: use the copied archive files
  ' lbFindOnServer = true
  ' lbFindOnServer = false
  lsTmp = Join(lArrServerList, ",")
  fuWritedown "*  : " & lsTmp, 4
  lsList = ""
  lsListFiles = ""
  lsTmpPath = ""
  lbServerHaveArchive = false
  for lix = 0 to UBound(lArrServerList)
    lsServer = lArrServerList(lix)
    fuWritedown "*  '" & lsServer & "'", 4
    if lbFindOnServer then
      if fuPing(lsServer) then
        fuWritedown "*   ", 4
        lsList = lsList & "\\" & lsServer & "\Security"
        if fuServerHaveArchive(lsServer, lsListFiles) then
          lbServerHaveArchive = true
          'lsList = lsList & "," & "\\" & lsServer & "\c$\WINDOWS\system32\config\archive-security-*.evtx"
          if len(lsListFiles) <> 0 then
            'lsList = lsList & "," & lsListFiles
          end if
        end if
        if lix < UBound(lArrServerList) then
          lsList = lsList & ","
        end if
      else
        fuWritedown "*   ", 4
      end if
    else
      lbServerHaveArchive = false
      if Len(lsListFiles) = 0 then
        lsListFiles = fuGetLogFolder(lsServer)
      else
        lsTmpPath = fuGetLogFolder(lsServer)
        if Len(lsTmpPath) <> 0 then
          lsListFiles = lsListFiles & "," & lsTmpPath
        end if
      end if
    end if
  next
  if Right(lsList, 2) = ", " then
    lsList = Left(lsList, Len(lsList)-2)
  end if
  '\\dc1\Security, \\dc1\c$\WINDOWS\system32\config\Archive-Security-*.evt, '\\dc2\Security, \\dc2\c$\WINDOWS\system32\config\Archive-Security-*.evt
  if lbServerHaveArchive then
    lsList = lsList & "," & lsListFiles
  end if
  if not lbFindOnServer then
    lsList = lsListFiles
  end if
  fuWritedown "*  FROM  : '" & lsList & "'", 4
  fuCollectFileList = lsList
end function

function fuServerHaveArchive(lsServerName, lsListFiles_a)
  Const FILE_NAME = 0
  dim gbFoo
  dim gsFilename
  gbFoo = false
  Set objShell = CreateObject ("Shell.Application")
  Set objFolder = objShell.Namespace ("\\" & lsServerName & "\c$\Windows\System32\winevt\Logs")
  For Each strFileName in objFolder.Items
    gsFilename = trim(lCase(objFolder.GetDetailsOf (strFileName, FILE_NAME)))
    ' fuWritedown "* gsFilename: " & gsFilename, 1
    if ((InStr(gsFilename, "archive-security-")) and (Right(gsFilename, 4) = "evtx")) then
      fuWritedown "*  ! \\" & lsServerName & "\c$\Windows\System32\winevt\Logs\" & gsFilename, 4
      if len(lsListFiles_a) = 0 then
        lsListFiles_a = "f:\Logi_ForADReports\" & gsFilename
      else
        lsListFiles_a = lsListFiles_a & "," & "f:\Logi_ForADReports\" & gsFilename
      end if
      fuWritedown "* lsListFiles_a: " & lsListFiles_a, 2
      'fuConvertEvt2Evtx "\\" & lsServerName & "\c$\WINDOWS\system32\config\" & gsFilename, gsFilename
      fuCopyEvtx "\\" & lsServerName & "\c$\Windows\System32\winevt\Logs\" & gsFilename, gsFilename
      gbFoo = true
    end if
  Next
  if gbFoo then
    fuWritedown "*   '" & lsServerName & "'   ", 4
  else
    fuWritedown "*   '" & lsServerName & "'   ", 4
  end if
  fuServerHaveArchive = gbFoo
end function

function fuConvertEvt2Evtx(lsFilenamePath, lsFilename)
  lbTmp = true
  if (fuIsFileExists("f:\Logi_ForADReports\" & lsFilename) and (fuIsFileExists("f:\Logi_ForADReports\" & lsFilename & "x"))) then
    fuWritedown "*   " & lsFilename & "  ,   ", 4
  else
    fuWritedown "*   " & lsFilename & "...", 4
    Set WshShell = CreateObject("WScript.Shell")
    gsRunCmd = "c:\script\convert_evt_to_evtx.bat " & lsFilenamePath & " " & lsFilename
    fuWritedown "*  : '" & gsRunCmd & "'", 2
    WshShell.Run gsRunCmd
    WScript.Sleep 300000
  end if
  fuConvertEvt2Evtx = lbTmp
end function

function fuCopyEvtx(lsFilenamePath, lsFilename)
  lbTmp = true
  if not fuIsFileExists("f:\Logi_ForADReports\" & lsFilename) then
    Set WshShell = CreateObject("WScript.Shell")
    gsRunCmd = "c:\script\copy_evtx.bat " & lsFilenamePath & " " & lsFilename
    fuWritedown "*  : '" & gsRunCmd & "'", 4
    WshShell.Run gsRunCmd
    WScript.Sleep 25000
  else
    fuWritedown "*   " & lsFilename & "   ,   ", 4
  end if
  fuCopyEvtx = lbTmp
end function

function fuDeleteEvtxFiles(lsFromList)
  fuWritedown "*   : " & lsFromList, 4
  lbTmp = true
  Set WshShell = CreateObject("WScript.Shell")
  if InStr(lsFromList, ",") then
    lArrFrom = Split(lsFromList, ",")
    for lix = 0 to uBound(lArrFrom)
      if InStr(lCase(lArrFrom(lix)), "archive-security-") then
        gsRunCmd = "c:\script\del_evtx.bat " & lArrFrom(lix)
        fuWritedown "*  : '" & gsRunCmd & "'", 4
        WshShell.Run gsRunCmd
      end if
    next
  else
    gsRunCmd = "c:\script\del_evtx.bat " & lsFromList
    fuWritedown "*  : '" & gsRunCmd & "'", 4
    WshShell.Run gsRunCmd
  end if
  WScript.Sleep 60000
  fuDeleteEvtxFiles = lbTmp
end function

function fuIsFileExists(lsFilename)
  lBoo = false
  Set FSO = CreateObject("Scripting.FileSystemObject")
  if FSO.FileExists(lsFilename) then
    lBoo = true
  end if
  Set FSO = nothing
  fuIsFileExists = lBoo
end function

' liCase: 0 = silent, 1 = console only, 2 = log file only, 4 = console and log file
function fuWritedown(lsToWrite, liCase)
  Select Case liCase
    Case 0
      ' nothing is written
    Case 1
      WScript.Echo lsToWrite
    Case 2
      objTextFileWriteLog.WriteLine lsToWrite
    Case 4
      WScript.Echo lsToWrite
      objTextFileWriteLog.WriteLine lsToWrite
    Case else
      WScript.Echo lsToWrite
  End Select
end function

' dd.MM.yyyy or M/d/yyyy system date -> yyyy.MM.dd
function fuNormalizeSystemDate(lsDate)
  lsNormalizeDate = lsDate
  if InStr(lsDate, ".") then
    lArrDate = Split(lsDate, ".")
    lsNormalizeDate = lArrDate(2) & "." & lArrDate(1) & "." & lArrDate(0)
  elseif InStr(lsDate, "/") then
    lArrDate = Split(lsDate, "/")
    lsNormalizeDate = fuCheckDatePart(lArrDate(2)) & "." & fuCheckDatePart(lArrDate(0)) & "." & fuCheckDatePart(lArrDate(1))
  end if
  fuNormalizeSystemDate = lsNormalizeDate
end function

function fuNormalizeDate(lsDate)
  lsNormalizeDate = lsDate
  if InStr(lsDate, ".") then
    lArrDate = Split(lsDate, ".")
    lsNormalizeDate = lArrDate(2) & "." & lArrDate(1) & "." & lArrDate(0)
  end if
  fuNormalizeDate = lsNormalizeDate
end function

' zero-pad a one-digit day or month
function fuCheckDatePart(lsDate)
  lsNormalizeDate = lsDate
  if len(lsDate) <= 1 then
    lsNormalizeDate = "0" & lsDate
  end if
  fuCheckDatePart = lsNormalizeDate
end function

function fuStartTimer(lsFunctionName)
  fuStartTimer = Now()
  if lsFunctionName <> "" then
    fuWritedown VBNewLine & lsFunctionName & " ", 4
  end if
end function

function fuStopTimer(startTime)
  EndTime = Now()
  timeDiff = CDate(EndTime - startTime)
  fuWritedown "*  : " & timeDiff & " (" & startTime & "/" & EndTime & ").", 4
end function

function fuCheckResultFile(lsReportfile)
  if objFSO.FileExists(lsReportfile) then
    fuWritedown "*     '" & lsReportfile & "'", 4
  else
    fuWritedown "*   '" & lsReportfile & "'   ,      ", 4
  end if
end function

function fuTypeTextfile(lsTextfile)
  'fuWritedown "   '" & lsTextfile & "'", 1
  Set objTextFileShowHelp = objFSO.OpenTextFile(lsTextfile, 1)
  Do Until objTextFileShowHelp.AtEndOfStream
    fuWritedown objTextFileShowHelp.Readline, 1
  Loop
  objTextFileShowHelp.Close
end function

function fuNeedHelp(lsPar)
  lbFoo = false
  if lsPar = "h" or lsPar = "help" or InStr(lsPar, "?") then
    lbFoo = true
  end if
  fuNeedHelp = lbFoo
end function

' archive file name mask for a given date (Archive-Security-yyyy-MM-dd-*.evtx)
function fuGetFilename(lsDate)
  lsTmp = "Archive-Security-2013-12-01-*.evtx"
  if InStr(lsDate, ".") then
    lArrDate = Split(lsDate, ".")
    lsTmp = "Archive-Security-" & fuCheckDatePart(lArrDate(2)) & "-" & fuCheckDatePart(lArrDate(1)) & "-" & fuCheckDatePart(lArrDate(0)) & "-*.evtx"
  elseif InStr(lsDate, "/") then
    lArrDate = Split(lsDate, "/")
    lsTmp = "Archive-Security-" & fuCheckDatePart(lArrDate(2)) & "-" & fuCheckDatePart(lArrDate(1)) & "-" & fuCheckDatePart(lArrDate(0)) & "-*.evtx"
  end if
  fuGetFilename = lsTmp
end function
fuGetLogFolder(lsServer) lsTmp = "" Select Case lsServer Case "DC1": lsTmp = "Q:\Logi_DC1\" Case "DC2": lsTmp = "Q:\Logi_DC2\" Case "FILE-SRV1": lsTmp = "Q:\Logi_FILE-SRV1\" Case "FILE-SRV2": lsTmp = "Q:\Logi_FILE-SRV2\" Case "EXCH1": lsTmp = "Q:\Logi_EXCH1\" Case "EXCH2": lsTmp = "Q:\Logi_EXCH2\" Case else fuWritedown "*       " & lsServer & "  .    'Q:\Logi_" & lsServer & "\'", 4 lsTmp = "Q:\Logi_" & lsServer & "\" End Select lsPath = Left(lsTmp, Len(lsTmp)-1) 'lsPath = lsTmp lsFile = gsLogFilename lsBoo = fuNASHaveArchive(lsServer, lsPath, lsFile) if lsBoo then lsTmp = lsTmp & gsLogFilename else lsTmp = "" end if fuGetLogFolder = lsTmp end function function fuNASHaveArchive(Server, Path, File) wscript.echo Server & ", " & Path & ", " & File Const FILE_NAME = 0 dim gbFoo dim gsFilename gbFoo = false lsF = lCase(Left(File, Len(File)-6)) Set objShell = CreateObject("Shell.Application") Set objFolder = objShell.Namespace(Path) For Each strFileName in objFolder.Items gsFilename = trim(lCase(objFolder.GetDetailsOf (strFileName, FILE_NAME))) ' wscript.echo "* gsFilename: " & gsFilename if InStr(gsFilename, lsF) then gbFoo = true end if Next fuNASHaveArchive = gbFoo end function function fuCheckfileSizeAndZIP(lsDate) lsReportFolder = "F:\Reports\" lArrReportfilesList = Array (_ lsReportFolder & "logged_Administrator_" & lsDate & ".html", _ lsReportFolder & "new_AD_" & lsDate & ".html", _ lsReportFolder & "logonFailuresStats_" & lsDate & ".html", _ lsReportFolder & "group_Manage_" & lsDate & ".html", _ lsReportFolder & "logonFailure_" & lsDate & ".html", _ lsReportFolder & "change_password_" & lsDate & ".html", _ lsReportFolder & "new_Comp_AD_" & lsDate & ".html", _ lsReportFolder & "audit_" & lsDate & ".html", _ lsReportFolder & "auditStat_" & lsDate & ".html", _ lsReportFolder & "logged_Rdp_" & lsDate & ".html", _ gsReportFolder & "AD_objects_" & gsNormalDate & ".html") for lix = 0 to UBound(lArrReportfilesList) lbTmp = false lsFilenamePath = lArrReportfilesList(lix) 
ArcName = Left(lsFilenamePath, Len(lsFilenamePath)-5) & ".zip" if fuIsFileExists(lsFilenamePath) then Set File = objFSO.GetFile(lsFilenamePath) lsFilenameSize = File.Size if lsFilenameSize > 3000000 then fuWritedown "*   '" & lsFilenamePath & "'  3  ( " & lsFilenameSize & " ),   ", 4 fuWritedown "*  ...", 1 '--[   ]------------------------------------------------------------------- Set Shell=CreateObject("WScript.Shell") Set Zip=Shell.Exec("C:\Program Files\7-Zip\7z.exe a " & ArcName & " " & lsFilenamePath) ' ,     While (Zip.Status = 0) WScript.Sleep 5000 Wend Set Shell = Nothing fuWritedown "*  !   '" & ArcName & "'", 4 fuWritedown "*    '" & lsFilenamePath & "'...", 4 objFSO.DeleteFile lsFilenamePath, true fuWritedown "*  !", 1 lbTmp = true 'WScript.Sleep 2000 '--------------------------------------------------------------------------------------------- end if else '   ,   . end if next fuCheckfileSizeAndZIP = lbTmp end function 


Helper batch files.
convert_evt_to_evtx.bat
 copy %1 f:\Logi_ForADReports\%2
 wevtutil epl f:\Logi_ForADReports\%2 f:\Logi_ForADReports\%2x /lf:true

copy_evtx.bat
 copy %1 f:\Logi_ForADReports\%2 

del_evtx.bat
 del %1 


The script can be run without any keys; in that case all 11 reports are generated.
The script takes three keys:
 Logparser_4.bat [report_list] [email_address] [date] 

[report_list] is an optional key: the list of reports to produce, given in the form "1,1,0,0,1,0,1,0,1,0,0", where a 1 means that the corresponding report is run.
The all key runs all reports.
The none key switches off creation of all reports (in the script itself and in the examples below this key is spelled nothing).

[email_address] is an optional key. It can take the following values:
y - send the reports to the default address (admin1@domain.com)
n - do not send the reports by e-mail; just put them in the folder f:\Reports
email_address - the e-mail address the reports are sent to.

[date] is an optional key: the date for which the reports are processed. It is given only when already-created reports for a past date have to be sent; otherwise the reports are always generated for the day before the date on which the script is started. Date format: YYYY.MM.DD

Reports:
1. Administrator logon report
2. AccountManage report
3. Logon failure statistics report
4. Group management report
5. Logon failure report
6. Password management report
7. Computer management report
8. Audit report for the Top-Secret-Documents folder
9. Audit statistics report for the Top-Secret-Documents folder
10. RDP logon report
11. Report on tracked activity of AD objects



 Logparser_4.bat nothing "admin2@domain.com" 2013.01.01 
All reports already created for 1 January 2013 are sent to "admin2@domain.com" (the reports are not run again).

 Logparser_4.bat nothing y 2013.02.18 
All reports already created for 18 February 2013 are sent to the default address (the reports are not run again).

 Logparser_4.bat all "admin3@domain.com" 
Creates all reports and sends them to "admin3@domain.com".

 Logparser_4.bat "1,0,0,0,0,0,0,0,0,1,0" 
Creates only the first and the last reports and sends them to the default address.

 Logparser_4.bat "0,1,0,0,0,0,0,0,0,0,0" n 
Creates only the second report, but does not send it anywhere; it is placed in the folder f:\Reports.

 Logparser_4.bat /? 
Shows the help.


Right now the script looks for events in the archived security logs (Archive-Security-*.evt) in the central repository; in the script this is the Q drive, connected at the start of the batch file:
 net use Q: \\nas-srv\BACKUP 
However, it can also search the live and the archived logs on the servers themselves. To do that, in each of the 11 functions change
 lsFROM = fuCollectFileList(lArrServerList, false) 
to
 lsFROM = fuCollectFileList(lArrServerList, true) 

The archive with the script, the batch files and the templates can be downloaded here.
Of course, the script does not have to be used as-is. The main thing is to understand how Log Parser searches for events and writes them into an HTML file through a template, and then to apply that principle.
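One of the per-report functions in the style the page describes, as an added example that is not part of the original LogParser_bat_4.vbs: it runs a Log Parser query through the COM interface over the same comma-separated FROM list that fuCollectFileList builds (NAS archives, or the servers' live and archived logs when the true flag is used) and writes the rows into an HTML file through a template. The template file name, the report name, the choice of events 4720 (user account created) and 4724 (password reset attempt) and the Strings token positions are my assumptions, not the author's; the token positions should be checked against the event documentation linked above.

```vbscript
' Added example, not from the original LogParser_bat_4.vbs.
' Assumptions (mine): the template name, the report name, event IDs 4720/4724 and the
' Strings token positions 0=TargetUserName 1=TargetDomainName 4=SubjectUserName 5=SubjectDomainName.
Function fuAccountManageReport(lsFromList, lsDateFrom, lsDateTo, lsReportFile)
    Dim oLogQuery, oInput, oOutput, strQuery
    Set oLogQuery = CreateObject("MSUtil.LogQuery")
    Set oInput    = CreateObject("MSUtil.LogQuery.EventLogInputFormat")
    Set oOutput   = CreateObject("MSUtil.LogQuery.TemplateOutputFormat")

    ' The archives are offline copies: do not resolve SIDs against the live DCs
    oInput.resolveSIDs = False
    oInput.fullText = True
    ' Template with <LPHEADER>/<LPBODY>/<LPFOOTER> sections (assumed file name)
    oOutput.tpl = "c:\script\Tamplates\account_manage.tpl"

    ' lsFromList is the list fuCollectFileList returns: live logs (\\dc1\Security)
    ' and/or copied archives (f:\Logi_ForADReports\*.evtx), comma-separated.
    ' "Who did what to whom" for the report day only, oldest event first.
    strQuery = "SELECT TimeGenerated, ComputerName, EventID, " & _
        "CASE EventID WHEN 4720 THEN 'user created' " & _
        "WHEN 4724 THEN 'password reset attempt' ELSE 'other' END AS Action, " & _
        "STRCAT(STRCAT(EXTRACT_TOKEN(Strings, 5, '|'), '\'), EXTRACT_TOKEN(Strings, 4, '|')) AS DoneBy, " & _
        "STRCAT(STRCAT(EXTRACT_TOKEN(Strings, 1, '|'), '\'), EXTRACT_TOKEN(Strings, 0, '|')) AS Target " & _
        "INTO '" & lsReportFile & "' " & _
        "FROM " & lsFromList & " " & _
        "WHERE EventID IN (4720; 4724) " & _
        "AND TimeGenerated >= TO_TIMESTAMP('" & lsDateFrom & "', 'yyyy.MM.dd') " & _
        "AND TimeGenerated <  TO_TIMESTAMP('" & lsDateTo & "', 'yyyy.MM.dd') " & _
        "ORDER BY TimeGenerated"

    oLogQuery.ExecuteBatch strQuery, oInput, oOutput
    ' lastError is 0 on success; a non-zero value means the query or a source failed
    If oLogQuery.lastError <> 0 Then
        WScript.Echo "Log Parser error " & oLogQuery.lastError & " in query: " & strQuery
    End If
    fuAccountManageReport = (oLogQuery.lastError = 0)
End Function

' Example call in the page's YYYY.MM.DD convention (paths constructed for illustration)
If fuAccountManageReport("'f:\Logi_ForADReports\Archive-Security-2013-12-01-*.evtx'", _
                         "2013.12.01", "2013.12.02", "F:\Reports\new_AD_2013.12.01.html") Then
    WScript.Echo "report written"
End If
```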

Source: https://habr.com/ru/post/J205128/