Отчёт по событиям на Windows серверах домена

net use Q: \\nas-srv\BACKUP cscript //nologo "c:\script\LogParser_bat_4.vbs" %1 %2 %3 net use Q: /delete 

' Ежедневный отчет по событиям на серверах ' Автор Лужин Кирилл ' luzhin.kirill@yandex.ru  'On Error Resume Next  const gsReportFolder = "F:\Reports\" const gsFrom = "admin1@domain.com" const gsSubject = "send report" const gsHelpFile = "c:\script\LogParser_bat.txt" const gbDebugModeON = false  Dim oLogQuery Dim oMyInputFormat Dim oCSVOutputFormat  Dim strQuery Dim giErrorCode Dim gsFileNameLog Dim gsNormalDate Dim gsTo Dim gArrNumberOfFunctions gArrNumberOfFunctions = Array ("1", "1", "1", "1", "1", "1", "1", "1", "1", "1", "1")   gsTo = "admin1@domain.com" gsEMail = "n" ' Это для отчета за сегодня (на всякий случай): ' gsNormalDate = fuNormalizeSystemDate(cStr(Date)) ' Это для отчета за вчера (нормальный режим): gsNormalDate = fuNormalizeSystemDate(cStr(DateAdd("d", -1, Date))) gsDate = gsNormalDate gsNumberOfFunctions = "all"   gsCheckDate = DateAdd("d", -1, Date) gsLogFilename = fuGetFilename(gsCheckDate)   Set objFSO = CreateObject("Scripting.FileSystemObject") gsFileNameLog = gsReportFolder & gsNormalDate & ".log" Set objTextFileWriteLog = objFSO.OpenTextFile(gsFileNameLog, 8, True)   ' отчет за последние 33 часа: fuWritedown "* Дата отчета: " & Now, 4 gsPastDate = DateAdd("h", -33, Now)  fuWritedown "* Отчеты создаются начиная с " & gsPastDate, 4 ' отчет за последние 2 дня: ' gsPastDate = DateAdd("d", -2, Date) 	 if Wscript.Arguments.Count >= 1 then 	if lCase(Wscript.Arguments(0)) = "nothing" then 		gArrNumberOfFunctions = Array ("0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0") 		gsNumberOfFunctions = "nothing" 	elseif InStr(Wscript.Arguments(0), ",") then 		gArrNumberOfFunctions = split(Wscript.Arguments(0), ",") 		gsNumberOfFunctions = "different" 	elseif fuNeedHelp(lCase(Wscript.Arguments(0))) then 		fuTypeTextfile(gsHelpFile) 		WScript.Quit 0 	'else gArrNumberOfFunctions = Array ("1", "1", "1", "1", "1", "1", "1", "1", "1", "1", "1") 	end if 	 	if Wscript.Arguments.Count >= 2 then 		if InStr(Wscript.Arguments(1), "@") then 			gsEMail = "y" 			gsTo = Wscript.Arguments(1) 		else 			gsEMail = lCase(Wscript.Arguments(1)) 		end if 		 		if Wscript.Arguments.Count = 3 then 			gsDate = Wscript.Arguments(2) 		end if 	end if end if   fuWritedown "* Имя файла журнала: " & gsFileNameLog, 2  gStartTime = fuStartTimer("")  if gsNumberOfFunctions <> "nothing" then 	gArrProcNamesList = Array (_ 		"Процедура поиска логинов администраторов", _ 		"Процедура AccauntManage", _ 		"Процедура создания статистики неудачных логинов", _ 		"Процедура управления группами", _ 		"Процедура поиска неудачных логинов", _ 		"Процедура управления паролями", _ 		"Процедура управления компьютерами", _ 		"Процедура аудита", _ 		"Процедура статистики аудита", _ 		"Процедура поиска логинов к RDP",_ 		"Процедура слежения за действиями над объектами в AD") 		 	gArrReportfilesList = Array (_ 		gsReportFolder & "logged_Administrator_" & gsNormalDate & ".html", _ 		gsReportFolder & "new_AD_" & gsNormalDate & ".html", _ 		gsReportFolder & "logonFailuresStats_" & gsNormalDate & ".html", _ 		gsReportFolder & "group_Manage_" & gsNormalDate & ".html", _ 		gsReportFolder & "logonFailure_" & gsNormalDate & ".html", _ 		gsReportFolder & "change_password_" & gsNormalDate & ".html", _ 		gsReportFolder & "new_Comp_AD_" & gsNormalDate & ".html", _ 		gsReportFolder & "audit_" & gsNormalDate & ".html", _ 		gsReportFolder & "auditStat_" & gsNormalDate & ".html", _ 		gsReportFolder & "logged_Rdp_" & gsNormalDate & ".html", _ 		gsReportFolder & "AD_objects_" & gsNormalDate & ".html") 		   	for gix = 0 to UBound(gArrNumberOfFunctions) 		gsFunctionName = gArrProcNamesList(gix) 		gsReportfile = gArrReportfilesList(gix) 		 		if gArrNumberOfFunctions(gix) = "1" then	 			startTime = fuStartTimer(gsFunctionName) 			gArrServerList = Array ("DC1", "DC2") 			Select Case gix 				Case 0: giErrorCode = fuLogonAdministrator(gArrServerList, gsReportfile) 				Case 1: giErrorCode = fuAccauntManage(gArrServerList, gsReportfile) 				Case 2: giErrorCode = fuLogonFailureStats(gArrServerList, gsReportfile) 				Case 3: gArrServerList = Array ("DC1","DC2","EXCH1","EXCH2") 						giErrorCode = fuGroupManage(gArrServerList, gsReportfile) 				Case 4: giErrorCode = fuLogonFailures(gArrServerList, gsReportfile) 				Case 5: giErrorCode = fuPasswordManage(gArrServerList, gsReportfile) 				Case 6: giErrorCode = fuCompManage(gArrServerList, gsReportfile) 				Case 7: gArrServerList = Array ("FILE-SRV1","FILE-SRV2") 						giErrorCode = fuAudit(gArrServerList, gsReportfile) 				Case 8: gArrServerList = Array ("FILE-SRV1","FILE-SRV2") 						giErrorCode = fuAuditStat(gArrServerList, gsReportfile) 				Case 9: gArrServerList = Array ("DC1","DC2","EXCH1","EXCH2") 						giErrorCode = fuLogonRdp(gArrServerList, gsReportfile, gsFunctionName) 				Case 10: giErrorCode = fuADObjects(gArrServerList, gsReportfile) 				Case else fuWritedown "* Некорректный индекс: " & gix, 4 			End Select 			fuCheckErrorCode giErrorCode, gArrServerList, gsReportfile, gsFunctionName, startTime 		else 			fuWritedown gsFunctionName & " пропущена", 4 		end if 	next else 	fuWritedown "* Выбран вариант без создания отчетов", 4 end if  fuStopTimer(gStartTime)  if gsEMail = "y" then 	fuSendReportMail gsReportFolder & "*_" & gsDate & ".*", gsFrom, gsTo, gsSubject, gsDate else 	fuWritedown "* Выбран вариант без отсылания отчетов", 4 end if  fuWritedown "* Журнал сохранен в Файл '" & gsFileNameLog & "'", 1 fuDeleteEvtxFiles "F:\Logi_ForADReports\*.evtx" 'MsgBox "Журнал сохранен в Файл '" & gsFileNameLog & "'", vbInformation, "Информация" objTextFileWriteLog.Close  ' Процедура поиска логинов администраторов function fuLogonAdministrator(lArrServerList, lsReport) 	liErrorCode = -1 	lsFROM = fuCollectFileList(lArrServerList, false)  	if lsFROM <> "" then 		Set oLogQuery = CreateObject("MSUtil.LogQuery")  		' Create Input Format object 		Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat") 		oEVTInputFormat.direction = "BW"  		' Create Output Format object 		' Set oCSVOutputFormat = CreateObject("MSUtil.LogQuery.CSVOutputFormat") 		Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat") 		'oCSVOutputFormat.tabs = TRUE 		oTPLOutputFormat.tpl = "c:\script\Tamplates\logonAdministrator.tpl"  		' Создание текста запроса 		strQuery = "SELECT TO_LOWERCASE(EXTRACT_TOKEN(Strings,5,'|')) as UserName, eventid, TimeGenerated, ComputerName as DC, " & _ 			"TO_LOWERCASE(EXTRACT_TOKEN(Strings,5,'|')) AS LogonName, " & _ 			"TO_LOWERCASE(EXTRACT_TOKEN(Strings,6,'|')) AS Domain, " & _ 			"TO_LOWERCASE(EXTRACT_TOKEN(Strings,13,'|')) AS LogonWKS, " & _ 			"extract_token(trim(extract_token(Message, 18, ':' )), 0, ' ') as LogonIP, " & _ 			"CASE TO_INT(EXTRACT_TOKEN(Strings,10,'|')) " & _ 			"	WHEN 2 THEN  'Interactive - Intended for users who will be interactively using the machine, such as a user being logged on by a terminal server, remote shell, or similar process.'" & _ 			"	WHEN 3 THEN  'Network - Intended for high performance servers to authenticate clear text passwords. LogonUser does not cache credentials for this logon type.'" & _ 			"	WHEN 4 THEN  'Batch - Intended for batch servers, where processes may be executing on behalf of a user without their direct intervention; or for higher performance servers that process many clear-text authentication attempts at a time, such as mail or web servers. LogonUser does not cache credentials for this logon type.'" & _ 			"	WHEN 5 THEN  'Service - Indicates a service-type logon. The account provided must have the service privilege enabled.'" & _ 			"	WHEN 6 THEN  'Proxy - Indicates a proxy-type logon.'" & _ 			"	WHEN 7 THEN  'Unlock - This logon type is intended for GINA DLLs logging on users who will be interactively using the machine. This logon type allows a unique audit record to be generated that shows when the workstation was unlocked.'" & _ 			"	WHEN 8 THEN  'NetworkCleartext - Windows 2000; Windows XP and Windows Server 2003 family:  Preserves the name and password in the authentication packages, allowing the server to make connections to other network servers while impersonating the client. This allows a server to accept clear text credentials from a client, call LogonUser, verify that the user can access the system across the network, and still communicate with other servers.'" & _ 			"	WHEN 9 THEN  'NewCredentials - Windows 2000; Windows XP and Windows Server 2003 family:  Allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.'" & _ 			"	WHEN 10 THEN 'RemoteInteractive - Terminal Server session that is both remote and interactive.'" & _ 			"	WHEN 11 THEN 'CachedInteractive - Attempt cached credentials without accessing the network.'" & _ 			"	WHEN 12 THEN 'CachedRemoteInteractive - Same as RemoteInteractive. This is used for internal auditing.'" & _ 			"	WHEN 13 THEN 'CachedUnlock - Workstation logon'" & _ 			"	ELSE EXTRACT_TOKEN(Strings,10,'|') " & _ 			"END AS LogonType, " & _ 			"extract_token(strings, 4, '|' ) as LogonProc, " & _ 			"extract_token(strings, 11, '|' ) as ProcessID " & _ 			"INTO " & lsReport & " " & _ 			"FROM " & lsFROM & " " & _ 			"WHERE EventID IN (4624;4636) " & _ 			"AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _ 			"AND ((TO_LOWERCASE(LogonName) = TO_LOWERCASE('administrator')) " & _ 			" OR  (TO_LOWERCASE(LogonName) = TO_LOWERCASE('администратор')) " & _ 			" OR  (TO_LOWERCASE(LogonName) = TO_LOWERCASE('admin'))) " 		 		fuWritedown "* Запрос поиска логинов администраторов: '" & strQuery & "'", 4  		' Execute query 		oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat  		liErrorCode = 0 	else 		liErrorCode = 1 	end if  	fuLogonAdministrator = liErrorCode end function  'Процедура AccauntManage function fuAccauntManage(lArrServerList, lsReport) 	liErrorCode = -1 	lsFROM = fuCollectFileList(lArrServerList, false) 	'lsFROM = "\\DC1\c$\WINDOWS\system32\winevt\Logs\Archive-Security-2010-08-03-09-34-11-527.evtx" 	'lsFROM = "\\DC1\security"  	if lsFROM <> "" then 		Set oLogQuery = CreateObject("MSUtil.LogQuery")  		Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat") 		oEVTInputFormat.direction = "BW"  		Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat") 		oTPLOutputFormat.tpl = "c:\script\Tamplates\accauntManage.tpl" 			 		strQuery = "select extract_token(extract_token(Message, 3, ':' ), 0, ' Account ') as UserName, TimeGenerated, SourceName, Message as EventCategoryName, " & _ 			"extract_token(extract_token(Message, 0, ':' ),0,'.') as Description, EventID, ComputerName, " & _ 			"extract_token(extract_token(Message, 8, ':' ), 1, ' ') as Name " & _ 			"INTO " & lsReport & " " & _ 			"FROM " & lsFROM & " " & _ 			"WHERE EventID IN (4720;4722;4725;4726;4738;4740;4767;4780;4781;4782) " &_ 			"AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss')"  		fuWritedown "* Запрос AccauntManage: '" & strQuery & "'", 4 		 		if not gbDebugModeON then 			oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat  		end if 		 		liErrorCode = 0 	else 		liErrorCode = 1 	end if  	fuAccauntManage = liErrorCode end function  'Процедура создания статистики неудачных логинов function fuLogonFailureStats(lArrServerList, lsReport) 	liErrorCode = -1 	lsFROM = fuCollectFileList(lArrServerList, false)  	if lsFROM <> "" then 		Set oLogQuery = CreateObject("MSUtil.LogQuery")  		Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat") 		oEVTInputFormat.direction = "BW"  		Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat") 		oTPLOutputFormat.tpl = "c:\script\Tamplates\logonFailuresStats.tpl"  		strQuery = "SELECT TO_LOWERCASE(EXTRACT_TOKEN(Strings,5,'|')) AS User, " & _ 		"COUNT(*) AS Total " & _ 		"INTO " & lsReport & " " & _ 		"FROM " & lsFROM & " " & _ 		"WHERE EventID IN (4625) " & _ 		"AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _ 		"GROUP BY User " & _ 		"ORDER BY Total DESC" 			 		fuWritedown "* Запрос статистики неудачных логинов: '" & strQuery & "'", 4  		if not gbDebugModeON then 			oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat  		end if 		 		liErrorCode = 0 	else 		liErrorCode = 1 	end if 	 	fuLogonFailureStats = liErrorCode end function  'Процедура управления группами function fuGroupManage(lArrServerList, lsReport) 	liErrorCode = -1 	lsFROM = fuCollectFileList(lArrServerList, false)  	if lsFROM <> "" then 		Set oLogQuery = CreateObject("MSUtil.LogQuery")  		Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat") 		oEVTInputFormat.direction = "BW"  		Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat") 		oTPLOutputFormat.tpl = "c:\script\Tamplates\groupManage.tpl"  		strQuery = "SELECT extract_token(extract_token(Message, 3, ':' ), 0, ' Account ') as UserName, TimeGenerated, SourceName, EventCategoryName, " & _  			"extract_token(extract_token(Message, 0, ':' ), 0, '.') as EventIDName, " & _ 			"COALESCE(extract_token(extract_token(strings, 0, ',' ), 1, '='), extract_token(strings, 0, '|' ), strings) as Name, " & _ 			"COALESCE(extract_token(extract_token(strings, 0, ',' ), 1, '='), extract_token(strings, 1, '|' ), strings) as SIDName, " & _ 			"extract_token(strings, 2, '|' ) as Name_Group, " & _ 			"EventID, extract_token(ComputerName, 0, '.') " & _ 			"INTO " & lsReport & " " & _ 			"FROM " & lsFROM & " " & _ 			"WHERE EventID IN (4727;4728;4729;4730;4731;4732;4733;4734;4735;4737;4744;4745;4746;4747;4748;4749;4750;4751;4752;4753;4754;4755;4756;4757;4758;4759;4760;4761;4762;4764;4783;4784;4785;4786;4787;4788;4789;4790) " & _ 			"AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss')" 			 		fuWritedown "* Запрос управления группами: '" & strQuery & "'", 4  		if not gbDebugModeON then 			oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat  		end if 		 		liErrorCode = 0 	else 		liErrorCode = 1 	end if 	 	fuGroupManage = liErrorCode end function  'Процедура поиска неудачных логинов function fuLogonFailures(lArrServerList, lsReport) 	liErrorCode = -1 	lsFROM = fuCollectFileList(lArrServerList, false)  	if lsFROM <> "" then 		Set oLogQuery = CreateObject("MSUtil.LogQuery")  		Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat") 		oEVTInputFormat.direction = "BW"  		Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat") 		oTPLOutputFormat.tpl = "c:\script\Tamplates\logonFailures.tpl"  		strQuery = "SELECT COUNT(EventID) AS TotalLogonFailures, " & _ 			"TO_LOWERCASE(EXTRACT_TOKEN(Strings,5,'|')) AS User, " & _ 			"TO_LOWERCASE(EXTRACT_TOKEN(Strings,6,'|')) AS Domain, " & _ 			"TO_LOWERCASE(EXTRACT_TOKEN(Strings,13,'|')) AS WorkStation, " & _ 			"CASE TO_INT(EXTRACT_TOKEN(Strings,10,'|')) " & _ 			"	WHEN 2 THEN  'Interactive - Intended for users who will be interactively using the machine, such as a user being logged on by a terminal server, remote shell, or similar process.'" & _ 			"	WHEN 3 THEN  'Network - Intended for high performance servers to authenticate clear text passwords. LogonUser does not cache credentials for this logon type.'" & _ 			"	WHEN 4 THEN  'Batch - Intended for batch servers, where processes may be executing on behalf of a user without their direct intervention; or for higher performance servers that process many clear-text authentication attempts at a time, such as mail or web servers. LogonUser does not cache credentials for this logon type.'" & _ 			"	WHEN 5 THEN  'Service - Indicates a service-type logon. The account provided must have the service privilege enabled.'" & _ 			"	WHEN 6 THEN  'Proxy - Indicates a proxy-type logon.'" & _ 			"	WHEN 7 THEN  'Unlock - This logon type is intended for GINA DLLs logging on users who will be interactively using the machine. This logon type allows a unique audit record to be generated that shows when the workstation was unlocked.'" & _ 			"	WHEN 8 THEN  'NetworkCleartext - Windows 2000; Windows XP and Windows Server 2003 family:  Preserves the name and password in the authentication packages, allowing the server to make connections to other network servers while impersonating the client. This allows a server to accept clear text credentials from a client, call LogonUser, verify that the user can access the system across the network, and still communicate with other servers.'" & _ 			"	WHEN 9 THEN  'NewCredentials - Windows 2000; Windows XP and Windows Server 2003 family:  Allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.'" & _ 			"	WHEN 10 THEN 'RemoteInteractive - Terminal Server session that is both remote and interactive.'" & _ 			"	WHEN 11 THEN 'CachedInteractive - Attempt cached credentials without accessing the network.'" & _ 			"	WHEN 12 THEN 'CachedRemoteInteractive - Same as RemoteInteractive. This is used for internal auditing.'" & _ 			"	WHEN 13 THEN 'CachedUnlock - Workstation logon'" & _ 			"	ELSE EXTRACT_TOKEN(Strings,10,'|') " & _ 			"END AS Type " & _ 			"INTO " & lsReport & " " & _ 			"FROM " & lsFROM & " " & _ 			"WHERE EventID IN (4625) " & _ 			"AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _ 			"GROUP BY User,Domain,WorkStation,Type " & _ 			"ORDER BY TotalLogonFailures DESC" 			 		fuWritedown "* Запрос создания статистики неудачных логинов: '" & strQuery & "'", 4  		if not gbDebugModeON then 			oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat  		end if 		 		liErrorCode = 0 	else 		liErrorCode = 1 	end if 	 	fuLogonFailures = liErrorCode end function  'Процедура управления паролями function fuPasswordManage(lArrServerList, lsReport) 	liErrorCode = -1 	lsFROM = fuCollectFileList(lArrServerList, false)  	if lsFROM <> "" then 		Set oLogQuery = CreateObject("MSUtil.LogQuery")  		Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat") 		oEVTInputFormat.direction = "BW"  		Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat") 		oTPLOutputFormat.tpl = "c:\script\Tamplates\PasswordManage.tpl" 		 		strQuery = "SELECT extract_token(extract_token(Message, 3, ':' ), 0, ' Account ') as UserName, TimeGenerated, SourceName, EventCategoryName, " & _ 			"extract_token(extract_token(Message, 0, ':' ),0,'.') as Description, EventID, ComputerName, " & _ 			"extract_token(extract_token(Message, 8, ':' ), 0, ' Account ') as Name " & _ 			"INTO " & lsReport & " " & _ 			"FROM " & lsFROM & " " & _ 			"WHERE EventID IN (4723;4724;4782;4793) " & _ 			"AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss')" 			 		fuWritedown "* Запрос управления паролями: '" & strQuery & "'", 4  		if not gbDebugModeON then 			oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat  		end if 		 		liErrorCode = 0 	else 		liErrorCode = 1 	end if 	 	fuPasswordManage = liErrorCode end function  'Процедура управления компьютерами function fuCompManage(lArrServerList, lsReport) 	liErrorCode = -1 	lsFROM = fuCollectFileList(lArrServerList, false)  	if lsFROM <> "" then 		Set oLogQuery = CreateObject("MSUtil.LogQuery")  		Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat") 		oEVTInputFormat.direction = "BW"  		Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat") 		oTPLOutputFormat.tpl = "c:\script\Tamplates\compManage.tpl" 		 		strQuery = "SELECT extract_token(extract_token(Message, 3, ':' ), 0, ' Account ') as UserName, TimeGenerated, SourceName, EventCategoryName, " & _ 			"extract_token(extract_token(Message, 0, ':' ),0,'.') as Description, EventID, ComputerName, " & _ 			"extract_token(extract_token(Message, 8, ':' ), 0, ' Account ') as Name " & _ 			"INTO " & lsReport & " " & _ 			"FROM " & lsFROM & " " & _ 			"WHERE EventID in (4720;4742;4743) " & _ 			"and Name like '%%$%%' " & _ 			"AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss')" 			 		fuWritedown "* Запрос управления компьютерами: '" & strQuery & "'", 4  		if not gbDebugModeON then 			oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat  		end if 		 		liErrorCode = 0 	else 		liErrorCode = 1 	end if 	 	fuCompManage = liErrorCode end function  'Процедура аудита function fuAudit(lArrServerList, lsReport) 	liErrorCode = -1 	lsFROM = fuCollectFileList(lArrServerList, false)  	if lsFROM <> "" then 		Set oLogQuery = CreateObject("MSUtil.LogQuery")  		Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat") 		oEVTInputFormat.direction = "BW"  		Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat") 		oTPLOutputFormat.tpl = "c:\script\Tamplates\audit.tpl"  		strQuery = "select TimeGenerated, EventID, " & _ 			"extract_token(Strings, 0, '|' ) as UserSID,  " & _ 			"extract_token(Strings, 6, '|' ) as ObjectName, " & _ 			"extract_token(Strings, 1, '|' ) as User, " & _ 			"extract_token(Strings, 2, '|' ) as Domain, " & _ 			"extract_token(Strings, 5, '|' ) as ObjectType, " & _ 			"extract_token(Strings, 11, '|' ) as ProgramName, " & _ 			"extract_token(Message, 0, '.' ) as Event " & _ 			"into " & lsReport & " " & _ 			"from " & lsFROM & " " & _ 			"where EventId in (4656;4659;4660;4661;4663;4691) " & _ 			"and TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _ 			"and User <> 'NT AUTHORITY\SYSTEM' " & _ 			"and extract_token(Strings, 6, '|' ) not like '%%HarddiskVolumeShadowCopy%%' " & _ 			"and extract_token(Strings, 6, '|' ) not like '%%ShadowCopyVolume%%' " & _ 			"and TO_LOWERCASE(extract_token(Strings, 6, '|' )) like '%%Top-Secret-Documents%%' " & _ 			"and User <> 'FILE-SRV1$' " & _ 			"and User <> 'FILE-SRV2$' " & _ 			"order by Timegenerated" 			 		fuWritedown "* Запрос " & lsFunctionName & ": '" & strQuery & "'", 4  		if not gbDebugModeON then 			oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat  		end if 		 		liErrorCode = 0 	else 		lsFROM = fuCollectFileList(lArrServerList, true) 		 		if lsFROM <> "" then 			Set oLogQuery = CreateObject("MSUtil.LogQuery")  			Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat") 			oEVTInputFormat.direction = "BW"  			Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat") 			oTPLOutputFormat.tpl = "c:\script\Tamplates\audit.tpl"  			strQuery = "select TimeGenerated, EventID, " & _ 				"extract_token(Strings, 0, '|' ) as UserSID,  " & _ 				"extract_token(Strings, 6, '|' ) as ObjectName, " & _ 				"extract_token(Strings, 1, '|' ) as User, " & _ 				"extract_token(Strings, 2, '|' ) as Domain, " & _ 				"extract_token(Strings, 5, '|' ) as ObjectType, " & _ 				"extract_token(Strings, 11, '|' ) as ProgramName, " & _ 				"extract_token(Message, 0, '.' ) as Event " & _ 				"into " & lsReport & " " & _ 				"from " & lsFROM & " " & _ 				"where EventId in (4656;4659;4660;4661;4663;4691) " & _ 				"and TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _ 				"and User <> 'NT AUTHORITY\SYSTEM' " & _ 				"and extract_token(Strings, 6, '|' ) not like '%%HarddiskVolumeShadowCopy%%' " & _ 				"and extract_token(Strings, 6, '|' ) not like '%%ShadowCopyVolume%%' " & _ 				"and TO_LOWERCASE(extract_token(Strings, 6, '|' )) like '%%Top-Secret-Documents%%' " & _ 				"and User <> 'FILE-SRV1$' " & _ 				"and User <> 'FILE-SRV2$' " & _ 				"order by Timegenerated" 				 			fuWritedown "* Запрос " & lsFunctionName & ": '" & strQuery & "'", 4  			if not gbDebugModeON then 				oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat  			end if 		else 			fuWritedown "* Что-то с аудитом совсем плохо.", 4 		end if 		 		liErrorCode = 1 	end if 	 	fuAudit = liErrorCode end function  'Процедура статистики аудита function fuAuditStat(lArrServerList, lsReport) 	liErrorCode = -1 	lsFROM = fuCollectFileList(lArrServerList, false)  	if lsFROM <> "" then 		Set oLogQuery = CreateObject("MSUtil.LogQuery")  		Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat") 		oEVTInputFormat.direction = "BW"  		Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat") 		oTPLOutputFormat.tpl = "c:\script\Tamplates\auditStat.tpl"  		strQuery = "select extract_token(Strings, 1, '|' ) as User, " & _ 			"COUNT(*) as Qty, " & _ 			"MAX(TimeGenerated) as MaxTime  " & _ 			"into " & lsReport & " " & _ 			"from " & lsFROM & " " & _ 			"where EventId in (4656;4659;4660;4661;4663;4691) " & _ 			"and TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _ 			"and User <> 'NT AUTHORITY\SYSTEM' " & _ 			"and extract_token(Strings, 6, '|' ) not like '%%HarddiskVolumeShadowCopy%%' " & _ 			"and extract_token(Strings, 6, '|' ) not like '%%ShadowCopyVolume%%' " & _ 			"and TO_LOWERCASE(extract_token(Strings, 6, '|' )) like '%%Top-Secret-Documents%%' " & _ 			"group by User " & _ 			"order by User" 		 		fuWritedown "* Запрос " & lsFunctionName & ": '" & strQuery & "'", 4  		if not gbDebugModeON then 			oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat  		end if 		 		liErrorCode = 0 	else 		lsFROM = fuCollectFileList(lArrServerList, true) 		 		if lsFROM <> "" then 			Set oLogQuery = CreateObject("MSUtil.LogQuery")  			Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat") 			oEVTInputFormat.direction = "BW"  			Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat") 			oTPLOutputFormat.tpl = "c:\script\Tamplates\auditStat.tpl"  			strQuery = "select extract_token(Strings, 1, '|' ) as User, " & _ 				"COUNT(*) as Qty, " & _ 				"MAX(TimeGenerated) as MaxTime  " & _ 				"into " & lsReport & " " & _ 				"from " & lsFROM & " " & _ 				"where EventId in (4656;4659;4660;4661;4663;4691) " & _ 				"and TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _ 				"and User <> 'NT AUTHORITY\SYSTEM' " & _ 				"and extract_token(Strings, 6, '|' ) not like '%%HarddiskVolumeShadowCopy%%' " & _ 				"and extract_token(Strings, 6, '|' ) not like '%%ShadowCopyVolume%%' " & _ 				"and TO_LOWERCASE(extract_token(Strings, 6, '|' )) like '%%Top-Secret-Documents%%' " & _ 				"group by User " & _ 				"order by User" 			 			fuWritedown "* Запрос " & lsFunctionName & ": '" & strQuery & "'", 4  			if not gbDebugModeON then 				oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat  			end if 		else 			fuWritedown "* Что-то со статистикой аудитом совсем плохо.", 4 		end if 	 		liErrorCode = 1 	end if 	 	fuAuditStat = liErrorCode end function  'Процедура поиска логинов к RDP function fuLogonRdp(lArrServerList, lsReport, lsFunctionName) 	liErrorCode = -1 	lsFROM = fuCollectFileList(lArrServerList, false)  	if lsFROM <> "" then 		Set oLogQuery = CreateObject("MSUtil.LogQuery")  		Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat") 		oEVTInputFormat.direction = "BW"  		Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat") 		oTPLOutputFormat.tpl = "c:\script\Tamplates\logonRdp.tpl"  		strQuery = "SELECT DISTINCT resolve_sid(SID) as UserName, eventid, TimeGenerated, extract_token(ComputerName, 0, '.') as NormComputerName, " & _ 			"extract_token(strings, 5, '|' ) as LogonName, " & _ 			"extract_token(strings, 13, '|' ) as LogonWKS, " & _ 			"extract_token(strings, 18, '|' ) as LogonIP, " & _ 			"case extract_token(strings, 8, '|' ) " & _ 			" WHEN '2' THEN 'interactive' " & _ 			" WHEN '3' THEN 'network' " & _ 			" WHEN '4' THEN 'batch' " & _ 			" WHEN '5' THEN 'service' " & _ 			" WHEN '7' THEN 'unlocked workstation' " & _ 			" WHEN '8' THEN 'network logon using a cleartext password' " & _ 			" WHEN '9' THEN 'impersonated logons' " & _ 			" WHEN '10' THEN 'remote access' " & _ 			" ELSE extract_token(strings, 8, '|' ) " & _ 			"end as LogonType, " & _ 			"extract_token(strings, 17, '|' ) as LogonProc, " & _ 			"extract_token(strings, 16, '|' ) as ProcessID " & _ 			"INTO " & lsReport & " " & _ 			"FROM " & lsFROM & " " & _ 			"WHERE EventID IN (4624;4625;4648;4675) " & _ 			"AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _ 			"AND LogonType = 'remote access' " & _ 			"order by Timegenerated DESC" 			 		fuWritedown "* Запрос " & lsFunctionName & ": '" & strQuery & "'", 4  		if not gbDebugModeON then 			oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat  		end if 		 		liErrorCode = 0 	else 		liErrorCode = 1 	end if 	 	fuLogonRdp = liErrorCode end function  function fuADObjects(lArrServerList, lsReport) 	liErrorCode = -1 	lsFROM = fuCollectFileList(lArrServerList, false) 	'lsFROM = "\\DC1\c$\WINDOWS\system32\winevt\Logs\Archive-Security-2010-12-09-09-55-23-631.evtx" 	'lsFROM = "\\DC1\security"  	if lsFROM <> "" then 		Set oLogQuery = CreateObject("MSUtil.LogQuery")  		Set oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat") 		oEVTInputFormat.direction = "BW"  		Set oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat") 		oTPLOutputFormat.tpl = "c:\script\Tamplates\adobjects.tpl" 			 		strQuery = "select extract_token(extract_token(Message, 3, ':' ), 0, ' Account ') as UserName, TimeGenerated, SourceName, Message as EventCategoryName, " & _ 			"extract_token(extract_token(Message, 0, ':' ),0,'.') as Description, EventID, ComputerName, " & _ 			"extract_token(extract_token(Message, 8, ':' ), 1, ' ') as Name " & _ 			"INTO " & lsReport & " " & _ 			"FROM " & lsFROM & " " & _ 			"WHERE EventID IN (4928;4929;4930;4931;4934;4935;4936;4937;4662;5136;5137;" & _ 			"5138;5139;5141;4932;4933) " & _ 			"AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _ 			"AND UserName not like '%%RTCService%%' "  		fuWritedown "* Запрос ADObjects: '" & strQuery & "'", 4 		 		if not gbDebugModeON then 			oLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat  		end if 		 		liErrorCode = 0 	else 		liErrorCode = 1 	end if 	 	fuADObjects = liErrorCode end function   ' Служебные функции function fuSendReportMail(lsFileMask, lsFrom, lsTo, lsSubject, lsDate) 	Set objEmail = CreateObject("CDO.Message") 	objEmail.From = lsFrom 	objEmail.To = lsTo 	objEmail.Subject = lsSubject 	objEmail.HTMLBody = "<span style='font-family:Tahoma,Arial,sans-serif;font-size:14pt;'>Отчёты за " & _ 		lsDate & "</span>"  	fuCheckfileSizeAndZIP lsDate 	 	Set oLogQuery = CreateObject("MSUtil.LogQuery") 	Set oFormat = CreateObject("MSUtil.LogQuery.FileSystemInputFormat") 	Set oRecordSet = oLogQuery.Execute("SELECT * FROM " & lsFileMask, oFormat)  	i = 0 	While Not oRecordSet.atEnd 	    Set oRecord = oRecordSet.getRecord() 	    strValue = oRecord.getValue("Path") 	    objEmail.AddAttachment strValue 	    i = i + 1 	    oRecordSet.moveNext 	Wend 	oRecordSet.Close  	objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2 	objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver")="MAIL-SRV"  	objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25 	objEmail.Configuration.Fields.Update 	objEmail.Send  	fuWritedown "* Отчеты отправлены от '" & lsFrom & "' на '" & lsTo & "'. Количество файлов-отчетов: " & i, 4 end function  function fuCheckErrorCode(liErrorCode, lArrServerList, lsReportfile, lsFunctionName, startTime) 	select case liErrorCode 		case -1:  fuWritedown "* " & lsFunctionName & " не выполнилась (функция не отработала корректно)", 4 		case 0:   fuWritedown "* " & lsFunctionName & " завершена", 4 				  fuCheckResultFile(lsReportfile) 		case 1:   fuWritedown "* Для серверов '" & Join(lArrServerList, ",") & "' не найдены архивные папки/файлы, по которым делать отчет (блок FROM пустой). Поиск выполняется по текущим журналам.", 4 				  fuCheckResultFile(lsReportfile) 		case else fuWritedown "* Непридвиденная ошибка в " & lsFunctionName & "!", 4 	end select 	 	fuStopTimer(startTime) 	fuWritedown "", 4 end function  function fuPing(NetworkDevice) 	lBoo = false 	set objPING = GetObject("winmgmts:{impersonationLevel=impersonate}")._ 		ExecQuery ("select * from Win32_PingStatus where address ='" & NetworkDevice & "'")  	For Each PING In objPing 		if PING.StatusCode = 0 then 			lBoo = true 		end if 	next 	 	fuPing = lBoo end function  function fuCollectFileList(lArrServerList, lbFindOnServer) 	' true для поиска в текущих журналах, false для поиска в архивных журналах: 	' lbFindOnServer = true 	' lbFindOnServer = false 	 	lsTmp = Join(lArrServerList, ",") 	fuWritedown "* Список компьютеров: " & lsTmp, 4 	lsList = "" 	lsListFiles = "" 	lsTmpPath = "" 	lbServerHaveArchive = false  	for lix = 0 to UBound(lArrServerList) 		lsServer = lArrServerList(lix) 		fuWritedown "* Компьютер '" & lsServer & "'", 4 		 		if lbFindOnServer then		 			if fuPing(lsServer) then 				fuWritedown "* Есть в сети", 4 				lsList = lsList & "\\" & lsServer & "\Security" 				 					if fuServerHaveArchive(lsServer, lsListFiles) then 						lbServerHaveArchive = true 						'lsList = lsList & "," & "\\" & lsServer & "\c$\WINDOWS\system32\config\archive-security-*.evtx" 						if len(lsListFiles) <> 0 then 							'lsList = lsList & "," & lsListFiles 						end if 					end if 				 				if lix < UBound(lArrServerList) then 					lsList = lsList & "," 				end if 			else 				fuWritedown "* Нет в сети", 4 			end if 		else 			lbServerHaveArchive = false 			 			if Len(lsListFiles) = 0 then 				lsListFiles = fuGetLogFolder(lsServer) 			else 				lsTmpPath = fuGetLogFolder(lsServer) 				if Len(lsTmpPath) <> 0 then 					lsListFiles = lsListFiles & "," & lsTmpPath 				end if 			end if 		end if 		 	next  	if Right(lsList, 2) = ", " then 		lsList = Left(lsList, Len(lsList)-2) 	end if 	 	'\\dc1\Security, \\dc1\c$\WINDOWS\system32\config\Archive-Security-*.evt,  	'\\dc2\Security, \\dc2\c$\WINDOWS\system32\config\Archive-Security-*.evt 	 	if lbServerHaveArchive then 		lsList = lsList & "," & lsListFiles 	end if 	 	if not lbFindOnServer then 		lsList = lsListFiles 	end if 	 	fuWritedown "* Блок FROM из функции: '" & lsList & "'", 4 	fuCollectFileList = lsList end function  function fuServerHaveArchive(lsServerName, lsListFiles_a) 	Const FILE_NAME = 0  	dim gbFoo 	dim gsFilename  	gbFoo = false  	Set objShell = CreateObject ("Shell.Application") 	Set objFolder = objShell.Namespace ("\\" & lsServerName & "\c$\Windows\System32\winevt\Logs")  	For Each strFileName in objFolder.Items 		gsFilename = trim(lCase(objFolder.GetDetailsOf (strFileName, FILE_NAME))) 		' fuWritedown "* gsFilename: " & gsFilename, 1 	    if ((InStr(gsFilename, "archive-security-")) and (Right(gsFilename, 4) = "evtx")) then 			fuWritedown "* Архив найден! \\" & lsServerName & "\c$\Windows\System32\winevt\Logs\"&gsFilename, 4 			if len(lsListFiles_a) = 0 then 				lsListFiles_a = "f:\Logi_ForADReports\" & gsFilename 			else  				lsListFiles_a = lsListFiles_a & "," & "f:\Logi_ForADReports\" & gsFilename 			end if 			fuWritedown "* lsListFiles_a: " & lsListFiles_a, 2 			'fuConvertEvt2Evtx "\\" & lsServerName & "\c$\WINDOWS\system32\config\" & gsFilename, gsFilename 			fuCopyEvtx "\\" & lsServerName & "\c$\Windows\System32\winevt\Logs\" & gsFilename, gsFilename 			gbFoo = true 		end if 	Next  	if gbFoo then 		fuWritedown "* На компьютере '" & lsServerName & "' архивы журналов есть", 4 	else 		fuWritedown "* На компьютере '" & lsServerName & "' архивов журналов нет", 4 	end if  	 	fuServerHaveArchive = gbFoo end function  function fuConvertEvt2Evtx(lsFilenamePath, lsFilename) 	lbTmp = true 	 	if (fuIsFileExists("f:\Logi_ForADReports\" & lsFilename) and (fuIsFileExists("f:\Logi_ForADReports\" & lsFilename & "x"))) then 		fuWritedown "* Конвертация файла " & lsFilename & " не нужна, уже есть сконвертированный", 4 	else 		fuWritedown "* Конвертируем файл " & lsFilename & "...", 4  		Set WshShell = CreateObject("WScript.Shell")  		gsRunCmd = "c:\script\convert_evt_to_evtx.bat " & lsFilenamePath & " " & lsFilename  		fuWritedown "* Выполняется команда: '" & gsRunCmd & "'", 2 		WshShell.Run gsRunCmd 		 		WScript.Sleep 300000 	end if 	 	fuConvertEvt2Evtx = lbTmp end function   function fuCopyEvtx(lsFilenamePath, lsFilename) 	lbTmp = true  	if not fuIsFileExists("f:\Logi_ForADReports\" & lsFilename) then 		Set WshShell = CreateObject("WScript.Shell") 		 		gsRunCmd = "c:\script\copy_evtx.bat " & lsFilenamePath & " " & lsFilename 		fuWritedown "* Выполняется команда: '" & gsRunCmd & "'", 4 		WshShell.Run gsRunCmd 			 		WScript.Sleep 25000 	else 		fuWritedown "* Архивный журнал " & lsFilename & " копировать не нужно, уже есть скопированный", 4 	end if 	 	fuCopyEvtx = lbTmp end function   function fuDeleteEvtxFiles(lsFromList) 	fuWritedown "* Удаление временных файлов: " & lsFromList, 4 	lbTmp = true 	 	Set WshShell = CreateObject("WScript.Shell") 	 	if InStr(lsFromList, ",") then 		lArrFrom = Split(lsFromList, ",") 		 		for lix = 0 to uBound(lArrFrom) 			if InStr(lCase(lArrFrom(lix)), "archive-security-") then 				gsRunCmd = "c:\script\del_evtx.bat " & lArrFrom(lix)  				fuWritedown "* Выполняется команда: '" & gsRunCmd & "'", 4 				WshShell.Run gsRunCmd 			end if 		next 	else 		gsRunCmd = "c:\script\del_evtx.bat " & lsFromList  		fuWritedown "* Выполняется команда: '" & gsRunCmd & "'", 4 		WshShell.Run gsRunCmd 	end if 	 	WScript.Sleep 60000 	 	fuDeleteEvtxFiles = lbTmp end function    function fuIsFileExists(lsFilename) 	lBoo = false 	 	Set FSO = CreateObject("Scripting.FileSystemObject") 	if FSO.FileExists(lsFilename) then 		' Файл существует 		lBoo = true 	else  		' Файла не существует 	end if 	Set FSO = nothing 	 	fuIsFileExists = lBoo end function  function fuWritedown(lsToWrite, liCase) 	Select Case liCase 		Case 0: ' ничего не делать. Сообщение уходит в никуда. 		Case 1: WScript.Echo lsToWrite ' сообщение только на экран 		Case 2: objTextFileWriteLog.WriteLine lsToWrite ' сообщение только в журнал 		Case 4: WScript.Echo lsToWrite ' сообщение и на экран, и в журнал 				objTextFileWriteLog.WriteLine lsToWrite 		Case else WScript.Echo lsToWrite 	End Select end function   function fuNormalizeSystemDate(lsDate) 	lsNormalizeDate = lsDate 	 	if InStr(lsDate, ".") then 		lArrDate = Split(lsDate, ".") 		lsNormalizeDate = lArrDate(2) & "." & lArrDate(1) & "." & lArrDate(0) 	elseif InStr(lsDate, "/") then 		lArrDate = Split(lsDate, "/") 		lsNormalizeDate = fuCheckDatePart(lArrDate(2)) & "." & fuCheckDatePart(lArrDate(0)) & "." & fuCheckDatePart(lArrDate(1)) 	end if 	 	fuNormalizeSystemDate = lsNormalizeDate end function   function fuNormalizeDate(lsDate) 	lsNormalizeDate = lsDate 	 	if InStr(lsDate, ".") then 		lArrDate = Split(lsDate, ".") 		lsNormalizeDate = lArrDate(2) & "." & lArrDate(1) & "." & lArrDate(0) 	end if 	 	fuNormalizeDate = lsNormalizeDate end function   function fuCheckDatePart(lsDate) 	lsNormalizeDate = lsDate 	 	if len(lsDate) <= 1 then 		lsNormalizeDate = "0" & lsDate 	end if 	 	fuCheckDatePart = lsNormalizeDate end function   function fuStartTimer(lsFunctionName) 	fuStartTimer = Now() 	if lsFunctionName <> "" then 		fuWritedown VBNewLine & lsFunctionName & " запущена", 4 	end if end function   function fuStopTimer(startTime) 	EndTime = Now() 	timeDiff = CDate(EndTime - startTime) 	fuWritedown "* Поиск выполнялся: " & timeDiff & " (" & startTime & "/" & EndTime & ").", 4 end function   function fuCheckResultFile(lsReportfile) 	if objFSO.FileExists(lsReportfile) then 		fuWritedown "* Результат сохранен в файл '" & lsReportfile & "'", 4 	else  		fuWritedown "* Файл результатов '" & lsReportfile & "' не был создан, так как поиск не дал результатов", 4 	end if end function   function fuTypeTextfile(lsTextfile) 	'fuWritedown "Распечатать файл помощи '" & lsTextfile & "'", 1 	Set objTextFileShowHelp = objFSO.OpenTextFile(lsTextfile, 1) 	Do Until objTextFileShowHelp.AtEndOfStream 		fuWritedown objTextFileShowHelp.Readline, 1 	Loop 	objTextFileShowHelp.Close end function   function fuNeedHelp(lsPar) 	lbFoo = false 	if  lsPar = "h" or lsPar = "help" or InStr(lsPar, "?") then 		lbFoo = true 	end if 	fuNeedHelp = lbFoo end function    function fuGetFilename(lsDate) 	lsTmp = "Archive-Security-2013-12-01-*.evtx" 	 	if InStr(lsDate, ".") then 		lArrDate = Split(lsDate, ".") 		lsTmp = "Archive-Security-" & fuCheckDatePart(lArrDate(2)) & "-" & fuCheckDatePart(lArrDate(1)) & "-" & fuCheckDatePart(lArrDate(0)) & "-*.evtx" 	elseif InStr(lsDate, "/") then 		lArrDate = Split(lsDate, "/") 		lsTmp = "Archive-Security-" & fuCheckDatePart(lArrDate(2)) & "-" & fuCheckDatePart(lArrDate(1)) & "-" & fuCheckDatePart(lArrDate(0)) & "-*.evtx" 	end if 	 	fuGetFilename = lsTmp end function   function fuGetLogFolder(lsServer) 	lsTmp = "" 	 	Select Case lsServer 		Case "DC1": lsTmp = "Q:\Logi_DC1\" 		Case "DC2": lsTmp = "Q:\Logi_DC2\" 		Case "FILE-SRV1": lsTmp = "Q:\Logi_FILE-SRV1\" 		Case "FILE-SRV2": lsTmp = "Q:\Logi_FILE-SRV2\" 		Case "EXCH1": lsTmp = "Q:\Logi_EXCH1\" 		Case "EXCH2": lsTmp = "Q:\Logi_EXCH2\" 		Case else  			fuWritedown "* В скрипте папка с архивами сервера " & lsServer & " не указана. Пытаюсь папку угадать 'Q:\Logi_" & lsServer & "\'", 4 			lsTmp = "Q:\Logi_" & lsServer & "\" 	End Select 	 	 	lsPath = Left(lsTmp, Len(lsTmp)-1) 	'lsPath = lsTmp 	lsFile = gsLogFilename  	lsBoo = fuNASHaveArchive(lsServer, lsPath, lsFile)  	if lsBoo then 		lsTmp = lsTmp & gsLogFilename 	else 		lsTmp = "" 	end if 	 	fuGetLogFolder = lsTmp end function    function fuNASHaveArchive(Server, Path, File) 	wscript.echo Server & ", " & Path & ", " & File  	Const FILE_NAME = 0  	dim gbFoo 	dim gsFilename  	gbFoo = false 	 	lsF = lCase(Left(File, Len(File)-6))  	Set objShell = CreateObject("Shell.Application") 	Set objFolder = objShell.Namespace(Path)  	For Each strFileName in objFolder.Items 		gsFilename = trim(lCase(objFolder.GetDetailsOf (strFileName, FILE_NAME))) 		' wscript.echo  "* gsFilename: " & gsFilename 	    if InStr(gsFilename, lsF) then 			gbFoo = true 		end if 	Next  	fuNASHaveArchive = gbFoo end function   function fuCheckfileSizeAndZIP(lsDate) 	lsReportFolder = "F:\Reports\" 	lArrReportfilesList = Array (_ 		lsReportFolder & "logged_Administrator_" & lsDate & ".html", _ 		lsReportFolder & "new_AD_" & lsDate & ".html", _ 		lsReportFolder & "logonFailuresStats_" & lsDate & ".html", _ 		lsReportFolder & "group_Manage_" & lsDate & ".html", _ 		lsReportFolder & "logonFailure_" & lsDate & ".html", _ 		lsReportFolder & "change_password_" & lsDate & ".html", _ 		lsReportFolder & "new_Comp_AD_" & lsDate & ".html", _ 		lsReportFolder & "audit_" & lsDate & ".html", _ 		lsReportFolder & "auditStat_" & lsDate & ".html", _ 		lsReportFolder & "logged_Rdp_" & lsDate & ".html", _ 		gsReportFolder & "AD_objects_" & gsNormalDate & ".html")  	for lix = 0 to UBound(lArrReportfilesList) 		lbTmp = false 		 		lsFilenamePath = lArrReportfilesList(lix) 		ArcName = Left(lsFilenamePath, Len(lsFilenamePath)-5) & ".zip" 		 		if fuIsFileExists(lsFilenamePath) then 			Set File = objFSO.GetFile(lsFilenamePath)  			 lsFilenameSize =  File.Size 			 if lsFilenameSize > 3000000 then 				fuWritedown "* Размер файла '" & lsFilenamePath & "' больше 3 МБ (размер " & lsFilenameSize & " байт), необходимо его заархивировать", 4 				fuWritedown "* Идет архивация...", 1 				'--[ Архивирование отчета ]------------------------------------------------------------------- 				Set Shell=CreateObject("WScript.Shell") 				Set Zip=Shell.Exec("C:\Program Files\7-Zip\7z.exe a " & ArcName & " " & lsFilenamePath)  				'Необходимо ожидание, пока архивирование не закончится 				While (Zip.Status = 0) 					WScript.Sleep 5000 				Wend  				Set Shell = Nothing  				fuWritedown "* Архивирование завершено! Имя архива '" & ArcName & "'", 4 				fuWritedown "* Удаляем файл отчета '" & lsFilenamePath & "'...", 4 				objFSO.DeleteFile lsFilenamePath, true 				fuWritedown "* Удаление завершено!", 1 				lbTmp = true 				'WScript.Sleep 2000 				'--------------------------------------------------------------------------------------------- 			 end if 		else  			' файла не существует, ничего не делаем. 		end if 	next 	 	fuCheckfileSizeAndZIP = lbTmp end function  

copy %1 f:\Logi_ForADReports\%2 wevtutil epl f:\Logi_ForADReports\%2 f:\Logi_ForADReports\%2x /lf:true 

copy %1 f:\Logi_ForADReports\%2 

del %1