{"id":205128,"date":"2013-12-09T17:06:03","date_gmt":"2013-12-09T13:06:03","guid":{"rendered":"http:\/\/savepearlharbor.com\/?p=205128"},"modified":"-0001-11-30T00:00:00","modified_gmt":"-0001-11-29T21:00:00","slug":"","status":"publish","type":"post","link":"https:\/\/savepearlharbor.com\/?p=205128","title":{"rendered":"\u041e\u0442\u0447\u0451\u0442 \u043f\u043e \u0441\u043e\u0431\u044b\u0442\u0438\u044f\u043c \u043d\u0430 Windows \u0441\u0435\u0440\u0432\u0435\u0440\u0430\u0445 \u0434\u043e\u043c\u0435\u043d\u0430<\/span>"},"content":{"rendered":"
\t\u0412\u0441\u0435\u043c \u043f\u0440\u0438\u0432\u0435\u0442!
\u0423\u0434\u043e\u0431\u043d\u043e \u043f\u043e\u043b\u0443\u0447\u0430\u0442\u044c \u0432 \u043f\u043e\u0447\u0442\u0443 \u0435\u0436\u0435\u0434\u043d\u0435\u0432\u043d\u044b\u0439 \u043e\u0442\u0447\u0451\u0442 \u043e \u0441\u043e\u0431\u044b\u0442\u0438\u044f\u0445 \u043d\u0430 \u0441\u0435\u0440\u0432\u0435\u0440\u0430\u0445 \u0434\u043e\u043c\u0435\u043d\u0430 \u0437\u0430 \u043f\u0440\u0435\u0434\u044b\u0434\u0443\u0449\u0438\u0439 \u0434\u0435\u043d\u044c. \u041c\u043e\u0436\u043d\u043e \u0438 \u0437\u0430 \u0442\u0435\u043a\u0443\u0449\u0438\u0439, \u043d\u0435 \u0441\u0443\u0442\u044c \u0432\u0430\u0436\u043d\u043e. \u041a\u043e\u0433\u0434\u0430 \u0442\u0430\u043a\u0438\u0435 \u043e\u0442\u0447\u0451\u0442\u044b \u0441\u043e\u0431\u0438\u0440\u0430\u044e\u0442\u0441\u044f \u0437\u0430 \u0434\u043b\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0439 \u043f\u0440\u043e\u043c\u0435\u0436\u0443\u0442\u043e\u043a \u0432\u0440\u0435\u043c\u0435\u043d\u0438 (\u0437\u0430 \u043d\u0435\u0441\u043a\u043e\u043b\u044c\u043a\u043e \u043b\u0435\u0442, \u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440), \u043c\u043e\u0436\u043d\u043e \u043d\u0430\u0439\u0442\u0438, \u043a\u0442\u043e \u0437\u0430\u0432\u0451\u043b \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0451\u043d\u043d\u043e\u0433\u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f, \u043a\u0442\u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f \u0434\u043e\u0431\u0430\u0432\u0438\u043b\/\u0443\u0434\u0430\u043b\u0438\u043b \u0438\u0437 \u0433\u0440\u0443\u043f\u043f\u044b, \u043a\u0442\u043e \u043f\u043e\u043c\u0435\u043d\u044f\u043b \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044e \u043f\u0430\u0440\u043e\u043b\u044c (\u0438\u043b\u0438 \u043a\u043e\u0433\u0434\u0430 \u043e\u043d \u0441\u0430\u043c \u0441\u0435\u0431\u0435 \u043f\u043e\u043c\u0435\u043d\u044f\u043b), \u043b\u043e\u0433\u0438\u043d\u044b \u043d\u0430 \u0441\u0435\u0440\u0432\u0435\u0440\u044b, \u043d\u0435\u0443\u0434\u0430\u0447\u043d\u044b\u0435 \u043b\u043e\u0433\u0438\u043d\u044b \u0438 \u0442\u0430\u043a \u0434\u0430\u043b\u0435\u0435. \u0412 \u043f\u0440\u0438\u043d\u0446\u0438\u043f\u0435, \u043a\u0430\u0436\u0434\u044b\u0439 \u0441\u0430\u043c \u0434\u043b\u044f \u0441\u0435\u0431\u044f \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u044f\u0435\u0442 \u043d\u0430\u0431\u043e\u0440 \u0441\u043e\u0431\u044b\u0442\u0438\u0439 \u0434\u043b\u044f \u043e\u0442\u0447\u0451\u0442\u043e\u0432. \u0413\u043b\u0430\u0432\u043d\u043e\u0435 \u043f\u0440\u0438\u043d\u0446\u0438\u043f.
\u041d\u0430\u043c, \u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440, \u0432 \u043f\u043e\u0447\u0442\u0443 \u043f\u0440\u0438\u0445\u043e\u0434\u0438\u0442 \u0432\u043e\u0442 \u0442\u0430\u043a\u043e\u0439 \u043e\u0442\u0447\u0451\u0442:

\u041a\u043e\u043c\u0443 \u043d\u0443\u0436\u043d\u043e, \u043f\u043e\u0434 \u043a\u0430\u0442\u043e\u043c \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u044f.
<\/a>
\u0421\u043a\u0440\u0438\u043f\u0442 \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0435\u0442\u0441\u044f \u043a\u0430\u0436\u0434\u043e\u0435 \u0443\u0442\u0440\u043e \u0432 4 \u0447\u0430\u0441\u0430. \u0414\u043b\u044f \u0435\u0433\u043e \u0440\u0430\u0431\u043e\u0442\u044b \u043d\u0430 \u0441\u0435\u0440\u0432\u0435\u0440\u0435 \u043d\u0430\u0434\u043e \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u044c LogParser<\/a> \u0438 7-ZIP<\/a> (\u0435\u0441\u043b\u0438 \u0444\u0430\u0439\u043b \u043e\u0442\u0447\u0451\u0442\u0430 \u0431\u043e\u043b\u044c\u0448\u0435 3 \u041c\u0411, \u0442\u043e \u043e\u043d \u043f\u0430\u043a\u0443\u0435\u0442\u0441\u044f zip\u2019\u043e\u043c).
\u041d\u0430 \u0432\u0441\u044f\u043a\u0438\u0439 \u0441\u043b\u0443\u0447\u0430\u0439 \u0441\u0441\u044b\u043b\u043a\u0430 \u043d\u0430 \u043f\u043e\u043b\u0435\u0437\u043d\u044b\u0439 \u0434\u043e\u043a\u0443\u043c\u0435\u043d\u0442 \u043f\u043e \u0441\u043e\u0431\u044b\u0442\u0438\u044f\u043c 7-\u043a\u0438 \u0438 2008 \u0441\u0435\u0440\u0432\u0435\u0440\u0430 Vista_2008_Security_Event_Descriptions.xlsx<\/a>.
\u0423 \u043c\u0435\u043d\u044f \u0441\u043a\u0440\u0438\u043f\u0442 \u043b\u0435\u0436\u0438\u0442 \u043d\u0430 \u0434\u0438\u0441\u043a\u0435 C \u0432 \u043f\u0430\u043f\u043a\u0435 script. \u0412 \u043f\u0430\u043f\u043a\u0435 script \u043f\u0430\u043f\u043a\u0430 Tamplates \u0434\u043b\u044f \u0448\u0430\u0431\u043b\u043e\u043d\u043e\u0432. \u041f\u043b\u044e\u0441 \u043f\u0430\u043f\u043a\u0438 \u043d\u0430 F Logi_ForADReports \u0434\u043b\u044f \u0432\u0440\u0435\u043c\u0435\u043d\u043d\u044b\u0445 evt-\u0444\u0430\u0439\u043b\u043e\u0432 \u0438 Reports \u0434\u043b\u044f html-\u0444\u0430\u0439\u043b\u043e\u0432 \u043e\u0442\u0447\u0451\u0442\u043e\u0432. \u0412 \u043f\u0430\u043f\u043a\u0435 Reports \u0442\u0430\u043a\u0436\u0435 \u0441\u043e\u0437\u0434\u0430\u0451\u0442\u0441\u044f \u0436\u0443\u0440\u043d\u0430\u043b \u0440\u0430\u0431\u043e\u0442\u044b \u0441\u043a\u0440\u0438\u043f\u0442\u0430. <\/p>\n
Bat-\u0444\u0430\u0439\u043b \u0437\u0430\u043f\u0443\u0441\u043a\u0430 \u0441\u043a\u0440\u0438\u043f\u0442\u0430<\/b><\/p>\n
\n
net use Q: \\\\nas-srv\\BACKUP cscript \/\/nologo "c:\\script\\LogParser_bat_4.vbs" %1 %2 %3 net use Q: \/delete <\/code><\/pre>\n<\/div>\n<\/div>\n
  <\/p>\n
\u0421\u043a\u0440\u0438\u043f\u0442 LogParser_bat_4.vbs<\/b><\/p>\n
\n
' \u0415\u0436\u0435\u0434\u043d\u0435\u0432\u043d\u044b\u0439 \u043e\u0442\u0447\u0435\u0442 \u043f\u043e \u0441\u043e\u0431\u044b\u0442\u0438\u044f\u043c \u043d\u0430 \u0441\u0435\u0440\u0432\u0435\u0440\u0430\u0445 ' \u0410\u0432\u0442\u043e\u0440 \u041b\u0443\u0436\u0438\u043d \u041a\u0438\u0440\u0438\u043b\u043b ' luzhin.kirill@yandex.ru  'On Error Resume Next  const gsReportFolder = "F:\\Reports\\" const gsFrom = "admin1@domain.com" const gsSubject = "send report" const gsHelpFile = "c:\\script\\LogParser_bat.txt" const gbDebugModeON = false  Dim oLogQuery Dim oMyInputFormat Dim oCSVOutputFormat  Dim strQuery Dim giErrorCode Dim gsFileNameLog Dim gsNormalDate Dim gsTo Dim gArrNumberOfFunctions gArrNumberOfFunctions = Array ("1", "1", "1", "1", "1", "1", "1", "1", "1", "1", "1")   gsTo = "admin1@domain.com" gsEMail = "n" ' \u042d\u0442\u043e \u0434\u043b\u044f \u043e\u0442\u0447\u0435\u0442\u0430 \u0437\u0430 \u0441\u0435\u0433\u043e\u0434\u043d\u044f (\u043d\u0430 \u0432\u0441\u044f\u043a\u0438\u0439 \u0441\u043b\u0443\u0447\u0430\u0439): ' gsNormalDate = fuNormalizeSystemDate(cStr(Date)) ' \u042d\u0442\u043e \u0434\u043b\u044f \u043e\u0442\u0447\u0435\u0442\u0430 \u0437\u0430 \u0432\u0447\u0435\u0440\u0430 (\u043d\u043e\u0440\u043c\u0430\u043b\u044c\u043d\u044b\u0439 \u0440\u0435\u0436\u0438\u043c): gsNormalDate = fuNormalizeSystemDate(cStr(DateAdd("d", -1, Date))) gsDate = gsNormalDate gsNumberOfFunctions = "all"   gsCheckDate = DateAdd("d", -1, Date) gsLogFilename = fuGetFilename(gsCheckDate)   Set objFSO = CreateObject("Scripting.FileSystemObject") gsFileNameLog = gsReportFolder & gsNormalDate & ".log" Set objTextFileWriteLog = objFSO.OpenTextFile(gsFileNameLog, 8, True)   ' \u043e\u0442\u0447\u0435\u0442 \u0437\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0438\u0435 33 \u0447\u0430\u0441\u0430: fuWritedown "* \u0414\u0430\u0442\u0430 \u043e\u0442\u0447\u0435\u0442\u0430: " & Now, 4 gsPastDate = DateAdd("h", -33, Now)  fuWritedown "* \u041e\u0442\u0447\u0435\u0442\u044b \u0441\u043e\u0437\u0434\u0430\u044e\u0442\u0441\u044f \u043d\u0430\u0447\u0438\u043d\u0430\u044f \u0441 " & gsPastDate, 4 ' \u043e\u0442\u0447\u0435\u0442 \u0437\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0438\u0435 2 \u0434\u043d\u044f: ' gsPastDate = DateAdd("d", -2, Date) \t if Wscript.Arguments.Count >= 1 then \tif lCase(Wscript.Arguments(0)) = "nothing" then \t\tgArrNumberOfFunctions = Array ("0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0") \t\tgsNumberOfFunctions = "nothing" \telseif InStr(Wscript.Arguments(0), ",") then \t\tgArrNumberOfFunctions = split(Wscript.Arguments(0), ",") \t\tgsNumberOfFunctions = "different" \telseif fuNeedHelp(lCase(Wscript.Arguments(0))) then \t\tfuTypeTextfile(gsHelpFile) \t\tWScript.Quit 0 \t'else gArrNumberOfFunctions = Array ("1", "1", "1", "1", "1", "1", "1", "1", "1", "1", "1") \tend if \t \tif Wscript.Arguments.Count >= 2 then \t\tif InStr(Wscript.Arguments(1), "@") then \t\t\tgsEMail = "y" \t\t\tgsTo = Wscript.Arguments(1) \t\telse \t\t\tgsEMail = lCase(Wscript.Arguments(1)) \t\tend if \t\t \t\tif Wscript.Arguments.Count = 3 then \t\t\tgsDate = Wscript.Arguments(2) \t\tend if \tend if end if   fuWritedown "* \u0418\u043c\u044f \u0444\u0430\u0439\u043b\u0430 \u0436\u0443\u0440\u043d\u0430\u043b\u0430: " & gsFileNameLog, 2  gStartTime = fuStartTimer("")  if gsNumberOfFunctions <> "nothing" then \tgArrProcNamesList = Array (_ \t\t"\u041f\u0440\u043e\u0446\u0435\u0434\u0443\u0440\u0430 \u043f\u043e\u0438\u0441\u043a\u0430 \u043b\u043e\u0433\u0438\u043d\u043e\u0432 \u0430\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440\u043e\u0432", _ \t\t"\u041f\u0440\u043e\u0446\u0435\u0434\u0443\u0440\u0430 AccauntManage", _ \t\t"\u041f\u0440\u043e\u0446\u0435\u0434\u0443\u0440\u0430 \u0441\u043e\u0437\u0434\u0430\u043d\u0438\u044f \u0441\u0442\u0430\u0442\u0438\u0441\u0442\u0438\u043a\u0438 \u043d\u0435\u0443\u0434\u0430\u0447\u043d\u044b\u0445 \u043b\u043e\u0433\u0438\u043d\u043e\u0432", _ \t\t"\u041f\u0440\u043e\u0446\u0435\u0434\u0443\u0440\u0430 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0433\u0440\u0443\u043f\u043f\u0430\u043c\u0438", _ \t\t"\u041f\u0440\u043e\u0446\u0435\u0434\u0443\u0440\u0430 \u043f\u043e\u0438\u0441\u043a\u0430 \u043d\u0435\u0443\u0434\u0430\u0447\u043d\u044b\u0445 \u043b\u043e\u0433\u0438\u043d\u043e\u0432", _ \t\t"\u041f\u0440\u043e\u0446\u0435\u0434\u0443\u0440\u0430 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043f\u0430\u0440\u043e\u043b\u044f\u043c\u0438", _ \t\t"\u041f\u0440\u043e\u0446\u0435\u0434\u0443\u0440\u0430 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430\u043c\u0438", _ \t\t"\u041f\u0440\u043e\u0446\u0435\u0434\u0443\u0440\u0430 \u0430\u0443\u0434\u0438\u0442\u0430", _ \t\t"\u041f\u0440\u043e\u0446\u0435\u0434\u0443\u0440\u0430 \u0441\u0442\u0430\u0442\u0438\u0441\u0442\u0438\u043a\u0438 \u0430\u0443\u0434\u0438\u0442\u0430", _ \t\t"\u041f\u0440\u043e\u0446\u0435\u0434\u0443\u0440\u0430 \u043f\u043e\u0438\u0441\u043a\u0430 \u043b\u043e\u0433\u0438\u043d\u043e\u0432 \u043a RDP",_ \t\t"\u041f\u0440\u043e\u0446\u0435\u0434\u0443\u0440\u0430 \u0441\u043b\u0435\u0436\u0435\u043d\u0438\u044f \u0437\u0430 \u0434\u0435\u0439\u0441\u0442\u0432\u0438\u044f\u043c\u0438 \u043d\u0430\u0434 \u043e\u0431\u044a\u0435\u043a\u0442\u0430\u043c\u0438 \u0432 AD") \t\t \tgArrReportfilesList = Array (_ \t\tgsReportFolder & "logged_Administrator_" & gsNormalDate & ".html", _ \t\tgsReportFolder & "new_AD_" & gsNormalDate & ".html", _ \t\tgsReportFolder & "logonFailuresStats_" & gsNormalDate & ".html", _ \t\tgsReportFolder & "group_Manage_" & gsNormalDate & ".html", _ \t\tgsReportFolder & "logonFailure_" & gsNormalDate & ".html", _ \t\tgsReportFolder & "change_password_" & gsNormalDate & ".html", _ \t\tgsReportFolder & "new_Comp_AD_" & gsNormalDate & ".html", _ \t\tgsReportFolder & "audit_" & gsNormalDate & ".html", _ \t\tgsReportFolder & "auditStat_" & gsNormalDate & ".html", _ \t\tgsReportFolder & "logged_Rdp_" & gsNormalDate & ".html", _ \t\tgsReportFolder & "AD_objects_" & gsNormalDate & ".html") \t\t   \tfor gix = 0 to UBound(gArrNumberOfFunctions) \t\tgsFunctionName = gArrProcNamesList(gix) \t\tgsReportfile = gArrReportfilesList(gix) \t\t \t\tif gArrNumberOfFunctions(gix) = "1" then\t \t\t\tstartTime = fuStartTimer(gsFunctionName) \t\t\tgArrServerList = Array ("DC1", "DC2") \t\t\tSelect Case gix \t\t\t\tCase 0: giErrorCode = fuLogonAdministrator(gArrServerList, gsReportfile) \t\t\t\tCase 1: giErrorCode = fuAccauntManage(gArrServerList, gsReportfile) \t\t\t\tCase 2: giErrorCode = fuLogonFailureStats(gArrServerList, gsReportfile) \t\t\t\tCase 3: gArrServerList = Array ("DC1","DC2","EXCH1","EXCH2") \t\t\t\t\t\tgiErrorCode = fuGroupManage(gArrServerList, gsReportfile) \t\t\t\tCase 4: giErrorCode = fuLogonFailures(gArrServerList, gsReportfile) \t\t\t\tCase 5: giErrorCode = fuPasswordManage(gArrServerList, gsReportfile) \t\t\t\tCase 6: giErrorCode = fuCompManage(gArrServerList, gsReportfile) \t\t\t\tCase 7: gArrServerList = Array ("FILE-SRV1","FILE-SRV2") \t\t\t\t\t\tgiErrorCode = fuAudit(gArrServerList, gsReportfile) \t\t\t\tCase 8: gArrServerList = Array ("FILE-SRV1","FILE-SRV2") \t\t\t\t\t\tgiErrorCode = fuAuditStat(gArrServerList, gsReportfile) \t\t\t\tCase 9: gArrServerList = Array ("DC1","DC2","EXCH1","EXCH2") \t\t\t\t\t\tgiErrorCode = fuLogonRdp(gArrServerList, gsReportfile, gsFunctionName) \t\t\t\tCase 10: giErrorCode = fuADObjects(gArrServerList, gsReportfile) \t\t\t\tCase else fuWritedown "* \u041d\u0435\u043a\u043e\u0440\u0440\u0435\u043a\u0442\u043d\u044b\u0439 \u0438\u043d\u0434\u0435\u043a\u0441: " & gix, 4 \t\t\tEnd Select \t\t\tfuCheckErrorCode giErrorCode, gArrServerList, gsReportfile, gsFunctionName, startTime \t\telse \t\t\tfuWritedown gsFunctionName & " \u043f\u0440\u043e\u043f\u0443\u0449\u0435\u043d\u0430", 4 \t\tend if \tnext else \tfuWritedown "* \u0412\u044b\u0431\u0440\u0430\u043d \u0432\u0430\u0440\u0438\u0430\u043d\u0442 \u0431\u0435\u0437 \u0441\u043e\u0437\u0434\u0430\u043d\u0438\u044f \u043e\u0442\u0447\u0435\u0442\u043e\u0432", 4 end if  fuStopTimer(gStartTime)  if gsEMail = "y" then \tfuSendReportMail gsReportFolder & "*_" & gsDate & ".*", gsFrom, gsTo, gsSubject, gsDate else \tfuWritedown "* \u0412\u044b\u0431\u0440\u0430\u043d \u0432\u0430\u0440\u0438\u0430\u043d\u0442 \u0431\u0435\u0437 \u043e\u0442\u0441\u044b\u043b\u0430\u043d\u0438\u044f \u043e\u0442\u0447\u0435\u0442\u043e\u0432", 4 end if  fuWritedown "* \u0416\u0443\u0440\u043d\u0430\u043b \u0441\u043e\u0445\u0440\u0430\u043d\u0435\u043d \u0432 \u0424\u0430\u0439\u043b '" & gsFileNameLog & "'", 1 fuDeleteEvtxFiles "F:\\Logi_ForADReports\\*.evtx" 'MsgBox "\u0416\u0443\u0440\u043d\u0430\u043b \u0441\u043e\u0445\u0440\u0430\u043d\u0435\u043d \u0432 \u0424\u0430\u0439\u043b '" & gsFileNameLog & "'", vbInformation, "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f" objTextFileWriteLog.Close  ' \u041f\u0440\u043e\u0446\u0435\u0434\u0443\u0440\u0430 \u043f\u043e\u0438\u0441\u043a\u0430 \u043b\u043e\u0433\u0438\u043d\u043e\u0432 \u0430\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440\u043e\u0432 function fuLogonAdministrator(lArrServerList, lsReport) \tliErrorCode = -1 \tlsFROM = fuCollectFileList(lArrServerList, false)  \tif lsFROM <> "" then \t\tSet oLogQuery = CreateObject("MSUtil.LogQuery")  \t\t' Create Input Format object \t\tSet oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat") \t\toEVTInputFormat.direction = "BW"  \t\t' Create Output Format object \t\t' Set oCSVOutputFormat = CreateObject("MSUtil.LogQuery.CSVOutputFormat") \t\tSet oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat") \t\t'oCSVOutputFormat.tabs = TRUE \t\toTPLOutputFormat.tpl = "c:\\script\\Tamplates\\logonAdministrator.tpl"  \t\t' \u0421\u043e\u0437\u0434\u0430\u043d\u0438\u0435 \u0442\u0435\u043a\u0441\u0442\u0430 \u0437\u0430\u043f\u0440\u043e\u0441\u0430 \t\tstrQuery = "SELECT TO_LOWERCASE(EXTRACT_TOKEN(Strings,5,'|')) as UserName, eventid, TimeGenerated, ComputerName as DC, " & _ \t\t\t"TO_LOWERCASE(EXTRACT_TOKEN(Strings,5,'|')) AS LogonName, " & _ \t\t\t"TO_LOWERCASE(EXTRACT_TOKEN(Strings,6,'|')) AS Domain, " & _ \t\t\t"TO_LOWERCASE(EXTRACT_TOKEN(Strings,13,'|')) AS LogonWKS, " & _ \t\t\t"extract_token(trim(extract_token(Message, 18, ':' )), 0, ' ') as LogonIP, " & _ \t\t\t"CASE TO_INT(EXTRACT_TOKEN(Strings,10,'|')) " & _ \t\t\t"\tWHEN 2 THEN  'Interactive - Intended for users who will be interactively using the machine, such as a user being logged on by a terminal server, remote shell, or similar process.'" & _ \t\t\t"\tWHEN 3 THEN  'Network - Intended for high performance servers to authenticate clear text passwords. LogonUser does not cache credentials for this logon type.'" & _ \t\t\t"\tWHEN 4 THEN  'Batch - Intended for batch servers, where processes may be executing on behalf of a user without their direct intervention; or for higher performance servers that process many clear-text authentication attempts at a time, such as mail or web servers. LogonUser does not cache credentials for this logon type.'" & _ \t\t\t"\tWHEN 5 THEN  'Service - Indicates a service-type logon. The account provided must have the service privilege enabled.'" & _ \t\t\t"\tWHEN 6 THEN  'Proxy - Indicates a proxy-type logon.'" & _ \t\t\t"\tWHEN 7 THEN  'Unlock - This logon type is intended for GINA DLLs logging on users who will be interactively using the machine. This logon type allows a unique audit record to be generated that shows when the workstation was unlocked.'" & _ \t\t\t"\tWHEN 8 THEN  'NetworkCleartext - Windows 2000; Windows XP and Windows Server 2003 family:  Preserves the name and password in the authentication packages, allowing the server to make connections to other network servers while impersonating the client. This allows a server to accept clear text credentials from a client, call LogonUser, verify that the user can access the system across the network, and still communicate with other servers.'" & _ \t\t\t"\tWHEN 9 THEN  'NewCredentials - Windows 2000; Windows XP and Windows Server 2003 family:  Allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.'" & _ \t\t\t"\tWHEN 10 THEN 'RemoteInteractive - Terminal Server session that is both remote and interactive.'" & _ \t\t\t"\tWHEN 11 THEN 'CachedInteractive - Attempt cached credentials without accessing the network.'" & _ \t\t\t"\tWHEN 12 THEN 'CachedRemoteInteractive - Same as RemoteInteractive. This is used for internal auditing.'" & _ \t\t\t"\tWHEN 13 THEN 'CachedUnlock - Workstation logon'" & _ \t\t\t"\tELSE EXTRACT_TOKEN(Strings,10,'|') " & _ \t\t\t"END AS LogonType, " & _ \t\t\t"extract_token(strings, 4, '|' ) as LogonProc, " & _ \t\t\t"extract_token(strings, 11, '|' ) as ProcessID " & _ \t\t\t"INTO " & lsReport & " " & _ \t\t\t"FROM " & lsFROM & " " & _ \t\t\t"WHERE EventID IN (4624;4636) " & _ \t\t\t"AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _ \t\t\t"AND ((TO_LOWERCASE(LogonName) = TO_LOWERCASE('administrator')) " & _ \t\t\t" OR  (TO_LOWERCASE(LogonName) = TO_LOWERCASE('\u0430\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440')) " & _ \t\t\t" OR  (TO_LOWERCASE(LogonName) = TO_LOWERCASE('admin'))) " \t\t \t\tfuWritedown "* \u0417\u0430\u043f\u0440\u043e\u0441 \u043f\u043e\u0438\u0441\u043a\u0430 \u043b\u043e\u0433\u0438\u043d\u043e\u0432 \u0430\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440\u043e\u0432: '" & strQuery & "'", 4  \t\t' Execute query \t\toLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat  \t\tliErrorCode = 0 \telse \t\tliErrorCode = 1 \tend if  \tfuLogonAdministrator = liErrorCode end function  '\u041f\u0440\u043e\u0446\u0435\u0434\u0443\u0440\u0430 AccauntManage function fuAccauntManage(lArrServerList, lsReport) \tliErrorCode = -1 \tlsFROM = fuCollectFileList(lArrServerList, false) \t'lsFROM = "\\\\DC1\\c$\\WINDOWS\\system32\\winevt\\Logs\\Archive-Security-2010-08-03-09-34-11-527.evtx" \t'lsFROM = "\\\\DC1\\security"  \tif lsFROM <> "" then \t\tSet oLogQuery = CreateObject("MSUtil.LogQuery")  \t\tSet oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat") \t\toEVTInputFormat.direction = "BW"  \t\tSet oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat") \t\toTPLOutputFormat.tpl = "c:\\script\\Tamplates\\accauntManage.tpl" \t\t\t \t\tstrQuery = "select extract_token(extract_token(Message, 3, ':' ), 0, ' Account ') as UserName, TimeGenerated, SourceName, Message as EventCategoryName, " & _ \t\t\t"extract_token(extract_token(Message, 0, ':' ),0,'.') as Description, EventID, ComputerName, " & _ \t\t\t"extract_token(extract_token(Message, 8, ':' ), 1, ' ') as Name " & _ \t\t\t"INTO " & lsReport & " " & _ \t\t\t"FROM " & lsFROM & " " & _ \t\t\t"WHERE EventID IN (4720;4722;4725;4726;4738;4740;4767;4780;4781;4782) " &_ \t\t\t"AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss')"  \t\tfuWritedown "* \u0417\u0430\u043f\u0440\u043e\u0441 AccauntManage: '" & strQuery & "'", 4 \t\t \t\tif not gbDebugModeON then \t\t\toLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat  \t\tend if \t\t \t\tliErrorCode = 0 \telse \t\tliErrorCode = 1 \tend if  \tfuAccauntManage = liErrorCode end function  '\u041f\u0440\u043e\u0446\u0435\u0434\u0443\u0440\u0430 \u0441\u043e\u0437\u0434\u0430\u043d\u0438\u044f \u0441\u0442\u0430\u0442\u0438\u0441\u0442\u0438\u043a\u0438 \u043d\u0435\u0443\u0434\u0430\u0447\u043d\u044b\u0445 \u043b\u043e\u0433\u0438\u043d\u043e\u0432 function fuLogonFailureStats(lArrServerList, lsReport) \tliErrorCode = -1 \tlsFROM = fuCollectFileList(lArrServerList, false)  \tif lsFROM <> "" then \t\tSet oLogQuery = CreateObject("MSUtil.LogQuery")  \t\tSet oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat") \t\toEVTInputFormat.direction = "BW"  \t\tSet oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat") \t\toTPLOutputFormat.tpl = "c:\\script\\Tamplates\\logonFailuresStats.tpl"  \t\tstrQuery = "SELECT TO_LOWERCASE(EXTRACT_TOKEN(Strings,5,'|')) AS User, " & _ \t\t"COUNT(*) AS Total " & _ \t\t"INTO " & lsReport & " " & _ \t\t"FROM " & lsFROM & " " & _ \t\t"WHERE EventID IN (4625) " & _ \t\t"AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _ \t\t"GROUP BY User " & _ \t\t"ORDER BY Total DESC" \t\t\t \t\tfuWritedown "* \u0417\u0430\u043f\u0440\u043e\u0441 \u0441\u0442\u0430\u0442\u0438\u0441\u0442\u0438\u043a\u0438 \u043d\u0435\u0443\u0434\u0430\u0447\u043d\u044b\u0445 \u043b\u043e\u0433\u0438\u043d\u043e\u0432: '" & strQuery & "'", 4  \t\tif not gbDebugModeON then \t\t\toLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat  \t\tend if \t\t \t\tliErrorCode = 0 \telse \t\tliErrorCode = 1 \tend if \t \tfuLogonFailureStats = liErrorCode end function  '\u041f\u0440\u043e\u0446\u0435\u0434\u0443\u0440\u0430 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0433\u0440\u0443\u043f\u043f\u0430\u043c\u0438 function fuGroupManage(lArrServerList, lsReport) \tliErrorCode = -1 \tlsFROM = fuCollectFileList(lArrServerList, false)  \tif lsFROM <> "" then \t\tSet oLogQuery = CreateObject("MSUtil.LogQuery")  \t\tSet oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat") \t\toEVTInputFormat.direction = "BW"  \t\tSet oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat") \t\toTPLOutputFormat.tpl = "c:\\script\\Tamplates\\groupManage.tpl"  \t\tstrQuery = "SELECT extract_token(extract_token(Message, 3, ':' ), 0, ' Account ') as UserName, TimeGenerated, SourceName, EventCategoryName, " & _  \t\t\t"extract_token(extract_token(Message, 0, ':' ), 0, '.') as EventIDName, " & _ \t\t\t"COALESCE(extract_token(extract_token(strings, 0, ',' ), 1, '='), extract_token(strings, 0, '|' ), strings) as Name, " & _ \t\t\t"COALESCE(extract_token(extract_token(strings, 0, ',' ), 1, '='), extract_token(strings, 1, '|' ), strings) as SIDName, " & _ \t\t\t"extract_token(strings, 2, '|' ) as Name_Group, " & _ \t\t\t"EventID, extract_token(ComputerName, 0, '.') " & _ \t\t\t"INTO " & lsReport & " " & _ \t\t\t"FROM " & lsFROM & " " & _ \t\t\t"WHERE EventID IN (4727;4728;4729;4730;4731;4732;4733;4734;4735;4737;4744;4745;4746;4747;4748;4749;4750;4751;4752;4753;4754;4755;4756;4757;4758;4759;4760;4761;4762;4764;4783;4784;4785;4786;4787;4788;4789;4790) " & _ \t\t\t"AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss')" \t\t\t \t\tfuWritedown "* \u0417\u0430\u043f\u0440\u043e\u0441 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0433\u0440\u0443\u043f\u043f\u0430\u043c\u0438: '" & strQuery & "'", 4  \t\tif not gbDebugModeON then \t\t\toLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat  \t\tend if \t\t \t\tliErrorCode = 0 \telse \t\tliErrorCode = 1 \tend if \t \tfuGroupManage = liErrorCode end function  '\u041f\u0440\u043e\u0446\u0435\u0434\u0443\u0440\u0430 \u043f\u043e\u0438\u0441\u043a\u0430 \u043d\u0435\u0443\u0434\u0430\u0447\u043d\u044b\u0445 \u043b\u043e\u0433\u0438\u043d\u043e\u0432 function fuLogonFailures(lArrServerList, lsReport) \tliErrorCode = -1 \tlsFROM = fuCollectFileList(lArrServerList, false)  \tif lsFROM <> "" then \t\tSet oLogQuery = CreateObject("MSUtil.LogQuery")  \t\tSet oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat") \t\toEVTInputFormat.direction = "BW"  \t\tSet oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat") \t\toTPLOutputFormat.tpl = "c:\\script\\Tamplates\\logonFailures.tpl"  \t\tstrQuery = "SELECT COUNT(EventID) AS TotalLogonFailures, " & _ \t\t\t"TO_LOWERCASE(EXTRACT_TOKEN(Strings,5,'|')) AS User, " & _ \t\t\t"TO_LOWERCASE(EXTRACT_TOKEN(Strings,6,'|')) AS Domain, " & _ \t\t\t"TO_LOWERCASE(EXTRACT_TOKEN(Strings,13,'|')) AS WorkStation, " & _ \t\t\t"CASE TO_INT(EXTRACT_TOKEN(Strings,10,'|')) " & _ \t\t\t"\tWHEN 2 THEN  'Interactive - Intended for users who will be interactively using the machine, such as a user being logged on by a terminal server, remote shell, or similar process.'" & _ \t\t\t"\tWHEN 3 THEN  'Network - Intended for high performance servers to authenticate clear text passwords. LogonUser does not cache credentials for this logon type.'" & _ \t\t\t"\tWHEN 4 THEN  'Batch - Intended for batch servers, where processes may be executing on behalf of a user without their direct intervention; or for higher performance servers that process many clear-text authentication attempts at a time, such as mail or web servers. LogonUser does not cache credentials for this logon type.'" & _ \t\t\t"\tWHEN 5 THEN  'Service - Indicates a service-type logon. The account provided must have the service privilege enabled.'" & _ \t\t\t"\tWHEN 6 THEN  'Proxy - Indicates a proxy-type logon.'" & _ \t\t\t"\tWHEN 7 THEN  'Unlock - This logon type is intended for GINA DLLs logging on users who will be interactively using the machine. This logon type allows a unique audit record to be generated that shows when the workstation was unlocked.'" & _ \t\t\t"\tWHEN 8 THEN  'NetworkCleartext - Windows 2000; Windows XP and Windows Server 2003 family:  Preserves the name and password in the authentication packages, allowing the server to make connections to other network servers while impersonating the client. This allows a server to accept clear text credentials from a client, call LogonUser, verify that the user can access the system across the network, and still communicate with other servers.'" & _ \t\t\t"\tWHEN 9 THEN  'NewCredentials - Windows 2000; Windows XP and Windows Server 2003 family:  Allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.'" & _ \t\t\t"\tWHEN 10 THEN 'RemoteInteractive - Terminal Server session that is both remote and interactive.'" & _ \t\t\t"\tWHEN 11 THEN 'CachedInteractive - Attempt cached credentials without accessing the network.'" & _ \t\t\t"\tWHEN 12 THEN 'CachedRemoteInteractive - Same as RemoteInteractive. This is used for internal auditing.'" & _ \t\t\t"\tWHEN 13 THEN 'CachedUnlock - Workstation logon'" & _ \t\t\t"\tELSE EXTRACT_TOKEN(Strings,10,'|') " & _ \t\t\t"END AS Type " & _ \t\t\t"INTO " & lsReport & " " & _ \t\t\t"FROM " & lsFROM & " " & _ \t\t\t"WHERE EventID IN (4625) " & _ \t\t\t"AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _ \t\t\t"GROUP BY User,Domain,WorkStation,Type " & _ \t\t\t"ORDER BY TotalLogonFailures DESC" \t\t\t \t\tfuWritedown "* \u0417\u0430\u043f\u0440\u043e\u0441 \u0441\u043e\u0437\u0434\u0430\u043d\u0438\u044f \u0441\u0442\u0430\u0442\u0438\u0441\u0442\u0438\u043a\u0438 \u043d\u0435\u0443\u0434\u0430\u0447\u043d\u044b\u0445 \u043b\u043e\u0433\u0438\u043d\u043e\u0432: '" & strQuery & "'", 4  \t\tif not gbDebugModeON then \t\t\toLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat  \t\tend if \t\t \t\tliErrorCode = 0 \telse \t\tliErrorCode = 1 \tend if \t \tfuLogonFailures = liErrorCode end function  '\u041f\u0440\u043e\u0446\u0435\u0434\u0443\u0440\u0430 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043f\u0430\u0440\u043e\u043b\u044f\u043c\u0438 function fuPasswordManage(lArrServerList, lsReport) \tliErrorCode = -1 \tlsFROM = fuCollectFileList(lArrServerList, false)  \tif lsFROM <> "" then \t\tSet oLogQuery = CreateObject("MSUtil.LogQuery")  \t\tSet oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat") \t\toEVTInputFormat.direction = "BW"  \t\tSet oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat") \t\toTPLOutputFormat.tpl = "c:\\script\\Tamplates\\PasswordManage.tpl" \t\t \t\tstrQuery = "SELECT extract_token(extract_token(Message, 3, ':' ), 0, ' Account ') as UserName, TimeGenerated, SourceName, EventCategoryName, " & _ \t\t\t"extract_token(extract_token(Message, 0, ':' ),0,'.') as Description, EventID, ComputerName, " & _ \t\t\t"extract_token(extract_token(Message, 8, ':' ), 0, ' Account ') as Name " & _ \t\t\t"INTO " & lsReport & " " & _ \t\t\t"FROM " & lsFROM & " " & _ \t\t\t"WHERE EventID IN (4723;4724;4782;4793) " & _ \t\t\t"AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss')" \t\t\t \t\tfuWritedown "* \u0417\u0430\u043f\u0440\u043e\u0441 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043f\u0430\u0440\u043e\u043b\u044f\u043c\u0438: '" & strQuery & "'", 4  \t\tif not gbDebugModeON then \t\t\toLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat  \t\tend if \t\t \t\tliErrorCode = 0 \telse \t\tliErrorCode = 1 \tend if \t \tfuPasswordManage = liErrorCode end function  '\u041f\u0440\u043e\u0446\u0435\u0434\u0443\u0440\u0430 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430\u043c\u0438 function fuCompManage(lArrServerList, lsReport) \tliErrorCode = -1 \tlsFROM = fuCollectFileList(lArrServerList, false)  \tif lsFROM <> "" then \t\tSet oLogQuery = CreateObject("MSUtil.LogQuery")  \t\tSet oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat") \t\toEVTInputFormat.direction = "BW"  \t\tSet oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat") \t\toTPLOutputFormat.tpl = "c:\\script\\Tamplates\\compManage.tpl" \t\t \t\tstrQuery = "SELECT extract_token(extract_token(Message, 3, ':' ), 0, ' Account ') as UserName, TimeGenerated, SourceName, EventCategoryName, " & _ \t\t\t"extract_token(extract_token(Message, 0, ':' ),0,'.') as Description, EventID, ComputerName, " & _ \t\t\t"extract_token(extract_token(Message, 8, ':' ), 0, ' Account ') as Name " & _ \t\t\t"INTO " & lsReport & " " & _ \t\t\t"FROM " & lsFROM & " " & _ \t\t\t"WHERE EventID in (4720;4742;4743) " & _ \t\t\t"and Name like '%%$%%' " & _ \t\t\t"AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss')" \t\t\t \t\tfuWritedown "* \u0417\u0430\u043f\u0440\u043e\u0441 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430\u043c\u0438: '" & strQuery & "'", 4  \t\tif not gbDebugModeON then \t\t\toLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat  \t\tend if \t\t \t\tliErrorCode = 0 \telse \t\tliErrorCode = 1 \tend if \t \tfuCompManage = liErrorCode end function  '\u041f\u0440\u043e\u0446\u0435\u0434\u0443\u0440\u0430 \u0430\u0443\u0434\u0438\u0442\u0430 function fuAudit(lArrServerList, lsReport) \tliErrorCode = -1 \tlsFROM = fuCollectFileList(lArrServerList, false)  \tif lsFROM <> "" then \t\tSet oLogQuery = CreateObject("MSUtil.LogQuery")  \t\tSet oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat") \t\toEVTInputFormat.direction = "BW"  \t\tSet oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat") \t\toTPLOutputFormat.tpl = "c:\\script\\Tamplates\\audit.tpl"  \t\tstrQuery = "select TimeGenerated, EventID, " & _ \t\t\t"extract_token(Strings, 0, '|' ) as UserSID,  " & _ \t\t\t"extract_token(Strings, 6, '|' ) as ObjectName, " & _ \t\t\t"extract_token(Strings, 1, '|' ) as User, " & _ \t\t\t"extract_token(Strings, 2, '|' ) as Domain, " & _ \t\t\t"extract_token(Strings, 5, '|' ) as ObjectType, " & _ \t\t\t"extract_token(Strings, 11, '|' ) as ProgramName, " & _ \t\t\t"extract_token(Message, 0, '.' ) as Event " & _ \t\t\t"into " & lsReport & " " & _ \t\t\t"from " & lsFROM & " " & _ \t\t\t"where EventId in (4656;4659;4660;4661;4663;4691) " & _ \t\t\t"and TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _ \t\t\t"and User <> 'NT AUTHORITY\\SYSTEM' " & _ \t\t\t"and extract_token(Strings, 6, '|' ) not like '%%HarddiskVolumeShadowCopy%%' " & _ \t\t\t"and extract_token(Strings, 6, '|' ) not like '%%ShadowCopyVolume%%' " & _ \t\t\t"and TO_LOWERCASE(extract_token(Strings, 6, '|' )) like '%%Top-Secret-Documents%%' " & _ \t\t\t"and User <> 'FILE-SRV1$' " & _ \t\t\t"and User <> 'FILE-SRV2$' " & _ \t\t\t"order by Timegenerated" \t\t\t \t\tfuWritedown "* \u0417\u0430\u043f\u0440\u043e\u0441 " & lsFunctionName & ": '" & strQuery & "'", 4  \t\tif not gbDebugModeON then \t\t\toLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat  \t\tend if \t\t \t\tliErrorCode = 0 \telse \t\tlsFROM = fuCollectFileList(lArrServerList, true) \t\t \t\tif lsFROM <> "" then \t\t\tSet oLogQuery = CreateObject("MSUtil.LogQuery")  \t\t\tSet oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat") \t\t\toEVTInputFormat.direction = "BW"  \t\t\tSet oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat") \t\t\toTPLOutputFormat.tpl = "c:\\script\\Tamplates\\audit.tpl"  \t\t\tstrQuery = "select TimeGenerated, EventID, " & _ \t\t\t\t"extract_token(Strings, 0, '|' ) as UserSID,  " & _ \t\t\t\t"extract_token(Strings, 6, '|' ) as ObjectName, " & _ \t\t\t\t"extract_token(Strings, 1, '|' ) as User, " & _ \t\t\t\t"extract_token(Strings, 2, '|' ) as Domain, " & _ \t\t\t\t"extract_token(Strings, 5, '|' ) as ObjectType, " & _ \t\t\t\t"extract_token(Strings, 11, '|' ) as ProgramName, " & _ \t\t\t\t"extract_token(Message, 0, '.' ) as Event " & _ \t\t\t\t"into " & lsReport & " " & _ \t\t\t\t"from " & lsFROM & " " & _ \t\t\t\t"where EventId in (4656;4659;4660;4661;4663;4691) " & _ \t\t\t\t"and TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _ \t\t\t\t"and User <> 'NT AUTHORITY\\SYSTEM' " & _ \t\t\t\t"and extract_token(Strings, 6, '|' ) not like '%%HarddiskVolumeShadowCopy%%' " & _ \t\t\t\t"and extract_token(Strings, 6, '|' ) not like '%%ShadowCopyVolume%%' " & _ \t\t\t\t"and TO_LOWERCASE(extract_token(Strings, 6, '|' )) like '%%Top-Secret-Documents%%' " & _ \t\t\t\t"and User <> 'FILE-SRV1$' " & _ \t\t\t\t"and User <> 'FILE-SRV2$' " & _ \t\t\t\t"order by Timegenerated" \t\t\t\t \t\t\tfuWritedown "* \u0417\u0430\u043f\u0440\u043e\u0441 " & lsFunctionName & ": '" & strQuery & "'", 4  \t\t\tif not gbDebugModeON then \t\t\t\toLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat  \t\t\tend if \t\telse \t\t\tfuWritedown "* \u0427\u0442\u043e-\u0442\u043e \u0441 \u0430\u0443\u0434\u0438\u0442\u043e\u043c \u0441\u043e\u0432\u0441\u0435\u043c \u043f\u043b\u043e\u0445\u043e.", 4 \t\tend if \t\t \t\tliErrorCode = 1 \tend if \t \tfuAudit = liErrorCode end function  '\u041f\u0440\u043e\u0446\u0435\u0434\u0443\u0440\u0430 \u0441\u0442\u0430\u0442\u0438\u0441\u0442\u0438\u043a\u0438 \u0430\u0443\u0434\u0438\u0442\u0430 function fuAuditStat(lArrServerList, lsReport) \tliErrorCode = -1 \tlsFROM = fuCollectFileList(lArrServerList, false)  \tif lsFROM <> "" then \t\tSet oLogQuery = CreateObject("MSUtil.LogQuery")  \t\tSet oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat") \t\toEVTInputFormat.direction = "BW"  \t\tSet oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat") \t\toTPLOutputFormat.tpl = "c:\\script\\Tamplates\\auditStat.tpl"  \t\tstrQuery = "select extract_token(Strings, 1, '|' ) as User, " & _ \t\t\t"COUNT(*) as Qty, " & _ \t\t\t"MAX(TimeGenerated) as MaxTime  " & _ \t\t\t"into " & lsReport & " " & _ \t\t\t"from " & lsFROM & " " & _ \t\t\t"where EventId in (4656;4659;4660;4661;4663;4691) " & _ \t\t\t"and TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _ \t\t\t"and User <> 'NT AUTHORITY\\SYSTEM' " & _ \t\t\t"and extract_token(Strings, 6, '|' ) not like '%%HarddiskVolumeShadowCopy%%' " & _ \t\t\t"and extract_token(Strings, 6, '|' ) not like '%%ShadowCopyVolume%%' " & _ \t\t\t"and TO_LOWERCASE(extract_token(Strings, 6, '|' )) like '%%Top-Secret-Documents%%' " & _ \t\t\t"group by User " & _ \t\t\t"order by User" \t\t \t\tfuWritedown "* \u0417\u0430\u043f\u0440\u043e\u0441 " & lsFunctionName & ": '" & strQuery & "'", 4  \t\tif not gbDebugModeON then \t\t\toLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat  \t\tend if \t\t \t\tliErrorCode = 0 \telse \t\tlsFROM = fuCollectFileList(lArrServerList, true) \t\t \t\tif lsFROM <> "" then \t\t\tSet oLogQuery = CreateObject("MSUtil.LogQuery")  \t\t\tSet oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat") \t\t\toEVTInputFormat.direction = "BW"  \t\t\tSet oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat") \t\t\toTPLOutputFormat.tpl = "c:\\script\\Tamplates\\auditStat.tpl"  \t\t\tstrQuery = "select extract_token(Strings, 1, '|' ) as User, " & _ \t\t\t\t"COUNT(*) as Qty, " & _ \t\t\t\t"MAX(TimeGenerated) as MaxTime  " & _ \t\t\t\t"into " & lsReport & " " & _ \t\t\t\t"from " & lsFROM & " " & _ \t\t\t\t"where EventId in (4656;4659;4660;4661;4663;4691) " & _ \t\t\t\t"and TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _ \t\t\t\t"and User <> 'NT AUTHORITY\\SYSTEM' " & _ \t\t\t\t"and extract_token(Strings, 6, '|' ) not like '%%HarddiskVolumeShadowCopy%%' " & _ \t\t\t\t"and extract_token(Strings, 6, '|' ) not like '%%ShadowCopyVolume%%' " & _ \t\t\t\t"and TO_LOWERCASE(extract_token(Strings, 6, '|' )) like '%%Top-Secret-Documents%%' " & _ \t\t\t\t"group by User " & _ \t\t\t\t"order by User" \t\t\t \t\t\tfuWritedown "* \u0417\u0430\u043f\u0440\u043e\u0441 " & lsFunctionName & ": '" & strQuery & "'", 4  \t\t\tif not gbDebugModeON then \t\t\t\toLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat  \t\t\tend if \t\telse \t\t\tfuWritedown "* \u0427\u0442\u043e-\u0442\u043e \u0441\u043e \u0441\u0442\u0430\u0442\u0438\u0441\u0442\u0438\u043a\u043e\u0439 \u0430\u0443\u0434\u0438\u0442\u043e\u043c \u0441\u043e\u0432\u0441\u0435\u043c \u043f\u043b\u043e\u0445\u043e.", 4 \t\tend if \t \t\tliErrorCode = 1 \tend if \t \tfuAuditStat = liErrorCode end function  '\u041f\u0440\u043e\u0446\u0435\u0434\u0443\u0440\u0430 \u043f\u043e\u0438\u0441\u043a\u0430 \u043b\u043e\u0433\u0438\u043d\u043e\u0432 \u043a RDP function fuLogonRdp(lArrServerList, lsReport, lsFunctionName) \tliErrorCode = -1 \tlsFROM = fuCollectFileList(lArrServerList, false)  \tif lsFROM <> "" then \t\tSet oLogQuery = CreateObject("MSUtil.LogQuery")  \t\tSet oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat") \t\toEVTInputFormat.direction = "BW"  \t\tSet oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat") \t\toTPLOutputFormat.tpl = "c:\\script\\Tamplates\\logonRdp.tpl"  \t\tstrQuery = "SELECT DISTINCT resolve_sid(SID) as UserName, eventid, TimeGenerated, extract_token(ComputerName, 0, '.') as NormComputerName, " & _ \t\t\t"extract_token(strings, 5, '|' ) as LogonName, " & _ \t\t\t"extract_token(strings, 13, '|' ) as LogonWKS, " & _ \t\t\t"extract_token(strings, 18, '|' ) as LogonIP, " & _ \t\t\t"case extract_token(strings, 8, '|' ) " & _ \t\t\t" WHEN '2' THEN 'interactive' " & _ \t\t\t" WHEN '3' THEN 'network' " & _ \t\t\t" WHEN '4' THEN 'batch' " & _ \t\t\t" WHEN '5' THEN 'service' " & _ \t\t\t" WHEN '7' THEN 'unlocked workstation' " & _ \t\t\t" WHEN '8' THEN 'network logon using a cleartext password' " & _ \t\t\t" WHEN '9' THEN 'impersonated logons' " & _ \t\t\t" WHEN '10' THEN 'remote access' " & _ \t\t\t" ELSE extract_token(strings, 8, '|' ) " & _ \t\t\t"end as LogonType, " & _ \t\t\t"extract_token(strings, 17, '|' ) as LogonProc, " & _ \t\t\t"extract_token(strings, 16, '|' ) as ProcessID " & _ \t\t\t"INTO " & lsReport & " " & _ \t\t\t"FROM " & lsFROM & " " & _ \t\t\t"WHERE EventID IN (4624;4625;4648;4675) " & _ \t\t\t"AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _ \t\t\t"AND LogonType = 'remote access' " & _ \t\t\t"order by Timegenerated DESC" \t\t\t \t\tfuWritedown "* \u0417\u0430\u043f\u0440\u043e\u0441 " & lsFunctionName & ": '" & strQuery & "'", 4  \t\tif not gbDebugModeON then \t\t\toLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat  \t\tend if \t\t \t\tliErrorCode = 0 \telse \t\tliErrorCode = 1 \tend if \t \tfuLogonRdp = liErrorCode end function  function fuADObjects(lArrServerList, lsReport) \tliErrorCode = -1 \tlsFROM = fuCollectFileList(lArrServerList, false) \t'lsFROM = "\\\\DC1\\c$\\WINDOWS\\system32\\winevt\\Logs\\Archive-Security-2010-12-09-09-55-23-631.evtx" \t'lsFROM = "\\\\DC1\\security"  \tif lsFROM <> "" then \t\tSet oLogQuery = CreateObject("MSUtil.LogQuery")  \t\tSet oEVTInputFormat = CreateObject("MSUtil.LogQuery.EventLogInputFormat") \t\toEVTInputFormat.direction = "BW"  \t\tSet oTPLOutputFormat = CreateObject("MSUtil.LogQuery.TemplateOutputFormat") \t\toTPLOutputFormat.tpl = "c:\\script\\Tamplates\\adobjects.tpl" \t\t\t \t\tstrQuery = "select extract_token(extract_token(Message, 3, ':' ), 0, ' Account ') as UserName, TimeGenerated, SourceName, Message as EventCategoryName, " & _ \t\t\t"extract_token(extract_token(Message, 0, ':' ),0,'.') as Description, EventID, ComputerName, " & _ \t\t\t"extract_token(extract_token(Message, 8, ':' ), 1, ' ') as Name " & _ \t\t\t"INTO " & lsReport & " " & _ \t\t\t"FROM " & lsFROM & " " & _ \t\t\t"WHERE EventID IN (4928;4929;4930;4931;4934;4935;4936;4937;4662;5136;5137;" & _ \t\t\t"5138;5139;5141;4932;4933) " & _ \t\t\t"AND TimeGenerated >= TO_TIMESTAMP('" & gsPastDate & "','dd.MM.yyyy hh:mm:ss') " & _ \t\t\t"AND UserName not like '%%RTCService%%' "  \t\tfuWritedown "* \u0417\u0430\u043f\u0440\u043e\u0441 ADObjects: '" & strQuery & "'", 4 \t\t \t\tif not gbDebugModeON then \t\t\toLogQuery.ExecuteBatch strQuery, oEVTInputFormat, oTPLOutputFormat  \t\tend if \t\t \t\tliErrorCode = 0 \telse \t\tliErrorCode = 1 \tend if \t \tfuADObjects = liErrorCode end function   ' \u0421\u043b\u0443\u0436\u0435\u0431\u043d\u044b\u0435 \u0444\u0443\u043d\u043a\u0446\u0438\u0438 function fuSendReportMail(lsFileMask, lsFrom, lsTo, lsSubject, lsDate) \tSet objEmail = CreateObject("CDO.Message") \tobjEmail.From = lsFrom \tobjEmail.To = lsTo \tobjEmail.Subject = lsSubject \tobjEmail.HTMLBody = "<span style='font-family:Tahoma,Arial,sans-serif;font-size:14pt;'>\u041e\u0442\u0447\u0451\u0442\u044b \u0437\u0430 " & _ \t\tlsDate & "<\/span>"  \tfuCheckfileSizeAndZIP lsDate \t \tSet oLogQuery = CreateObject("MSUtil.LogQuery") \tSet oFormat = CreateObject("MSUtil.LogQuery.FileSystemInputFormat") \tSet oRecordSet = oLogQuery.Execute("SELECT * FROM " & lsFileMask, oFormat)  \ti = 0 \tWhile Not oRecordSet.atEnd \t    Set oRecord = oRecordSet.getRecord() \t    strValue = oRecord.getValue("Path") \t    objEmail.AddAttachment strValue \t    i = i + 1 \t    oRecordSet.moveNext \tWend \toRecordSet.Close  \tobjEmail.Configuration.Fields.Item("http:\/\/schemas.microsoft.com\/cdo\/configuration\/sendusing") = 2 \tobjEmail.Configuration.Fields.Item("http:\/\/schemas.microsoft.com\/cdo\/configuration\/smtpserver")="MAIL-SRV"  \tobjEmail.Configuration.Fields.Item("http:\/\/schemas.microsoft.com\/cdo\/configuration\/smtpserverport") = 25 \tobjEmail.Configuration.Fields.Update \tobjEmail.Send  \tfuWritedown "* \u041e\u0442\u0447\u0435\u0442\u044b \u043e\u0442\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u044b \u043e\u0442 '" & lsFrom & "' \u043d\u0430 '" & lsTo & "'. \u041a\u043e\u043b\u0438\u0447\u0435\u0441\u0442\u0432\u043e \u0444\u0430\u0439\u043b\u043e\u0432-\u043e\u0442\u0447\u0435\u0442\u043e\u0432: " & i, 4 end function  function fuCheckErrorCode(liErrorCode, lArrServerList, lsReportfile, lsFunctionName, startTime) \tselect case liErrorCode \t\tcase -1:  fuWritedown "* " & lsFunctionName & " \u043d\u0435 \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u043b\u0430\u0441\u044c (\u0444\u0443\u043d\u043a\u0446\u0438\u044f \u043d\u0435 \u043e\u0442\u0440\u0430\u0431\u043e\u0442\u0430\u043b\u0430 \u043a\u043e\u0440\u0440\u0435\u043a\u0442\u043d\u043e)", 4 \t\tcase 0:   fuWritedown "* " & lsFunctionName & " \u0437\u0430\u0432\u0435\u0440\u0448\u0435\u043d\u0430", 4 \t\t\t\t  fuCheckResultFile(lsReportfile) \t\tcase 1:   fuWritedown "* \u0414\u043b\u044f \u0441\u0435\u0440\u0432\u0435\u0440\u043e\u0432 '" & Join(lArrServerList, ",") & "' \u043d\u0435 \u043d\u0430\u0439\u0434\u0435\u043d\u044b \u0430\u0440\u0445\u0438\u0432\u043d\u044b\u0435 \u043f\u0430\u043f\u043a\u0438\/\u0444\u0430\u0439\u043b\u044b, \u043f\u043e \u043a\u043e\u0442\u043e\u0440\u044b\u043c \u0434\u0435\u043b\u0430\u0442\u044c \u043e\u0442\u0447\u0435\u0442 (\u0431\u043b\u043e\u043a FROM \u043f\u0443\u0441\u0442\u043e\u0439). \u041f\u043e\u0438\u0441\u043a \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0435\u0442\u0441\u044f \u043f\u043e \u0442\u0435\u043a\u0443\u0449\u0438\u043c \u0436\u0443\u0440\u043d\u0430\u043b\u0430\u043c.", 4 \t\t\t\t  fuCheckResultFile(lsReportfile) \t\tcase else fuWritedown "* \u041d\u0435\u043f\u0440\u0438\u0434\u0432\u0438\u0434\u0435\u043d\u043d\u0430\u044f \u043e\u0448\u0438\u0431\u043a\u0430 \u0432 " & lsFunctionName & "!", 4 \tend select \t \tfuStopTimer(startTime) \tfuWritedown "", 4 end function  function fuPing(NetworkDevice) \tlBoo = false \tset objPING = GetObject("winmgmts:{impersonationLevel=impersonate}")._ \t\tExecQuery ("select * from Win32_PingStatus where address ='" & NetworkDevice & "'")  \tFor Each PING In objPing \t\tif PING.StatusCode = 0 then \t\t\tlBoo = true \t\tend if \tnext \t \tfuPing = lBoo end function  function fuCollectFileList(lArrServerList, lbFindOnServer) \t' true \u0434\u043b\u044f \u043f\u043e\u0438\u0441\u043a\u0430 \u0432 \u0442\u0435\u043a\u0443\u0449\u0438\u0445 \u0436\u0443\u0440\u043d\u0430\u043b\u0430\u0445, false \u0434\u043b\u044f \u043f\u043e\u0438\u0441\u043a\u0430 \u0432 \u0430\u0440\u0445\u0438\u0432\u043d\u044b\u0445 \u0436\u0443\u0440\u043d\u0430\u043b\u0430\u0445: \t' lbFindOnServer = true \t' lbFindOnServer = false \t \tlsTmp = Join(lArrServerList, ",") \tfuWritedown "* \u0421\u043f\u0438\u0441\u043e\u043a \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u043e\u0432: " & lsTmp, 4 \tlsList = "" \tlsListFiles = "" \tlsTmpPath = "" \tlbServerHaveArchive = false  \tfor lix = 0 to UBound(lArrServerList) \t\tlsServer = lArrServerList(lix) \t\tfuWritedown "* \u041a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440 '" & lsServer & "'", 4 \t\t \t\tif lbFindOnServer then\t\t \t\t\tif fuPing(lsServer) then \t\t\t\tfuWritedown "* \u0415\u0441\u0442\u044c \u0432 \u0441\u0435\u0442\u0438", 4 \t\t\t\tlsList = lsList & "\\\\" & lsServer & "\\Security" \t\t\t\t \t\t\t\t\tif fuServerHaveArchive(lsServer, lsListFiles) then \t\t\t\t\t\tlbServerHaveArchive = true \t\t\t\t\t\t'lsList = lsList & "," & "\\\\" & lsServer & "\\c$\\WINDOWS\\system32\\config\\archive-security-*.evtx" \t\t\t\t\t\tif len(lsListFiles) <> 0 then \t\t\t\t\t\t\t'lsList = lsList & "," & lsListFiles \t\t\t\t\t\tend if \t\t\t\t\tend if \t\t\t\t \t\t\t\tif lix < UBound(lArrServerList) then \t\t\t\t\tlsList = lsList & "," \t\t\t\tend if \t\t\telse \t\t\t\tfuWritedown "* \u041d\u0435\u0442 \u0432 \u0441\u0435\u0442\u0438", 4 \t\t\tend if \t\telse \t\t\tlbServerHaveArchive = false \t\t\t \t\t\tif Len(lsListFiles) = 0 then \t\t\t\tlsListFiles = fuGetLogFolder(lsServer) \t\t\telse \t\t\t\tlsTmpPath = fuGetLogFolder(lsServer) \t\t\t\tif Len(lsTmpPath) <> 0 then \t\t\t\t\tlsListFiles = lsListFiles & "," & lsTmpPath \t\t\t\tend if \t\t\tend if \t\tend if \t\t \tnext  \tif Right(lsList, 2) = ", " then \t\tlsList = Left(lsList, Len(lsList)-2) \tend if \t \t'\\\\dc1\\Security, \\\\dc1\\c$\\WINDOWS\\system32\\config\\Archive-Security-*.evt,  \t'\\\\dc2\\Security, \\\\dc2\\c$\\WINDOWS\\system32\\config\\Archive-Security-*.evt \t \tif lbServerHaveArchive then \t\tlsList = lsList & "," & lsListFiles \tend if \t \tif not lbFindOnServer then \t\tlsList = lsListFiles \tend if \t \tfuWritedown "* \u0411\u043b\u043e\u043a FROM \u0438\u0437 \u0444\u0443\u043d\u043a\u0446\u0438\u0438: '" & lsList & "'", 4 \tfuCollectFileList = lsList end function  function fuServerHaveArchive(lsServerName, lsListFiles_a) \tConst FILE_NAME = 0  \tdim gbFoo \tdim gsFilename  \tgbFoo = false  \tSet objShell = CreateObject ("Shell.Application") \tSet objFolder = objShell.Namespace ("\\\\" & lsServerName & "\\c$\\Windows\\System32\\winevt\\Logs")  \tFor Each strFileName in objFolder.Items \t\tgsFilename = trim(lCase(objFolder.GetDetailsOf (strFileName, FILE_NAME))) \t\t' fuWritedown "* gsFilename: " & gsFilename, 1 \t    if ((InStr(gsFilename, "archive-security-")) and (Right(gsFilename, 4) = "evtx")) then \t\t\tfuWritedown "* \u0410\u0440\u0445\u0438\u0432 \u043d\u0430\u0439\u0434\u0435\u043d! \\\\" & lsServerName & "\\c$\\Windows\\System32\\winevt\\Logs\\"&gsFilename, 4 \t\t\tif len(lsListFiles_a) = 0 then \t\t\t\tlsListFiles_a = "f:\\Logi_ForADReports\\" & gsFilename \t\t\telse  \t\t\t\tlsListFiles_a = lsListFiles_a & "," & "f:\\Logi_ForADReports\\" & gsFilename \t\t\tend if \t\t\tfuWritedown "* lsListFiles_a: " & lsListFiles_a, 2 \t\t\t'fuConvertEvt2Evtx "\\\\" & lsServerName & "\\c$\\WINDOWS\\system32\\config\\" & gsFilename, gsFilename \t\t\tfuCopyEvtx "\\\\" & lsServerName & "\\c$\\Windows\\System32\\winevt\\Logs\\" & gsFilename, gsFilename \t\t\tgbFoo = true \t\tend if \tNext  \tif gbFoo then \t\tfuWritedown "* \u041d\u0430 \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0435 '" & lsServerName & "' \u0430\u0440\u0445\u0438\u0432\u044b \u0436\u0443\u0440\u043d\u0430\u043b\u043e\u0432 \u0435\u0441\u0442\u044c", 4 \telse \t\tfuWritedown "* \u041d\u0430 \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0435 '" & lsServerName & "' \u0430\u0440\u0445\u0438\u0432\u043e\u0432 \u0436\u0443\u0440\u043d\u0430\u043b\u043e\u0432 \u043d\u0435\u0442", 4 \tend if  \t \tfuServerHaveArchive = gbFoo end function  function fuConvertEvt2Evtx(lsFilenamePath, lsFilename) \tlbTmp = true \t \tif (fuIsFileExists("f:\\Logi_ForADReports\\" & lsFilename) and (fuIsFileExists("f:\\Logi_ForADReports\\" & lsFilename & "x"))) then \t\tfuWritedown "* \u041a\u043e\u043d\u0432\u0435\u0440\u0442\u0430\u0446\u0438\u044f \u0444\u0430\u0439\u043b\u0430 " & lsFilename & " \u043d\u0435 \u043d\u0443\u0436\u043d\u0430, \u0443\u0436\u0435 \u0435\u0441\u0442\u044c \u0441\u043a\u043e\u043d\u0432\u0435\u0440\u0442\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439", 4 \telse \t\tfuWritedown "* \u041a\u043e\u043d\u0432\u0435\u0440\u0442\u0438\u0440\u0443\u0435\u043c \u0444\u0430\u0439\u043b " & lsFilename & "...", 4  \t\tSet WshShell = CreateObject("WScript.Shell")  \t\tgsRunCmd = "c:\\script\\convert_evt_to_evtx.bat " & lsFilenamePath & " " & lsFilename  \t\tfuWritedown "* \u0412\u044b\u043f\u043e\u043b\u043d\u044f\u0435\u0442\u0441\u044f \u043a\u043e\u043c\u0430\u043d\u0434\u0430: '" & gsRunCmd & "'", 2 \t\tWshShell.Run gsRunCmd \t\t \t\tWScript.Sleep 300000 \tend if \t \tfuConvertEvt2Evtx = lbTmp end function   function fuCopyEvtx(lsFilenamePath, lsFilename) \tlbTmp = true  \tif not fuIsFileExists("f:\\Logi_ForADReports\\" & lsFilename) then \t\tSet WshShell = CreateObject("WScript.Shell") \t\t \t\tgsRunCmd = "c:\\script\\copy_evtx.bat " & lsFilenamePath & " " & lsFilename \t\tfuWritedown "* \u0412\u044b\u043f\u043e\u043b\u043d\u044f\u0435\u0442\u0441\u044f \u043a\u043e\u043c\u0430\u043d\u0434\u0430: '" & gsRunCmd & "'", 4 \t\tWshShell.Run gsRunCmd \t\t\t \t\tWScript.Sleep 25000 \telse \t\tfuWritedown "* \u0410\u0440\u0445\u0438\u0432\u043d\u044b\u0439 \u0436\u0443\u0440\u043d\u0430\u043b " & lsFilename & " \u043a\u043e\u043f\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u043d\u0435 \u043d\u0443\u0436\u043d\u043e, \u0443\u0436\u0435 \u0435\u0441\u0442\u044c \u0441\u043a\u043e\u043f\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439", 4 \tend if \t \tfuCopyEvtx = lbTmp end function   function fuDeleteEvtxFiles(lsFromList) \tfuWritedown "* \u0423\u0434\u0430\u043b\u0435\u043d\u0438\u0435 \u0432\u0440\u0435\u043c\u0435\u043d\u043d\u044b\u0445 \u0444\u0430\u0439\u043b\u043e\u0432: " & lsFromList, 4 \tlbTmp = true \t \tSet WshShell = CreateObject("WScript.Shell") \t \tif InStr(lsFromList, ",") then \t\tlArrFrom = Split(lsFromList, ",") \t\t \t\tfor lix = 0 to uBound(lArrFrom) \t\t\tif InStr(lCase(lArrFrom(lix)), "archive-security-") then \t\t\t\tgsRunCmd = "c:\\script\\del_evtx.bat " & lArrFrom(lix)  \t\t\t\tfuWritedown "* \u0412\u044b\u043f\u043e\u043b\u043d\u044f\u0435\u0442\u0441\u044f \u043a\u043e\u043c\u0430\u043d\u0434\u0430: '" & gsRunCmd & "'", 4 \t\t\t\tWshShell.Run gsRunCmd \t\t\tend if \t\tnext \telse \t\tgsRunCmd = "c:\\script\\del_evtx.bat " & lsFromList  \t\tfuWritedown "* \u0412\u044b\u043f\u043e\u043b\u043d\u044f\u0435\u0442\u0441\u044f \u043a\u043e\u043c\u0430\u043d\u0434\u0430: '" & gsRunCmd & "'", 4 \t\tWshShell.Run gsRunCmd \tend if \t \tWScript.Sleep 60000 \t \tfuDeleteEvtxFiles = lbTmp end function    function fuIsFileExists(lsFilename) \tlBoo = false \t \tSet FSO = CreateObject("Scripting.FileSystemObject") \tif FSO.FileExists(lsFilename) then \t\t' \u0424\u0430\u0439\u043b \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \t\tlBoo = true \telse  \t\t' \u0424\u0430\u0439\u043b\u0430 \u043d\u0435 \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \tend if \tSet FSO = nothing \t \tfuIsFileExists = lBoo end function  function fuWritedown(lsToWrite, liCase) \tSelect Case liCase \t\tCase 0: ' \u043d\u0438\u0447\u0435\u0433\u043e \u043d\u0435 \u0434\u0435\u043b\u0430\u0442\u044c. \u0421\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u0435 \u0443\u0445\u043e\u0434\u0438\u0442 \u0432 \u043d\u0438\u043a\u0443\u0434\u0430. \t\tCase 1: WScript.Echo lsToWrite ' \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u0435 \u0442\u043e\u043b\u044c\u043a\u043e \u043d\u0430 \u044d\u043a\u0440\u0430\u043d \t\tCase 2: objTextFileWriteLog.WriteLine lsToWrite ' \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u0435 \u0442\u043e\u043b\u044c\u043a\u043e \u0432 \u0436\u0443\u0440\u043d\u0430\u043b \t\tCase 4: WScript.Echo lsToWrite ' \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u0435 \u0438 \u043d\u0430 \u044d\u043a\u0440\u0430\u043d, \u0438 \u0432 \u0436\u0443\u0440\u043d\u0430\u043b \t\t\t\tobjTextFileWriteLog.WriteLine lsToWrite \t\tCase else WScript.Echo lsToWrite \tEnd Select end function   function fuNormalizeSystemDate(lsDate) \tlsNormalizeDate = lsDate \t \tif InStr(lsDate, ".") then \t\tlArrDate = Split(lsDate, ".") \t\tlsNormalizeDate = lArrDate(2) & "." & lArrDate(1) & "." & lArrDate(0) \telseif InStr(lsDate, "\/") then \t\tlArrDate = Split(lsDate, "\/") \t\tlsNormalizeDate = fuCheckDatePart(lArrDate(2)) & "." & fuCheckDatePart(lArrDate(0)) & "." & fuCheckDatePart(lArrDate(1)) \tend if \t \tfuNormalizeSystemDate = lsNormalizeDate end function   function fuNormalizeDate(lsDate) \tlsNormalizeDate = lsDate \t \tif InStr(lsDate, ".") then \t\tlArrDate = Split(lsDate, ".") \t\tlsNormalizeDate = lArrDate(2) & "." & lArrDate(1) & "." & lArrDate(0) \tend if \t \tfuNormalizeDate = lsNormalizeDate end function   function fuCheckDatePart(lsDate) \tlsNormalizeDate = lsDate \t \tif len(lsDate) <= 1 then \t\tlsNormalizeDate = "0" & lsDate \tend if \t \tfuCheckDatePart = lsNormalizeDate end function   function fuStartTimer(lsFunctionName) \tfuStartTimer = Now() \tif lsFunctionName <> "" then \t\tfuWritedown VBNewLine & lsFunctionName & " \u0437\u0430\u043f\u0443\u0449\u0435\u043d\u0430", 4 \tend if end function   function fuStopTimer(startTime) \tEndTime = Now() \ttimeDiff = CDate(EndTime - startTime) \tfuWritedown "* \u041f\u043e\u0438\u0441\u043a \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u043b\u0441\u044f: " & timeDiff & " (" & startTime & "\/" & EndTime & ").", 4 end function   function fuCheckResultFile(lsReportfile) \tif objFSO.FileExists(lsReportfile) then \t\tfuWritedown "* \u0420\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442 \u0441\u043e\u0445\u0440\u0430\u043d\u0435\u043d \u0432 \u0444\u0430\u0439\u043b '" & lsReportfile & "'", 4 \telse  \t\tfuWritedown "* \u0424\u0430\u0439\u043b \u0440\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442\u043e\u0432 '" & lsReportfile & "' \u043d\u0435 \u0431\u044b\u043b \u0441\u043e\u0437\u0434\u0430\u043d, \u0442\u0430\u043a \u043a\u0430\u043a \u043f\u043e\u0438\u0441\u043a \u043d\u0435 \u0434\u0430\u043b \u0440\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442\u043e\u0432", 4 \tend if end function   function fuTypeTextfile(lsTextfile) \t'fuWritedown "\u0420\u0430\u0441\u043f\u0435\u0447\u0430\u0442\u0430\u0442\u044c \u0444\u0430\u0439\u043b \u043f\u043e\u043c\u043e\u0449\u0438 '" & lsTextfile & "'", 1 \tSet objTextFileShowHelp = objFSO.OpenTextFile(lsTextfile, 1) \tDo Until objTextFileShowHelp.AtEndOfStream \t\tfuWritedown objTextFileShowHelp.Readline, 1 \tLoop \tobjTextFileShowHelp.Close end function   function fuNeedHelp(lsPar) \tlbFoo = false \tif  lsPar = "h" or lsPar = "help" or InStr(lsPar, "?") then \t\tlbFoo = true \tend if \tfuNeedHelp = lbFoo end function    function fuGetFilename(lsDate) \tlsTmp = "Archive-Security-2013-12-01-*.evtx" \t \tif InStr(lsDate, ".") then \t\tlArrDate = Split(lsDate, ".") \t\tlsTmp = "Archive-Security-" & fuCheckDatePart(lArrDate(2)) & "-" & fuCheckDatePart(lArrDate(1)) & "-" & fuCheckDatePart(lArrDate(0)) & "-*.evtx" \telseif InStr(lsDate, "\/") then \t\tlArrDate = Split(lsDate, "\/") \t\tlsTmp = "Archive-Security-" & fuCheckDatePart(lArrDate(2)) & "-" & fuCheckDatePart(lArrDate(1)) & "-" & fuCheckDatePart(lArrDate(0)) & "-*.evtx" \tend if \t \tfuGetFilename = lsTmp end function   function fuGetLogFolder(lsServer) \tlsTmp = "" \t \tSelect Case lsServer \t\tCase "DC1": lsTmp = "Q:\\Logi_DC1\\" \t\tCase "DC2": lsTmp = "Q:\\Logi_DC2\\" \t\tCase "FILE-SRV1": lsTmp = "Q:\\Logi_FILE-SRV1\\" \t\tCase "FILE-SRV2": lsTmp = "Q:\\Logi_FILE-SRV2\\" \t\tCase "EXCH1": lsTmp = "Q:\\Logi_EXCH1\\" \t\tCase "EXCH2": lsTmp = "Q:\\Logi_EXCH2\\" \t\tCase else  \t\t\tfuWritedown "* \u0412 \u0441\u043a\u0440\u0438\u043f\u0442\u0435 \u043f\u0430\u043f\u043a\u0430 \u0441 \u0430\u0440\u0445\u0438\u0432\u0430\u043c\u0438 \u0441\u0435\u0440\u0432\u0435\u0440\u0430 " & lsServer & " \u043d\u0435 \u0443\u043a\u0430\u0437\u0430\u043d\u0430. \u041f\u044b\u0442\u0430\u044e\u0441\u044c \u043f\u0430\u043f\u043a\u0443 \u0443\u0433\u0430\u0434\u0430\u0442\u044c 'Q:\\Logi_" & lsServer & "\\'", 4 \t\t\tlsTmp = "Q:\\Logi_" & lsServer & "\\" \tEnd Select \t \t \tlsPath = Left(lsTmp, Len(lsTmp)-1) \t'lsPath = lsTmp \tlsFile = gsLogFilename  \tlsBoo = fuNASHaveArchive(lsServer, lsPath, lsFile)  \tif lsBoo then \t\tlsTmp = lsTmp & gsLogFilename \telse \t\tlsTmp = "" \tend if \t \tfuGetLogFolder = lsTmp end function    function fuNASHaveArchive(Server, Path, File) \twscript.echo Server & ", " & Path & ", " & File  \tConst FILE_NAME = 0  \tdim gbFoo \tdim gsFilename  \tgbFoo = false \t \tlsF = lCase(Left(File, Len(File)-6))  \tSet objShell = CreateObject("Shell.Application") \tSet objFolder = objShell.Namespace(Path)  \tFor Each strFileName in objFolder.Items \t\tgsFilename = trim(lCase(objFolder.GetDetailsOf (strFileName, FILE_NAME))) \t\t' wscript.echo  "* gsFilename: " & gsFilename \t    if InStr(gsFilename, lsF) then \t\t\tgbFoo = true \t\tend if \tNext  \tfuNASHaveArchive = gbFoo end function   function fuCheckfileSizeAndZIP(lsDate) \tlsReportFolder = "F:\\Reports\\" \tlArrReportfilesList = Array (_ \t\tlsReportFolder & "logged_Administrator_" & lsDate & ".html", _ \t\tlsReportFolder & "new_AD_" & lsDate & ".html", _ \t\tlsReportFolder & "logonFailuresStats_" & lsDate & ".html", _ \t\tlsReportFolder & "group_Manage_" & lsDate & ".html", _ \t\tlsReportFolder & "logonFailure_" & lsDate & ".html", _ \t\tlsReportFolder & "change_password_" & lsDate & ".html", _ \t\tlsReportFolder & "new_Comp_AD_" & lsDate & ".html", _ \t\tlsReportFolder & "audit_" & lsDate & ".html", _ \t\tlsReportFolder & "auditStat_" & lsDate & ".html", _ \t\tlsReportFolder & "logged_Rdp_" & lsDate & ".html", _ \t\tgsReportFolder & "AD_objects_" & gsNormalDate & ".html")  \tfor lix = 0 to UBound(lArrReportfilesList) \t\tlbTmp = false \t\t \t\tlsFilenamePath = lArrReportfilesList(lix) \t\tArcName = Left(lsFilenamePath, Len(lsFilenamePath)-5) & ".zip" \t\t \t\tif fuIsFileExists(lsFilenamePath) then \t\t\tSet File = objFSO.GetFile(lsFilenamePath)  \t\t\t lsFilenameSize =  File.Size \t\t\t if lsFilenameSize > 3000000 then \t\t\t\tfuWritedown "* \u0420\u0430\u0437\u043c\u0435\u0440 \u0444\u0430\u0439\u043b\u0430 '" & lsFilenamePath & "' \u0431\u043e\u043b\u044c\u0448\u0435 3 \u041c\u0411 (\u0440\u0430\u0437\u043c\u0435\u0440 " & lsFilenameSize & " \u0431\u0430\u0439\u0442), \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u043e \u0435\u0433\u043e \u0437\u0430\u0430\u0440\u0445\u0438\u0432\u0438\u0440\u043e\u0432\u0430\u0442\u044c", 4 \t\t\t\tfuWritedown "* \u0418\u0434\u0435\u0442 \u0430\u0440\u0445\u0438\u0432\u0430\u0446\u0438\u044f...", 1 \t\t\t\t'--[ \u0410\u0440\u0445\u0438\u0432\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u043e\u0442\u0447\u0435\u0442\u0430 ]------------------------------------------------------------------- \t\t\t\tSet Shell=CreateObject("WScript.Shell") \t\t\t\tSet Zip=Shell.Exec("C:\\Program Files\\7-Zip\\7z.exe a " & ArcName & " " & lsFilenamePath)  \t\t\t\t'\u041d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u043e \u043e\u0436\u0438\u0434\u0430\u043d\u0438\u0435, \u043f\u043e\u043a\u0430 \u0430\u0440\u0445\u0438\u0432\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u043d\u0435 \u0437\u0430\u043a\u043e\u043d\u0447\u0438\u0442\u0441\u044f \t\t\t\tWhile (Zip.Status = 0) \t\t\t\t\tWScript.Sleep 5000 \t\t\t\tWend  \t\t\t\tSet Shell = Nothing  \t\t\t\tfuWritedown "* \u0410\u0440\u0445\u0438\u0432\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0437\u0430\u0432\u0435\u0440\u0448\u0435\u043d\u043e! \u0418\u043c\u044f \u0430\u0440\u0445\u0438\u0432\u0430 '" & ArcName & "'", 4 \t\t\t\tfuWritedown "* \u0423\u0434\u0430\u043b\u044f\u0435\u043c \u0444\u0430\u0439\u043b \u043e\u0442\u0447\u0435\u0442\u0430 '" & lsFilenamePath & "'...", 4 \t\t\t\tobjFSO.DeleteFile lsFilenamePath, true \t\t\t\tfuWritedown "* \u0423\u0434\u0430\u043b\u0435\u043d\u0438\u0435 \u0437\u0430\u0432\u0435\u0440\u0448\u0435\u043d\u043e!", 1 \t\t\t\tlbTmp = true \t\t\t\t'WScript.Sleep 2000 \t\t\t\t'--------------------------------------------------------------------------------------------- \t\t\t end if \t\telse  \t\t\t' \u0444\u0430\u0439\u043b\u0430 \u043d\u0435 \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442, \u043d\u0438\u0447\u0435\u0433\u043e \u043d\u0435 \u0434\u0435\u043b\u0430\u0435\u043c. \t\tend if \tnext \t \tfuCheckfileSizeAndZIP = lbTmp end function  <\/code><\/pre>\n<\/div>\n<\/div>\n
  \u0412\u0441\u043f\u043e\u043c\u0430\u0433\u0430\u0442\u0435\u043b\u044c\u043d\u044b\u0435 \u0431\u0430\u0442\u043d\u0438\u043a\u0438.  <\/p>\n
convert_evt_to_evtx.bat<\/b><\/p>\n
\n
copy %1 f:\\Logi_ForADReports\\%2 wevtutil epl f:\\Logi_ForADReports\\%2 f:\\Logi_ForADReports\\%2x \/lf:true <\/code><\/pre>\n<\/div>\n<\/div>\n
  <\/p>\n
copy_evtx.bat<\/b><\/p>\n
\n
copy %1 f:\\Logi_ForADReports\\%2 <\/code><\/pre>\n<\/div>\n<\/div>\n
  <\/p>\n
del_evtx.bat<\/b><\/p>\n
\n
del %1 <\/code><\/pre>\n<\/div>\n<\/div>\n
  \u0421\u043a\u0440\u0438\u043f\u0442 \u043c\u043e\u0436\u0435\u0442 \u0437\u0430\u043f\u0443\u0441\u043a\u0430\u0442\u044c\u0441\u044f \u0431\u0435\u0437 \u043a\u0430\u043a\u0438\u0445-\u043b\u0438\u0431\u043e \u043a\u043b\u044e\u0447\u0435\u0439. \u0412 \u044d\u0442\u043e\u043c \u0441\u043b\u0443\u0447\u0430\u0435 \u0441\u043e\u0437\u0434\u0430\u044e\u0442\u0441\u044f \u0432\u0441\u0435 \u043e\u0434\u0438\u043d\u043d\u0430\u0434\u0446\u0430\u0442\u044c \u043e\u0442\u0447\u0435\u0442\u043e\u0432.
  \u0421\u043a\u0440\u0438\u043f\u0442 \u043c\u043e\u0436\u0435\u0442 \u0438\u043c\u0435\u0442\u044c \u0442\u0440\u0438 \u043a\u043b\u044e\u0447\u0430.  <\/p>\n
Logparser_4.bat [\u0441\u043f\u0438\u0441\u043e\u043a_\u043e\u0442\u0447\u0435\u0442\u043e\u0432] [\u0430\u0434\u0440\u0435\u0441_\u044d\u043b\u0435\u043a\u0442\u0440\u043e\u043d\u043d\u043e\u0439_\u043f\u043e\u0447\u0442\u044b] [\u0434\u0430\u0442\u0430] <\/code><\/pre>\n
   [\u0441\u043f\u0438\u0441\u043e\u043a_\u043e\u0442\u0447\u0435\u0442\u043e\u0432] \u2014 \u043d\u0435\u043e\u0431\u044f\u0437\u0430\u0442\u0435\u043b\u044c\u043d\u044b\u0439 \u043a\u043b\u044e\u0447. \u041f\u0435\u0440\u0435\u0447\u0435\u043d\u044c \u043e\u0442\u0447\u0435\u0442\u043e\u0432, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u043d\u0430\u0434\u043e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c. \u0423\u043a\u0430\u0437\u044b\u0432\u0430\u0435\u0442\u0441\u044f \u0432 \u0444\u043e\u0440\u043c\u0430\u0442\u0435: \u00ab1,1,0,0,1,0,1,0,1,0,0\u00bb, \u0442\u043e \u0435\u0441\u0442\u044c \u0435\u0434\u0438\u043d\u0438\u0446\u0430 \u0443\u043a\u0430\u0437\u044b\u0432\u0430\u0435\u0442, \u0447\u0442\u043e \u043e\u0442\u0447\u0435\u0442 \u043d\u0430\u0434\u043e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c.
   \u041c\u043e\u0436\u043d\u043e \u0441\u0434\u0435\u043b\u0430\u0442\u044c \u0432\u0441\u0435 \u043e\u0442\u0447\u0435\u0442\u044b, \u0443\u043a\u0430\u0437\u0430\u0432 \u043a\u043b\u044e\u0447 all.
   \u0412\u044b\u043a\u043b\u044e\u0447\u0430\u0435\u0442 \u0441\u043e\u0437\u0434\u0430\u043d\u0438\u0435 \u0432\u0441\u0435\u0445 \u043e\u0442\u0447\u0435\u0442\u043e\u0432 \u043a\u043b\u044e\u0447 nothing.<\/p>\n
  [\u0430\u0434\u0440\u0435\u0441_\u044d\u043b\u0435\u043a\u0442\u0440\u043e\u043d\u043d\u043e\u0439_\u043f\u043e\u0447\u0442\u044b] \u2014 \u043d\u0435\u043e\u0431\u044f\u0437\u0430\u0442\u0435\u043b\u044c\u043d\u044b\u0439 \u043a\u043b\u044e\u0447. \u041c\u043e\u0436\u0435\u0442 \u043f\u0440\u0438\u043d\u0438\u043c\u0430\u0442\u044c \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u044f:
   y \u2014 \u043e\u0442\u043f\u0440\u0430\u0432\u0438\u0442\u044c \u043e\u0442\u0447\u0435\u0442\u044b \u043d\u0430 \u0430\u0434\u0440\u0435\u0441 \u043f\u043e \u0443\u043c\u043e\u043b\u0447\u0430\u043d\u0438\u044e (admin1@domain.com)
   n \u2014 \u043d\u0435 \u043e\u0442\u043f\u0440\u0430\u0432\u043b\u044f\u0442\u044c \u043e\u0442\u0447\u0435\u0442\u044b \u043d\u0430 \u044d\u043b\u0435\u043a\u0442\u0440\u043e\u043d\u043d\u044b\u0439 \u044f\u0449\u0438\u043a, \u0430 \u0442\u043e\u043b\u044c\u043a\u043e \u0441\u043b\u043e\u0436\u0438\u0442\u044c \u0432 \u043f\u0430\u043f\u043a\u0443 \u043e\u0442\u0447\u0435\u0442\u043e\u0432 f:\\Reports.
   \u0430\u0434\u0440\u0435\u0441_\u044d\u043b\u0435\u043a\u0442\u0440\u043e\u043d\u043d\u043e\u0439_\u043f\u043e\u0447\u0442\u044b \u2014 \u0423\u043a\u0430\u0437\u044b\u0432\u0430\u0435\u0442 \u0430\u0434\u0440\u0435\u0441 \u044d\u043b\u0435\u043a\u0442\u0440\u043e\u043d\u043d\u043e\u0439 \u043f\u043e\u0447\u0442\u044b, \u043d\u0430 \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u0431\u0443\u0434\u0443\u0442 \u043e\u0442\u043e\u0441\u043b\u0430\u043d\u044b \u043e\u0442\u0447\u0435\u0442\u044b. <\/p>\n
  [\u0434\u0430\u0442\u0430] \u2014 \u043d\u0435\u043e\u0431\u044f\u0437\u0430\u0442\u0435\u043b\u044c\u043d\u044b\u0439 \u043a\u043b\u044e\u0447. \u0423\u043a\u0430\u0437\u044b\u0432\u0430\u0435\u0442 \u0434\u0430\u0442\u0443 \u0434\u043b\u044f \u0440\u0430\u0431\u043e\u0442\u044b \u0441 \u043e\u0442\u0447\u0435\u0442\u0430\u043c\u0438. \u042d\u0442\u043e\u0442 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440 \u0443\u043a\u0430\u0437\u044b\u0432\u0430\u0435\u0442\u0441\u044f \u0442\u043e\u043b\u044c\u043a\u043e \u0442\u043e\u0433\u0434\u0430, \u043a\u043e\u0433\u0434\u0430 \u043d\u0430\u0434\u043e \u043e\u0442\u043f\u0440\u0430\u0432\u0438\u0442\u044c \u0443\u0436\u0435 \u0441\u0434\u0435\u043b\u0430\u043d\u043d\u044b\u0435 \u043e\u0442\u0447\u0435\u0442\u044b \u0437\u0430 \u0434\u0430\u0442\u0443 \u0432 \u043f\u0440\u043e\u0448\u043b\u043e\u043c (\u041e\u0442\u0447\u0435\u0442\u044b \u0432\u0441\u0435\u0433\u0434\u0430<\/i> \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u044e\u0442\u0441\u044f \u0437\u0430 \u043f\u0440\u0435\u0434\u044b\u0434\u0443\u0449\u0438\u0439 \u0434\u0435\u043d\u044c \u043e\u0442 \u0434\u0430\u0442\u044b \u0437\u0430\u043f\u0443\u0441\u043a\u0430 \u0441\u043a\u0440\u0438\u043f\u0442\u0430). \u0424\u043e\u0440\u043c\u0430\u0442 \u0434\u0430\u0442\u044b: YYYY.MM.DD<\/p>\n
  \u041e\u0442\u0447\u0435\u0442\u044b:
  1. \u041e\u0442\u0447\u0435\u0442 \u043f\u043e\u0438\u0441\u043a\u0430 \u043b\u043e\u0433\u0438\u043d\u043e\u0432 \u0430\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440\u043e\u0432
  2. \u041e\u0442\u0447\u0435\u0442 AccauntManage
  3. \u041e\u0442\u0447\u0435\u0442 \u0441\u043e\u0437\u0434\u0430\u043d\u0438\u044f \u0441\u0442\u0430\u0442\u0438\u0441\u0442\u0438\u043a\u0438 \u043d\u0435\u0443\u0434\u0430\u0447\u043d\u044b\u0445 \u043b\u043e\u0433\u0438\u043d\u043e\u0432
  4. \u041e\u0442\u0447\u0435\u0442 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0433\u0440\u0443\u043f\u043f\u0430\u043c\u0438
  5. \u041e\u0442\u0447\u0435\u0442 \u043f\u043e\u0438\u0441\u043a\u0430 \u043d\u0435\u0443\u0434\u0430\u0447\u043d\u044b\u0445 \u043b\u043e\u0433\u0438\u043d\u043e\u0432
  6. \u041e\u0442\u0447\u0435\u0442 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043f\u0430\u0440\u043e\u043b\u044f\u043c\u0438
  7. \u041e\u0442\u0447\u0435\u0442 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430\u043c\u0438
  8. \u041e\u0442\u0447\u0435\u0442 \u0430\u0443\u0434\u0438\u0442\u0430 \u043f\u043e \u043f\u0430\u043f\u043a\u0435 Top-Secret-Documents
  9. \u041e\u0442\u0447\u0435\u0442 \u0441\u0442\u0430\u0442\u0438\u0441\u0442\u0438\u043a\u0438 \u0430\u0443\u0434\u0438\u0442\u0430 \u043f\u043e \u043f\u0430\u043f\u043a\u0435 Top-Secret-Documents
  10. \u041e\u0442\u0447\u0435\u0442 \u043f\u043e\u0438\u0441\u043a\u0430 \u043b\u043e\u0433\u0438\u043d\u043e\u0432 \u043a RDP
  11. \u041e\u0442\u0447\u0435\u0442 \u0441\u043b\u0435\u0436\u0435\u043d\u0438\u044f \u0437\u0430 \u0434\u0435\u0439\u0441\u0442\u0432\u0438\u044f\u043c\u0438 \u043d\u0430\u0434 \u043e\u0431\u044a\u0435\u043a\u0442\u0430\u043c\u0438 \u0432 AD<\/p>\n
  \u041f\u0440\u0438\u043c\u0435\u0440\u044b.<\/i><\/p>\n
Logparser_4.bat nothing "admin2@domain.com" 2013.01.01 <\/code><\/pre>\n
\u0412\u0441\u0435 \u0443\u0436\u0435 \u0441\u0434\u0435\u043b\u0430\u043d\u043d\u044b\u0435 \u043e\u0442\u0447\u0435\u0442\u044b \u0437\u0430 1 \u044f\u043d\u0432\u0430\u0440\u044f 2013 \u0433. \u043e\u0442\u0441\u044b\u043b\u0430\u0435\u0442 \u043d\u0430 \u00abadmin2@domain.com\u00bb (\u0437\u0430\u043d\u043e\u0432\u043e \u043e\u0442\u0447\u0435\u0442\u044b \u043d\u0435 \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u044e\u0442\u0441\u044f).<\/p>\n
Logparser_4.bat nothing y 2013.02.18 <\/code><\/pre>\n
\u0412\u0441\u0435 \u0443\u0436\u0435 \u0441\u0434\u0435\u043b\u0430\u043d\u043d\u044b\u0435 \u043e\u0442\u0447\u0435\u0442\u044b \u0437\u0430 18 \u0444\u0435\u0432\u0440\u0430\u043b\u044f 2013 \u0433. \u043e\u0442\u0441\u044b\u043b\u0430\u0435\u0442 \u043d\u0430 \u0430\u0434\u0440\u0435\u0441 \u043f\u043e \u0443\u043c\u043e\u043b\u0447\u0430\u043d\u0438\u044e (\u0437\u0430\u043d\u043e\u0432\u043e \u043e\u0442\u0447\u0435\u0442\u044b \u043d\u0435 \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u044e\u0442\u0441\u044f).<\/p>\n
Logparser_4.bat all "admin3@domain.com" <\/code><\/pre>\n
\u0421\u043e\u0437\u0434\u0430\u0435\u0442 \u0432\u0441\u0435 \u043e\u0442\u0447\u0435\u0442\u044b \u0438 \u043e\u0442\u0441\u044b\u043b\u0430\u0435\u0442 \u043d\u0430 \u00abadmin3@domain.com\u00bb.<\/p>\n
Logparser_4.bat "1,0,0,0,0,0,0,0,0,1,0" <\/code><\/pre>\n
\u0421\u043e\u0437\u0434\u0430\u0435\u0442 \u0442\u043e\u043b\u044c\u043a\u043e \u043f\u0435\u0440\u0432\u044b\u0439 \u0438 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0438\u0439 \u043e\u0442\u0447\u0451\u0442\u044b \u0438 \u043e\u0442\u0441\u044b\u043b\u0430\u0435\u0442 \u043d\u0430 \u0430\u0434\u0440\u0435\u0441 \u043f\u043e \u0443\u043c\u043e\u043b\u0447\u0430\u043d\u0438\u044e.<\/p>\n
Logparser_4.bat "0,1,0,0,0,0,0,0,0,0,0" n <\/code><\/pre>\n
\u0421\u043e\u0437\u0434\u0430\u0435\u0442 \u0442\u043e\u043b\u044c\u043a\u043e \u0432\u0442\u043e\u0440\u043e\u0439 \u043e\u0442\u0447\u0435\u0442, \u043d\u043e \u043d\u0438\u043a\u0443\u0434\u0430 \u043d\u0435 \u043e\u0442\u0441\u044b\u043b\u0430\u0435\u0442, \u0430 \u0441\u043a\u043b\u0430\u0434\u044b\u0432\u0435\u0442 \u0432 \u043f\u0430\u043f\u043a\u0443 f:\\Reports.<\/p>\n
Logparser_4.bat \/? <\/code><\/pre>\n
\u041f\u043e\u043a\u0430\u0437\u044b\u0432\u0430\u0435\u0442 \u043f\u043e\u043c\u043e\u0449\u044c.<\/p>\n
  \u041f\u0440\u0438\u043c\u0435\u0447\u0430\u043d\u0438\u0435<\/i>.
  \u0421\u0435\u0439\u0447\u0430\u0441 \u0441\u043a\u0440\u0438\u043f\u0442 \u0438\u0449\u0435\u0442 \u0441\u043e\u0431\u044b\u0442\u0438\u044f \u0432 \u0430\u0440\u0445\u0438\u0432\u043d\u044b\u0445 \u0436\u0443\u0440\u043d\u0430\u043b\u0430\u0445 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0442\u0435, \u0447\u0442\u043e Archive-Security-*.evt) \u0432 \u0446\u0435\u043d\u0442\u0440\u0430\u043b\u0438\u0437\u043e\u0432\u0430\u043d\u043d\u043e\u043c \u0445\u0440\u0430\u043d\u0438\u043b\u0438\u0449\u0435. \u0412 \u0441\u043a\u0440\u0438\u043f\u0442\u0435 \u044d\u0442\u043e \u0434\u0438\u0441\u043a Q, \u043f\u043e\u0434\u043a\u043b\u044e\u0447\u0435\u043d\u043d\u044b\u0439 \u0432 \u043d\u0430\u0447\u0430\u043b\u0435 \u0432 \u0431\u0430\u0442\u043d\u0438\u043a\u0435  <\/p>\n
net use Q: \\\\nas-srv\\BACKUP<\/code><\/pre>\n
\u041d\u043e \u043c\u043e\u0436\u0435\u0442 \u0438\u0441\u043a\u0430\u0442\u044c \u0432 \u043e\u043f\u0435\u0440\u0430\u0442\u0438\u0432\u043d\u044b\u0445 \u0438 \u0430\u0440\u0445\u0438\u0432\u043d\u044b\u0445 \u0436\u0443\u0440\u043d\u0430\u043b\u0430\u0445 \u043d\u0430 \u0441\u0435\u0440\u0432\u0435\u0440\u0430\u0445. \u0414\u043b\u044f \u044d\u0442\u043e\u0433\u043e \u043d\u0443\u0436\u043d\u043e \u0432 \u043a\u0430\u0436\u0434\u043e\u0439 \u0438\u0445 11 \u0444\u0443\u043d\u043a\u0446\u0438\u0439 \u0438\u0437\u043c\u0435\u043d\u0438\u0442\u044c   <\/p>\n
lsFROM = fuCollectFileList(lArrServerList, false)<\/code><\/pre>\n
 \u043d\u0430 <\/p>\n
lsFROM = fuCollectFileList(lArrServerList, true)<\/code><\/pre>\n
  \u0422\u0443\u0442 \u043c\u043e\u0436\u043d\u043e \u0441\u043a\u0430\u0447\u0430\u0442\u044c \u0430\u0440\u0445\u0438\u0432 \u0441\u043e \u0441\u043a\u0440\u0438\u043f\u0442\u043e\u043c, \u0431\u0430\u0442\u043d\u0438\u043a\u0430\u043c\u0438 \u0438 \u0448\u0430\u0431\u043b\u043e\u043d\u0430\u043c\u0438<\/a>. 
  \u0412 \u043f\u0440\u0438\u043d\u0446\u0438\u043f\u0435, \u043d\u0435 \u043e\u0431\u044f\u0437\u0430\u0442\u0435\u043b\u044c\u043d\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u0441\u043a\u0440\u0438\u043f\u0442 \u0434\u043e\u0441\u043b\u043e\u0432\u043d\u043e. \u0413\u043b\u0430\u0432\u043d\u043e\u0435 \u043f\u043e\u043d\u044f\u0442\u044c \u043f\u0440\u0438\u043d\u0446\u0438\u043f, \u043a\u0430\u043a \u043b\u043e\u0433\u043f\u0430\u0440\u0441\u0435\u0440 \u0438\u0449\u0435\u0442 \u0441\u043e\u0431\u044b\u0442\u0438\u044f \u0438 \u0432\u044b\u0433\u0440\u0443\u0436\u0430\u0435\u0442 \u0438\u0445 \u0432 html-\u0444\u0430\u0439\u043b, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0448\u0430\u0431\u043b\u043e\u043d. \u0418 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c\u0441\u044f.    \t<\/p>\n
<\/div>\n<\/p><\/div>\n
 \u0441\u0441\u044b\u043b\u043a\u0430 \u043d\u0430 \u043e\u0440\u0438\u0433\u0438\u043d\u0430\u043b \u0441\u0442\u0430\u0442\u044c\u0438  http:\/\/habrahabr.ru\/post\/205128\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
   \t\u0412\u0441\u0435\u043c \u043f\u0440\u0438\u0432\u0435\u0442!
  \u0423\u0434\u043e\u0431\u043d\u043e \u043f\u043e\u043b\u0443\u0447\u0430\u0442\u044c \u0432 \u043f\u043e\u0447\u0442\u0443 \u0435\u0436\u0435\u0434\u043d\u0435\u0432\u043d\u044b\u0439 \u043e\u0442\u0447\u0451\u0442 \u043e \u0441\u043e\u0431\u044b\u0442\u0438\u044f\u0445 \u043d\u0430 \u0441\u0435\u0440\u0432\u0435\u0440\u0430\u0445 \u0434\u043e\u043c\u0435\u043d\u0430 \u0437\u0430 \u043f\u0440\u0435\u0434\u044b\u0434\u0443\u0449\u0438\u0439 \u0434\u0435\u043d\u044c. \u041c\u043e\u0436\u043d\u043e \u0438 \u0437\u0430 \u0442\u0435\u043a\u0443\u0449\u0438\u0439, \u043d\u0435 \u0441\u0443\u0442\u044c \u0432\u0430\u0436\u043d\u043e. \u041a\u043e\u0433\u0434\u0430 \u0442\u0430\u043a\u0438\u0435 \u043e\u0442\u0447\u0451\u0442\u044b \u0441\u043e\u0431\u0438\u0440\u0430\u044e\u0442\u0441\u044f \u0437\u0430 \u0434\u043b\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0439 \u043f\u0440\u043e\u043c\u0435\u0436\u0443\u0442\u043e\u043a \u0432\u0440\u0435\u043c\u0435\u043d\u0438 (\u0437\u0430 \u043d\u0435\u0441\u043a\u043e\u043b\u044c\u043a\u043e \u043b\u0435\u0442, \u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440), \u043c\u043e\u0436\u043d\u043e \u043d\u0430\u0439\u0442\u0438, \u043a\u0442\u043e \u0437\u0430\u0432\u0451\u043b \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0451\u043d\u043d\u043e\u0433\u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f, \u043a\u0442\u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f \u0434\u043e\u0431\u0430\u0432\u0438\u043b\/\u0443\u0434\u0430\u043b\u0438\u043b \u0438\u0437 \u0433\u0440\u0443\u043f\u043f\u044b, \u043a\u0442\u043e \u043f\u043e\u043c\u0435\u043d\u044f\u043b \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044e \u043f\u0430\u0440\u043e\u043b\u044c (\u0438\u043b\u0438 \u043a\u043e\u0433\u0434\u0430 \u043e\u043d \u0441\u0430\u043c \u0441\u0435\u0431\u0435 \u043f\u043e\u043c\u0435\u043d\u044f\u043b), \u043b\u043e\u0433\u0438\u043d\u044b \u043d\u0430 \u0441\u0435\u0440\u0432\u0435\u0440\u044b, \u043d\u0435\u0443\u0434\u0430\u0447\u043d\u044b\u0435 \u043b\u043e\u0433\u0438\u043d\u044b \u0438 \u0442\u0430\u043a \u0434\u0430\u043b\u0435\u0435. \u0412 \u043f\u0440\u0438\u043d\u0446\u0438\u043f\u0435, \u043a\u0430\u0436\u0434\u044b\u0439 \u0441\u0430\u043c \u0434\u043b\u044f \u0441\u0435\u0431\u044f \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u044f\u0435\u0442 \u043d\u0430\u0431\u043e\u0440 \u0441\u043e\u0431\u044b\u0442\u0438\u0439 \u0434\u043b\u044f \u043e\u0442\u0447\u0451\u0442\u043e\u0432. \u0413\u043b\u0430\u0432\u043d\u043e\u0435 \u043f\u0440\u0438\u043d\u0446\u0438\u043f. 
  \u041d\u0430\u043c, \u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440, \u0432 \u043f\u043e\u0447\u0442\u0443 \u043f\u0440\u0438\u0445\u043e\u0434\u0438\u0442 \u0432\u043e\u0442 \u0442\u0430\u043a\u043e\u0439 \u043e\u0442\u0447\u0451\u0442:
  
  \u041a\u043e\u043c\u0443 \u043d\u0443\u0436\u043d\u043e, \u043f\u043e\u0434 \u043a\u0430\u0442\u043e\u043c \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u044f.  <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-205128","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts\/205128","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=205128"}],"version-history":[{"count":0,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts\/205128\/revisions"}],"wp:attachment":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=205128"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=205128"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=205128"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}