I recall seeing you mention somewhere you plan on implementing correlation but cannot find now where.
It would be a great feature addition to add some correlation support, at least for TerminalServices-Gateway event logs, which only report authentication successes and not authentication failures.
I've written up a basic script (see below) that I planned on running on an RD Gateway to create event logs to be parsed by EvlWatcher. I ran into a challenge with events that happened during an extended period in which my script didn't run: it can introduce a condition where EvlWatcher bans an IP only because my script reported multiple failed authentication requests at once, even though in reality those failures happened over a span of time and are only reported together because my script is now catching up on all of them.
I figure that if correlation can somehow be added into EvlWatcher, it would solve the whole challenge, since EvlWatcher internally would compare the time ranges between the events.
Very simple script I wrote. It's still missing the Windows EventLog creation, but that should be trivial to add. As we can see, the correlation code is only 4 lines long.
$LastEventPath = ".\LastEvent.txt"

# Resume from the timestamp saved by the previous run; on the first run look back 100 days.
if (Test-Path $LastEventPath) {
    $EventFilter_TimeStart = ([datetime](Get-Content $LastEventPath)).AddSeconds(1)
} else {
    $EventFilter_TimeStart = (Get-Date).AddDays(-100)
}
# Stop one minute short of now so that a follow-up success event (same ActivityId) has time to be written.
$EventFilter_TimeEnd = (Get-Date).AddMinutes(-1)

$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
    StartTime = $EventFilter_TimeStart
    EndTime   = $EventFilter_TimeEnd
} -ErrorAction SilentlyContinue

# This is the code that actually does the correlation: it returns the 312 events that have
# no follow-up event (i.e. no authentication success) with the same ActivityId.
$FailedAuth = $Events | Group-Object ActivityId | ForEach-Object {
    if (($_.Group[0].Id -eq 312) -and ($_.Group.Count -eq 1)) {
        $_.Group
    }
}

# Save the last event time to disk; it becomes the StartTime filter for the next run.
# If nothing was returned, save the EndTime used above rather than Get-Date, so that events
# created during the last minute are still picked up next time instead of being skipped.
if ($Events) {
    $LastEventTime = ($Events | Sort-Object TimeCreated)[-1].TimeCreated
} else {
    $LastEventTime = $EventFilter_TimeEnd
}
# The round-trip ("o") format is culture-independent, so the saved value parses back correctly on any locale.
$LastEventTime.ToString("o") | Out-File $LastEventPath -Encoding ascii -Force
Edit: The reason we need to monitor this event log is that on an RD Gateway event 4625 doesn't get generated when the username is correct but the password is incorrect.
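The following is an added example, not EvlWatcher's code and not the script from the post above. It keeps the post's ActivityId correlation (a lone 312 with no follow-up on the same ActivityId is treated as a failed logon, as the post states) and adds a per-IP threshold that is evaluated on each event's own TimeCreated, so a backlog processed in one catch-up run is judged by when the failures really happened rather than by when the script got to them. It assumes the client address appears in the 312 message as `on client computer "x.x.x.x"`; verify that against a real 312 on your gateway. All sample events and the `New-GwEvent` helper are constructed for this example.

```powershell
# Added example (not EvlWatcher's code, not the script from the post).
# Assumptions: event 312 = "initiated an outbound connection"; a lone 312 per ActivityId is a
# failed logon; the 312 message contains: on client computer "x.x.x.x". Sample data is constructed.

function Get-GatewayFailedAuth {
    param([object[]]$Events)
    # Same correlation as the post: groups with exactly one event, and that event is a 312.
    $Events | Group-Object ActivityId | ForEach-Object {
        if ($_.Count -eq 1 -and $_.Group[0].Id -eq 312) { $_.Group[0] }
    }
}

function Get-ClientIp {
    param($Event)
    # Assumed message format; adjust the pattern if your gateway's 312 text differs.
    if ($Event.Message -match 'client computer "([^"]+)"') { $Matches[1] } else { $null }
}

function Get-BanCandidates {
    param(
        [object[]]$FailedEvents,
        [int]$Threshold = 5,
        [timespan]$Window = [timespan]::FromMinutes(10)
    )
    # Per source IP, slide a window over the sorted real timestamps. An IP qualifies only if
    # $Threshold failures fall inside some span of length $Window, regardless of when the
    # script processed them. This is what prevents a catch-up run from looking like a burst.
    $FailedEvents | Group-Object { Get-ClientIp $_ } | ForEach-Object {
        $ip = $_.Name
        if (-not $ip) { return }   # 312 without a parseable client address: skip
        $times = @($_.Group | Sort-Object TimeCreated | ForEach-Object { $_.TimeCreated })
        for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
            if (($times[$i + $Threshold - 1] - $times[$i]) -le $Window) {
                [pscustomobject]@{
                    ClientIp    = $ip
                    Failures    = $times.Count
                    WindowStart = $times[$i]
                    WindowEnd   = $times[$i + $Threshold - 1]
                }
                return
            }
        }
    }
}

# ---- constructed sample data (stands in for Get-WinEvent output) ----
$base = [datetime]'2024-01-15T08:00:00'
function New-GwEvent([int]$Id, [string]$ActivityId, [double]$Minutes, [string]$Ip) {
    [pscustomobject]@{
        Id          = $Id
        ActivityId  = $ActivityId
        TimeCreated = $base.AddMinutes($Minutes)
        Message     = if ($Id -eq 312) {
            "The user `"CORP\alice`", on client computer `"$Ip`", has initiated an outbound connection."
        } else {
            "The user `"CORP\alice`" met connection authorization policy requirements."
        }
    }
}

$sample = @(
    # a real logon: 312 followed by a 200 with the same ActivityId -> not a failure
    (New-GwEvent 312 'a1' 0.0 '203.0.113.7')
    (New-GwEvent 200 'a1' 0.1 '203.0.113.7')
    # five failures packed into four minutes -> exceeds 5-in-10-minutes
    (New-GwEvent 312 'b1' 1 '198.51.100.9')
    (New-GwEvent 312 'b2' 2 '198.51.100.9')
    (New-GwEvent 312 'b3' 3 '198.51.100.9')
    (New-GwEvent 312 'b4' 4 '198.51.100.9')
    (New-GwEvent 312 'b5' 5 '198.51.100.9')
    # five failures spread over eight hours -> same count, never five inside ten minutes
    (New-GwEvent 312 'c1' 0   '192.0.2.44')
    (New-GwEvent 312 'c2' 120 '192.0.2.44')
    (New-GwEvent 312 'c3' 240 '192.0.2.44')
    (New-GwEvent 312 'c4' 360 '192.0.2.44')
    (New-GwEvent 312 'c5' 480 '192.0.2.44')
)

$failed = Get-GatewayFailedAuth -Events $sample
Get-BanCandidates -FailedEvents $failed -Threshold 5 -Window ([timespan]::FromMinutes(10))
```

With the constructed sample only the address whose five failures sit inside four minutes comes out as a candidate; the address with five failures spread over eight hours does not, even though a catch-up run would hand both sets to the script at the same moment. If you feed this into EvlWatcher, write one event per candidate (or carry the original TimeCreated in the message) instead of one event per failure, so that EvlWatcher's own counting is not driven by the script's processing time.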