IIS Statistics : Access from user X having Y hits

If you have a website running on IIS and that website uses authentication (in this case Negotiate authentication), you can run a report on who is using that website. The logs record the samAccountName, which will be in the format domain\userid.

This script also provides the UPN of each user and how many hits that user has had on the website, which can be very handy for information purposes. Change the sections in bold if required; an overview of those is below, before the script:

If you wish to change how many log files are read as part of this script, amend the First value to greater than "1" as below:

# Get the most recent log file based on the last write time
$latestLogFile = Get-ChildItem -Path $logDirectoryPath -Filter "u_ex*.log" | Sort-Object LastWriteTime -Descending | Select-Object -First 1

You will need to change the samAccountName prefix for your domain and the virtual directory to look for:

    # Read the log file and extract the entries containing 'BEAR\' and '/honey/'
    $logEntries = Get-Content $latestLogFile.FullName | Where-Object { $_ -match 'BEAR\\' -and $_ -match '/honey/' }

The Script

# Define the path to the IIS log directory
$logDirectoryPath = "C:\inetpub\logs\LogFiles\W3SVC1"

# Get the most recent log file based on the last write time
$latestLogFile = Get-ChildItem -Path $logDirectoryPath -Filter "u_ex*.log" | Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($latestLogFile) {
    Write-Output "Processing log file: $($latestLogFile.FullName)"

    # Read the log file and extract the entries containing 'BEAR\' and '/honey/'
    $logEntries = Get-Content $latestLogFile.FullName | Where-Object { $_ -match 'BEAR\\' -and $_ -match '/honey/' }

    # Display the extracted log entries
    $logEntries

    # Import the ActiveDirectory module
    Import-Module ActiveDirectory

    # Function to extract the username from a log entry
    # (the domain prefix here must match the one used in the filter above)
    function Get-UsernameFromLogEntry($logEntry) {
        if ($logEntry -match 'BEAR\\(\w+)') {
            return $matches[1]
        }
        return $null
    }

    # Dictionary to track username hit counts
    $userHitCounts = @{}

    # Loop through each log entry to count the hits per user
    foreach ($logEntry in $logEntries) {
        $username = Get-UsernameFromLogEntry -logEntry $logEntry
        if ($username) {
            if ($userHitCounts.ContainsKey($username)) {
                $userHitCounts[$username]++
            } else {
                $userHitCounts[$username] = 1
            }
        }
    }

    # Table to store results
    $userTable = @()

    # Loop through each unique username and retrieve the UPN
    foreach ($username in $userHitCounts.Keys) {

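        # Retrieve the user's UPN from Active Directory; leave it blank if the
        # account cannot be found, rather than reusing the previous user's value
        try {
            $upn = (Get-ADUser -Identity $username -Properties UserPrincipalName -ErrorAction Stop).UserPrincipalName
        } catch {
            $upn = $null
        }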

        # Add to the results table
        $userTable += [PSCustomObject]@{
            'LoginID' = $username
            'UPN' = $upn
            'HitCount' = $userHitCounts[$username]
        }
    }

    # Display the user table
    $userTable | Format-Table -AutoSize
} else {
    Write-Output "No log files found in the directory."
}

This will then give you a table of data that you can use to see who is using the website; an example is provided below:

xxxx
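
An added example, not part of the original script: the script above matches BEAR\ and /honey/ anywhere in the line and captures the name with \w+, so a request to another path whose referer contains /honey/ is counted and a login such as bob.smith is cut to bob. This variant reads the cs-username and cs-uri-stem columns from the log's #Fields: header instead; the function name Get-IisUserHits, its parameters and the sample log lines are constructed for illustration.

```powershell
# Constructed sample log (not from a real server); column order follows its #Fields line.
$sampleLog = @'
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(Referer) sc-status
2024-01-15 09:00:01 GET /honey/index.html BEAR\alice 10.0.1.20 - 200
2024-01-15 09:00:02 GET /honey/app.js BEAR\alice 10.0.1.20 - 200
2024-01-15 09:00:03 GET /honey/index.html - 10.0.1.21 - 401
2024-01-15 09:00:04 GET /honey/index.html BEAR\bob.smith 10.0.1.21 - 200
2024-01-15 09:00:05 GET /other/page.html BEAR\carol 10.0.1.22 https://intranet.example/honey/index.html 200
'@ -split '\r?\n'

# Hypothetical helper: counts hits per user using the columns named in #Fields.
function Get-IisUserHits {
    param([string[]]$Lines, [string]$DomainPrefix, [string]$PathPrefix)
    $ci = [System.StringComparison]::OrdinalIgnoreCase
    $fieldCount = 0; $iUser = -1; $iStem = -1
    $counts = @{}
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            # The column layout can differ between files (or change mid-file), so re-read it.
            $fields = @($line.Substring(8).Trim() -split '\s+')
            $fieldCount = $fields.Count
            $iUser = [array]::IndexOf($fields, 'cs-username')
            $iStem = [array]::IndexOf($fields, 'cs-uri-stem')
            continue
        }
        # Skip other directives, and everything until both columns are known.
        if ($line.StartsWith('#') -or $iUser -lt 0 -or $iStem -lt 0) { continue }
        $cols = $line -split ' '
        if ($cols.Count -ne $fieldCount) { continue }   # blank or truncated line
        $user = $cols[$iUser]
        # Compare only the username and URI-stem columns, never the whole line.
        if ($user.StartsWith($DomainPrefix, $ci) -and $cols[$iStem].StartsWith($PathPrefix, $ci)) {
            $name = $user.Substring($DomainPrefix.Length)
            $counts[$name] = 1 + $counts[$name]   # a missing key reads as $null, so this starts at 1
        }
    }
    $counts.GetEnumerator() | Sort-Object Key | ForEach-Object {
        [PSCustomObject]@{ LoginID = $_.Key; HitCount = $_.Value }
    }
}

Get-IisUserHits -Lines $sampleLog -DomainPrefix 'BEAR\' -PathPrefix '/honey/' | Format-Table -AutoSize
```

To run it against a real log, pass the output of Get-Content for the log file as -Lines; the LoginID values can then be given to Get-ADUser as in the script above.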