If you have a website running on IIS and that website uses authentication (in this case Negotiate authentication), you can run a report on who is using that website. The logs record the samAccountName, which will be in the format domain\userid.
This script also provides the UPN of each user and how many hits that user has had on the website, which can be very handy for information purposes. Change the sections in bold if required; an overview of those sections is given below, before the script:
If you wish to change how many log files are read as part of this script, amend the -First value to greater than "1", as below:
# Pick the newest IIS log by last write time; -First sets how many files are selected
$latestLogFile = Get-ChildItem -Path $logDirectoryPath -Filter "u_ex*.log" |
    Sort-Object -Property LastWriteTime -Descending |
    Select-Object -First 1
You will need to change the samAccountName prefix for your domain and the virtual directory to look for:
# Keep only the log lines that mention the 'BEAR\' domain prefix and the '/honey/' path.
# The same domain prefix must be used wherever the script extracts the username,
# otherwise no hits are counted.
$logEntries = Get-Content -Path $latestLogFile.FullName |
    Where-Object { ($_ -match 'BEAR\\') -and ($_ -match '/honey/') }
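# Report which authenticated users requested a given virtual directory, based
# on the newest IIS log file, together with each user's UPN and hit count.

# Define the path to the IIS log directory
$logDirectoryPath = "C:\inetpub\logs\LogFiles\W3SVC1"

# Domain prefix (the part before the backslash in domain\userid) and the
# virtual directory to report on. Change both for your environment. They are
# defined once so the log filter and the username extraction always agree;
# filtering on one domain while extracting usernames for another yields an
# empty report.
$domainPrefix = 'BEAR'
$virtualDirectory = '/honey/'

# Get the most recent log file based on the last write time
$latestLogFile = Get-ChildItem -Path $logDirectoryPath -Filter "u_ex*.log" |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1

if ($latestLogFile) {
    Write-Output "Processing log file: $($latestLogFile.FullName)"

    # Function to extract the username from a log entry.
    #   $logEntry      - one data line of the log (space-separated fields)
    #   $usernameIndex - position of cs-username, taken from the #Fields header
    # Returns the userid part of "<domainPrefix>\userid", or $null when the
    # cs-username field is missing or belongs to another domain.
    # Only the cs-username field is inspected: the query string, user agent and
    # referer are supplied by the client, so a "DOMAIN\user" string found there
    # must never be counted as an authenticated hit.
    function Get-UsernameFromLogEntry($logEntry, $usernameIndex) {
        $fields = $logEntry -split ' '
        if ($usernameIndex -lt 0 -or $usernameIndex -ge $fields.Count) {
            return $null
        }
        # Anchored on both ends so the whole field must be DOMAIN\userid.
        # [^\\\s]+ also accepts userids containing dots or hyphens.
        $pattern = '^' + [regex]::Escape($domainPrefix) + '\\([^\\\s]+)$'
        if ($fields[$usernameIndex] -match $pattern) {
            return $matches[1]
        }
        return $null
    }

    # Field positions are read from the "#Fields:" header; -1 means "not known yet"
    $usernameIndex = -1
    $uriStemIndex = -1
    $linesWithoutHeader = 0

    # Matching log lines (kept for display) and dictionary of username hit counts
    $logEntries = New-Object 'System.Collections.Generic.List[string]'
    $userHitCounts = @{}

    # Single pass over the log: track the current field layout, keep the lines
    # for the wanted virtual directory and domain, and count hits per user
    foreach ($line in (Get-Content -Path $latestLogFile.FullName)) {
        if ($line.Trim().Length -eq 0) {
            continue
        }
        if ($line.StartsWith('#')) {
            # Header lines; a "#Fields:" line describes the data lines after it
            if ($line -match '^#Fields:\s*(.+)$') {
                $fieldNames = @($matches[1].Trim() -split '\s+')
                $usernameIndex = [array]::IndexOf($fieldNames, 'cs-username')
                $uriStemIndex = [array]::IndexOf($fieldNames, 'cs-uri-stem')
            }
            continue
        }
        if ($usernameIndex -lt 0 -or $uriStemIndex -lt 0) {
            # Without a field layout the line cannot be attributed safely
            $linesWithoutHeader++
            continue
        }

        $fields = $line -split ' '
        if ($uriStemIndex -ge $fields.Count) {
            continue
        }
        # Literal, case-insensitive match on the requested path only
        if ($fields[$uriStemIndex].IndexOf($virtualDirectory, [System.StringComparison]::OrdinalIgnoreCase) -lt 0) {
            continue
        }

        $username = Get-UsernameFromLogEntry -logEntry $line -usernameIndex $usernameIndex
        if (-not $username) {
            continue
        }

        $logEntries.Add($line)
        if ($userHitCounts.ContainsKey($username)) {
            $userHitCounts[$username]++
        } else {
            $userHitCounts[$username] = 1
        }
    }

    if ($linesWithoutHeader -gt 0) {
        Write-Warning "$linesWithoutHeader log line(s) skipped: no #Fields header with cs-username and cs-uri-stem preceded them."
    }

    # Display the extracted log entries
    $logEntries

    # Import the ActiveDirectory module
    Import-Module ActiveDirectory

    # Loop through each unique username and retrieve the UPN
    $userTable = @(foreach ($username in $userHitCounts.Keys) {
        # Reset per user: if the lookup fails, the row must not inherit the
        # UPN resolved for the previous user
        $upn = $null
        try {
            $user = Get-ADUser -Identity $username -Properties UserPrincipalName -ErrorAction Stop
            $upn = $user.UserPrincipalName
        } catch {
            Write-Warning "Could not resolve '$username' in Active Directory: $($_.Exception.Message)"
        }

        [PSCustomObject]@{
            'LoginID'  = $username
            'UPN'      = $upn
            'HitCount' = $userHitCounts[$username]
        }
    })

    # Display the user table
    $userTable | Format-Table -AutoSize
} else {
    Write-Output "No log files found in the directory."
}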