Click an Ad

If you find this blog helpful, please support me by clicking an ad!

Tuesday, April 12, 2016

Report on Cisco VPN Logins from Syslog..... Logs....

Man it's been a long time! Don't know what to say; sometimes I feel like writing and sometimes I don't. I definitely have a long list of things to Blog about. Maybe I'm just destined to be an "in spurts" type of blogger.

The rest of this is a script I created to keep track of people that were using the VPN for licensing purposes, though it does have security implications as well. I wanted to get rid of accounts that very rarely or never used our VPN capabilities.

<#
What we want is to parse the ASA syslog files stored in the syslog folder. These are in txt format and are rather large.

This Powershell script is scheduled to run after midnight on the syslog server every day.

The script autogenerates a new CSV file if it doesn't exist. Results should append to the CSV file daily, and we pull down and remove the csv file weekly.

On Mondays (or a day of your choosing, see the variables section), it counts the entries, keeps only unique logins, and sends the file as an attachment to me. It then deletes the concatenated csv file.

#>

############
# Variables
############

#Get Today's Date
$Today = Get-Date

#Get yesterdays date
$Yesterday = $Today.AddDays(-1)

#Path to txt Syslog Files
$SyslogFilePath = "D:\ASA Syslog Files\ASA1\"

#Name of output file
$OutputFile = "D:\PowershellLogData\ASA1_VPNConnections.csv"

#Specify the day of the week to report (Monday by default)
$ReportDayOfWeek = "Monday"

#Build filename of yesterday's log file, with the path
$FileName = $SyslogFilePath + ($Yesterday.ToString('yyyy-MM-dd')) + ".txt"

#Mail Variables
$To = "me@contoso.com"
$From = "me@contoso.com"
$SMTPServer = "mail.contoso.com"

#Get the day of the week
$DayOfWeek = ((Get-Date).DayOfWeek).ToString()

#If the Output CSV File Doesn't Exit, create one
If ((Test-Path $OutputFile) -eq $False){
    $Headers = @()
    $HeadersEntry = New-Object psobject
    $HeadersEntry | Add-Member -MemberType NoteProperty -Name Timestamp -Value "ScriptEntry"
    $HeadersEntry | Add-Member -MemberType NoteProperty -Name Group -Value "ScriptEntry"
    $HeadersEntry | Add-Member -MemberType NoteProperty -Name User -Value "ScriptEntry"
    $HeadersEntry | Add-Member -MemberType NoteProperty -Name IPAddress -Value "ScriptEntry"
    $Headers += $HeadersEntry
    $Headers | Export-CSV $OutputFile -NoTypeInformation
}

#Parse Yesterday's log file for only VPN connection entries
$ConnectionEvents = select-string -path $FileName -Pattern "722022"

#Create an array
$LogInfo = @()

#Cycle through each VPN Login entry and extract the data, adding to the array
$ConnectionEvents | Foreach-Object {
    
    #Extract the Info
    $infos = $_ -split '\t'
    $TimePre = $Infos[0] -split ':'
    $Time = $TimePre[3] + ":" + $TimePre[4] + ":" + $TimePre[5]
    $BetterInfo = $Infos[3] -split '<'
    $Group = ($BetterInfo[1] -split '>')[0]
    $User = ($BetterInfo[2] -split '>')[0]
    $IPFrom = ($BetterInfo[3] -split '>')[0]
    
    #Build the Object
    $LogInfoItem = New-Object psobject
    $LogInfoItem | Add-Member -MemberType NoteProperty -Name Timestamp -Value $Time
    $LogInfoItem | Add-Member -MemberType NoteProperty -Name Group -Value $Group
    $LogInfoItem  | Add-Member -MemberType NoteProperty -Name User -Value $User
    $LogInfoItem  | Add-Member -MemberType NoteProperty -Name IPAddress -Value $IPFrom
    $LogInfo += $LogInfoItem
    
    } #End Foreach-Object

#Append the array to the csv output file
$LogInfo | Export-CSV -Append $OutPutFile

#If it's Monday, clean up the file and send it out, then remove the original CSV so it's rebuilt for the next reporting week
#If it's NOT Monday, just do the data conversion and leave the file intact.
If ($DayOfWeek -like $ReportDayOfWeek){

    #Import the Output CSV File
    $Entries = Import-CSV $OutputFile

    #Keep only entries that have populated username fields and weren't created on CSV initialization (ScriptEntry piece)
    $Entries = $Entries | select-object  | Where-Object {$_.user -notlike "" -and $_user -notlike "ScriptEntry"}

    #Create Report information
    $ReportObject = $Entries | select user -unique | sort user
    
    #Create HTML Report
    $ReportHTML = $ReportObject | ConvertTo-Html | out-string
    
    #Count the Entries
    $VPNCount = (($Entries | Measure-Object).Count).ToString()

    #Craft the Email Subject wit the count
    $Subject = "PS Report - Cisco ASA VPN Logs - $VPNCount Logons Last Week"

    #Send the email
    Send-MailMessage -To $To -From $From -SmtpServer $SMTPServer -Body $ReportHTML -BodyAsHTML -Subject $Subject -Attachments $OutputFile

    #Remove the CSV file
    Remove-Item $OutputFile -force -ErrorAction 0

} #End If Monday

VMware HA Testing Tool/Site

Something I ran across today is this VMware tool/site that allows you to upload a DRS dump file from your environment and simulates a host failure in your VMware HA cluster. It's always nice to have a test on what you think will happen, and this is much easier and less (possibly) disruptive than pulling out the power cords from your ESXi server.....

Good stuff!

PS, I passed, except for one VM that will only boot on one host.