<#
.Synopsis
A PoshSec Framework function that monitors the current IIS log and generates alerts on specified criteria. The alerts display the log's timestamp, the client IP, the URL accessed, and the user agent string.
.PARAMETER IP
Client IP address to isolate in the log file. Generates alerts for those records.
.PARAMETER Filter
A string to search for to limit the log files returned
.PARAMETER Limit
An integer value to indicate how many records to return from the log file. Default is the most recent 100.
.PARAMETER Path
Path to the IIS log files. Default is C:\inetpub\logs\LogFiles\W3SVC1\
.PARAMETER Poll
Integer indicating the number of seconds to wait between checks of the log. Default is 10.
.EXAMPLE
Get an alert if anyone tries to view your robots.txt file.
Start-SecIISMonitor -filter "robots.txt"
#>
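param(
[String]$IP = "",
[String]$filter = "",
[Int]$limit = 100,
[String]$path = "C:\inetpub\logs\LogFiles\W3SVC1\",
[int]$poll = 10
)
#Required to use PoshSec functions
Import-Module $PSModRoot\PoshSec

# Decide once, before the polling loop, whether we are isolating a single
# client. An empty -IP means "alert on every record returned". A non-empty
# value that is not a valid IPv4/IPv6 literal is rejected up front: the
# previous behaviour silently fell back to alerting on every record, which
# floods $PSAlert and hides the typo from the operator.
$targetIP = $null
if ($IP -ne "") {
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($IP, [ref]$parsed)) {
        throw "Start-SecIISMonitor: -IP '$IP' is not a valid IP address."
    }
    # Compare against the canonical string form of the address rather than
    # the raw argument, so a differently written but equivalent literal still
    # matches the logged value (assumes Get-SECIISlog returns cIP as the
    # canonical string IIS writes - TODO confirm).
    $targetIP = $parsed.ToString()
}

# Builds the alert text for one log record: timestamp, client IP, URL and
# user agent (the same shape for the filtered and unfiltered paths - the
# per-IP path previously dropped the timestamp the synopsis promises).
# cIP, URL and Agent are attacker-controlled text copied from the request,
# so treat the result as untrusted: never hand it to Invoke-Expression, a
# shell, or an unescaped HTML/terminal sink downstream.
function Format-SecIISAlert($record) {
    return ($record.LogDate + " " + $record.cIP + " " + $record.URL + " " + $record.Agent)
}

while ($true) {
    $records = Get-SECIISlog -path $path -filter $filter -limit $limit
    if ($null -ne $targetIP) {
        # -eq on strings is case-insensitive, which is fine for hex IPv6 digits.
        $records = $records | Where-Object { $_.cIP -eq $targetIP }
    }
    # NOTE(review): each poll re-reads the most recent $limit records, so any
    # record that stays inside that window is alerted again on every pass.
    # Deduplication is left to the alert sink; confirm $PSAlert tolerates it.
    $records | ForEach-Object {
        $PSAlert.Add((Format-SecIISAlert $_), 2)
    }
    Start-Sleep -Seconds $poll
}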