We have a need to see login failures on a IIS 6 & 7 server farm. I would assume that some sort of log parsing will be required to make this work. Could someone point me in the right direction?
Article Comments
Depending on what you exactly want to monitor, for example the total number of failed attempts for the last hour, you will have to write a Custom Sensor (script, batch or exe) that counts the 401's over the last hour.
The /api.htm page on your PRTG server can give you more detail on how to write such a sensor.
Sep, 2011 - Permalink
Here is a small batch file to get you going, with a few remarks:
- You will have to set the "logfolder" variable to your own log file location.
- The script assumes log files are created on a daily basis and therefore returns the number of failed logins in the last created log file.
- The script is provided "as is" and you are of cause free to make your own modifications and improvements.
@ECHO OFF
SET logfolder=\\YOUR_COMPUTER\c$\WINDOWS\system32\LogFiles\W3SVC1
SET /a counter=0
:: get newest file
FOR /F %%f IN ('DIR %logfolder% /B /O:D') DO SET newestfile=%%f
:: copy newest file to temp file
COPY "%logfolder%\%newestfile%" c:\temp\xx.log > NUL
:: process each line in the file
FOR /F "usebackq delims=" %%l in (c:\temp\xx.log) DO (
:: get the 12th column in the line
FOR /F "tokens=12 delims= " %%a in ("%%l") DO (
IF %%a == 401 SET /a counter+=1
)
)
:: delete temp file
DEL c:\temp\xx.log > NUL
:: output to PRTG
ECHO %counter%:Ok
Sep, 2011 - Permalink
If you have enabled logging in IIS for your "web site", the log files by default reside in C:\WINDOWS\system32\LogFiles
Here you can examine the xx.log files and find the lines with 401 in the sc-status column.
(401 stands for Unauthorized login attempt)
Sep, 2011 - Permalink