Script to pull authentication logs (including RDP) from Windows desktop or server event logs and write them to easily readable log files.
Script will create log files to keep track of authentication events by device hostname, device serial number, and domain username.
Script will send an alert if it sees three failed login attempts.
Script names files relative to the directory and separates logs by month, e.g. xxxx_2022-Feb_Auth.log
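The following is an added example of the collection logic described above; it is not AuditAuthEvents.ps1 itself and does not read a -ConfigFile (the log root, failure threshold and lookback window are plain parameters, all assumptions). It pulls 4624/4625 events from the Security log, appends one line per event to month-named files keyed by hostname, serial number and domain\username, and raises an alert for any account with three or more failures in the window.

```powershell
# Added example (not the project's AuditAuthEvents.ps1). Requires rights to read the
# Security log (administrator or SYSTEM). Assumptions: $LogRoot, threshold, lookback.
param(
    [string]$LogRoot = "$PSScriptRoot\AuthLogs",   # assumption: log directory beside the script
    [int]$FailureThreshold = 3,                     # README: alert on three failed attempts
    [int]$LookbackHours = 24
)

$hostname = $env:COMPUTERNAME
# Serial numbers can contain characters that are invalid in file names; sanitize them.
$serial = ((Get-CimInstance -ClassName Win32_BIOS).SerialNumber -replace '[\\/:*?"<>|]', '_').Trim()
if (-not $serial) { $serial = 'UNKNOWN-SERIAL' }
$month = Get-Date -Format 'yyyy-MMM'                # e.g. 2022-Feb, matching xxxx_2022-Feb_Auth.log

# 4624 = successful logon, 4625 = failed logon. LogonType 10 = RemoteInteractive (RDP);
# LogonType 3 = Network, which is what RDP with NLA produces for the pre-auth step.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue

$records = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        Result    = if ($e.Id -eq 4624) { 'SUCCESS' } else { 'FAILURE' }
        Domain    = $d['TargetDomainName']
        User      = $d['TargetUserName']
        LogonType = $d['LogonType']
        Source    = $d['IpAddress']
        Host      = $hostname
        Serial    = $serial
    }
}

# Append-only output: Add-Content needs Write, never Modify, and existing lines stay untouched.
New-Item -ItemType Directory -Path $LogRoot -Force | Out-Null
foreach ($r in $records) {
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1} {2} {3}\{4} type={5} src={6} host={7} serial={8}' -f `
        $r.Time, $r.EventId, $r.Result, $r.Domain, $r.User, $r.LogonType, $r.Source, $r.Host, $r.Serial
    Add-Content -Path (Join-Path $LogRoot "$($r.Host)_${month}_Auth.log")   -Value $line
    Add-Content -Path (Join-Path $LogRoot "$($r.Serial)_${month}_Auth.log") -Value $line
    if ($r.User) {
        Add-Content -Path (Join-Path $LogRoot "$($r.Domain)_$($r.User)_${month}_Auth.log") -Value $line
    }
}

# Alert when an account reaches the failure threshold inside the lookback window.
$records | Where-Object Result -eq 'FAILURE' |
    Group-Object Domain, User |
    Where-Object Count -ge $FailureThreshold |
    ForEach-Object {
        $msg = "ALERT: $($_.Count) failed logons for $($_.Name) on $hostname ($serial)"
        Write-Warning $msg
        Add-Content -Path (Join-Path $LogRoot "${hostname}_${month}_Alerts.log") -Value $msg
        # Assumption: swap in the organization's channel here (mail, webhook, SIEM forwarder).
    }
```

Because every write is Add-Content, the log directory ACL can be limited to Read and Write as the recommendations below describe; a compromised endpoint can add lines but cannot rewrite or delete earlier ones. When the task runs as SYSTEM against a network share, the write is performed by the computer account, so the share ACL has to grant Write to the machine accounts (for example the Domain Computers group).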
How to Run:
./AuditAuthEvents.ps1 -ConfigFile \\remote\config\file
Recommendations:
- Require all PowerShell scripts to be signed in your domain environment. Set through Group Policy.
- Sign this script with an organization code signing certificate that is pushed to all domain assets via GPO.
- Run as a scheduled task pushed to all domain assets with a GPO.
- At a minimum, set the scheduled task to trigger on user login and on event 4625 (failed login).
- Log directory requires a minimum of Read and Write permissions. This script DOES NOT require Modify permissions. Nothing in existing log files needs to be modified or deleted. This script only appends to existing files.
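An added example of registering the two triggers the recommendations call for (on logon and on event 4625) with the built-in schtasks.exe; this is not part of the project, and the share paths and task names are placeholders. The -ExecutionPolicy AllSigned switch matches the signed-scripts policy above, so an unsigned or tampered copy of the script will not run.

```powershell
# Added example (not part of the project). Run once per host with administrative rights,
# or wrap it in the GPO startup script that deploys the task. Paths are assumptions.
$script = '\\files\scripts\AuditAuthEvents.ps1'     # assumption: signed script on a read-only share
$config = '\\files\config\auth.cfg'                 # assumption: matches -ConfigFile usage above

# No spaces in the paths, so the action string needs no embedded quotes when handed to schtasks.
$action = "powershell.exe -NoProfile -ExecutionPolicy AllSigned -File $script -ConfigFile $config"

# Trigger 1: every interactive logon. /RU SYSTEM gives the task rights to read the Security log.
schtasks.exe /Create /F /TN 'AuditAuthEvents-OnLogon' /RU 'SYSTEM' /SC ONLOGON /TR $action

# Trigger 2: each failed logon. /EC is the event channel, /MO the XPath filter for event 4625.
schtasks.exe /Create /F /TN 'AuditAuthEvents-OnFailedLogon' /RU 'SYSTEM' /SC ONEVENT `
    /EC Security /MO '*[System[EventID=4625]]' /TR $action

# Verify both tasks were created and show their triggers.
schtasks.exe /Query /TN 'AuditAuthEvents-OnLogon' /V /FO LIST
schtasks.exe /Query /TN 'AuditAuthEvents-OnFailedLogon' /V /FO LIST
```

Running as SYSTEM means the task never depends on the logged-on user's rights, but it also means writes to the log share arrive under the computer account, so the share and NTFS ACLs must grant Write (not Modify) to the domain computer accounts rather than to the users.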