Logon-Audit.ps1

<#PSScriptInfo
 
.VERSION 20.03.20
 
.GUID 8ce1ea39-7421-4190-8d59-267612fb0727
 
.AUTHOR Mike Galvin Contact: mike@gal.vin / twitter.com/mikegalvin_
 
.COMPANYNAME Mike Galvin
 
.COPYRIGHT (C) Mike Galvin. All rights reserved.
 
.TAGS Logon Event Audit Microsoft Teams Webhook
 
.LICENSEURI
 
.PROJECTURI https://gal.vin/2020/03/12/logon-audit-utility
 
.ICONURI
 
.EXTERNALMODULEDEPENDENCIES
 
.REQUIREDSCRIPTS
 
.EXTERNALSCRIPTDEPENDENCIES
 
.RELEASENOTES
 
#>


<#
    .SYNOPSIS
    Logon Audit Utility - Really simple log on/off auditing utility
 
    .DESCRIPTION
    Log user log on and off activity to a txt file as well as Teams.
 
    .PARAMETER Logon
    Use this option to log a log on event.
 
    .PARAMETER Logoff
    Use this option to log a log off event.
 
    .PARAMETER Teams
    The path to a txt file containing the webhook URI of your Teams instance.
    Use this option to send the recorded event to Teams as well as to the log file.
 
    .PARAMETER L
    The path to output the log file to.
    The file name will be Logon-Audit.log
    Do not add a trailing \ backslash.
 
    .EXAMPLE
    Logon-Audit.ps1 -Logon -L \\server\share -Teams \\server\share\webhook.txt
 
    The above command will record a logon event for the currently logged on user to the log file and also to Teams.
#>


## Set up command line switches.
[CmdletBinding()]
Param(
    ## Directory that receives the log file. Validated as an existing container.
    [Parameter()]
    [Alias("L")]
    [ValidateScript({ Test-Path -Path $_ -PathType Container })]
    $LogPath,

    ## Text file holding the Teams incoming-webhook URI. Validated as an existing file.
    ## NOTE(review): the URI is a credential for posting into the channel; the file
    ## should be readable only by the accounts that run this script.
    [Parameter()]
    [Alias("Teams")]
    [ValidateScript({ Test-Path -Path $_ -PathType Leaf })]
    [string]$Twh,

    ## Record a logon event for the current user.
    [Parameter()]
    [switch]$Logon,

    ## Record a logoff event for the current user.
    [Parameter()]
    [switch]$Logoff
)

## If logging is configured, set the log file name.
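## If logging is configured, build the full path of the log file.
If ($LogPath)
{
    $LogFile = "Logon-Audit-new.log"
    ## Join-Path tolerates a trailing backslash on -L, which the plain
    ## "$LogPath\$LogFile" concatenation turned into a double separator.
    $Log = Join-Path -Path $LogPath -ChildPath $LogFile
}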

## Function to get date in specific format.
## Returns the current local time as "yyyy-MM-dd HH:mm:ss" for log-line prefixes.
Function Get-DateFormat
{
    $Now = Get-Date
    return $Now.ToString("yyyy-MM-dd HH:mm:ss")
}

## Function for logging.
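## Appends one line to the audit log.
##   $Type  - "Logon" or "Logoff" (compared case-insensitively); any other value is ignored.
##   $Event - free-text detail written after the "[LOGON]" / "[LOGOFF]" tag.
## Reads the script-scope $LogPath (logging enabled?) and $Log (target file);
## does nothing when -L was not supplied. The file is written as ASCII, so
## non-ASCII characters in a user or device name will not round-trip.
Function Write-Log($Type,$Event)
{
    # Logging is optional; without -L there is nowhere to write.
    If ($Null -eq $LogPath) { return }

    # Both event kinds share one code path; the tag is the upper-cased type,
    # which matches the original "[LOGON]" / "[LOGOFF]" output exactly.
    If ($Type -eq "Logon" -or $Type -eq "Logoff")
    {
        $Tag = $Type.ToUpper()
        Add-Content -Path $Log -Encoding ASCII -Value "$(Get-DateFormat) [$Tag] $Event"
    }
}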

# If the -logon switch is used, register it as a logon.
If ($Logon)
{
    Write-Log -Type Logon -Event "Device: $env:COMPUTERNAME, Domain: $env:userdomain, Username: $env:username"

    # Remember the event kind so the Teams card built further down can report it.
    If ($Twh) { $EStatus = "Logon" }
}

# If the -Logoff switch is used, register it as a logoff.
If ($Logoff)
{
    Write-Log -Type Logoff -Event "Device: $env:COMPUTERNAME, Domain: $env:userdomain, Username: $env:username"

    # When both switches are given, both lines are logged and the Teams card says "Logoff".
    If ($Twh) { $EStatus = "Logoff" }
}

# If the teams switch is used, get the webhook uri from the txt file.
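# If the Teams option is used, read the webhook URI from the txt file and post the event.
If ($Twh)
{
    # Only the first non-blank line is used, trimmed, so a trailing newline or
    # stray whitespace in the file does not produce an invalid -Uri value
    # (Get-Content returns an array for multi-line files).
    $Uri = @(Get-Content -Path $Twh | Where-Object { $_.Trim() }) | Select-Object -First 1
    If ($Null -eq $Uri) { throw "Webhook file '$Twh' contains no URI." }
    $Uri = $Uri.Trim()

    # The card carries user, device and domain names; only post them over HTTPS.
    If ($Uri -notmatch '^https://') { throw "Webhook URI in '$Twh' must use https://." }

    # Facts shown on the Teams card. $EStatus is set by the -Logon/-Logoff
    # branches above and is empty if neither switch was given.
    $Facts = @(
        @{ name = 'User:';   value = $env:username },
        @{ name = 'Event:';  value = $EStatus },
        @{ name = 'Device:'; value = $env:COMPUTERNAME },
        @{ name = 'Domain:'; value = $env:userdomain }
    )
    $ResultArr = @(New-Object PSObject -Property @{ facts = $Facts })

    $Body = ConvertTo-Json -Depth 8 @{
        text     = "An event occurred."
        sections = $ResultArr
        title    = "Logon Audit Utility"
    }

    # Fail loudly on a rejected or unreachable webhook rather than continuing silently.
    Invoke-RestMethod -Uri $Uri -Method Post -Body $Body -ContentType 'application/json' -ErrorAction Stop
}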

## End