Posts Tagged ‘file’
Currently I am having an issue with not knowing information about the servers I am responsible for. I am not happy not knowing things. I spent a little time gathering different parts of different scripts (hacker / script kiddie style) and compiling them into one Visual Basic Script. This script is designed to work against Dell servers. It will ask the computer for its name, the OS, OS version number, Service Packs, bit level (32 or 64 bit), Dell warranty info, a list of local users, and a list of local groups and the users in the groups. It takes the list of servers from “hosts.txt”, which is just a list of servers or IP addresses, one per line. It will write all the information it gathers into a file called “report.txt”.
Download the .VBS File
Here is the code:
Option Explicit
Dim url, svctag, wshShell, wshNetwork
Dim strComputer, colGroups, objGroup, objUser
Dim objWMIService, colItems, objItem
Dim warrantyRows, warrantyCols
Dim objsvc, svccount, errorChecking, svc, objNetwork, colAccounts
Dim get_OS_Bit, info, strComputer2, oReg, strKeyPath, strValueName, strValue
Dim objShell, objIE, objWMI
Dim colOSes, objOS
Dim objFSO, objTextFile, objTextFileW, objTextFileO, strNextLine, arrServiceList
Dim i, result
Const ForReading = 1
Const ForAppending = 8
Const HKEY_LOCAL_MACHINE = &H80000002

' report.txt is appended to (and created if missing); hosts.txt holds one server per line
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFileW = objFSO.OpenTextFile("report.txt", ForAppending, True)
Set objTextFileO = objFSO.OpenTextFile("hosts.txt", ForReading)

Do Until objTextFileO.AtEndOfStream
  strNextLine = objTextFileO.ReadLine
  arrServiceList = Split(strNextLine, ",")
  strComputer = arrServiceList(0)
  WScript.Echo strComputer
  On Error Resume Next

  ' Connect to the target before the first query; otherwise the computer name
  ' would come from the previous host's connection (or from nothing at all).
  Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\cimv2")
  Set colOSes = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
  For Each objOS in colOSes
    objTextFileW.WriteLine "########################################"
    objTextFileW.WriteLine
    objTextFileW.WriteLine "========================================"
    objTextFileW.WriteLine "== Computer Info =="
    objTextFileW.WriteLine "========================================"
    objTextFileW.WriteLine "Computer Name : " & objOS.CSName
  Next
  objTextFileW.WriteLine

  Set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
  Set colItems = objWMI.ExecQuery("SELECT * FROM Win32_OperatingSystem",,48)
  For Each objItem in colItems
    objTextFileW.WriteLine "Operating System : " & objItem.Caption
    objTextFileW.WriteLine "OS Version Number : " & objItem.Version
    objTextFileW.WriteLine "Service Pack : " & objItem.ServicePackMajorVersion
    objTextFileW.WriteLine
  Next

  ' Work out 32/64 bit from the processor identifier in the remote registry
  Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
  strKeyPath = "HARDWARE\DESCRIPTION\System\CentralProcessor\0"
  strValueName = "Identifier"
  oReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue
  If (InStr(strValue, "x86")) Then
    get_OS_Bit = "32"
  ElseIf (InStr(strValue, "64")) Then
    get_OS_Bit = "64"
  Else
    get_OS_Bit = "NotSure"
  End If
  objTextFileW.WriteLine "OS is : " & get_OS_Bit & "bit"
  objTextFileW.WriteLine

  objTextFileW.WriteLine "========================================"
  objTextFileW.WriteLine "== Get the Dell warranty information =="
  objTextFileW.WriteLine "========================================"
  url = "http://support.dell.com/support/topics/global.aspx/support/my_systems_info/details?c=us&cs=RC956904&l=en&s=hied&~lt=bodyonly&~wsf=tabs&servicetag="
  Set objIE = CreateObject("internetexplorer.application")
  Set objShell = WScript.CreateObject("WScript.Shell")
  Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
  ' Under On Error Resume Next this only sets Err; the script carries on
  If InStr(UCase(objWMI.ExecQuery("Select Manufacturer From Win32_ComputerSystem").ItemIndex(0).Manufacturer), "DELL") = 0 Then Err.Raise 2, "This is not a Dell dude!", "No Service Tag"
  svctag = objWMI.ExecQuery("Select SerialNumber from Win32_BIOS").ItemIndex(0).SerialNumber
  objTextFileW.WriteLine "Service Tag : " & svctag
  objIE.Navigate url & svctag
  Do While objIE.ReadyState <> 4 : WScript.Sleep 50 : Loop
  ' Scrape the warranty table out of the Dell support page
  Set warrantyRows = objIE.document.getElementsByTagName("table").item(1).getElementsByTagName("table").item(2).getElementsByTagName("table").item(0).getElementsByTagName("tr")
  For i = 1 To warrantyRows.length - 1
    Set warrantyCols = warrantyRows.item(i).getElementsByTagName("td")
    objTextFileW.WriteLine "Description : " & warrantyCols.item(0).innerText
    objTextFileW.WriteLine "Provider : " & warrantyCols.item(1).innerText
    objTextFileW.WriteLine "Warranty Extension : " & warrantyCols.item(2).innerText
    objTextFileW.WriteLine "Start Date : " & warrantyCols.item(3).innerText
    objTextFileW.WriteLine "End Date : " & warrantyCols.item(4).innerText
    objTextFileW.WriteLine "Days Left : " & warrantyCols.item(5).innerText
    objTextFileW.WriteLine
  Next
  objIE.Quit ' do not leave one hidden Internet Explorer process behind per host

  objTextFileW.WriteLine "========================================"
  objTextFileW.WriteLine "== List all local users =="
  objTextFileW.WriteLine "========================================"
  Set objNetwork = CreateObject("Wscript.Network")
  'strComputer = objNetwork.ComputerName
  Set colAccounts = GetObject("WinNT://" & strComputer & "")
  colAccounts.Filter = Array("user")
  For Each objUser In colAccounts
    objTextFileW.WriteLine "Local User : " & objUser.Name
  Next
  objTextFileW.WriteLine

  objTextFileW.WriteLine "==========================================="
  objTextFileW.WriteLine "== List all local groups and their users =="
  objTextFileW.WriteLine "==========================================="
  Set colGroups = GetObject("WinNT://" & strComputer & "")
  colGroups.Filter = Array("group")
  For Each objGroup In colGroups
    objTextFileW.WriteLine "Group : " & objGroup.Name
    For Each objUser in objGroup.Members
      objTextFileW.WriteLine "User : " & objUser.Name
    Next
    objTextFileW.WriteLine
  Next

  objTextFileW.WriteLine "== List all services =="
  Set objsvc = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2").ExecQuery("SELECT * FROM Win32_Service")
  For Each svc in objsvc
    objTextFileW.WriteLine "Service : " & svc.DisplayName
    objTextFileW.WriteLine "Current Status : " & svc.State
    objTextFileW.WriteLine "Startup Type : " & svc.StartMode
    objTextFileW.WriteLine "Run Server As : " & svc.StartName
    objTextFileW.WriteLine
  Next
  objTextFileW.WriteLine
Loop
objTextFileO.Close
objTextFileW.Close
I have used OSSEC in the past to watch the file system for changes. When I found that I can have the Splunk agent handle the monitoring itself, I was pretty excited. Since I would send my OSSEC data to Splunk anyways, it just seemed logical to have Splunk do everything.
In Windows, you need to edit the “c:\program files\Splunk\etc\system\local\inputs.conf” file. Of course, your path could be different if you installed it in a different place. There are a lot of options and switches you can use. I went for the simplest set.
[fschange:d:\temp]
recurse=true
pollPeriod=3600
This will monitor the d:\temp folder and all files and folders under it. It will check the system every 3600 seconds (1 hour).
This has helped me keep track of the changes in my servers. I can see when a file was added/deleted/changed (due to the hash) and then look at who was logged in during the period that the file was changed.
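The correlation described above, sketched as an added example (not code from the original post, and not Splunk's implementation): a poll that reports a change at time T only shows that the change happened within one pollPeriod before T, so every logon session overlapping that window is a candidate. The snapshot hashes, paths, session list and function names are all constructed for illustration.

```python
from datetime import datetime, timedelta

POLL_PERIOD = timedelta(seconds=3600)  # pollPeriod from the stanza above

def diff_snapshots(prev, curr):
    """Classify paths by comparing two polls of {path: content_hash}."""
    events = {}
    for path in prev.keys() | curr.keys():
        if path not in prev:
            events[path] = "added"
        elif path not in curr:
            events[path] = "deleted"
        elif prev[path] != curr[path]:
            events[path] = "changed"
    return events

def change_window(detected_at, poll_period=POLL_PERIOD):
    """A change reported by one poll happened after the previous poll."""
    return detected_at - poll_period, detected_at

def sessions_in_window(sessions, window):
    """Users whose session overlaps the window; logoff None = still logged on."""
    start, end = window
    return sorted({user for user, logon, logoff in sessions
                   if logon <= end and (logoff is None or logoff >= start)})

# Constructed sample data: hashes, paths, times and user names are made up.
PREV = {r"d:\temp\app.config": "a1", r"d:\temp\old.log": "b2"}
CURR = {r"d:\temp\app.config": "c3", r"d:\temp\new.exe": "d4"}
DETECTED = datetime(2010, 3, 1, 14, 0)  # time of the poll that saw the changes
SESSIONS = [
    ("alice", datetime(2010, 3, 1, 8, 0), datetime(2010, 3, 1, 12, 30)),
    ("bob", datetime(2010, 3, 1, 13, 20), datetime(2010, 3, 1, 13, 45)),
    ("carol", datetime(2010, 3, 1, 13, 50), None),
    ("dave", datetime(2010, 3, 1, 14, 5), None),
]

if __name__ == "__main__":
    for path, kind in sorted(diff_snapshots(PREV, CURR).items()):
        print(kind, path)
    window = change_window(DETECTED)
    print("candidates:", sessions_in_window(SESSIONS, window))
```

With a 60-second poll period the same data narrows to a single candidate, which is the trade-off against the hourly setting.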
Splunk article on the switches and FSCHANGE.
http://www.splunk.com/base/Documentation/4.0.3/Admin/Monitorchangestoyourfilesystem
recurse=true
followLinks=false
pollPeriod=60