This post follows on from my earlier post about AD login logging where we covered how to create a .csv log file containing all your user logins on your machines.
Building on that script, wouldn’t it be handy if we could have that information sent to us via an email or text every time a certain account logs in, namely the administrator account.
This is particularly handy if you want to keep tabs on a certain account showing when / where its being used and allowing you to act quickly and mitigate should the activity be unauthorized.
Lets grab the bits we need from the logging script to use here.
REM Gathering information to send in an alert
set "val1=%DATE%"
set "val2=%TIME%"
set "val3=%USERNAME%"
set "val4=%COMPUTERNAME%"
REM Getting the IP address of the machine
for /f "tokens=1-2 delims=:" %%a in ('ipconfig^|find "IPv4"') do set ip=%%b
set ip=%ip:~1%
echo %ip%
REM Making a string with above variables
set "str=%val1%,%val2%,%val3%,%val4%,%ip%"
Now at this point previously we would save this string to the log .csv file, however instead we are going to email it to the administrator.
To do this we need to use a third party command line mailer tool to send via a server of your choice.
I use and recommend “Mail Alert Simple Mailer” available here. It encrypts the SMTP password in the config file which is a particularly important feature I have found lacking in some other applications.
NOTE: I recommend setting up restrictions for the email account you choose to use for mailing out to only send to specified recipients. This will help to prevent abuse.
Once you have configured your chosen mailer app all you need to do is send the string we have created containing the login data to it. For example using mailalert:
\\server\LogShare\mailalert\MailAlert.exe -s "Admin Login" -b %str%
The above line will send an email with the subject “Admin Login” and the body of the email will contain the string we just set above containing all of the parameters we want.
Note that in the above example I have used a .ini file to configure the mail server settings hence the reason I only specified the subject and body.
As an alternative you can receive alerts via an SMS text message using another third party command line utility, smscmd that can be found here. However this method requires credit to be added to your account otherwise it will fail, hence the reason I prefer to use email and specify my own server.
The above line of code can be added to your NETLOGON script for specified groups of users you wish to alert for and can run alongside the logging code. For example, to log and alert:
REM Gathering information to later use and save into the log
set "val1=%DATE%"
set "val2=%TIME%"
set "val3=%USERNAME%"
set "val4=%COMPUTERNAME%"
REM Getting the IP address of the machine
for /f "tokens=1-2 delims=:" %%a in ('ipconfig^|find "IPv4"') do set ip=%%b
set ip=%ip:~1%
echo %ip%
REM Making a string and then appending it to a csv file stored in a shared area
set "str=%val1%,%val2%,%val3%,%val4%,%ip%"
echo %str% >> //server/LogShare/userlog.csv
REM Alerting of login via email
\\server\LogShare\mailalert\MailAlert.exe -s "Admin Login" -b %str%
And that is all, now you can be alerted whenever someone logs in on your network.