I need to figure out who has logged into an endpoint. We have a SID history table that I am using as a conversion table. This will result in a username instead of SID. The connection works fine, but it only inserts one event from the event log.
I included the insert statement into the foreach loop. What am I missing?
The sample host I am running this on has over 15 events, I need to insert all 15 of those events into a MySQL database so I can query for what machines a specific SID has logged into.
Below is the simple and ugly code. The connection works, but is only inserting one row at a time.
# MySQL Connection string #
function Connect-MySQL([string]$user,[string]$pass, [string]$MySQLHost,[string]$database) {
# Load MySQL .NET Connector Objects
[void][system.reflection.Assembly]::LoadWithPartialName("MySql.Data")
$connStr = "server=" + $MySQLHost + ";port=3306;uid=" + $user + ";pwd=" + $pass + ";database="+$database+";Pooling=FALSE"
$conn = New-Object MySql.Data.MySqlClient.MySqlConnection($connStr)
$conn.Open()
return $conn
}
# Close Conn
function Disconnect-MySQL($conn) {
$conn.Close()
}
# MySQL Connection Vars #
$user = ''
$pass = ''
$database = ''
$MySQLHost = ''
$conn = Connect-MySQL $user $pass $MySQLHost $database
function Execute-MySQLNonQuery($conn, [string]$query) {
$command = $conn.CreateCommand()
$command.CommandText = $query
$RowsInserted = $command.ExecuteNonQuery()
$command.Dispose()
if ($RowsInserted) {
return $RowInserted
} else {
return $false
}
}
$ErrorActionPreference = 'silentlycontinue'
$events = Get-Eventlog -Log system -ComputerName '.' | Where-Object {
(($_.EventID -like "*7001*") -or
($_.EventID -like "*7002*"))
} | Select-Object replacementstrings, machinename, timegenerated ;
foreach ($event in $events) {
$outObj = new-object psobject -Property @{
user = $event.ReplacementStrings[1]
time = $event.timegenerated
machine = $event.machinename
}
$uservar = $outObj.user
$timevar = $outObj.time
$machinevar = $outObj.machine
$query = "INSERT INTO infosec.ewarp_testing (data1,data2,data3) VALUES ('$uservar', '$timevar','$machinevar')"
echo "$uservar $timevar $machinevar"
$Rows = Execute-MySQLNonQuery $conn $query
}
$ErrorActionPreference = 'silentlycontinue'and see if something breaks. Also, verify that$eventsactually contains more than one item. - Ansgar Wiechers