Track Ip Address From Eveint Viewer

[alexmartin]

Guys,

I am worried about how to track an IP address from event viewer which is having more than 100 or 200 incoming connections to my server. But I am afraid as I can track those suspected IP address by using netstat but this is used to track the live connections only. But I want suspected IP address which was affected my server past.

Thanks.

 

[ICTCity]

Hi, it's easy.

From technet:

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" _
& strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent " _
& "Where Logfile = 'System'")
For Each objEvent in colLoggedEvents
Wscript.Echo "Category: " & objEvent.Category & VBNewLine _
& "Computer Name: " & objEvent.ComputerName & VBNewLine _
& "Event Code: " & objEvent.EventCode & VBNewLine _
& "Message: " & objEvent.Message & VBNewLine _
& "Record Number: " & objEvent.RecordNumber & VBNewLine _
& "Source Name: " & objEvent.SourceName & VBNewLine _
& "Time Written: " & objEvent.TimeWritten & VBNewLine _
& "Event Type: " & objEvent.Type & VBNewLine _
& "User: " & objEvent.User
Next

Also, if you need something more complex...

http://gallery.technet.microsoft.com/scriptcenter/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=logs&f%5B0%5D.Text=Logs%20and%20monitoring

There are plenty of examples you can use

 

[alexmartin]

Hi,

Thank you! But I haven't much knowledge in Windows in spcefically Event Viewer.

Can you please let me know do i need to make this as batch file and run it in command prompt.

Can you able to point me clearly to find such connection IP addresses in Event viewer.

Thanks again.

 

[ICTCity]

Ok, do you have any knowledge of PowerShell or VBScript?

Starting from here:
http://gallery.technet.microsoft.com/scriptcenter/ccc4f445-6c19-4300-9210-d8b200ab18ef

you can easily retrieve all the events that you need and then, decide: write to file, send an e-mail, ...

Everything depends on what do you want to do AND your knowledge.

 

[alexmartin]

Hi,

Sorry, I haven't knowledge anything about this, If you provide some steps to make this successfuly that would be great.

 

[ICTCity]

Well...

Copy this code in a text file:

$Log = "Application" 
$Computer ="." 
$ID = "1002"  
$Type = "Error" 

##The above are your standard Event Viewer attributes, to choose the system log, replace the word Application 
##To view Warnings or Information, replace the word Error 


$Objlog = New-Object system.diagnostics.eventLog($Log, $Computer) 
#$Objlog = $Objlog | Where-object { $_.EntryType -like $Type } 
#$Objlog.entries | select -last 5000 

$result = $Objlog.entries | where { $_.EntryType -like "[$Type]*" } | select -last 2 | out-string 
## On the above, you can amend the 'select -last 2 to whichever number of entries you would like to pull back 

write-host $result

As written in the code itself, replace APPLICATION with the event log you need to check. Same thing for ERROR and ID.

Save this file as WHATEVER.ps

Run it from powershell and notice that you will have an output with the information needed.