Downloads the access logs from TOPdesk over WebDAV, extracts each log file from its zip archive, parses the authentication entries and outputs one object per logon or logoff. I blogged about this at: https://andrewpla.dev/Inspect-TOPdesk-Access-Logs/
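<#
.SYNOPSIS
Downloads TOPdesk access logs over WebDAV and emits one object per authentication event.

.DESCRIPTION
Maps the TOPdesk WebDAV share as a PSDrive, copies the newest access_log.* archives
to a local folder, expands each archive and parses the [AUTH] lines (completed
logons, "verified by", and logoffs, "logged out") into PSCustomObjects with the
properties Action, Date, UserName, Provider, Realm and Host.

The mapped drive is always removed and, unless -OutputFolder was given, the
temporary folder is always deleted - also when a download or parse step throws.
The log files contain usernames and client IP addresses and should not be left
behind in the temp folder.

.PARAMETER Credential
WebDAV credentials for an account that has the WebDAV Read permission in TOPdesk.

.PARAMETER TOPdeskURL
Host name of the TOPdesk instance, without scheme or path. eg: Support.Company.com, company.topdesk.net

.PARAMETER OutputFolder
Folder to download the logs into. It is created if missing and its contents are kept.
If not provided, the files go into a randomly named folder under your temp folder,
which is removed at the end.

.PARAMETER MonthsBack
How many monthly log folders to look at, counting back from the newest.
Default is 1 (the current month); 3 would cover the last 3 months.

.PARAMETER DaysBack
How many daily access_log.* archives to parse, counting back from the newest within
the selected months. Default is 7.

.OUTPUTS
PSCustomObject, one per parsed logon or logoff entry.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [pscredential]$Credential,
    [Parameter(Mandatory)]
    # The value is spliced into a UNC path below ("\\host@SSL\webdav"); restrict it
    # to host-name characters so a stray '\' or '@' cannot change which server or
    # share gets mapped with the supplied credentials.
    [ValidatePattern('^[A-Za-z0-9.-]+$')]
    [string]$TOPdeskURL,
    $OutputFolder,
    [int]$MonthsBack = 1,
    [int]$DaysBack = 7
)

# Returns the index just past $Token in $Text (searching from $StartAt), or -1.
# String.IndexOf(string) is case-sensitive and culture-aware while the -like
# filter that selects the entries is not, so an entry that passed the filter
# could otherwise return -1 here and be silently sliced at the wrong offset.
function Find-After {
    param([string]$Text, [string]$Token, [int]$StartAt = 0)
    if ($StartAt -lt 0 -or $StartAt -gt $Text.Length) { return -1 }
    $i = $Text.IndexOf($Token, $StartAt, [System.StringComparison]::OrdinalIgnoreCase)
    if ($i -lt 0) { return -1 }
    return $i + $Token.Length
}

# Returns the trimmed text from $Start up to (not including) the next $Terminator;
# with no terminator, or when it is absent, returns the trimmed rest of the line.
# A negative/out-of-range $Start (token not found) yields ''.
function Get-Field {
    param([string]$Text, [int]$Start, [string]$Terminator)
    if ($Start -lt 0 -or $Start -ge $Text.Length) { return '' }
    $end = -1
    if (-not [string]::IsNullOrEmpty($Terminator)) {
        $end = $Text.IndexOf($Terminator, $Start, [System.StringComparison]::Ordinal)
    }
    if ($end -lt 0) { return $Text.Substring($Start).Trim() }
    return $Text.Substring($Start, $end - $Start).Trim()
}

# Parses one "[AUTH] User:" line into a PSCustomObject, or returns $null for
# lines that are neither a completed logon ("verified by") nor a logoff
# ("logged out"). Returning $null (instead of re-emitting a hashtable left over
# from the previous line) is what stops duplicate objects for unrecognised lines.
function ConvertFrom-AuthEntry {
    param([string]$Entry)

    # Timestamp is the leading "[...]" group; strip the brackets.
    $dateEnd = $Entry.IndexOf(']')
    if ($dateEnd -lt 0) { return $null }
    $date = $Entry.Substring(0, $dateEnd).Replace('[', '')

    $userStart = Find-After $Entry '[AUTH] User: '
    $userName  = Get-Field $Entry $userStart ' '

    if ($Entry -like '*logged out*') {
        # Logoff format: "... realm: <realm> from remote host: <host>"
        $realmStart = Find-After $Entry 'realm: ' $userStart
        $realm      = Get-Field $Entry $realmStart ' '
        $hostStart  = Find-After $Entry 'remote host: ' $realmStart
        # The host is the last field on the line; taking the rest of the line
        # also keeps IPv6 addresses and host names intact, which a fixed
        # 16-character slice truncated.
        $hostValue  = Get-Field $Entry $hostStart
        return [PSCustomObject][ordered]@{
            Action   = 'LoggedOut'
            Date     = $date
            UserName = $userName
            Provider = $null   # no provider on logoff; kept so every object has the same shape
            Realm    = $realm
            Host     = $hostValue
        }
    }

    if ($Entry -like '*verified by*') {
        # Logon format: "... verified by <provider> in the <realm> ... remote host <host>"
        $providerStart = Find-After $Entry 'verified by ' $userStart
        $provider      = Get-Field $Entry $providerStart ' '
        # Realm is /tas/secure (operators) or /tas/public (persons).
        $realmStart    = Find-After $Entry 'in the ' $providerStart
        $realm         = Get-Field $Entry $realmStart ' '
        $hostStart     = Find-After $Entry 'remote host ' $realmStart
        $hostValue     = Get-Field $Entry $hostStart
        return [PSCustomObject][ordered]@{
            Action   = 'Verified'
            Date     = $date
            UserName = $userName
            Provider = $provider
            Realm    = $realm
            Host     = $hostValue
        }
    }

    return $null
}

# Resolve the working folder. A caller-supplied folder is created if missing and
# kept; otherwise a uniquely named directory is created under the temp folder.
if ($OutputFolder) {
    if (-not (Test-Path -LiteralPath $OutputFolder)) {
        $null = New-Item -ItemType Directory -Path $OutputFolder
    }
    $Directory = $OutputFolder
} else {
    # Create the directory directly with a random name rather than creating a temp
    # *file*, deleting it and re-creating it as a folder: the delete/create gap let
    # another local user claim the name first, and the round trip was wasted work.
    $Directory = Join-Path ([System.IO.Path]::GetTempPath()) ([System.IO.Path]::GetRandomFileName())
    $null = New-Item -ItemType Directory -Path $Directory
}

$driveName = 'TOPdesk'
$psDriveParams = @{
    PSProvider = 'FileSystem'
    # "@SSL" makes the WebClient redirector talk HTTPS, so the credentials are
    # not sent over plain HTTP.
    Root       = "\\$TOPdeskURL@SSL\webdav"
    Credential = $Credential
    Name       = $driveName
}

try {
    # Discard the PSDriveInfo object: this script's only output should be the
    # parsed log entries, and the original let the drive object leak into the
    # pipeline ahead of them. -ErrorAction Stop turns a failed mapping into a
    # terminating error instead of a cascade of "path not found" errors below.
    $null = New-PSDrive @psDriveParams -ErrorAction Stop

    # Newest $MonthsBack month folders, then the newest $DaysBack daily archives
    # within them. Both steps rely on folder/file names sorting chronologically.
    $archives = Get-ChildItem -LiteralPath 'TOPdesk:\accesslogs\' -Directory |
        Sort-Object Name |
        Select-Object -Last $MonthsBack |
        Get-ChildItem -Filter 'access_log.*' |
        Sort-Object Name |
        Select-Object -Last $DaysBack

    foreach ($archive in $archives) {
        # Copy locally first; -PassThru gives us the local FileInfo to work with.
        $localZip = Copy-Item -LiteralPath $archive.FullName -Destination $Directory -PassThru
        try {
            # -Force overwrites a log file left behind by a previous run into the
            # same -OutputFolder.
            Expand-Archive -LiteralPath $localZip.FullName -DestinationPath $Directory -Force
        } finally {
            Remove-Item -LiteralPath $localZip.FullName
        }

        # Strip only a trailing ".zip"; String.Replace('.zip', '') would also
        # rewrite a ".zip" appearing elsewhere in the path.
        $logPath = $localZip.FullName -replace '\.zip$', ''
        if (-not (Test-Path -LiteralPath $logPath)) {
            # NOTE(review): assumes each archive holds exactly one file named like
            # the archive minus ".zip", as the original did - confirm against TOPdesk.
            Write-Warning "Expected '$logPath' inside '$($archive.Name)' but it was not found; skipping."
            continue
        }

        foreach ($entry in (Get-Content -LiteralPath $logPath)) {
            # Only authentication events; skip handler/provider registration noise.
            if ($entry -notlike '*AUTH] User:*') { continue }
            $parsed = ConvertFrom-AuthEntry -Entry $entry
            if ($null -ne $parsed) { $parsed }
        }
    }
} finally {
    # Unmap explicitly rather than relying on scope teardown, and do it even when
    # something above threw.
    if (Get-PSDrive -Name $driveName -ErrorAction SilentlyContinue) {
        Remove-PSDrive -Name $driveName -Force -ErrorAction SilentlyContinue
    }
    if (-not $OutputFolder) {
        Write-Verbose "Removing directory holding log files. Specify an outputfolder if you want to keep a copy of the log files."
        Remove-Item -LiteralPath $Directory -Recurse -Force
    }
}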