
Re: Find out which user disconnected from the system and whether they tried to reconnect into the system or not


Marcel Müller

22 Aug 2015, 7:05:08 AM

On 11.08.2015 at 05:35, T Ton wrote:
> So I have this log file:
[...]
> Every time the string "1=Login" means the user connected to the
> system. Every time the string "Closing connection IP" means the user
> was disconnected from the system.
>
> Now I'm trying to determine "Did the user disconnect from the
> system? If so, did they try to reconnect back into the system?"
>
> I don't know how to approach this. Maybe find a way to keep a history
> of each user?

Quite correct, but you will need to keep a history not only of the
users, but of the corresponding IPs, too. If logins happen purely
sequentially (you get the request from one IP, the user logs in, you get a
request from another IP, another user logs in) this will be possible;
otherwise you'll get mix-ups (request from IP 1, request from IP 2,
user A logs in from IP 1, user B logs in from IP 2), since you cannot
reliably determine which user connected from which IP according to your log.

If sequential:
You will need to parse the file and filter for the service client (IP),
store that and look for the next login-request, store that one too and
then save both values:

<#
initialize $i with zero for the first element
make $list a hashtable
add new elements, which are (named) hashtables themselves
#>

$i = 0
$list = @{}
$list.add($i,@{user="PUT_USERNAME_HERE";ip="PUT_IP-ADDRESS_HERE"})
# or, if you want to store a connection status within each element:
# $list.add($i,@{user="PUT_USERNAME_HERE";ip="PUT_IP-ADDRESS_HERE";connected=$TRUE})
$i++

Later on, you can go through your list and display all users:
for ($i=0; $i -lt $list.count; $i++) {$list[$i].user}

You don't actually need to display them; you can do something else in
the {} block and figure out whether a name has already been stored, or
whatever you want:

for ($i=0;$i -lt $list.count; $i++) {if ($list[$i].user -eq "user1")
{write-host "match:" $list[$i].user "from IP:" $list[$i].ip}}


So when you parse your log, you can get the IP, then get the
corresponding login, and store both values, maybe with an extra entry to
store the connection status; this way, you could check if there's an
existing connection and the user tries to open a second, parallel
connection. You can loop through the hashtable and search whether a string
you grab from your logfile already exists as a user entry.

If you want to test for existing entries before adding new ones, you
can create an array while parsing:

$entry = @(0,1)
$entry[0] = "username"
$entry[1] = "IP"

Then have a boolean variable to store a possible match and loop through
the hashtable:

$previous = $false
for ($i=0;$i -lt $list.count; $i++) {if ($list[$i].user -eq $entry[0])
{$previous = $true}}

This way, you can test your hashtable before adding new entries to it:

if ($previous -eq $false) {$list.add ...} else {write-host "there already is an entry with this username present"}

I have put the above code together for a quick test, so see for yourself
(change $entry[0] to something else to have no match and add the new entry):

$i = 0
$list = @{}
$list.add($i,@{user="user2";ip="2.2.2.2";status=$true})
$i++
$list.add($i,@{user="user1";ip="1.1.1.1";status=$true})
$i++
$list.add($i,@{user="user3";ip="3.3.3.3";status=$true})
$i++
$entry = @(0,1)
$entry[0]="user1"
$entry[1]="1.1.1.1"
$found_previous = $false
# note: write-host's arguments must stay on one line, otherwise the wrapped
# remainder is parsed as a separate (invalid) statement
for ($i=0;$i -lt $list.count; $i++) {if ($list[$i].user -eq $entry[0])
{$found_previous = $true ; write-host "Found previous login:" $list[$i].user "from IP:" $list[$i].ip}}
if ($found_previous -eq $false)
{$list.add($i,@{user=$entry[0];ip=$entry[1];status=$true})} else
{write-host "user already exists"}


I leave the parsing of your log to yourself. You can use select-string
or the .substring method to extract the data you'll need from your file to
store away.
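The per-user history sketched in the reply, carried through to the original question (did the user disconnect, and did they reconnect or open a parallel session), as an added example that is not part of the original post. The log line format is invented here, since the thread's sample log was elided, and the script assumes logins are strictly sequential as the reply requires.

```powershell
# Added example, not from the original post. The log format below is invented
# (the thread's sample log was elided); assumes logins are strictly sequential.
$sampleLog = @(
    '2015-08-11 05:30:01 Connection from IP 1.1.1.1',
    '2015-08-11 05:30:02 1=Login user=alice',
    '2015-08-11 05:31:10 Connection from IP 2.2.2.2',
    '2015-08-11 05:31:11 1=Login user=bob',
    '2015-08-11 05:40:00 Closing connection IP 1.1.1.1',
    '2015-08-11 05:40:30 Connection from IP 1.1.1.1',
    '2015-08-11 05:40:31 1=Login user=alice',
    '2015-08-11 05:41:00 Connection from IP 3.3.3.3',
    '2015-08-11 05:41:01 1=Login user=bob'
)
$sessions  = @{}     # user -> @{ip; connected; disconnects; reconnects}
$pendingIp = $null   # IP seen but not yet matched to a login
foreach ($line in $sampleLog) {
    if ($line -match 'Connection from IP (\S+)$') {
        $pendingIp = $Matches[1]
    }
    elseif ($line -match '1=Login user=(\S+)') {
        $user = $Matches[1]
        if (-not $sessions.ContainsKey($user)) {
            $sessions[$user] = @{ip=$pendingIp; connected=$true; disconnects=0; reconnects=0}
        }
        elseif ($sessions[$user].connected) {
            # existing live session: the user opened a second, parallel connection
            Write-Host "$user opened a parallel connection from $pendingIp (still on $($sessions[$user].ip))"
        }
        else {
            $sessions[$user].reconnects++
            $sessions[$user].connected = $true
            $sessions[$user].ip = $pendingIp
        }
        $pendingIp = $null
    }
    elseif ($line -match 'Closing connection IP (\S+)$') {
        $ip = $Matches[1]
        # mark whichever user is currently attached to this IP as disconnected
        foreach ($user in @($sessions.Keys)) {
            if ($sessions[$user].connected -and $sessions[$user].ip -eq $ip) {
                $sessions[$user].connected = $false
                $sessions[$user].disconnects++
            }
        }
    }
}
foreach ($user in $sessions.Keys) {
    $s = $sessions[$user]
    Write-Host ("{0}: disconnected {1} time(s), reconnected {2} time(s), connected now: {3}" -f $user, $s.disconnects, $s.reconnects, $s.connected)
}
```

On the constructed input, alice is reported as disconnected once and reconnected once, while bob's second login while still connected is flagged as a parallel connection.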