krypted.com

Tiny Deathstars of Foulness

Tomcat logs events into the system log. You can use the get-wmiobject commandlet to see events. Here, we’ll look at a JSS and view only system events:

Get-WmiObject Win32_NTLogEvent -ComputerName $jss -Filter "LogFile='system'

We can then use AND to further constrain to specific messages, in this case those containing Tomcat:

Get-WmiObject Win32_NTLogEvent -ComputerName $jss -Filter "LogFile='system' AND (Message like '%Tomcat%')

We can then further constrain output to those with a specific EventCode with another compound statement:

Get-WmiObject Win32_NTLogEvent -ComputerName $jss -Filter "LogFile='system' AND (Message like '%Tomcat%') AND (EventCode=1024)

For a comprehensive list of Windows event codes, see https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx.

You could instead use get-eventlog to see system logs. For example, the following will list the latest 100 entries in the system log:

Get-Eventlog -LogName system -Newest 1000

And the following lists the number of unique entries in descending order using Sort-Object, along with the -Property option set to count:

Get-Eventlog -LogName system -Newest 1000 | Sort-Object -Property count -Descending

And the following would additionally constrain the output to entries with the word Tomcat using the -Message option:

Get-Eventlog -LogName system -Newest 1000 -Message "*Tomcat*" | Sort-Object -Property count -Descending

And to focus on a server called jss, use the -ComputerName option:

Get-Eventlog -LogName system -Newest 1000 -Message "*Tomcat*" -ComputerName "localhost" | Sort-Object -Property count -Descending

July 11th, 2017

Posted In: JAMF, Windows Server

Tags: , , , , , , ,

Leave a Comment

As an author of technical books, I’ve been very interested in the comings and goings of technical books for a long time. This new Instagram feed is an expedition into what once was and how quickly the times change. Feed is embedded into a page on krypted to make it easier to see. Curious how many of my books are now “Dead Tech Books”…

Screen Shot 2015-01-31 at 7.11.24 PM

February 1st, 2015

Posted In: Articles and Books, public speaking

Tags: , , , , , , , ,

The default logs in Windows Server can be tweaked to provide a little better information. This is really helpful, for example, if you’re dumping your logs to a syslog server. Here’s a script that can make it happen with a few little tweaks to how we interpret data (to be run per host, just paste into a Powershell interface as an administrator):

auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable
auditpol /set /subcategory:"Other System Events" /success:disable /failure:enable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable /failure:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable
auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Registry" /success:enable /failure:enable
auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable
auditpol /set /subcategory:"SAM" /success:disable /failure:disable
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable
auditpol /set /subcategory:"Handle Manipulation" /success:disable /failure:disable
auditpol /set /subcategory:"File Share" /success:enable /failure:enable
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
auditpol /set /subcategory:"Other Object Access Events" /success:disable /failure:disable
auditpol /set /subcategory:"Sensitive Privilege Use" /success:disable /failure:disable
auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:disable /failure:disable
auditpol /set /subcategory:"Other Privilege Use Events" /success:disable /failure:disable
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable
auditpol /set /subcategory:"DPAPI Activity" /success:disable /failure:disable
auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable
auditpol /set /subcategory:"Other Policy Change Events" /success:disable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Replication" /success:disable /failure:disable
auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable /failure:disable
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable

eventviewer

April 23rd, 2014

Posted In: Windows Server

Tags: , , , , , , , , , , ,

You can use PowerShell to pretty much get anything you want out of Active Directory. Let’s say you want to see when the last time a user changed their password was. You can use the Get-ADUser commandlet to obtain any attribute for a user in the Active Directory schema. To use Get-ADUser, you’ll need to define a scope. In this example, we’ll do so using the -filter option and filter for everyone, using an *. That could be a lot of data, so we’re also going to look for the property, or attribute of PasswordLastSet using the -Properties option:

Get-ADUser –filter * -Properties PasswordLastSet

We can then add a little more logic and pipe the output to a conditional statement that just looks at who hasn’t ever changed their password.

Get-ADUser –filter * -Properties PasswordLastSet | Where { $_.passwordLastSet –eq $null }

A more common task, we could also look for the last 90 days, using “(get-date).adddays(-90)” in our filter. We don’t want to display disabled users, so we could do something like this (note the curly brackets allow us to compound search):

Get-ADUser -filter {(passwordlastset -le $90days) -AND (enabled -eq $True)}

April 1st, 2014

Posted In: Active Directory, Windows Server

Tags: , , , , , ,

I recently needed to check and see whether a backup drive (which was just a 4TB USB drive) was plugged into a server. But the server had no GUI, so I had to use the command line. There was no drive letter mapped to this drive, so I needed to use something else and I needed to make a script that could be used long-term. Luckily, PowerShell can be used to obtain WMI information on the hardware installed on a computer. This allows administrators to query WMI about the USB devices currently installed on a server. In the following command, we’re going to use gwmi from PowerShell and we’re going to query
for Win32_USBControllerDevice. We’re going to run the command against the computer name in question (example here is host.krypted.com although if we left the -computername option off it would run against the host the command is run on).

Get-WMiObject Win32_USBControllerDevice -computername host.krypted.com | fl Antecedent,Dependent

This will apply a filter, similar to using grep in bash. That filters only the antecedent and dependent fields from the host.krypted.com computer. You could also remove the pipe and pull a full export, but if I’m using this in a script the less data to parse the better. If you think of WMI as containing a big tree about the hardware installed, the filter for Antecedent brings back what must be running in order for the drive to be present and the Dependent returns those that are dependent on the drive.

You can also obtain a lot more information through WMI. For example, you can pull information from any of the WMI classes, such as win32_bios

Get-WmiObject win32_bios -computername host.krypted.com

Note, you can derive properties and methods for a given class by using the get-member commandlet:

Get-WmiObject win32_bios | get-member

Once you know which property you need, you can then parse the information a little further to get a very specific answer:

get-wmiobject win32_bios -computername host.krypted.com | Select-Object displayname

Finally, you can shorten this by replacing the Get-WmiObject commandlet with gwmi, which is an alias for that command. Test it out, if you like:

gwmi win32_bios | get-member

March 28th, 2014

Posted In: Windows Server, Windows XP

Tags: , , , ,

Microsoft doesn’t want any old tool to execute PowerShell scripts. But sometimes when we’re running a tool, we need the tool to be run in a way that violates the default execution policy. In order to facilitate this, Microsoft has also provided four levels of security for the PowerShell execution policy. These include:

  • Restricted: The default execution policy, which forces commands to be entered interactively.
  • All Signed: Only signed scripts can be run by a trusted publisher.
  • Remote Signed: Any scripts created locally can run.
  • Unrestricted: Any script can run.

To configure an execution policy interactively, simply use the Set-ExecutionPolicy command followed by the name of the execution policy you wish to use. So to run the policy as unrestricted (e.g. while you’re in the midst of a deployment), you could run the following:

Set-ExecutionPolicy Unrestricted

Once run, use the Get-ExecutionPolicy with no options to see that the execution policy is configured as desired:

Get-ExecutionPolicy

March 27th, 2014

Posted In: Windows Server

Tags: , , , , , , ,

On a Mac, I frequently use the tail command to view files as they’re being written to or in use. You can use the Get-EventLog cmdlet to view logs. The Get-EventLog cmdlet has two options I’ll point out in this article. The first is -list and -newest.

The first is used to view a list of event logs, along with retention cycles for logs, log sizes, etc.

Get-EventLog -list

You can then take any of the log types and view information about them. To see System information:

Get-EventLog System

There will be too much information in many of these cases, so use the -newest option to see just the latest:

Get-EventLog system -newest 5

The list will have an Index number and an EventID. The EventID can then be used to research information about each error code. For example, at http://eventid.net.

February 8th, 2014

Posted In: Microsoft Exchange Server, Windows Server, Windows XP

Tags: , , , , , , , , , , ,

If you use Symantec’s Enterprise Vault solution and you need to migrate the SQL tables for Enterprise Vault to another server, you might have noticed that it’s not as simple as dumping tables from one host, restoring tables to another and changing some information on the Enterprise Vault server. This process takes a lot of time and is a relatively painful endeavor.

But now Symantec has made the process much simpler, releasing a migration tool just for the database, available here: http://www.symantec.com/business/support//index?page=content&id=TECH214373

I guess they were listening to customers who complained about the process. Good for them!

January 28th, 2014

Posted In: Microsoft Exchange Server

Tags: , , , , , ,

Windows Server tracks the sessions that have been authenticated into the system, those that have been timed out, those that have errored, kb sent/received, response time, errors, permission problems, password problems, files opened, print job spooling and buffers quickly and easily. Simply use the net command we’ve all been using for 20 years, followed by stats or statistics:

net statistics

When prompted choose server or workstation. In this case, we’ll use Server.

net statistics Server

Here’s the output from a new server:

Screen Shot 2013-12-01 at 11.21.50 PM

And if you’re trying to troubleshoot client/server communications, keep in mind that you can look at much of this on the workstation side as well, but from the client perspective:

net statistics Workstation

Screen Shot 2013-12-01 at 11.23.34 PM

December 16th, 2013

Posted In: Windows Server, Windows XP

Tags: , , , , , , , ,

By default, when you require an SSL certificate in IIS on an Exchange server, if users hit the page without providing an https:// in front they will get an error. Rather than require certificates, it’s better in most cases to redirect unsecured traffic to a secured login page. In order to do so, first configure the redirect. To do so, open IIS Manager and click on the Default Web Site.

At the bottom of the pane for the Default Web Site, click Features View if not already selected.
Screen Shot 2013-12-02 at 1.17.09 PM
Then open HTTP Redirect. Here, check the box for “Redirect requests to this destination” and provide the path to the owa virtual directory (e.g. https://krypted.com/owa).

Screen Shot 2013-12-02 at 1.18.03 PMIn the Redirect Behavior section, select the “Only redirect requests to content in this directory (not subdirectories)” check box and set the Status code to “Found (302)”.

In the Actions pane to the right of the screen, click Apply. Then click on Default Web Site again and open the SSL Settings pane. Here, uncheck the box for Require SSL.

Screen Shot 2013-12-02 at 1.17.19 PMOnce done, restart IIS by right-clicking on the service and choosing Restart or by running iisreset:

iisreset /noforce

Next, edit the offline address book web.config file on the CAS, stored by default at (assuming Exchange is installed on the C drive) C:\Program Files\Microsoft\Exchange Server\\ClientAccess\oab. To edit, right-click web.config and click Properties. Then click Security and then Edit. Under Group, click on Authenticated Users. Then click Read & execute for Authenticated Users in Permissions. Then click OK to save your changes.

Finally, if you have any issues with any messages not working, start the IIS Manager. Then browse to the virtual directories and open HTTP Redirect. Then uncheck “Redirect requests to this destination” and click Apply. When you’re done, restart IIS again and test the ability to send and receive emails to make sure that mail flow functions without error from within the web interface.

December 6th, 2013

Posted In: Microsoft Exchange Server, Windows Server

Tags: , , , , , , , , ,

Next Page »