2
\$\begingroup\$

Background

I'm using MS Exchange 2013 in my environment, and have a separate siem box which analyze logs produced by different systems (i.e exchange). The logs for Exchange are internally stored and can however be extracted such as 

Get-MailboxAuditLog -Identity test-mailbox-1 -LogonTypes
Admin,Delegate –ShowDetails -StartDate mm/dd/2014 -EndDate mm/dd/2014
| Export-Csv "c:\test-Audit-Results.csv"

Steps taken so far

  • Enabling audit on Exchange
  • Got the command Google which needs to put in a script (above)

My requirements (in algorithm)

  1. check presence of properties file with last collect time.

  2. If file is absent query the data from some period of time before till the current moment:

    1. Search-AdminAuditLog -StartDate (get-date).adddays(-30) -EndDate (get-date) | Export-Csv "c:\admin-results-temp.csv"
    2. remember "get-date" value to properties file
    3. copy "admin-results-temp.csv" file contents to the final file to be forwarder by ALE

  3. If file is present:

    1. Get last collect time calculate difference in time from present time. If time-difference is more then 1 hours ...pull the log again
    2. execute Search-AdminAuditLog with StartDate = date from props file, EndDate = current
    3. remember current time to the props file
    4. copy "admin-results-temp.csv" file contents to the final file to be forwarder by ALE
  4. You can clean up final file once a week to avoid over-grow. ALE will forward it from the beginning at that case.
  5. Schedule the script/code described above to run each minute
  6. Configure ALE in a File Forwarder mode to send file

Note: On part of ALE that part is already automated. No need for file-forwarding required.

I want the above algorithm in a power shell script.

Current code:

<#
#>
#...................................
# Variables
#...................................
$check_collect_last
#...................................
# Initialize
#...................................
#Set recipient scope
2007ドルsnapin = Get-PSSnapin -Name Microsoft.Exchange.Management.PowerShell.Admin
if (2007ドルsnapin)
{
 $AdminSessionADSettings.ViewEntireForest = 1
}
else
{
 2010ドルsnapin = Get-PSSnapin -Name Microsoft.Exchange.Management.PowerShell.E2010
 if (2010ドルsnapin)
 {
 Set-ADServerSettings -ViewEntireForest $true
 }
}
#If no filename specified, generate report file name with random strings for uniqueness
 $source=c:\results-audit 
 $check_last = (ls $source).LastWriteTime
#...................................
# Script
#...................................
#Add dependencies
Import-Module ActiveDirectory
#Get the mailbox list
$mailboxcount = $mailboxes.count
$i = 0
$mailboxdatabases = @(Get-MailboxDatabase)
$directoryInfo = Get-ChildItem C:\Mail-audit-results | Measure-Object
$directoryInfo.count #Returns the count of all of the files in the directory
If $directoryInfo.count -eq 0
{
#Loop through mailbox list
foreach ($mb in $mailboxes)
{
 $i = $i + 1
 $pct = $i/$mailboxcount * 100 
 Write-Progress -Activity "Collecting audit details for Mail admin" -Status "Processing mailbox $i of $mailboxcount - $mb" -PercentComplete $pct
 $Startdate=((Get-Date).adddays(-30)).ToShortDateString()
 $Enddate=(Get-Date).ToShortDateString()
 $check_collect_last=Get-Date -format HH:mm:ss
 $auditAdmin_search = $mb | Search-MailboxAuditLog -Identity $i -LogonTypes Admin,Delegate –ShowDetails -StartDate $Startdate -EndDate $Enddate | Export-Csv "c:\Mail-audit-results\Temp-Audit-Results.csv" 
 #appending file to final audit csv file
 [System.IO.File]::ReadAllText("c:\Mail-audit-results\Temp-Audit-Results.csv") | Out-File c:\Mail-audit-results\Final-mail-admin.csv -Append -Encoding Unicode 
}
}
else
 # if difference between last collect time and present is more then #1 hours collect logs in cycle / hrs
$Now = Get-Date -format HH:mm:ss
 $check_collect_last = New-TimeSpan $check_collect_last $Now
 if ($check_collect_last.Hours -gt 1) 
 {
 foreach ($mb in $mailboxes)
{
$i = $i + 1
 $pct = $i/$mailboxcount * 100 
 Write-Progress -Activity "Collecting audit details for Mail admin" -Status "Processing mailbox $i of $mailboxcount - $mb" -PercentComplete $pct
 $Startdate=((Get-Date).ToShortDateString()
 $Enddate=(Get-Date).ToShortDateString()
 $auditAdmin_search = $mb | Search-MailboxAuditLog -Identity $i -LogonTypes Admin,Delegate –ShowDetails -StartDate -EndDate $Enddate | Export-Csv "c:\Mail-audit-results\Temp-Audit-Results.csv
 $check_collect_last=$Startdate
}
 }
 else
 return 0

This is my first powershell script. I'd appreciate it if someone can suggest/review if possible, especially in regard to date functions.

Jamal
35.2k13 gold badges134 silver badges238 bronze badges
asked Apr 23, 2014 at 10:22
\$\endgroup\$

1 Answer 1

1
\$\begingroup\$

You have multiple syntax errors. As a start, I would fix those. Also, fix up the indenting to make it easier to see what is going on. Which editor are you using? You could try using the PowerShell ISE. It will show you some of your errors with red wiggly lines.

As a general strategy, I would suggest writing your code step-by-step. Get one thing working before moving on to the next. Break your code up into functions.

answered May 9, 2014 at 0:05
\$\endgroup\$

Your Answer

Draft saved
Draft discarded

Sign up or log in

Sign up using Google
Sign up using Email and Password

Post as a guest

Required, but never shown

Post as a guest

Required, but never shown

By clicking "Post Your Answer", you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.