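'**************************************************************************************************
' MOM Script
'
' Name: Collect NT4 Security Events
'
' Function: Collects security events from the specified NT4 PDC/BDC and raises
'           equivalent in MOM.
'
' Parameters: ServerName   - Name of the server.
'             ServerDomain - Domain of the server.
'
' Notes: RPC must be available between agent server and NT4 server.
'        Agent action account must have admin access to NT4 domain.
'        The TimeGenerated of the newest event collected is kept per server as a value
'        named after the server under HKLM\SOFTWARE\MOM\Nt4Servers (GetLastDateTime /
'        SetLastDateTime) and is the lower bound of the next run's query, so each event
'        is raised once. Events whose TimeGenerated equals the stored value are not
'        collected again.
'**************************************************************************************************

'========== Constant definitions
Const strKeyPath = "SOFTWARE\MOM\Nt4Servers"

' MOM event type codes (GetEventTypeCode maps Win32_NTLogEvent.Type text onto these).
Const EVENT_TYPE_SUCCESS = 0
Const EVENT_TYPE_ERROR = 1
Const EVENT_TYPE_WARNING = 2
Const EVENT_TYPE_INFORMATION = 4
Const EVENT_TYPE_AUDIT_SUCCESS = 8
Const EVENT_TYPE_AUDIT_FAILURE = 16

' Registry hive handles for StdRegProv.
Const HKEY_CURRENT_USER = &H80000001
Const HKEY_LOCAL_MACHINE = &H80000002

' ExecQuery flags: wbemFlagReturnImmediately (16) + wbemFlagForwardOnly (32).
Const WBEM_QUERY_FLAGS = 48

' Event numbers raised by this script itself.
Const EVENT_ID_SUMMARY = 101
Const EVENT_ID_COLLECTION_ERROR = 201

'========== Parameters and initial values
Set objParams = ScriptContext.Parameters
strServerName = objParams.Get("ServerName")
strServerDomain = objParams.Get("ServerDomain")

' An empty server name would turn the WMI moniker below into a connection to the agent itself.
If Len(Trim("" & strServerName)) = 0 Then
    CreateEvent "Parameter ServerName is empty; no NT4 server to collect from.", EVENT_ID_COLLECTION_ERROR, EVENT_TYPE_ERROR
    ScriptContext.Quit
End If

' DMTF datetime string (yyyymmddHHMMSS.mmmmmm+UUU) of the newest event collected so far,
' or the agent's current time on the first run for this server.
datLastEventTime = GetLastDateTime(strServerName)
ScriptContext.Echo "Server: " & strServerName

'========== Make the WMI connection to the target computer
On Error Resume Next
Set objWMIService = GetObject("winmgmts:\\" & strServerName & "\root\cimv2")
If Err.Number <> 0 Then
    CreateEvent "Could not connect to WMI on " & strServerName & ". Server is either unavailable or WMI is not available.", EVENT_ID_COLLECTION_ERROR, EVENT_TYPE_ERROR
    ScriptContext.Quit
End If
On Error Goto 0

'========== Build query string and retrieve events from target computer
' RecordNumber is selected explicitly because it is echoed below; with a named SELECT list
' a property that is not listed is not populated on the returned instances.
' datLastEventTime is spliced into the WQL text as-is; it originates from the registry
' watermark or from a TimeGenerated value, never from the script parameters.
strWMIQuery = "SELECT RecordNumber, SourceName, CategoryString, Message, EventCode, Type, InsertionStrings, TimeGenerated " & _
              "FROM Win32_NTLogEvent WHERE Logfile = 'Security' " & _
              "AND TimeGenerated > '" & datLastEventTime & "'"

On Error Resume Next
Set colLoggedEvents = objWMIService.ExecQuery(strWMIQuery, , WBEM_QUERY_FLAGS)
If Err.Number <> 0 Then
    CreateEvent "Security event query failed on " & strServerName & ": " & Err.Description, EVENT_ID_COLLECTION_ERROR, EVENT_TYPE_ERROR
    ScriptContext.Quit
End If
On Error Goto 0

'========== Step through each event
intEventCount = 0
' UTC variant date of the current watermark, converted once rather than per event.
datNewestSeen = ConvertDateFromUTC(datLastEventTime)
For Each objWindowsEvent In colLoggedEvents
    ScriptContext.Echo objWindowsEvent.RecordNumber & "," & objWindowsEvent.EventCode & "," & objWindowsEvent.TimeGenerated
    datEventTimeUTC = ConvertDateFromUTC(objWindowsEvent.TimeGenerated)

    '========== Create MOM event and set properties to Windows event equivalents.
    Set objMOMEvent = ScriptContext.CreateEvent()
    objMOMEvent.UTCTime = datEventTimeUTC
    objMOMEvent.EventSource = objWindowsEvent.SourceName
    objMOMEvent.Category = objWindowsEvent.CategoryString
    ' Collapse doubled line breaks in the message text. Replace() of a Null message
    ' yields Null, so a Null message is skipped instead of assigned.
    If Not IsNull(objWindowsEvent.Message) Then
        objMOMEvent.Message = Replace(objWindowsEvent.Message, vbCrLf & vbCrLf, vbCrLf)
    End If
    objMOMEvent.EventNumber = objWindowsEvent.EventCode
    objMOMEvent.EventType = GetEventTypeCode(objWindowsEvent.Type)

    '========== Setting Logging Computer and Domain properties cause event to "attach" to NT4 computer name in MOM.
    objMOMEvent.LoggingComputer = strServerName
    objMOMEvent.LoggingDomain = strServerDomain

    '========== Walk through Windows event parameters and convert to MOM event parameters.
    If IsArray(objWindowsEvent.InsertionStrings) Then
        For i = 0 To UBound(objWindowsEvent.InsertionStrings)
            objMOMEvent.SetEventParameter(objWindowsEvent.InsertionStrings(i))
        Next
    End If

    '========== Submit new event.
    ScriptContext.Submit objMOMEvent
    intEventCount = intEventCount + 1

    '========== Keep the newest event time as the watermark for the next run.
    ' The comparison is done in UTC because the stored value and the event may carry
    ' different offsets; the raw DMTF string of the winner is what gets persisted.
    If datEventTimeUTC > datNewestSeen Then
        datNewestSeen = datEventTimeUTC
        datLastEventTime = objWindowsEvent.TimeGenerated
    End If
Next

'========== Generate event providing summary information.
CreateEvent "Collected " & intEventCount & " security events from " & strServerName & ".", EVENT_ID_SUMMARY, EVENT_TYPE_INFORMATION

'========== Set last date/time for next execution.
SetLastDateTime strServerName, datLastEventTime

'**************************************************************************************************
' Function: GetEventTypeCode
' Purpose: Returns a value for the MOM event type corresponding to the event string from a Windows event.
' Parameters: strEventType - Win32_NTLogEvent.Type text such as "Audit Failure"; matched case-insensitively,
'             surrounding whitespace ignored.
' Returns: Integer value indicating event type (one of the EVENT_TYPE_* constants).
'          Text that matches none of the known names maps to EVENT_TYPE_INFORMATION so the
'          MOM event always carries a type.
'**************************************************************************************************
Function GetEventTypeCode(strEventType)
    Select Case LCase(Trim("" & strEventType))
        Case "success"
            GetEventTypeCode = EVENT_TYPE_SUCCESS
        Case "error"
            GetEventTypeCode = EVENT_TYPE_ERROR
        Case "warning"
            GetEventTypeCode = EVENT_TYPE_WARNING
        Case "information"
            GetEventTypeCode = EVENT_TYPE_INFORMATION
        Case "audit success"
            GetEventTypeCode = EVENT_TYPE_AUDIT_SUCCESS
        Case "audit failure"
            GetEventTypeCode = EVENT_TYPE_AUDIT_FAILURE
        Case Else
            GetEventTypeCode = EVENT_TYPE_INFORMATION
    End Select
End Function

'**************************************************************************************************
' Sub: ConvertDateToUTC
' Purpose: Converts a variant date to UTC format.
' Returns: Date in UTC format.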
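'**************************************************************************************************
' ConvertDateToUTC(datDateTime, intMinuteOffset)
'   datDateTime     - variant date/time in local time.
'   intMinuteOffset - local offset from UTC in minutes (Win32_OperatingSystem.CurrentTimeZone).
'   Returns the DMTF datetime string yyyymmddHHMMSS.mmmmmm+UUU used by WMI (local time plus
'   a signed, zero-padded three-digit minute offset). The fractional seconds are always 000000.
Function ConvertDateToUTC(datDateTime, intMinuteOffset)
    Dim strStamp, strSign, intAbsOffset
    strStamp = Year(datDateTime) & LeadingZero(Month(datDateTime)) & LeadingZero(Day(datDateTime)) & _
               LeadingZero(Hour(datDateTime)) & LeadingZero(Minute(datDateTime)) & LeadingZero(Second(datDateTime)) & _
               ".000000"
    ' The sign is always written and the offset padded to three digits so the result is a
    ' valid DMTF value for the WQL comparison and so ConvertDateFromUTC can read the last
    ' four characters back (an unpadded "+60" would be misread there).
    If intMinuteOffset < 0 Then
        strSign = "-"
    Else
        strSign = "+"
    End If
    intAbsOffset = Abs(CLng(intMinuteOffset))
    ConvertDateToUTC = strStamp & strSign & Right("000" & intAbsOffset, 3)
End Function

'**************************************************************************************************
' Function: ConvertDateFromUTC
' Purpose: Converts a DMTF datetime string (yyyymmddHHMMSS.mmmmmm+UUU, local time plus a signed
'          minute offset) to a variant date.
' Parameters: strUTCDate - DMTF datetime string of the shape accepted by IsDmtfDateTime.
' Returns: Variant date in GMT (the offset removed).
'**************************************************************************************************
Function ConvertDateFromUTC(strUTCDate)
    Dim strStamp, intMinuteOffset, datLocal
    strStamp = CStr(strUTCDate)
    ' Signed three-digit minute offset following the fractional seconds, e.g. "+060" or "-300".
    intMinuteOffset = CLng(Right(strStamp, 4))
    ' DateSerial/TimeSerial build the date from numeric parts, so the result does not depend
    ' on the agent's locale the way parsing an "mm/dd/yyyy hh:mm:ss" string would.
    datLocal = DateSerial(CInt(Mid(strStamp, 1, 4)), CInt(Mid(strStamp, 5, 2)), CInt(Mid(strStamp, 7, 2))) + _
               TimeSerial(CInt(Mid(strStamp, 9, 2)), CInt(Mid(strStamp, 11, 2)), CInt(Mid(strStamp, 13, 2)))
    ' Subtract the offset in whole minutes; offsets that are not a whole number of hours
    ' (for example +330) would be rounded if passed to DateAdd as fractional hours.
    ConvertDateFromUTC = DateAdd("n", -intMinuteOffset, datLocal)
End Function

'**************************************************************************************************
' Function: IsDmtfDateTime
' Purpose: Checks that a value has the 25-character DMTF datetime shape produced by
'          ConvertDateToUTC and reported in Win32_NTLogEvent.TimeGenerated:
'          yyyymmddHHMMSS.mmmmmm+UUU with "+" or "-" before the three-digit minute offset.
' Parameters: strValue - value read from the registry watermark (may be Null or Empty).
' Returns: True when the shape matches, otherwise False. Used to reject a missing or corrupt
'          watermark before it is spliced into the WQL query or parsed by ConvertDateFromUTC.
'**************************************************************************************************
Function IsDmtfDateTime(strValue)
    Dim strText
    IsDmtfDateTime = False
    If IsNull(strValue) Or IsEmpty(strValue) Then Exit Function
    strText = CStr(strValue)
    If Len(strText) <> 25 Then Exit Function
    If Not IsNumeric(Mid(strText, 1, 14)) Then Exit Function
    If Mid(strText, 15, 1) <> "." Then Exit Function
    If Not IsNumeric(Mid(strText, 16, 6)) Then Exit Function
    If Mid(strText, 22, 1) <> "+" And Mid(strText, 22, 1) <> "-" Then Exit Function
    If Not IsNumeric(Mid(strText, 23, 3)) Then Exit Function
    IsDmtfDateTime = True
End Function

'**************************************************************************************************
' Function: GetLastDateTime
' Purpose: Gets the date/time of the last event collected for specified computer.
' Parameters: strServerName - name of the NT4 server; also the registry value name under strKeyPath.
' Returns: Date/time in DMTF format. When no valid watermark is stored (first run, or a value
'          that is not a DMTF datetime) the agent's current local time with its current UTC
'          offset is returned; the registry value is created by SetLastDateTime at the end of the run.
'**************************************************************************************************
Function GetLastDateTime(strServerName)
    Dim objReg, strValue, objWMI, objOperatingSystem, intMinuteOffset
    Set objReg = GetObject("winmgmts:\\.\root\default:StdRegProv")
    ' strValue comes back Null when the value does not exist.
    objReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strServerName, strValue
    If IsDmtfDateTime(strValue) Then
        GetLastDateTime = strValue
        Exit Function
    End If
    ' No usable watermark: fall back to "now" on the agent. CurrentTimeZone is the agent's
    ' offset from UTC in minutes; 0 is used if the property is unavailable.
    intMinuteOffset = 0
    Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
    For Each objOperatingSystem In objWMI.InstancesOf("Win32_OperatingSystem")
        If Not IsNull(objOperatingSystem.CurrentTimeZone) Then
            intMinuteOffset = objOperatingSystem.CurrentTimeZone
        End If
    Next
    GetLastDateTime = ConvertDateToUTC(Now, intMinuteOffset)
End Function

'**************************************************************************************************
' Sub: SetLastDateTime
' Purpose: Stores the date/time of the last event collected for specified computer.
' Parameters: strServerName - name of the NT4 server (registry value name under strKeyPath).
'             strUTCDate    - DMTF datetime string to persist.
' Returns: None. A failed write is echoed to the script output rather than raised, so the
'          events already submitted in this run are not affected.
'**************************************************************************************************
Sub SetLastDateTime(strServerName, strUTCDate)
    Dim objReg, intResult
    Set objReg = GetObject("winmgmts:\\.\root\default:StdRegProv")
    ' SetStringValue does not create the key; on an agent where HKLM\SOFTWARE\MOM\Nt4Servers
    ' has never been created the watermark would otherwise never be persisted. CreateKey
    ' succeeds when the key already exists.
    objReg.CreateKey HKEY_LOCAL_MACHINE, strKeyPath
    intResult = objReg.SetStringValue(HKEY_LOCAL_MACHINE, strKeyPath, strServerName, strUTCDate)
    If intResult <> 0 Then
        ScriptContext.Echo "Could not store last event time for " & strServerName & " (StdRegProv error " & intResult & ")"
    End If
End Sub

'**************************************************************************************************
' Sub: LeadingZero
' Purpose: Puts a leading zero in front of a single digit integer.
' Parameters: intNumber - number to format.
' Returns: Variant with leading zero for single digit. Unchanged variant for double digit.
'**************************************************************************************************
Function LeadingZero(intNumber)
    If intNumber < 10 Then
        LeadingZero = "0" & intNumber
    Else
        LeadingZero = intNumber
    End If
End Function

'**************************************************************************************************
' Sub: CreateEvent
' Purpose: Creates a MOM event and submits it through ScriptContext.
' Parameters: strMessage   - event message text.
'             lngEventID   - MOM event number.
'             lngEventType - one of the EVENT_TYPE_* constants.
' Returns: None.
'**************************************************************************************************
Sub CreateEvent(strMessage, lngEventID, lngEventType)
    Dim objNewEvent
    Set objNewEvent = ScriptContext.CreateEvent
    objNewEvent.Message = strMessage
    objNewEvent.EventNumber = lngEventID
    objNewEvent.EventType = lngEventType
    ScriptContext.Submit objNewEvent
End Sub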