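# Powershell Security Event log search utility
#
# Prompts for an account name and/or an IP address, searches the local
# Security event log for events whose EventData carries that value
# (TargetUserName / IpAddress), exports the matches to CSV and prints a
# short Id / TimeCreated / MachineName summary of each hit.
#
# Practical requirements (the script warns, it does not enforce them):
#   - Reading the Security log needs an elevated session or membership in
#     the local "Event Log Readers" group.
#   - The CSV files are written to the root of C:\, which also normally
#     needs elevation.
#
# Changes from the previous revision:
#   - Errors are no longer hidden by a global 'silentlycontinue'; a failed
#     log read or export is reported and the "export saved" line is only
#     printed when the file was actually written.
#   - The user-typed values are turned into proper XPath string literals
#     before being spliced into -FilterXPath (a quote in the input used to
#     break the query), and the IP is checked to be a real address.
#   - The stray '$_.name' argument to write-host (unbound at script scope)
#     is dropped; it only ever contributed an empty value.

# VARIABLES 'n' STUFF 'n' THAT
$version="1.0"
$outputfile1="c:\User_Events.csv"
$outputfile2="c:\IP_Events.csv"
$kbalink="https://support.opendns.com/entries/100851587"
# Deliberately NOT setting $ErrorActionPreference="silentlycontinue":
# each risky command below handles its own failure explicitly.

# Turn a user-supplied string into an XPath 1.0 string literal.
# XPath 1.0 has no escape character inside string literals, so a value
# containing a single quote is wrapped in double quotes instead; a value
# containing both kinds of quote cannot be expressed as a literal and is
# refused rather than spliced into the query unquoted.
function ConvertTo-XPathLiteral {
    param([Parameter(Mandatory=$true)][string]$Value)
    if ($Value -notmatch "'") { return "'$Value'" }
    if ($Value -notmatch '"') { return """$Value""" }
    throw "Value contains both single and double quotes and cannot be used in an XPath filter."
}

# Run one Security-log search for EventData/Data[@Name=$DataName] equal to
# $Value (XPath '=' is an exact, case-sensitive comparison), export every
# hit to $OutFile and emit the Id/TimeCreated/MachineName summary rows to
# the pipeline. Host messages describe the outcome; nothing is returned.
#   $DataName    EventData field to match, e.g. TargetUserName or IpAddress
#   $Value       raw value typed by the user
#   $OutFile     CSV path the matching events are exported to
#   $Description wording used in the "export saved" message
function Invoke-SecurityLogSearch {
    param(
        [Parameter(Mandatory=$true)][string]$DataName,
        [Parameter(Mandatory=$true)][string]$Value,
        [Parameter(Mandatory=$true)][string]$OutFile,
        [Parameter(Mandatory=$true)][string]$Description
    )
    try {
        $literal = ConvertTo-XPathLiteral -Value $Value
    } catch {
        write-warning "Skipping the $Description search: $($_.Exception.Message)"
        return
    }
    $xpath = "*[EventData[Data[@Name='$DataName']=$literal]]"

    try {
        $events = @(Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction Stop)
    } catch {
        # Get-WinEvent reports "no matches" through the error stream; treat
        # that as zero hits, and anything else as a real failure to read the log.
        if ($_.Exception.Message -like 'No events were found*') {
            $events = @()
        } else {
            write-warning "Could not read the Security event log: $($_.Exception.Message)"
            write-warning "Reading the Security log requires an elevated session or membership in the local 'Event Log Readers' group."
            return
        }
    }

    if ($events.Count -eq 0) {
        write-host "No Security events matched the $Description you entered"
        return
    }

    try {
        $events | Export-Csv $OutFile -ErrorAction Stop
    } catch {
        write-warning "Found $($events.Count) event(s) but could not write $OutFile : $($_.Exception.Message)"
        return
    }
    Import-Csv $OutFile | select-object -property Id, TimeCreated, MachineName
    write-host "`n"
    write-host -foregroundcolor Yellow "An export of the Security event log filtered for this $Description has been saved in $OutFile if you want to look further into these events"
}

write-host "`n"
write-host -foregroundcolor Yellow "Welcome to the OpenDNS Windows Security Event Log Parsing Utility"
write-host "Version $version"
write-host "Copyright (c) 2015, OpenDNS UK Ltd (Part of Cisco), http://www.opendns.com"
write-host "`n"
write-host "This utility searches the Event Viewer Security logs for logon and logoff events which the OpenDNS Connector service watches for."
write-host "It is useful for troubleshooting issues where unexpected User to IP mappings occur, or when an incorrect policy is being applied."
write-host "Further information on using this utility can be found at the page below"
write-host -foregroundcolor Yellow "$kbalink"

# Warn up front when not elevated: the Security log read below is the
# command most likely to fail in that case (Event Log Readers members may
# still succeed, so this is a warning rather than a hard stop).
$currentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal $currentIdentity
if (-not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    write-warning "This session is not elevated; reading the Security log and writing to C:\ may fail."
}

#Delete output files if they already exist
foreach ($staleFile in @($outputfile1, $outputfile2)) {
    if (Test-Path $staleFile) {
        Remove-Item $staleFile -ErrorAction SilentlyContinue
        if (Test-Path $staleFile) {
            write-warning "Could not remove the previous output file $staleFile; it may be overwritten or left in place."
        }
    }
}

write-host "`n"
$User = Read-Host -Prompt 'Please enter the account name of the user you are searching for'
$IP = Read-Host -Prompt 'Please enter the IP address you are searching for'

IF ($User -eq "") {
    write-host "You did not enter a Username"
} ELSE {
    Invoke-SecurityLogSearch -DataName 'TargetUserName' -Value $User -OutFile $outputfile1 -Description 'username'
}

write-host "`n"

# The IpAddress field is only ever an address, so anything that does not
# parse as IPv4/IPv6 cannot match and is rejected before reaching the query.
$parsedIp = $null
IF ($IP -eq "") {
    write-host "You did not enter an IP address"
} ELSEIF (-not [System.Net.IPAddress]::TryParse($IP, [ref]$parsedIp)) {
    write-warning "'$IP' is not a valid IPv4 or IPv6 address; skipping the IP address search"
} ELSE {
    Invoke-SecurityLogSearch -DataName 'IpAddress' -Value $IP -OutFile $outputfile2 -Description 'IP Address'
}

write-host "`n"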