Wednesday, September 10, 2008

Creates a columnar listing of the ports to which the Windows Firewall has denied access. No doubt there is a simpler way... This uses Lee Holmes' 'Convert-TextObject.ps1' from the "Windows PowerShell Cookbook". To get around parsing the message fields in the Event Log, which aren't objects, I used findstr.exe with "MessageFilters.txt", shown further below.

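$now = [System.DateTime]::Now
# Today's failure audits from the Security log. Dates are compared as DateTime values,
# because matching the short-date string fails when the day or month is zero-padded.
$TodaysFA = ( ( get-eventlog -logname security | where {$_.EntryType -eq "FailureAudit" -and $_.TimeGenerated.Date -eq $now.Date } )| Select TimeGenerated,Message )
# Keep only the lines named in MessageFilters.txt, then split each line at ":" into Property1, Property2, ...
$TodaysFA_Delimited = ($TodaysFA | fl * | findstr /g:MessageFilters.txt) | .\Convert-TextObject.ps1 -Delimiter ":"
# Rows whose label mentions "Port", sorted by the port value
$TodaysFA_Ports = $TodaysFA_Delimited | where-object {$_.Property1 -match "Port"} | sort-object {$_.Property2}
$TodaysFA_PortNumber = $TodaysFA_Ports | Select {$_.Property2}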

MessageFilters.txt

TimeGenerated :
Message:
Process identifier:
User account:
User domain:
Service:
RPC server:
IP version:
IP protocol:
Port number:
Allowed:
User notified:
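An added example, not part of the original post and not taken from the Cookbook: the same listing built by parsing each event's Message text into one object per event, which avoids findstr.exe and Convert-TextObject.ps1 and keeps the time, protocol and port together. The function name ConvertFrom-FirewallAuditMessage, the sample messages and the value 'No' for "Allowed" are assumptions made for illustration; only the field labels come from MessageFilters.txt above.

```powershell
# Field labels taken from MessageFilters.txt above.
$Fields = 'Process identifier','User account','User domain','Service','RPC server',
          'IP version','IP protocol','Port number','Allowed','User notified'

function ConvertFrom-FirewallAuditMessage {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)] [datetime] $TimeGenerated,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)] [string]   $Message
    )
    process {
        $row = [ordered]@{ TimeGenerated = $TimeGenerated }
        foreach ($line in ($Message -split "\r?\n")) {
            # Split at the first colon only, so values containing ':' stay whole.
            $label, $value = $line -split ':', 2
            $label = $label.Trim()
            if ($Fields -contains $label) { $row[$label] = "$value".Trim() }
        }
        # Failure audits without a port field are not firewall events; skip them.
        if ($row.Contains('Port number')) { [pscustomobject]$row }
    }
}

# Constructed sample events standing in for Get-EventLog output (not real log data).
$template = "Process identifier: {0}`r`nUser account: SYSTEM`r`nIP version: IPv4`r`n" +
            "IP protocol: {1}`r`nPort number: {2}`r`nAllowed: {3}`r`nUser notified: No"
$sample = @(
    [pscustomobject]@{ TimeGenerated = [datetime]'2008-09-10T09:15:00'; Message = $template -f 1234,'TCP',445,'No' }
    [pscustomobject]@{ TimeGenerated = [datetime]'2008-09-10T09:20:00'; Message = $template -f 1234,'TCP',445,'No' }
    [pscustomobject]@{ TimeGenerated = [datetime]'2008-09-10T10:02:00'; Message = $template -f 2280,'UDP',1900,'No' }
    [pscustomobject]@{ TimeGenerated = [datetime]'2008-09-10T10:05:00'; Message = $template -f 3012,'TCP',8080,'Yes' }
    [pscustomobject]@{ TimeGenerated = [datetime]'2008-09-10T10:30:00'; Message = 'Constructed non-firewall audit text' }
)

# On a live system, replace $sample with:
#   Get-EventLog -LogName Security -EntryType FailureAudit -After (Get-Date).Date
$sample | ConvertFrom-FirewallAuditMessage |
    Where-Object { $_.Allowed -eq 'No' } |
    Group-Object 'Port number', 'IP protocol' |
    Sort-Object { [int]$_.Group[0].'Port number' } |
    Select-Object Count, Name,
        @{ n = 'LastSeen'; e = { @($_.Group | Sort-Object TimeGenerated)[-1].TimeGenerated } } |
    Format-Table -AutoSize
```

Sorting casts the port to an integer, so 445 lists before 1900 and 8080 instead of in string order.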

