Monday, January 12, 2009

Parsing logs again.... Following up from a few posts ago, I would like to figure out how to get multiple log types working together with the simplest syntax in PowerShell. The goal would be to take events from whatever handlers produce them (Event Logs, Application Verifier, WinDbg, NetMonitor, Syslogd, Firewall, IDS) and parse them into congruent, datetime-stamped events as objects (??). To get today's dump of Windows Firewall audit messages (set this up in auditing...) out of my Security Event Log, I do something like this:

## Today's date in short form, e.g. 1/12/2009, used to filter on TimeGenerated
$now = [System.DateTime]::get_now()
$NowSDS = $now.ToShortDateString()
## Today's Security events whose Message mentions the Windows Firewall, expanded to text with fl *
$SEL = get-eventlog -logname Security | where-object {($_.timegenerated -match "$NowSDS") -and ($_.message -match "Windows Firewall")} | fl *
$SEL | out-file $pwd\SEL.txt
## Pull the three fields of interest back out of the text dump
Select-string SEL.txt -pattern "Process Identifier","Path","Port number" -allmatches
## or
Select-string SEL.txt -pattern "Process Identifier","Path","Port number" -allmatches | out-file SEL_SR.txt
## Read the result file back as one string (the cast calls the StreamReader(path) constructor)
$sr = [System.IO.StreamReader]("$pwd\SEL_SR.txt")
$sr.readToEnd()
$sr.Close()

Results are like:

...
SEL.txt:11669:                     Path: C:\WINDOWS\system32\svchost.exe
SEL.txt:11671:                     Process identifier: 1588
SEL.txt:11685:                     Port number: 50386
SEL.txt:11712:                     Path: C:\WINDOWS\system32\svchost.exe
SEL.txt:11714:                     Process identifier: 1588
SEL.txt:11728:                     Port number: 59453

...

Ungainly. What we end up parsing is not an object but, eventually, text! So here we are parsing the message descriptions from the Security Event Log Message field (which is text!) into an object:

$now = [System.DateTime]::get_now()
$NowSDS = $now.ToShortDateString()
## Same filter as above, but keep the EventLogEntry objects instead of formatting them
$SEL = get-eventlog -logname Security | where-object {($_.timegenerated -match "$NowSDS") -and ($_.message -match "Windows Firewall")}
## Just the Message text of each matching event
$SEL_MSG = $SEL | %{$_.message}
Select-string -inputobject $SEL_MSG -pattern "Process Identifier","Path","Port number" -allmatches

Okay, an object, but not what I want yet.... And Select-String isn't helping any here:

Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1588
User account: NETWORK SERVICE
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 55033
Allowed: No
User notified: No The Windows Firewall has detected an application listening for incoming traffic.

## This doesn't work: StreamReader takes a file path or a stream, not a collection of EventLogEntry objects
## $SR = [System.IO.StreamReader]($SEL)
## $sr.readToEnd()
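One way to get the "datetime stamped event as an object" the post is after, as an added example (my code, not from the original post): split each event's Message text on its "Name: value" lines and build one object per event, carrying the entry's TimeGenerated. The sample message below is constructed from the field names shown in the output above, and the function assumes PowerShell 3.0 or later for [ordered] and [PSCustomObject]. Note that Select-String -InputObject treats an array as a single string, which is why the next message's opening sentence runs straight on after "User notified: No" above; piping the messages in, or parsing them per event as done here, avoids that.

```powershell
## Added example, not code from the original post. Assumes PowerShell 3.0+.
## Turns one Windows Firewall audit message into a PSCustomObject keyed by field name.
function ConvertFrom-FirewallAuditMessage {
    param(
        [Parameter(Mandatory=$true)][string]$Message,
        [Parameter(Mandatory=$true)][datetime]$TimeGenerated
    )
    $fields = [ordered]@{ TimeGenerated = $TimeGenerated }
    $description = @()

    foreach ($line in ($Message -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -eq '') { continue }

        ## "Name: value" lines become properties; the key stops at the first colon,
        ## so a value like C:\WINDOWS\system32\svchost.exe keeps its own colon
        if ($line -match '^(?<key>[^:]+):\s*(?<value>.*)$') {
            $rawKey = $matches['key'].Trim()
            $value  = $matches['value'].Trim()

            ## "Process identifier" -> ProcessIdentifier, "IP version" -> IPVersion
            $key = -join (($rawKey -split '\s+') |
                ForEach-Object { $_.Substring(0, 1).ToUpper() + $_.Substring(1) })

            ## Type the obvious cases so later filters compare numbers and booleans, not strings
            if ($value -match '^\d+$') {
                $value = [int]$value
            } elseif ($value -eq 'Yes' -or $value -eq 'No') {
                $value = ($value -eq 'Yes')
            }
            $fields[$key] = $value
        } else {
            ## Free-text sentences (no colon) are kept as the Description
            $description += $line
        }
    }
    $fields['Description'] = $description -join ' '
    [PSCustomObject]$fields
}

## Constructed sample message, built from the field names shown in the post's output
$sampleMessage = @"
The Windows Firewall has detected an application listening for incoming traffic.

Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1588
User account: NETWORK SERVICE
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 55033
Allowed: No
User notified: No
"@

$sampleTime = Get-Date '2009-01-12 09:30:00'   # constructed timestamp
$event = ConvertFrom-FirewallAuditMessage -Message $sampleMessage -TimeGenerated $sampleTime
$event | Format-List

## Live use against the Security log (needs the rights to read it), with the post's own filter.
## Each event becomes one object, so the listener's path, PID and port can be filtered as properties:
# Get-EventLog -LogName Security |
#     Where-Object { $_.Message -match 'Windows Firewall' } |
#     ForEach-Object { ConvertFrom-FirewallAuditMessage -Message $_.Message -TimeGenerated $_.TimeGenerated } |
#     Where-Object { $_.PortNumber -and -not $_.Allowed } |
#     Format-Table TimeGenerated, Path, ProcessIdentifier, PortNumber, Allowed
```

Because every event comes out with the same TimeGenerated property, objects from other sources (a syslog line, a firewall log record) can be given the same shape and sorted or grouped together on that one field, which is the "congruent datetime stamped events" idea from the top of the post.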

to be continued....
