none
Convert Column Numerical Data to Human Readable values (RRAS Activity Logs) RRS feed

  • Question

  • I've written a small script (see below) which outputs the last seven days worth of RRAS log files ( I check these once a week) so I can identify proper and improper VPN access.

    The second to the last command of the script works just fine except that the data in Pack-Type column are numeric. Since there are only four values, it's not hard to remember what each one stands for, but I would like to display their human readable equivalent values instead.

    In an attempt to achieve this, I've created a custom column expression. As you can see in the last command of the script, I replaced the Packet-Type column property of the Select-Object command with my expression. But the command's output results in the column heading being the literal string value of the expression and not it's process/executed value.

    Is what I'm trying even possible? Can the switch command be used in a column expression? If so, what is needed to get the expression to execute?

    TIA

    $ErrorActionPreference = "Continue"

    $LogHeader = "ComputerName","ServiceName","Record-Date","Record-Time","Packet-Type","User-Name","Fully-Qualified-Distinguished-Name","Called-Station-ID","Calling-Station-ID","Callback-Number","Framed-IP-Address","NAS-Identifier","NAS-IP-Address","NAS-Port","Client-Vendor","Client-IP-Address","Client-Friendly-Name","Event-Timestamp","Port-Limit","NAS-Port-Type","Connect-Info","Framed-Protocol","Service-Type","Authentication-Type","Policy-Name","Reason-Code","Class","Session-Timeout","Idle-Timeout","Termination-Action","EAP-Friendly-Name","Acct-Status-Type","Acct-Delay-Time","Acct-Input-Octets","Acct-Output-Octets","Acct-Session-Id","Acct-Authentic","Acct-Session-Time","Acct-Input-Packets","Acct-Output-Packets","Acct-Terminate-Cause","Acct-Multi-Ssn-ID","Acct-Link-Count","Acct-Interim-Interval","Tunnel-Type","Tunnel-Medium-Type","Tunnel-Client-Endpt","Tunnel-Server-Endpt","Acct-Tunnel-Conn","Tunnel-Pvt-Group-ID","Tunnel-Assignment-ID","Tunnel-Preference","MS-Acct-Auth-Type","MS-Acct-EAP-Type","MS-RAS-Version","MS-RAS-Vendor","MS-CHAP-Error","MS-CHAP-Domain","MS-MPPE-Encryption-Types","MS-MPPE-Encryption-Policy","Proxy-Policy-Name","Provider-Type","Provider-Name","Remote-Server-Address","MS-RAS-Client-Name","MS-RAS-Client-Version"

    $HomeBase = "C:\Scripts\RRAS"
    $LOGBase = "C:\Windows\System32\LogFiles\RRAS"

    Set-Location $HomeBase

    $StartDate = (Get-Date).AddDays(-7)

    $CurrentLogs = Get-Childitem -path $LogBase -filter "*.log" | Where-Object {$_.CreationTime -ge $StartDate} | Select-Object FullName


    $PT2Value = @{Expression={
      switch ($_."Packet-Type")
       { "1" {"Access_Request"}
         "2" {"Access_Accept"}
         "3" {"Access_Reject"}
         "4" {"Accounting_Request"}
         default {"Invalid_Type"}
       };Label="Packet-Type"
      }
    }

    #$CurrentLogs | ForEach { import-csv -Header $LogHeader -path $_.FullName  | Select-Object Record-Date,Record-Time,Packet-Type,User-Name,Fully-Qualified-Distinguished-Name,Calling-Station-ID,Framed-IP-Address,Policy-Name | Out-GridView -Title "RRAS Activity Logs"}

    $CurrentLogs | ForEach { import-csv -Header $LogHeader -path $_.FullName  | Select-Object Record-Date,Record-Time,$PT2Value,User-Name,Fully-Qualified-Distinguished-Name,Calling-Station-ID,Framed-IP-Address,Policy-Name | Out-GridView -Title "RRAS Activity Logs"}

    Tuesday, April 5, 2016 3:51 PM

Answers

  • No need for so much complexity.  Just use PowerShell and logic:

    $PT2Value = @(
        'Unknown',
        'Access_Request',
        'Access_Accept', 
        'Access_Reject',
        'Accounting_Request'
    )
    
    $CurrentLogs | 
         ForEach {
              import-csv -Header $LogHeader -path $_.FullName |
              Select-Object Record-Date,Record-Time,@{n='Packet-Type';e={$PT2Value[$_.'Packet-Type']}},User-Name,Fully-Qualified-Distinguished-Name,Calling-Station-ID,Framed-IP-Address,Policy-Name |
    Out-GridView -Title 'RRAS Activity Logs'
    }


    \_(ツ)_/




    • Edited by jrv Tuesday, April 5, 2016 6:31 PM
    • Marked as answer by Harvey Colwell Wednesday, April 6, 2016 1:50 PM
    Tuesday, April 5, 2016 6:28 PM

All replies

  • Good Day
    My recommendation is to use the if or elsif statement

    $PT2Value = if ($_."Packet-Type" -eq '1') {Write-Output "Access Request"}
                        Elseif ($_."Packet-Type" -eq '2') {Write-Output "Access Accept"}
                        Elseif ($_."Packet-Type" -eq '3') {Write-Output "Access Reject"}

    $output = New-Object PSObject
    $output | Add-Member NoteProperty "Packet Type" $PT2Value


    And so on
    Hope this works

    Regards





    Tuesday, April 5, 2016 4:14 PM
  • No need for so much complexity.  Just use PowerShell and logic:

    $PT2Value = @(
        'Unknown',
        'Access_Request',
        'Access_Accept', 
        'Access_Reject',
        'Accounting_Request'
    )
    
    $CurrentLogs | 
         ForEach {
              import-csv -Header $LogHeader -path $_.FullName |
              Select-Object Record-Date,Record-Time,@{n='Packet-Type';e={$PT2Value[$_.'Packet-Type']}},User-Name,Fully-Qualified-Distinguished-Name,Calling-Station-ID,Framed-IP-Address,Policy-Name |
    Out-GridView -Title 'RRAS Activity Logs'
    }


    \_(ツ)_/




    • Edited by jrv Tuesday, April 5, 2016 6:31 PM
    • Marked as answer by Harvey Colwell Wednesday, April 6, 2016 1:50 PM
    Tuesday, April 5, 2016 6:28 PM

  • The second to the last command of the script works just fine except that the data in Pack-Type column are numeric. Since there are only four values, it's not hard to remember what each one stands for, but I would like to display their human readable equivalent values instead.

    @JRV
    And inside that logic, how do you know the numeric equivalent to Unknown and the other status?
    Tuesday, April 5, 2016 7:14 PM
  • Because with RRAS there can only be these four types of packets. This is not an IP packet-type. It is an RRAS management packet type. It only applies to packets used for connection management.  It should be blank or 1-4 in  value.  "blank" would be interpreted as zero by powershell.

    Proof:

    PS C:\scripts> $x=1,2,3,4
    PS C:\scripts> $x[0]
    1
    PS C:\scripts> $x['']
    1


    \_(ツ)_/


    • Edited by jrv Tuesday, April 5, 2016 7:23 PM
    Tuesday, April 5, 2016 7:22 PM
  • Got it
    Didnt know that about RRAS
    Learned something new
    Thanks
    Regards
    Tuesday, April 5, 2016 7:25 PM
  • No problem.  I believe you can still find these lists in  the platform SDK.  RRAS is pretty well documented as is the log format.  I believe it is also a VPN industry standard.  Here is the online reference for this: https://technet.microsoft.com/en-us/library/cc771748%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    1

    Packet-Type

    Number

    The type of packet, which can be:

    • 1 = Access-Request
    • 2 = Access-Accept
    • 3 = Access-Reject
    • 4 = Accounting-Request

    This is an IAS-internal attribute.


    \_(ツ)_/


    • Edited by jrv Tuesday, April 5, 2016 7:40 PM
    Tuesday, April 5, 2016 7:38 PM
  • The same TechNet documentation that gave me the column/field names (The article called them attributes).

    I not yet allowed to enter in links, but the article title is "Interpret NPS Database Format Log Files".


    Wednesday, April 6, 2016 1:44 PM
  • Thank you, this worked perfectly.
    Wednesday, April 6, 2016 1:50 PM