Windows Firewall Log Parsing

  • Question

  • Greetings,

    I have a Powershell newbie question here that I can't quite get my head wrapped around.  What I'm wanting to do is "tail" the Windows Firewall Log (pfirewall.log), and have it show up on the screen when a certain pattern occurs.

    Date | Time | action | proto | src-ip | dst-ip | size | src-port | dst-port | etc...

    2013-05-20 11:20:38 ALLOW TCP 1.1.1.1 5.5.5.5 63149 80 0 - - - - - - - SEND
    2013-05-20 11:20:38 ALLOW TCP 2.2.2.2 5.5.5.5 63149 80 0 - - - - - - - SEND
    2013-05-20 11:20:38 ALLOW TCP 3.3.3.3 5.5.5.5 63149 80 0 - - - - - - - SEND
    2013-05-20 11:20:38 ALLOW TCP 4.4.4.4 5.5.5.5 63149 80 0 - - - - - - - SEND

    I want to see any line where the src-ip isn't "1.1.1.1" or "2.2.2.2", but the src-port must be "80", and the dst-port must be "0".

    For Example:

    I don't want to see this:

    2013-05-20 11:20:38 ALLOW TCP 1.1.1.1 5.5.5.5 63149 80 0 - - - - - - - SEND (src-ip is 1.1.1.1)
    2013-05-20 11:20:38 ALLOW TCP 2.2.2.2 5.5.5.5 63149 80 0 - - - - - - - SEND (src-ip is 2.2.2.2)
    2013-05-20 11:20:38 ALLOW TCP 3.3.3.3 5.5.5.5 63149 88 0 - - - - - - - SEND (dst-port isn't 80)

    I DO want to see these lines:

    2013-05-20 11:20:38 ALLOW TCP 3.3.3.3 5.5.5.5 63149 80 0 - - - - - - - SEND
    2013-05-20 11:20:38 ALLOW TCP 4.4.4.4 5.5.5.5 63149 80 0 - - - - - - - SEND

    I've tried splitting the path on the whitespace and then watching [4], but I'm still not quite getting something right.  Can anyone help?

    Best Regards,

    T



    • Edited by Misterr T Monday, May 20, 2013 5:07 PM typo
    Monday, May 20, 2013 5:05 PM

Answers

  • Hi T,

    I think the solution of filtering the text line with a regular expression will become very difficult when searching for more complex connections.

    I think an object based solution is the better way. If my example didn't work, you can post the error. I tested it on Windows 8, where the 3rd line has the format "date time action protocol src-ip ...". In your example this line was different.  If it really has the "|" dividers, you could use this code:

    $Log = Get-Content .\pfirewall.log
    $Log = $Log.replace("#Fields: ","")   # make the #Fields line the header row; ConvertFrom-Csv skips the other #-comment lines
    $Log = $Log.replace(" | "," ")        # drop the "|" dividers so the delimiter is a single space
    $FWObjects = $Log|ConvertFrom-Csv -Delimiter ' '
    $FWObjects|?{$_."src-ip" -ne "1.1.1.1" -and $_."src-ip" -ne "2.2.2.2" -and $_."dst-port" -eq "80"}

    Greetings Malte

    • Marked as answer by Misterr T Wednesday, May 22, 2013 4:09 PM
    Tuesday, May 21, 2013 4:05 PM
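A field-aware version of the object-based approach, added here as an example that is not code from the thread or from either poster: it takes the column names from the log's own #Fields: header, so the filter can name src-ip and dst-port directly, and the same pipeline can be fed from Get-Content -Wait to follow the live file, which is what the question asked for. ConvertFrom-FirewallLog is a hypothetical function name and the sample lines are constructed from the question's excerpt; with the standard header the "80" column is dst-port, and the filter is written against that.

```powershell
# Added example, not code from the thread. Assumes the standard pfirewall.log
# header "#Fields: date time action protocol src-ip dst-ip src-port dst-port size ...".
function ConvertFrom-FirewallLog {
    # Hypothetical helper: turns raw log lines into objects whose property names
    # come from the #Fields: line, so filters can say $_.'src-ip' and $_.'dst-port'.
    param([Parameter(Mandatory, ValueFromPipeline)] [string[]] $Line)
    begin { $fields = $null }
    process {
        foreach ($l in $Line) {
            if ($l -match '^#Fields:\s*(.+)$') {
                $fields = $Matches[1].Trim() -split '\s+'   # column names from the log itself
                continue
            }
            # Skip the other #-comment lines, blank lines and anything before a header
            if ($l.StartsWith('#') -or $l -match '^\s*$' -or -not $fields) { continue }
            $values = $l.Trim() -split '\s+'
            $obj = [ordered]@{}
            for ($i = 0; $i -lt $fields.Count; $i++) {
                $obj[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { $null }
            }
            [pscustomobject]$obj
        }
    }
}

# Constructed sample in the same shape as the question's excerpt (header + data).
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2013-05-20 11:20:38 ALLOW TCP 1.1.1.1 5.5.5.5 63149 80 0 - - - - - - - SEND
2013-05-20 11:20:38 ALLOW TCP 3.3.3.3 1.1.1.1 63149 80 0 - - - - - - - SEND
2013-05-20 11:20:38 ALLOW TCP 3.3.3.3 5.5.5.5 63149 88 0 - - - - - - - SEND
2013-05-20 11:20:38 ALLOW TCP 4.4.4.4 5.5.5.5 63149 80 0 - - - - - - - SEND
'@ -split "`r?`n"

# Exclude by source address only (the 3.3.3.3 -> 1.1.1.1 line is kept) and keep dst-port 80.
$ignoredSources = '1.1.1.1', '2.2.2.2'
$sample | ConvertFrom-FirewallLog |
    Where-Object { $_.'src-ip' -notin $ignoredSources -and $_.'dst-port' -eq '80' } |
    Format-Table date, time, action, protocol, 'src-ip', 'dst-ip', 'src-port', 'dst-port'

# Same pipeline against the live log; Get-Content -Wait emits new lines as they are written:
# Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" -Wait |
#     ConvertFrom-FirewallLog | Where-Object { $_.'src-ip' -notin $ignoredSources -and $_.'dst-port' -eq '80' }
```

The sample run prints only the 3.3.3.3 -> 1.1.1.1 and 4.4.4.4 lines; the 88 line is dropped by the dst-port test and the 1.1.1.1 source by the address test.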

All replies

  • try something like this

    $text = @"
    2013-05-20 11:20:38 ALLOW TCP 1.1.1.1 5.5.5.5 63149 80 0 - - - - - - - SEND
    2013-05-20 11:20:38 ALLOW TCP 2.2.2.2 5.5.5.5 63149 80 0 - - - - - - - SEND
    2013-05-20 11:20:38 ALLOW TCP 3.3.3.3 5.5.5.5 63149 80 0 - - - - - - - SEND
    2013-05-20 11:20:38 ALLOW TCP 4.4.4.4 5.5.5.5 63149 80 0 - - - - - - - SEND
    "@
    foreach($line in $text -split "\n"){
        if($line -match "80\s0"){
            if($line -notmatch "1.1.1.1|2.2.2.2"){
                $line
            }
        }
    }

    Monday, May 20, 2013 5:57 PM
  • Hi T,

    This should parse the log into a PSObject, which you can filter with a normal PS expression. :-)

    Also, you can access the right fields (ip, port, proto, etc.) after filtering...

    $Log = Get-Content .\pfirewall.log
    $Log = $Log.replace("#Fields: ","")   # make the #Fields line the header row; ConvertFrom-Csv skips the other #-comment lines
    $FWObjects = $Log|ConvertFrom-Csv -Delimiter ' '
    $FWObjects|?{$_."src-ip" -ne "1.1.1.1" -and $_."src-ip" -ne "2.2.2.2" -and $_."dst-port" -eq "80"}


    Greetings Malte

    Monday, May 20, 2013 6:21 PM
    $text = get-content c:\windows\system32\logfiles\firewall\pfirewall.log -ReadCount 0
    foreach($line in $text -split "\n"){
        if($line -match "80\s0"){
            if($line -notmatch "1.1.1.1|2.2.2.2"){
                $line
            }
        }
    }

    try something like this

    $text = @"
    2013-05-20 11:20:38 ALLOW TCP 1.1.1.1 5.5.5.5 63149 80 0 - - - - - - - SEND
    2013-05-20 11:20:38 ALLOW TCP 2.2.2.2 5.5.5.5 63149 80 0 - - - - - - - SEND
    2013-05-20 11:20:38 ALLOW TCP 3.3.3.3 5.5.5.5 63149 80 0 - - - - - - - SEND
    2013-05-20 11:20:38 ALLOW TCP 4.4.4.4 5.5.5.5 63149 80 0 - - - - - - - SEND
    "@
    foreach($line in $text -split "\n"){
        if($line -match "80\s0"){
            if($line -notmatch "1.1.1.1|2.2.2.2"){
                $line
            }
        }
    }

    ImMax,

    I modified your code a little, however, I need the "-notmatch" to be checking the 4th item (src-ip) in the array because there are some lines like this:

    2013-05-20 11:20:38 ALLOW TCP 3.3.3.3 1.1.1.1 63149 80 0 - - - - - - - SEND

    I tried $line[4], but PowerShell ignored that.

    Regards,
    T



    • Edited by Misterr T Monday, May 20, 2013 7:34 PM typo
    Monday, May 20, 2013 7:31 PM
  • Then you could just add TCP\s to the regex:

    $text = @"
    2013-05-20 11:20:38 ALLOW TCP 1.1.1.1 5.5.5.5 63149 80 0 - - - - - - - SEND
    2013-05-20 11:20:38 ALLOW TCP 2.2.2.2 5.5.5.5 63149 80 0 - - - - - - - SEND
    2013-05-20 11:20:38 ALLOW TCP 3.3.3.3 1.1.1.1 63149 80 0 - - - - - - - SEND
    2013-05-20 11:20:38 ALLOW TCP 3.3.3.3 5.5.5.5 63149 80 0 - - - - - - - SEND
    "@
    foreach($line in $text -split "\n"){
        if($line -match "80\s0"){
            # group the alternatives so TCP\s applies to both addresses, and escape the dots
            if($line -notmatch "TCP\s(1\.1\.1\.1|2\.2\.2\.2)"){
                $line
            }
        }
    }

    Although Malte has a nice solution if you want to take this further.
    Tuesday, May 21, 2013 4:31 PM
  • Malte & ImMax,

    Thank you both for your assistance!  I ended up going with Malte's example, as it best fit my needs.  ImMax, your example was very useful as well.

    Regards,
    T

    Wednesday, May 22, 2013 4:13 PM