Created
April 8, 2021 03:34
-
-
Save cameronkerrnz/3398f1bf33fe18d6e09ce913945d7d3c to your computer and use it in GitHub Desktop.
Tail and Filter Windows Firewall Log (like tail -f ... | awk)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Get-Content -Head 5 c:\windows\system32\LogFiles\Firewall\pfirewall.log | |
| Get-Content -Wait -Tail 5 C:\Windows\System32\LogFiles\Firewall\pfirewall.log | % { | |
| do { | |
| $a=$_.split(' ') | |
| # DROP or ACCEPT (the only values AFAIK) | |
| # | |
| if ($a[2] -ne 'DROP') {continue} | |
| # Aims to drop common multicast addresses (no CIDR easily available) | |
| # | |
| # if ($a[4] -like '^(239|224)\.') {continue} | |
| # Direction | |
| # | |
| # if ($a[16] -eq 'SEND') {continue} | |
| # Port number | |
| # | |
| if ($a[7] -in @(137, 135, 1900, 5353, 7680)) {continue} | |
| #Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path | |
| # 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | |
| # | |
| # Unfortunately you don't seem to be able to pass $a (an array) to -f, nor can you splat it. | |
| # | |
| # You could just use write-host $a but I'm just wanting to align a subset of records. | |
| # | |
| write-host ("{0} {1} {2,-5} {3,-4} {4,-15} {5,-15} {6,5} {7,5} {8} {9} {10} {11}" -f ` | |
| $a[0], $a[1], # date time | |
| $a[2], $a[3], # action protocol | |
| $a[4], $a[5], # src-ip dst-ip | |
| $a[6], $a[7], # src-port dst-port | |
| $a[9], # tcpflags | |
| $a[13], $a[14], # icmptype icmpcode | |
| $a[16] # path | |
| ) | |
| } while($false) | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment