Archive/_GetFirewallLogs.ps1
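function Get-FirewallLogs {
    <#
    .SYNOPSIS
        Parses the local Windows Firewall log for one profile into objects.

    .DESCRIPTION
        Reads the LogFileName configured on the selected firewall profile
        (Get-NetFirewallProfile), expands any environment variables in that
        path, and turns each space-separated log entry into a PSCustomObject
        with one property per field. Header/comment lines (starting with '#')
        and blank lines are skipped.

        Caveats a practitioner should know:
          * Reading pfirewall.log normally requires an elevated session; the
            firewall service keeps the file open, but Get-Content can still
            take a snapshot read of it.
          * Logging must be enabled on the profile (Set-NetFirewallProfile
            -LogAllowed / -LogBlocked) or the file is absent or empty.
          * The log path is an admin-configurable setting; it is used with
            -LiteralPath so wildcards in it are never interpreted.

    .PARAMETER ProfileName
        Firewall profile whose log to read: Domain (default), Private, Public.

    .PARAMETER LastNEntries
        When greater than 0, only the last N lines of the log file are parsed.
        This is applied to raw lines before header lines are dropped, so on a
        very short file fewer than N entries may be returned.

    .OUTPUTS
        PSCustomObject with Date, Time, Action, Protocol, SourceIP,
        DestinationIP, SourcePort, DestinationPort, Size, TCPFlags, TCPSyn,
        TCPAck, TCPWin, ICMPType, ICMPCode, Info, Path, PID. Fields missing
        from a line (older log formats) are $null.

    .NOTES
        TODO get from remote server
    #>
    [CmdletBinding()]
    param (
        [Parameter()]
        [ValidateSet('Domain', 'Private', 'Public')]
        [string]$ProfileName = 'Domain',

        # Was [string]; an int with a range check rejects non-numeric input
        # up front instead of failing inside Select-Object.
        [Parameter()]
        [ValidateRange(0, [int]::MaxValue)]
        [int]$LastNEntries = 0
    )

    begin {
        # Field order as written by the firewall; matches the "#Fields:"
        # header line of pfirewall.log.
        $fieldNames = @(
            'Date', 'Time', 'Action', 'Protocol', 'SourceIP', 'DestinationIP',
            'SourcePort', 'DestinationPort', 'Size', 'TCPFlags', 'TCPSyn',
            'TCPAck', 'TCPWin', 'ICMPType', 'ICMPCode', 'Info', 'Path', 'PID'
        )

        # $profile is an automatic variable ($PROFILE); use a distinct name.
        $fwProfile = Get-NetFirewallProfile -Name $ProfileName -ErrorAction Stop
        if ([string]::IsNullOrWhiteSpace($fwProfile.LogFileName)) {
            throw "Firewall profile '$ProfileName' has no LogFileName configured."
        }

        # The configured path usually contains %systemroot%; expand whatever
        # variables are present rather than assuming C:\Windows.
        $logPath = [Environment]::ExpandEnvironmentVariables($fwProfile.LogFileName)
        if (-not (Test-Path -LiteralPath $logPath -PathType Leaf)) {
            throw "Firewall log '$logPath' for profile '$ProfileName' was not found. Is logging enabled on the profile and is this session elevated?"
        }

        # -ErrorAction Stop: a read failure (typically access denied when not
        # elevated) must surface instead of silently yielding no entries.
        $lines = @(Get-Content -LiteralPath $logPath -ErrorAction Stop)
        if ($LastNEntries -gt 0) {
            $lines = @($lines | Select-Object -Last $LastNEntries)
        }

        # A List avoids the O(n^2) array re-allocation of "$Output += ...".
        $entries = [System.Collections.Generic.List[object]]::new()
    }

    process {
        foreach ($line in $lines) {
            # Skip the header block ('#Version:', '#Fields:', ...) and blanks.
            if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) {
                continue
            }

            # Split once per line instead of once per field.
            $fields = $line.Split(' ')
            $entry = [ordered]@{}
            for ($i = 0; $i -lt $fieldNames.Count; $i++) {
                # Leave fields absent from shorter lines as $null rather than
                # failing the whole parse.
                $entry[$fieldNames[$i]] = if ($i -lt $fields.Count) { $fields[$i] } else { $null }
            }
            $entries.Add([PSCustomObject]$entry)
        }
    }

    end {
        return $entries.ToArray()
    }
}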