Parsing Windows Firewall logs


Kurt Buff

Mar 27, 2021, 6:42:05 PM
to ntpowe...@googlegroups.com
I'm trying this, and getting nothing out of it - it's an extract of c:\windows\system32\pfirewall.log.old from a remote machine - I discarded all lines that had 127.0.0.1, and I also manually edited the header down, and changed the header entries from dst-port, src-port, src-ip and dst-ip to DstPort, SrcPort, SrcIP and DstIP respectively, because I didn't want to surround them in double quotes. I then changed the space character to a comma, so that I didn't have to declare the delimiter.

import-csv -Path c:\temp\POSFWLogs\firewall-nolocal.csv | where ($_.DstPort -eq 443)

I get no error from the above - no output of any kind, actually

What I'd really like to do is more like this:
import-csv -Path c:\temp\POSFWLogs\firewall-nolocal.csv | where ($_.DstPort -eq 443 -and $_.DstIP -notlike "10.5.10.")

So that I can see what these restricted workstations are trying to talk to. Ditto for a bunch of other ports.

Any clues for me on this?

Thanks,
Kurt

Michael B. Smith

Mar 27, 2021, 7:14:46 PM
to ntpowe...@googlegroups.com

*scratches head*

Why make it hard?

I changed the header from

#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2021-03-27 18:54:41 DROP UDP 192.168.231.149 192.168.231.255 40533 15600 63 - - - - - - - RECEIVE

To

date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2021-03-27 18:54:41 DROP UDP 192.168.231.149 192.168.231.255 40533 15600 63 - - - - - - - RECEIVE

That's it.

$c = import-csv -path .\p.log -Delimiter ( [char]32 ) -Encoding ascii
$c | where { $_.'dst-port' -eq 443 -and $_.'dst-ip' -notlike '172.217.7.*' }

Works perfectly well. Note that I had to fix your "notlike" clause.

If you want to remove the dashes (and therefore the quotes) it still works. It's just a bit more work on the header.

$c | where { $_.dstport -eq 443 -and $_.dstip -notlike '172.217.7.*' }

Regards,

Michael B.

--
You received this message because you are subscribed to the Google Groups "ntpowershell" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntpowershell...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/CADy1Ce4P7EUTHRazbGDEaXe6Pq%3DRU97EopTwFGB_QQab7%2BopTw%40mail.gmail.com.

Kurt Buff

Mar 27, 2021, 7:32:33 PM
to ntpowe...@googlegroups.com
On Sat, Mar 27, 2021 at 5:14 PM Michael B. Smith <mic...@smithcons.com> wrote:
> *scratches head*
>
> Why make it hard?
>
> I changed the header from
> #Version: 1.5
> #Software: Microsoft Windows Firewall
> #Time Format: Local
> #Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
> 2021-03-27 18:54:41 DROP UDP 192.168.231.149 192.168.231.255 40533 15600 63 - - - - - - - RECEIVE
>
> To
>
> date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
> 2021-03-27 18:54:41 DROP UDP 192.168.231.149 192.168.231.255 40533 15600 63 - - - - - - - RECEIVE
>
> That’s it.

That's what I did - but there was also a line of nuls between the
header lines and the data as well, so I just nuked all of that.

> $c = import-csv -path .\p.log -Delimiter ( [char]32 ) -Encoding ascii
> $c | where { $_.'dst-port' -eq 443 -and $_.'dst-ip' -notlike '172.217.7.*' }
>
> Works perfectly well. Note that I had to fix your “notlike” clause.

I presume you mean the lack of the asterisk? Yeah, that's a bonehead
oversight. I presume the single quotes below should be used instead of
double quotes?

Also, I don't remember seeing the delimiter configured like that
before, and it didn't come up in my searching. That's kinda cool.

> If you want to remove the dashes (and therefore the quotes) it still works. It’s just a bit more work on the header.
>
> $c | where { $_.dstport -eq 443 -and $_.dstip -notlike '172.217.7.*' }

OK - I'll try again, and see what happens.

Thanks!


Aakash Shah

Mar 27, 2021, 8:13:30 PM
to ntpowe...@googlegroups.com

Here's another approach to avoid needing to remove the comments or edit the log file:

$FirewallHeaders = 'date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path'.split(' ')

Get-Content 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log' | ConvertFrom-Csv -Delimiter ' ' -Header $FirewallHeaders | Out-GridView

-Aakash Shah

Kurt Buff

Mar 28, 2021, 11:29:31 AM
to ntpowe...@googlegroups.com
The problem was the use of () instead of {}.

I really need better reading glasses.

Thank you again.

Kurt


Hood, Jeff

Mar 31, 2021, 4:40:23 PM
to ntpowe...@googlegroups.com

Thank you for this. So much better to review firewall logs.

Aakash Shah

Mar 31, 2021, 4:53:09 PM
to ntpowe...@googlegroups.com

Sure!

I forgot to mention that I used Get-Content here instead of Import-Csv since we can use the -Tail parameter to keep refreshing the display with new entries. So for instance, if you're monitoring for something, you can use something like this:

Get-Content 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log' -Tail 1 -Wait | ConvertFrom-Csv -Delimiter ' ' -Header $FirewallHeaders | Where-Object {$_.'dst-port' -eq '443'} | Format-Table

Also note not to use the -AutoSize parameter with Format-Table since I found it didn't return any results.

-Aakash Shah
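An added example that pulls the thread's three answers together; it is not code posted by anyone above. It serves Michael's fix-the-header-then-Import-Csv approach, Aakash's ConvertFrom-Csv -Header approach, and the -Wait follow-up: the parser takes the column names from the file's own #Fields: line so nothing has to be edited, skips the other comment lines and the NUL-padded line Kurt ran into, turns the port columns into integers so a numeric filter behaves (and never matches an ICMP record whose port is "-"), and tests destinations against CIDR ranges rather than a string wildcard, which is what Kurt's original filter wanted. On the original symptom: where ($_.DstPort -eq 443) evaluates the parentheses before Where-Object runs, with $_ empty, so the cmdlet is handed $false as a property name; no object has such a property, hence no output and no error, and braces are the fix as Kurt found. The sample log lines are constructed, the function names are mine, and the file path under C:\temp\POSFWLogs and the 10.5.10.0/24 "internal" range are assumptions. Needs Windows PowerShell 5.1 or PowerShell 7.

```powershell
# Added example, not code from the thread; sample lines, the path and the 10.5.10.0/24 range are assumptions.
function ConvertFrom-WindowsFirewallLog {
    # Raw pfirewall.log lines (Get-Content, with or without -Wait) -> one object per record. Column
    # names come from the file's own "#Fields:" line (format-1.5 defaults as fallback); other "#"
    # lines, blank lines and NUL padding are skipped, so the log never needs hand-editing.
    param([Parameter(ValueFromPipeline)] [string[]]$Line)
    begin {
        $fields = 'date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path'.Split(' ')
    }
    process {
        foreach ($raw in $Line) {
            $l = ($raw -replace '\x00', '').Trim()
            if ($l.Length -eq 0) { continue }
            if ($l.StartsWith('#')) {
                if ($l.StartsWith('#Fields:')) { $fields = $l.Substring(8).Trim().Split(' ') }
                continue
            }
            $values = $l.Split(' ')
            if ($values.Count -ne $fields.Count) {
                Write-Warning "Skipping line with $($values.Count) fields, expected $($fields.Count): $l"
                continue
            }
            $rec = [ordered]@{}
            for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
            # Ports are "-" for ICMP: real ports become [int], absent ones $null, so -eq 443 never matches ICMP.
            foreach ($p in 'src-port', 'dst-port') {
                if (-not $rec.Contains($p)) { continue }
                if ($rec[$p] -match '^\d+$') { $rec[$p] = [int]$rec[$p] } else { $rec[$p] = $null }
            }
            [pscustomobject]$rec
        }
    }
}

function ConvertTo-IPv4Number ([string]$Address) {
    # dotted quad -> [long] (wide enough that the bit math below cannot overflow); $null if not IPv4
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $null }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $null }
    $b = $ip.GetAddressBytes()
    return ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3]
}

function Test-IPv4InCidr ([string]$Address, [string]$Cidr) {
    # True when $Address lies inside $Cidr, e.g. '10.5.10.0/24'. A wildcard such as '10.5.10.*'
    # only expresses octet-aligned ranges; a prefix length also covers a /20 or a /27.
    $net, $bits = $Cidr.Split('/')
    if (-not $bits) { $bits = 32 }
    $addr = ConvertTo-IPv4Number $Address
    $netNum = ConvertTo-IPv4Number $net
    if ($null -eq $addr -or $null -eq $netNum) { return $false }
    $all = [long]4294967295
    $mask = ($all -shl (32 - [int]$bits)) -band $all
    return (($addr -band $mask) -eq ($netNum -band $mask))
}

function Get-FirewallEgressSummary {
    # "What are these hosts trying to reach": records on the given ports whose destination is
    # outside the internal ranges, counted per destination, port and action.
    param([Parameter(ValueFromPipeline)] [psobject]$Record,
          [int[]]$DstPort = @(443),
          [string[]]$InternalCidr = @('10.5.10.0/24', '127.0.0.0/8'))   # assumed internal ranges
    begin { $hits = [System.Collections.Generic.List[object]]::new() }
    process {
        if ($null -eq $Record -or $DstPort -notcontains $Record.'dst-port') { return }
        foreach ($c in $InternalCidr) { if (Test-IPv4InCidr $Record.'dst-ip' $c) { return } }
        $hits.Add($Record)
    }
    end {
        $hits | Group-Object 'dst-ip', 'dst-port', 'action' | ForEach-Object {
            [pscustomobject]@{
                DstIP   = $_.Group[0].'dst-ip'
                DstPort = $_.Group[0].'dst-port'
                Action  = $_.Group[0].action
                Count   = $_.Count
                Sources = ($_.Group.'src-ip' | Sort-Object -Unique) -join ','
            }
        } | Sort-Object Count -Descending
    }
}

# Constructed sample in the real file's layout (not real traffic); <NULS> stands in for the
# NUL-padded line that sits between the header and the first record in the real file.
$sampleLog = @'
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
<NULS>
2021-03-27 18:54:41 DROP UDP 192.168.231.149 192.168.231.255 40533 15600 63 - - - - - - - RECEIVE
2021-03-27 18:55:02 ALLOW TCP 10.5.10.21 203.0.113.10 51234 443 0 - 0 0 0 - - - SEND
2021-03-27 18:55:03 ALLOW TCP 10.5.10.22 203.0.113.10 51235 443 0 - 0 0 0 - - - SEND
2021-03-27 18:55:09 ALLOW TCP 10.5.10.21 10.5.10.5 51240 443 0 - 0 0 0 - - - SEND
2021-03-27 18:55:11 DROP ICMP 10.5.10.21 198.51.100.7 - - 60 - - - - 8 0 - SEND
'@ -split "`r?`n"
$sampleLog = $sampleLog -replace '^<NULS>$', ("`0" * 16)

$sampleLog | ConvertFrom-WindowsFirewallLog | Get-FirewallEgressSummary -DstPort 443 | Format-Table

# Live view of one workstation (assumed path): -Wait keeps feeding lines and the parser emits one
# object per line, so nothing buffers as long as Format-Table is used without -AutoSize.
# Get-Content C:\temp\POSFWLogs\pfirewall.log -Wait -Tail 1 |
#     ConvertFrom-WindowsFirewallLog | Where-Object { $_.'dst-port' -eq 443 } | Format-Table
```

Run against the sample, the summary keeps the two port-443 connections to 203.0.113.10 and drops the one to 10.5.10.5 as internal; the ICMP record never passes the port filter because its port is $null rather than the string "-". Because the parser works line by line in a process block, the same pipeline behaves with Get-Content -Wait, and the -AutoSize caveat from the post above still applies: Format-Table -AutoSize has to see every object before it can size the columns, so on an endless stream it never prints.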
