Tuesday, September 2, 2008

Parsing Event Logs for Windows Firewall Entries

Note: Sat Jun 9 11:39:23 Pacific Daylight Time 2012
A number of posts on my Network Security blog update this post some - THX RMF

Parsing Event Logs. So what I am trying to do is fish out all the Windows Firewall entries that tell me which internal ports communicate with the outside world. This is a useful way to use pfirewall.log (the Windows Firewall log) to check for Trojans. I have Event Viewer entries like the one below that give me more information than pfirewall.log does:

Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 9/3/2008
Time: 6:58:53 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: RMFMEDIA
Description:
The Windows Firewall has detected an application listening for incoming traffic.

Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1432
User account: NETWORK SERVICE
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 61248
Allowed: No
User notified: No

D:\>tail pfirewall.log
2008-09-03 07:27:37 OPEN UDP 192.168.1.114 69.7.46.8 56319 53 - - - - - - - - -
2008-09-03 07:27:37 OPEN TCP 192.168.1.114 72.14.207.191 1551 80 - - - - - - - - -
2008-09-03 07:27:38 OPEN UDP 192.168.1.114 192.168.0.2 1025 514 - - - - - - - - -
2008-09-03 07:27:44 CLOSE TCP 192.168.1.114 72.14.223.191 1550 80 - - - - - - - - -
2008-09-03 07:27:44 DROP TCP 72.14.223.191 192.168.1.114 80 1550 288 AP 2880782099
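As an added example (not code from the original post), here is a PowerShell function that turns pfirewall.log lines into objects and then lists the outbound OPEN entries from the internal host to addresses outside the local network, which is the "what talks out" view the post is after. It assumes the XP SP2 / Server 2003 log layout, whose column names come from the "#Fields:" header line (reproduced below as the default when no header is present); the internal-network prefix and the log path are assumptions, and the sample lines are constructed from the ones shown above.

```powershell
# Added example, not the original post's code.
# Parses the XP SP2-style pfirewall.log (space-separated, "#Fields:" header) into objects.
$LocalNet = '192.168.'   # assumed: prefix of the internal network

# Sample input constructed from the lines shown in the post, with the standard header
$Sample = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2008-09-03 07:27:37 OPEN UDP 192.168.1.114 69.7.46.8 56319 53 - - - - - - - - -
2008-09-03 07:27:37 OPEN TCP 192.168.1.114 72.14.207.191 1551 80 - - - - - - - - -
2008-09-03 07:27:38 OPEN UDP 192.168.1.114 192.168.0.2 1025 514 - - - - - - - - -
2008-09-03 07:27:44 CLOSE TCP 192.168.1.114 72.14.223.191 1550 80 - - - - - - - - -
2008-09-03 07:27:44 DROP TCP 72.14.223.191 192.168.1.114 80 1550 288 AP 2880782099
'@ -split "`r?`n"

function ConvertFrom-PfirewallLog {
    param([string[]]$Lines)
    # Default column names for the XP SP2 format, used when the file has no #Fields header
    $fields = 'date','time','action','protocol','src-ip','dst-ip','src-port','dst-port',
              'size','tcpflags','tcpsyn','tcpack','tcpwin','icmptype','icmpcode','info'
    foreach ($l in $Lines) {
        if ($l -match '^#Fields:\s*(.+)$') { $fields = $matches[1] -split '\s+'; continue }
        if ($l -match '^#' -or $l.Trim() -eq '') { continue }   # other header/comment lines
        $parts = $l -split '\s+'
        $obj = [ordered]@{}
        # Short rows (the DROP line above lacks trailing columns) just leave those fields empty
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $obj[$fields[$i]] = if ($i -lt $parts.Count) { $parts[$i] } else { '' }
        }
        [pscustomobject]$obj
    }
}

$entries = ConvertFrom-PfirewallLog -Lines $Sample

# Outbound OPENs from the internal host to non-local addresses: local port, protocol, remote endpoint
$entries |
    Where-Object { $_.action -eq 'OPEN' -and
                   $_.'src-ip'.StartsWith($LocalNet) -and
                   -not $_.'dst-ip'.StartsWith($LocalNet) } |
    Select-Object 'src-port','protocol','dst-ip','dst-port' |
    Format-Table -AutoSize

# To run over the real file (default XP location assumed; adjust the path as needed):
#   ConvertFrom-PfirewallLog -Lines (Get-Content 'C:\WINDOWS\pfirewall.log')
```

With the sample input this prints two rows (UDP 56319 to 69.7.46.8:53 and TCP 1551 to 72.14.207.191:80); the 1025 to 192.168.0.2:514 line is excluded because the destination is on the local network. Piping `$entries` to `Export-Csv` instead of `Format-Table` gives the CSV form the post wants.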

This is the basic idea:

( ( get-eventlog -logname security | where {$_.EntryType -eq "FailureAudit"} )| Select ReplacementStrings,TimeGenerated,Message )

The spew below also works now. What I wanted to do is limit the event log entries to today's date, but I couldn't find any easy way to embed a 'get-date' command without parsing it.

# Today's date is the first token of 'get-date -format g' (e.g. "9/3/2008")
$date = (get-date -format g).Split(" ")
$now = $date[0].ToString()

# All of today's Failure Audit entries from the Security log.
# Note: -match treats $now as a regular expression, so in a locale that writes dates with '.' separators
# the pattern should be escaped first ([regex]::Escape($now)).
$TodaysFA = ( ( get-eventlog -logname security | where {$_.EntryType -eq "FailureAudit" -and $_.TimeGenerated -match "$now" } )| Select ReplacementStrings,TimeGenerated,Message )

# Only today's event ID 861 entries (Windows Firewall "application listening for incoming traffic" audits)
$Todays_861 = ( ( get-eventlog -logname security | where {$_.EventID -eq "861" -and $_.TimeGenerated -match "$now" } )| Select ReplacementStrings,TimeGenerated,Message )

Next up: to dump just the Message field and extract out the port number and other various info into a csv. What I really want is just this information in a csv:

Process identifier: 1432
User account: NETWORK SERVICE
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 61248
Allowed: No
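One way to do that step, added here as an example rather than the post's own code: pull today's event ID 861 entries, split each Message into its "Key: Value" lines, and write just the fields listed above to a CSV. It assumes Windows PowerShell 3.0 or later (for `[ordered]` and `[pscustomobject]`), read access to the Security log (run elevated), and an arbitrary output path; `-After (Get-Date).Date` restricts to today without string-matching the date.

```powershell
# Added example, not the original post's code.
$OutFile = 'C:\Temp\fw861.csv'   # assumed output path
$Since   = (Get-Date).Date        # midnight today

# The Message fields we want, in the column order listed in the post
$Wanted = 'Process identifier','User account','User domain','Service',
          'RPC server','IP version','IP protocol','Port number','Allowed'

Get-EventLog -LogName Security -After $Since |
    Where-Object { $_.EventID -eq 861 } |
    ForEach-Object {
        # Every "Key: Value" line of the Message becomes an entry; lines without a
        # colon (the description sentence) are skipped. Values may themselves contain
        # ':' (e.g. Path: C:\...), so only the first colon separates key from value.
        $parsed = @{}
        foreach ($line in ($_.Message -split "`r?`n")) {
            if ($line -match '^\s*([^:]+?):\s*(.*?)\s*$') {
                $parsed[$matches[1]] = $matches[2]
            }
        }
        # Emit a fixed set of columns so the CSV header is stable across runs
        $row = [ordered]@{ TimeGenerated = $_.TimeGenerated }
        foreach ($k in $Wanted) { $row[$k] = $parsed[$k] }
        [pscustomobject]$row
    } |
    Export-Csv -Path $OutFile -NoTypeInformation
```

For a quick review, `Import-Csv $OutFile | Where-Object { $_.Allowed -eq 'No' } | Sort-Object 'Port number' -Unique` lists the blocked listeners by port; adding `Path` to `$Wanted` makes it easy to spot a listener running from an unexpected location.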
