• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 686
  • Last Modified:

Powershell query windows event log for %1 variables

Hello

Event ID: 20272 logged in windows system event log, http://technet.microsoft.com/en-us/library/cc733849(WS.10).aspx 
The user: %1 connected on port: %2 on: %3 at: %4 and disconnected on: %5 at: %6. The user was active for: %7 minutes %8 seconds. %9 bytes were sent and %10 bytes were received. The reason for disconnecting was: %11.

When viewwed in the event log appears as
CoID={DCF3376C-A901-4685-ACC5-698EAC5876B8}: The user domain\first.last connected on port VPN2-127 on 1/10/2011 at 7:53 PM and disconnected on 1/10/2011 at 9:13 PM.  The user was active for 80 minutes 33 seconds.  19113013 bytes were sent and 2478245 bytes were received. The reason for disconnecting was user request.

Question, the message does not contain the ":" colon character, is there a way in powershell to extract the %1 to %11 values with out assuming instring posistioning?

I have code in powershell to locate, read and export to csv. Looking for code to extract system entered values.

Thanks in advance.
0
hairylots
Asked:
hairylots
  • 4
  • 3
  • 2
1 Solution
 
QlemoC++ DeveloperCommented:
You  can use the following expression. $msg is the event log entry, $tpl the template as shown above.
$msg -match ($tpl -split ":* %\d+" -join " (.*)")
$matches
$matches[1..($matches.count-1)]

Open in new window

The last two lines show the original result, including the complete line as $matches[0], where the matches are displayed in reversed order, and how to access specific values.
0
 
hairylotsAuthor Commented:
Hello Qlemo

Thanks for that responce, this approach is working except I missed one value from the string you have used as a template. Note the actual message has a value at the begining of the line: "CoID={DCF3376C-A901-4685-ACC5-698EAC5876B8}: ", this value appears to be randomly generated in the format of 43 characters: "CoID={random-string-of-numbers}: "
Message
-------
CoID={2BFA4324-66E9-49A3-984B-94747A711C62}:
CoID={35B2473E-17C9-497C-B16C-C145DA0BD7D0}:
CoID={DCF3376C-A901-4685-ACC5-698EAC5876B8}:
CoID={ED43C659-D7AE-49AD-9169-FC2168656290}:
CoID={E953708F-66BE-480D-94F6-B7FFB9D0AF56}:
CoID={ED43C659-D7AE-49AD-9169-FC2168656290}:
CoID={E953708F-66BE-480D-94F6-B7FFB9D0AF56}:
CoID={ED43C659-D7AE-49AD-9169-FC2168656290}:
CoID={E953708F-66BE-480D-94F6-B7FFB9D0AF56}:
CoID={ED43C659-D7AE-49AD-9169-FC2168656290}:

How can I modify the $tpl to deal with this startof string value?

Thanks in advance, your assitance is appreciated.
0
 
hairylotsAuthor Commented:
Hello Qlemo

Found a workable solution but woudl prefer a better one if avaiable.

$tpl = "The user: %1 connected on port: %2 on: %3 at: %4 and disconnected on: %5 at: %6. The user was active for: %7 minutes %8 seconds. %9 bytes were sent and %10 bytes were received. The reason for disconnecting was: %11."
$msg = "CoID={2BFA4324-66E9-49A3-984B-94747A711C62}: The user domain\first.last connected on port VPN2-127 on 1/10/2011 at 7:53 PM and disconnected on 1/10/2011 at 9:13 PM.  The user was active for 80 minutes 33 seconds.  19113013 bytes were sent and 2478245 bytes were received. The reason for disconnecting was user request."
$pos = $msg.IndexOf(" ")
$msg = $msg.Substring($pos+1)
$msg -match ($tpl -split ":* %\d+" -join " (.*)")
$matches
$matches[1..($matches.count-1)]

Thanks.
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
chrismerrittCommented:
Slight modification:

$tpl = "The user: %1 connected on port: %2 on: %3 at: %4 and disconnected on: %5 at: %6. The user was active for: %7 minutes %8 seconds. %9 bytes were sent and %10 bytes were received. The reason for disconnecting was: %11."
$msg = "CoID={2BFA4324-66E9-49A3-984B-94747A711C62}: The user domain\first.last connected on port VPN2-127 on 1/10/2011 at 7:53 PM and disconnected on 1/10/2011 at 9:13 PM.  The user was active for 80 minutes 33 seconds.  19113013 bytes were sent and 2478245 bytes were received. The reason for disconnecting was user request."
$msg = $msg.SubString($msg.IndexOf(":") + 2)
$msg -match ($tpl -split ":* %\d+" -join " (.*)")
$matches
$matches[1..($matches.count-1)]

Matching stuff looks cool, not played around with it before.

Though to be honest I am wondering why you don't simply query the event logs with WMI and utilise the built in functions to retrieve the values?

For example:

$Events = get-wmiobject -class win32_ntlogevent -computerName "ENTER COMPUTER NAME HERE" -filter "(EventCode=1221) and (LogFile='Application')"

foreach ($Event in $Events)
{
	$Event.InsertionStrings[0]
	$Event.InsertionStrings[1]
	$Event.InsertionStrings[2]
}

Open in new window


InsertionStrings is an array of items assigned to the Event.

Obviously you will need to change the above filter to work with your server, and pick the right log and eventid you are looking for.
0
 
QlemoC++ DeveloperCommented:
If that part is occuring with all your event log entries, then this is most simple:
$tpl = "The user: %1 connected on port: %2 on: %3 at: %4 and disconnected on: %5 at: %6. The user was active for: %7 minutes %8 seconds. %9 bytes were sent and %10 bytes were received. The reason for disconnecting was: %11."
$msg = "CoID={2BFA4324-66E9-49A3-984B-94747A711C62}: The user domain\first.last connected on port VPN2-127 on 1/10/2011 at 7:53 PM and disconnected on 1/10/2011 at 9:13 PM.  The user was active for 80 minutes 33 seconds.  19113013 bytes were sent and 2478245 bytes were received. The reason for disconnecting was user request."
$msg -match ("CoID={.*}: " + $tpl -split ":* %\d+" -join " (.*)")
$matches
$matches[1..($matches.count-1)]

Open in new window

If you wonder why the CoID does not appear in $matches, while the other regular expression patterns do: I did not enclose them in parens (), so they are not grouped, and hence not stored in $matches.
0
 
hairylotsAuthor Commented:
Sorry for the delay in responding.

Thansk to both recommendations. Wish I could understand the suggestion from Qlemo as it looks quite impressive. I did find suggestion from chrismerritt easier to work with tho.

Here is end result that displays desired report to cli.
========================
$strComputer="1.1.1.1"
$strHostName="hostname"

$promptpass = Read-Host -Assecurestring "Please enter a password"
$mycreds = New-Object System.Management.Automation.PSCredential ("dcdomainname\user.name", $promptpass)

$logfile = "System"
$EventCode = "20272"

$Events = get-wmiobject -computerName $strComputer -Credential $mycreds win32_ntlogevent -filter "(EventCode='$EventCode') and (LogFile='$logfile')"

foreach ($Event in $Events)
{
      for ($i=1; $i -le 11; $i++)
      {
            if ($i -lt 11)
            {$strMessage1 = $strMessage1 + $Event.InsertionStrings[$i] + ", "}
            else
            {$strMessage1 = $strMessage1 + $Event.InsertionStrings[$i]}
      }
      $strMessage1 = $strMessage1 + "`r`n"
      $strMessage2 = $strMessage2 + $strMessage1
}
$myCollection += $strMessage2
$myCollection
===============

Thanks again.
0
 
hairylotsAuthor Commented:
thanks
0
 
QlemoC++ DeveloperCommented:
I agree that using WMI for this purpose is easier to work with, if you do not get the regular expression syntax right and understandable. RegExp isn't an easy-to-get topic ...
0
 
chrismerrittCommented:
Glad my suggestion helped, I had the same problem when looking for whitespace events id's for exchange and the WMI stuff was really good for it :)
0

Featured Post

What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

  • 4
  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now