Member_2_6492660_1
Powershell Extracting info from Event Log Error
Windows 2008 Server
I get this event error every now and then, and I want to create a script to extract the IP address from this message and place it in a file, to build a file of all the IP addresses from all the messages. Then I can update my firewall rule to add the list to the not allowed in my rule.
My code
$DT = [DateTime]::Now.AddDays(-1)
$l = Get-EventLog Application -InstanceId 1035 -after $DT
$l | select-string -inputobject {$_.message} -pattern "Microsoft Exchange is (.)*\.*\.*\.*" -allmatches | foreach-object {$_.Matches} | foreach-object {$_.Value} | foreach-object {$_.replace("Microsoft Exchange is ", "")} | group-object -property $_ | where-object {$_.count -gt 10} | select-object -property name | format-list | out-file c:\rdpblock.txt
get-content -path c:\rdpblock.txt | foreach-object {$_.replace("Name :", "")} | out-file c:\rdpblockcleaned.txt
get-content -path c:\rdpblockcleaned.txt | select-object -unique | out-file c:\rdpblocknospaces.txt
$c = get-content -path c:\rdpblocknospaces.txt | select-object -skip 1
Results
PS C:\util> ./getipfrom1035
Get-EventLog : No matches found
At C:\util\GetIPFrom1035.ps1:3 char:6
+ $l = Get-EventLog Application -InstanceId 1035 -after $DT
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (:) [Get-EventLog], ArgumentException
+ FullyQualifiedErrorId : GetEventLogNoEntriesFound,Microsoft.PowerShell.Commands.GetEventLogCommand
PS C:\util>
The event log message
Log Name: Application
Source: MSExchangeTransport
Date: 7/21/2015 6:32:12 PM
Event ID: 1035
Task Category: SmtpReceive
Level: Warning
Keywords: Classic
User: N/A
Computer: SERV025.FQDN.com
Description:
Inbound authentication failed with error LogonDenied for Receive connector Default SERV025. The authentication mechanism is Ntlm. The source IP address of the client who tried to authenticate to Microsoft Exchange is [193.0.200.134].
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSExchangeTransport" />
<EventID Qualifiers="32772">1035</EventID>
<Level>3</Level>
<Task>1</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2015-07-21T22:32:12.000000000Z" />
<EventRecordID>206324</EventRecordID>
<Channel>Application</Channel>
<Computer>SERV025.FQDN.com</Computer>
<Security />
</System>
<EventData>
<Data>LogonDenied</Data>
<Data>Default SERV025</Data>
<Data>Ntlm</Data>
<Data>193.0.200.134</Data>
</EventData>
</Event>
Also I want to run this command in the script
netsh advfirewall firewall set rule name="Block_IP" new remoteip=38.87.45.44,193.0.200.134 etc
Need to read the file and create this line
Thoughts.
From what I've seen, you will get the error when there is an event with a matching ID, but not one that falls within the specified timeframe. However, you can hide the error by using -errorAction SilentlyContinue.
Since you have Server 2008, I'll advocate using Get-WinEvent with a filter hashtable as it is faster. See how this bit works for you (should work for a single event).
$l = Get-WinEvent -FilterHashtable @{ LogName = "Application"; id = 1035; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue
$IP = ([xml]$l.ToXml()).Event.EventData.Data[3]
For more than one event, this should work.
Get-WinEvent -FilterHashtable @{ LogName = "Application"; id = 1035; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
ForEach { ([xml]$_.ToXml()).Event.EventData.Data[3] }
Besides getting the IP, I don't know where you're going with line 5 of your code, so maybe you can explain what you have in mind.
found the reason.
the time stamp doesn't work after -After parameter
you will need to change to this
$DT = [DateTime]::Now.AddDays(-1).ToshortDateString()
ASKER
Thanks Guys
Made both changes now the job runs
But the output file rdpblock.txt is empty.
My current code.
$DT = [DateTime]::Now.AddDays(-1).ToshortDateString()
$l = Get-WinEvent -FilterHashtable @{ LogName = "Application"; id = 1035; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue
$IP = ([xml]$l.ToXml()).Event.EventData.Data[3]
$l | select-string -inputobject {$_.message} -pattern "Microsoft Exchange is (.)*\.*\.*\.*" -allmatches | foreach-object {$_.Matches} | foreach-object {$_.Value} | foreach-object {$_.replace("Microsoft Exchange is ", "")} | group-object -property $_ | where-object {$_.count -gt 10} | select-object -property name | format-list | out-file c:\rdpblock.txt
This runs on the server itself not remotely.
Footech
Besides getting the IP, I don't know where you're going with line 5 of your code, so maybe you can explain what you have in mind.
I need to build a file rdpblock.txt to look like this
38.13.85.101
151.11.112.32
192.168.38.100
etc etc etc.
Then lastly build the
netsh advfirewall firewall set rule name="Block_IP" new remoteip=38.87.45.44,193.0.200.134 etc
which needs to read the rdpblock.txt file to get all the ip addresses.
Hope that explains
@Justin - I don't think that's right. I've used a datetime object for the parameter. One thing I've noticed that may affect the results is that InstanceID and EventID are not always the same thing.
The pattern in Select-String won't match, so that's one problem.
Your description doesn't quite cover everything. What's the Group-Object and Where-Object and so forth in there for? Rather than making (educated) guesses, I'd rather hear it from you.
$IPs = Get-WinEvent -FilterHashtable @{ LogName = "Application"; id = 1035; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
ForEach { ([xml]$_.ToXml()).Event.EventData.Data[3] } |
Select -Unique
If ( Test-Path c:\rdpblock.txt )
{
$read = Get-Content c:\rdpblock.txt
$IPs += $read
$IPs = $IPs | Select -Unique
}
$IPs | Out-File c:\rdpblock.txt -Encoding ascii
$netIPs = $IPs -join ","
netsh advfirewall firewall set rule name="Block_IP" new remoteip=$netIPs
ASKER
Footech
the above is working now just one minor problem
the netsh command failed
The contents of rdpblock.txt are:
193.0.200.13438.87.45.44220.130.108.48
My script is this now
$IPs = Get-WinEvent -FilterHashtable @{ LogName = "Application"; id = 1035; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
ForEach { ([xml]$_.ToXml()).Event.EventData.Data[3] } |
Select -Unique
If ( Test-Path c:\rdpblock.txt )
{
$read = Get-Content c:\rdpblock.txt
$IPs += $read
$IPs = $IPs | Select -Unique
}
$IPs | Out-File c:\rdpblock.txt -Encoding ascii
$netIPs = $IPs -join ","
netsh advfirewall firewall set rule name="Block_IP" new remoteip=$netIPs
netsh advfirewall firewall show rule name="Block_IP"
I ran it and this is the console I also showed what the Firewall rule looks like
PS C:\util> set-psbreakpoint -script c:\util\getipfrom1035.ps1 -variable cn
ID Script Line Command Variable Action
-- ------ ---- ------- -------- ------
0 getipfrom1035.ps1 cn
PS C:\util> ./getipfrom1035
A specified IP address or address keyword is not valid.
Usage: set rule
group=<string> | name=<string>
[dir=in|out]
[profile=public|private|domain|any[,...]]
[program=<program path>]
[service=service short name|any]
[localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
[remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
[localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any]
[remoteport=0-65535|<port range>[,...]|any]
[protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
tcp|udp|any]
new
[name=<string>]
[dir=in|out]
[program=<program path>
[service=<service short name>|any]
[action=allow|block|bypass]
[description=<string>]
[enable=yes|no]
[profile=public|private|domain|any[,...]]
[localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
[remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
[localport=0-65535|RPC|RPC-EPMap|any[,...]]
[remoteport=0-65535|any[,...]]
[protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
tcp|udp|any]
[interfacetype=wireless|lan|ras|any]
[rmtcomputergrp=<SDDL string>]
[rmtusrgrp=<SDDL string>]
[edge=yes|deferapp|deferuser|no (default=no)]
[security=authenticate|authenc|authdynenc|notrequired]
Remarks:
- Sets a new parameter value on an identified rule. The command fails
if the rule does not exist. To create a rule, use the add command.
- Values after the new keyword are updated in the rule. If there are
no values, or keyword new is missing, no changes are made.
- A group of rules can only be enabled or disabled.
- If multiple rules match the criteria, all matching rules will
be updated.
- Rule name should be unique and cannot be "all".
- If a remote computer or user group is specified, security must be
authenticate, authenc or authdynenc.
- Setting security to authdynenc allows systems to dynamically
negotiate the use of encryption for traffic that matches
a given Windows Firewall rule. Encryption is negotiated based on
existing connection security rule properties. This option
enables the ability of a machine to accept the first TCP
or UDP packet of an inbound IPsec connection as long as
it is secured, but not encrypted, using IPsec.
Once the first packet is processed, the server will
re-negotiate the connection and upgrade it so that
all subsequent communications are fully encrypted.
- Authdynenc is valid only when dir=in.
- If action=bypass, the remote computer group must be specified when dir=in.
- If service=any, the rule applies only to services.
- ICMP type or code can be "any".
- Edge can only be specified for inbound rules.
Examples:
Change the remote IP address on a rule called "allow80":
netsh advfirewall firewall set rule name="allow80" new
remoteip=192.168.0.2
Enable a group with grouping string "Remote Desktop":
netsh advfirewall firewall set rule group="remote desktop" new
enable=yes
Change the localports on the rule "Allow port range" for udp-
Set rule name="Allow port range" dir=out protocol=udp localport=5000-5020 action=allow
Rule Name: Block_IP
----------------------------------------------------------------------
Enabled: Yes
Direction: In
Profiles: Domain,Private,Public
Grouping:
LocalIP: Any
RemoteIP: 38.87.45.44/32,220.130.108.48/32
Protocol: TCP
LocalPort: Any
RemotePort: 25
Edge traversal: No
Action: Block
Ok.
PS C:\util>
Not sure what $netIPS looks like before it is passed to the command line. Can we display it to see?
I think it needs commas between the IP addresses
Thoughts
Hmm... There should be one IP per line in the rdpblock.txt file. Easiest fix right now is to edit the file so it is so. I suppose it could have happened if the file was first created with only a single line - then when it was read in it was just a string type instead of an array of strings. That would cause the append to happen in a way we don't want.
You could modify line 6 so this wouldn't happen again if you started over.
$read = @(Get-Content c:\rdpblock.txt)
You can write out the contents of a variable at any time during a script. If you want to do it after a script is run, then the easiest way is to run the script in the global scope.
. .\getipfrom1035
ASKER
Footech
Yes I agree one ip address per line would be the best
So I changed the file rdpblock.txt to this
193.0.200.134
38.87.45.44
220.130.108.48
Changed Line 6 to
$read = @(Get-Content c:\rdpblock.txt)
New Code is
$IPs = Get-WinEvent -FilterHashtable @{ LogName = "Application"; id = 1035; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
ForEach { ([xml]$_.ToXml()).Event.EventData.Data[3] } |
Select -Unique
If ( Test-Path c:\rdpblock.txt )
{
$read = @(Get-Content c:\rdpblock.txt)
$IPs += $read
$IPs = $IPs | Select -Unique
}
$IPs | Out-File c:\rdpblock.txt -Encoding ascii
$netIPs = $IPs -join ","
netsh advfirewall firewall set rule name="Block_IP" new remoteip=$netIPs
netsh advfirewall firewall show rule name="Block_IP"
Now the RDPBLOCK.TXT file is back to a single line
193.0.200.134193.0.200.13438.87.45.44220.130.108.48
So what do you think is wrong?
Also I tried
. .\getipfrom1035
Same results and no variables displayed
The RDPBlock.TXT file needs to be corrected first but not sure where to go from here
Thoughts
ASKER
Footech
I did this that may help you
PS C:\Util> ls variable:
Name Value
---- -----
$ variable:
? False
^ is
args {}
ConfirmPreference High
ConsoleFileName
CurrentlyExecutingCommand
DebugPreference SilentlyContinue
Error {The term 'is' is not recognized as the name of a cmdlet, function, script f...
ErrorActionPreference Continue
ErrorView NormalView
ExecutionContext System.Management.Automation.EngineIntrinsics
false False
FormatEnumerationLimit 4
HOME C:\Users\administrator.mydom
Host System.Management.Automation.Internal.Host.InternalHost
input System.Collections.ArrayList+ArrayListEnumeratorSimple
IPs 193.0.200.134193.0.200.13438.87.45.44 220.130.108.48
LASTEXITCODE 0
MaximumAliasCount 4096
MaximumDriveCount 4096
MaximumErrorCount 256
MaximumFunctionCount 4096
MaximumHistoryCount 4096
MaximumVariableCount 4096
MyInvocation System.Management.Automation.InvocationInfo
NestedPromptLevel 0
netIPs 193.0.200.134193.0.200.13438.87.45.44 220.130.108.48
null
OutputEncoding System.Text.SBCSCodePageEncoding
PID 8224
profile C:\Users\administrator.mydom\Documents\WindowsPowerShell\Microsoft.PowerShellI...
ProgressPreference Continue
PSBoundParameters {}
PSCommandPath C:\Util\GetIPFrom1035.ps1
PSCulture en-US
PSDefaultParameterValues {}
PSEmailServer
PSHOME C:\Windows\System32\WindowsPowerShell\v1.0
psISE Microsoft.PowerShell.Host.ISE.ObjectModelRoot
PSScriptRoot C:\Util
PSSessionApplicationName wsman
PSSessionConfigurationName http://schemas.microsoft.com/powershell/Microsoft.PowerShell
PSSessionOption System.Management.Automation.Remoting.PSSessionOption
PSUICulture en-US
psUnsupportedConsoleApplica... {wmic, wmic.exe, cmd, cmd.exe...}
PSVersionTable {PSVersion, WSManStackVersion, SerializationVersion, CLRVersion...}
PWD C:\Util
read {193.0.200.13438.87.45.44 220.130.108.48}
ShellId Microsoft.PowerShell
StackTrace at System.Management.Automation.CommandDiscovery.LookupCommandInfo(String...
true True
VerbosePreference SilentlyContinue
WarningPreference Continue
WhatIfPreference False
Shows how the IPs are not correctly formatted
HTH
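Added example, not part of the thread or of anyone's posted script: the variable listing above shows `IPs` as one plain string rather than a list, which is what PowerShell produces when a pipeline returns a single item (a string) and an array is then appended with `+=`. The sketch below forces arrays with `@()`, validates every entry as a dotted-quad IPv4 literal before it reaches `netsh`, and reinstates a failure-count threshold like the one in the asker's first script. `Test-IPv4Literal`, `Get-BlockList`, the threshold of 3 and the never-block entry are assumptions, and the sample data is constructed.

```powershell
# Added example, not code from the thread. Test-IPv4Literal, Get-BlockList,
# the threshold and the never-block entry are assumptions; sample data is constructed.

function Test-IPv4Literal {
    param([string]$Text)
    # Require a plain dotted quad first: IPAddress.TryParse alone also accepts
    # short forms such as "1" or "10.1".
    if ($Text -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $false }
    $parsed = $null
    return [System.Net.IPAddress]::TryParse($Text, [ref]$parsed)
}

function Get-BlockList {
    param(
        [string[]]$EventIPs,          # one entry per 1035 event, duplicates expected
        [string[]]$Existing,          # lines already in the block file
        [int]$Threshold = 3,          # failures required before a new address is added
        [string[]]$NeverBlock = @()   # addresses that must never reach the rule
    )
    # Count failures per source address; keep those at or above the threshold.
    $offenders = @($EventIPs | Where-Object { $_ } | Group-Object |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object { $_.Name })

    # @() on both operands keeps "+" as array concatenation even when one side
    # holds a single item (a bare string + array is string concatenation).
    $merged = @($offenders) + @($Existing | Where-Object { $_ })

    # Drop anything that is not a clean IPv4 literal, e.g. a run-together line
    # left in the file by an earlier bad run, then de-duplicate.
    @($merged | ForEach-Object { "$_".Trim() } |
        Where-Object { (Test-IPv4Literal $_) -and ($NeverBlock -notcontains $_) } |
        Sort-Object -Unique)
}

# Constructed sample input: 193.0.200.134 fails three times, 220.130.108.48 once.
$sampleEvents   = '193.0.200.134', '193.0.200.134', '193.0.200.134', '220.130.108.48'
# Constructed file content, including one run-together line.
$sampleExisting = '38.87.45.44', '193.0.200.13438.87.45.44'

# On the server, the event addresses would come from the query used in the thread
# (without Select -Unique, so that failures can be counted):
# $sampleEvents = @(Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1035;
#     StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
#     ForEach-Object { ([xml]$_.ToXml()).Event.EventData.Data[3] })

# Wrap the call in @() as well: a function that emits one item yields a scalar.
$list = @(Get-BlockList -EventIPs $sampleEvents -Existing $sampleExisting -NeverBlock '10.2.8.2')

if ($list.Count -gt 0) {
    $remote = $list -join ','
    # Printed for review rather than executed; run it once the list looks right.
    "netsh advfirewall firewall set rule name=`"Block_IP`" new remoteip=$remote"
} else {
    'No valid addresses; leaving the firewall rule unchanged.'
}
```

Because `set rule ... new remoteip=` replaces the rule's whole remote address list, the merged list has to carry the addresses already in the file as well as the new ones.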
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
Footech
You got it, now working.
Can I email the report in PowerShell?
I would like the output of this command in the body of an email
netsh advfirewall firewall show rule name="Block_IP"
Look like this
Rule Name: Block_IP
----------------------------------------------------------------------
Enabled: Yes
Direction: In
Profiles: Domain,Private,Public
Grouping:
LocalIP: Any
RemoteIP: 38.87.45.44/32,193.0.200.134/32,220.130.108.48/32
Protocol: TCP
LocalPort: Any
RemotePort: 25
Edge traversal: No
Action: Block
Ok.
I can add these two lines for sending email
$PSEmailServer = "serv025.mydomain.net"
PS C:\> Send-MailMessage -From "no-reply@mydomain.net" -To "support@mydomain.net" -Subject "SERV025 Firewall Rule BlockIP Updated" -Body " XXXXXXXXXXXXXX "
This works sending email, just need a way to get the output into the body?
Thoughts?
SOLUTION
This solution is only available to members.
ASKER
Footech, we are getting very close to finishing this one. Thanks for all the help.
The above works when I am connected from my machine to the Server using PowerShell
From my computer I start PowerShell and then issue
Enter-pssession -computername serv025
Then I run this and I get an email sent to my account all good
$body = netsh advfirewall firewall show rule name="Block_IP" | Out-String
$PSEmailServer = "serv025.mydomain.net"
Send-MailMessage -From "no-reply@mydomain.net" -To "support@mydomain.net" -Subject "SERV025 Firewall Rule BlockIP Updated" -Body $body -smtpserver $PSEmailServer
When I run the code above on my Server Windows 2008 R2 running Exchange 2010
The email is never sent.
I even changed the $PSEmailServer = "serv025.mydomain.net"
to $PSEmailServer = "10.2.8.2" the ip address of SERV025
No luck
Thoughts
You just keep adding on don't you? :)
I think you would best be served by asking a new question for the last. Sounds like Exchange is blocking the email or it's not getting routed correctly. I no longer deal with on-site Exchange so can't really help. I also don't see why it would be different in a local session on the Exchange vs. a remote session to that same machine.
ASKER
Footech
Yes indeed it works
Checked the exchange server, found event id 1020, going to open new case for that one if needed
Thanks for all your help
are you running this remotely or on the box itself?