Member_2_6492660_1
asked on
Powershell Extract info from Event Error help needed
Windows 2012 Server R2
PowerShell 4.0
Wrote a PowerShell script to extract the IP address from event ID 1309; it then takes that IP address, adds it to a file, and passes the IP address to a netsh command line to update the firewall rule.
I have one I wrote that runs on a Windows 2008 Server with no problems.
I have one of the errors still in the application event log, which was entered on 8/2/2015 at 9:51 pm, but it does not find it.
Log Name: Application
Source: ASP.NET 4.0.30319.0
Date: 8/2/2015 9:51:18 PM
Event ID: 1309
Task Category: Web Event
Level: Warning
Keywords: Classic
User: N/A
Computer: SERV013.FQDNcom
Description:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 8/2/2015 9:51:18 PM
Event time (UTC): 8/3/2015 1:51:18 AM
Event ID: c087d8ccd13b4fd792a3b3f90060dab5
Event sequence: 2
Event occurrence: 1
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/4/ROOT-1-130830402780931787
Trust level: Full
Application Virtual Path: /
Application Path: C:\inetpub\wwwroot\Music\
Machine name: SERV013
Process information:
Process ID: 6292
Process name: w3wp.exe
Account name: IIS APPPOOL\Music
Exception information:
Exception type: HttpException
Exception message: A potentially dangerous Request.Path value was detected from the client (&).
at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)
Request information:
Request URL: http://www.tomsmp3.com/mp3/mp3musicalbums/&amp;artistname&amp;/&amp;recordingtitle&amp;/&amp;trackfilename&amp
Request path: /mp3/mp3musicalbums/&amp;artistname&amp;/&amp;recordingtitle&amp;/&amp;trackfilename&amp
User host address: 180.76.15.160
User:
Is authenticated: False
Authentication Type:
Thread account name: IIS APPPOOL\Music
Thread information:
Thread ID: 6
Thread account name: IIS APPPOOL\Music
Is impersonating: False
Stack trace: at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)
Custom event details: Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ASP.NET 4.0.30319.0" />
    <EventID Qualifiers="32768">1309</EventID>
    <Level>3</Level>
    <Task>3</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-03T01:51:18.000000000Z" />
    <EventRecordID>41709</EventRecordID>
    <Channel>Application</Channel>
    <Computer>SERV013.FQDNcom</Computer>
    <Security />
  </System>
  <EventData>
    <Data>3005</Data>
    <Data>An unhandled exception has occurred.</Data>
    <Data>8/2/2015 9:51:18 PM</Data>
    <Data>8/3/2015 1:51:18 AM</Data>
    <Data>c087d8ccd13b4fd792a3b3f90060dab5</Data>
    <Data>2</Data>
    <Data>1</Data>
    <Data>0</Data>
    <Data>/LM/W3SVC/4/ROOT-1-130830402780931787</Data>
    <Data>Full</Data>
    <Data>/</Data>
    <Data>C:\inetpub\wwwroot\Music\</Data>
    <Data>SERV013</Data>
    <Data>
    </Data>
    <Data>6292</Data>
    <Data>w3wp.exe</Data>
    <Data>IIS APPPOOL\Music</Data>
    <Data>HttpException</Data>
    <Data>A potentially dangerous Request.Path value was detected from the client (&).
at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)
    </Data>
    <Data>http://www.tomsmp3.com/mp3/mp3musicalbums/&amp;amp;artistname&amp;amp;/&amp;amp;recordingtitle&amp;amp;/&amp;amp;trackfilename&amp;amp</Data>
    <Data>/mp3/mp3musicalbums/&amp;amp;artistname&amp;amp;/&amp;amp;recordingtitle&amp;amp;/&amp;amp;trackfilename&amp;amp</Data>
    <Data>180.76.15.160</Data>
    <Data>
    </Data>
    <Data>False</Data>
    <Data>
    </Data>
    <Data>IIS APPPOOL\Music</Data>
    <Data>6</Data>
    <Data>IIS APPPOOL\Music</Data>
    <Data>False</Data>
    <Data> at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)
    </Data>
  </EventData>
</Event>
The IP address is "User host address: 180.76.15.160"
In the code I have "StartTime = (Get-Date).AddDays(-1)". I tried making it "StartTime = (Get-Date).AddDays(-4)".
No luck.
I am using PowerShell ISE.
I only want the script to pick up the last occurrence.
I will be adding a task to the event ID Error 1309 so when that error occurs it will run this script.
It may work as is, but I want to test to make sure my code is OK, so I found the error from 3 days ago and am trying to get that one to work.
Any ideas?
Thanks
my code is this
# Clear the output files from the previous run
del c:\util\reboterr.txt
del C:\util\blockip.txt

# Collect the unique values of EventData.Data[3] from the last day's 1309 events
$IPs = @(Get-WinEvent -FilterHashtable @{ LogName = "Application"; id = 1309; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    ForEach { ([xml]$_.ToXml()).Event.EventData.Data[3] } |
    Select -Unique)

# Merge with the addresses saved by earlier runs
If ( Test-Path c:\util\rebotlist.txt )
{
    $read = @(Get-Content c:\util\rebotlist.txt)
    $IPs += $read
    $IPs = $IPs | Select -Unique
}
$IPs | Out-File c:\util\rebotlist.txt -Encoding ascii

# Look up the addresses and update the firewall rule
$netIPs = $IPs -join ","
nslookup $netIPs >c:\util\reboterr.txt
netsh advfirewall firewall set rule name="Block_IP" new remoteip=$netIPs
netsh advfirewall firewall show rule name="Block_IP" | Out-file c:\util\blockip.txt
ASKER
Guys
Thanks for responding
Made the change to 21
ForEach { ([xml]$_.ToXml()).Event.EventData.Data[3] } |
That worked. The script now works; only one problem yet:
this line fails
nslookup $netIPs >c:\util\reboterr.txt
I know what the problem is: the variable $netIPs is the total number of IPs that I have collected in the file rebotlist.txt.
I need the IP address from the current event message to be placed on the nslookup line.
In this case it should be
nslookup 180.76.15.160 >c:\util\reboterr.txt
Thoughts
ASKER
Guys
Thanks for the help. Script now does what I need.
I even have it send me an email with the information so I know the firewall settings have been updated.
Great Job
It probably finds the event. Correct? Looks like the data for that event is different - the IP isn't in the fourth spot, but rather the 22nd. Without knowing the variability that can occur in event data for event ID 1309 it's hard to come up with a solution.
Do you know if any IP that shows in ID 1309 is one that you want to block?
Might have to do something like change
ForEach { ([xml]$_.ToXml()).Event.Ev
to
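The index problem discussed in this thread (the address in the fourth spot on one server and the 22nd on another) can be sidestepped by validating each `<Data>` value rather than trusting a position. The following is an added example, not code from any poster in the thread; `Get-ClientIpFromEventXml`, `Merge-BlockList`, the `$NeverBlock` parameter and the sample addresses are assumptions made for illustration.

```powershell
# Added example (not the asker's script): locate the client address in a 1309
# event by validating each <Data> value instead of trusting a fixed index.
function Get-ClientIpFromEventXml {
    param([Parameter(Mandatory = $true)][string]$EventXml)

    $doc = [xml]$EventXml
    foreach ($node in $doc.SelectNodes("//*[local-name()='Data']")) {
        $text = $node.InnerText.Trim()
        # [ipaddress]::TryParse alone accepts bare integers such as "3005" or
        # "6292" (event code, process ID), so check the shape first.
        $looksV4 = $text -match '^\d{1,3}(\.\d{1,3}){3}$'
        $looksV6 = $text -match '^[0-9A-Fa-f:]*:[0-9A-Fa-f:.]*$'
        if (-not ($looksV4 -or $looksV6)) { continue }

        $ip = $null
        if ([System.Net.IPAddress]::TryParse($text, [ref]$ip)) { $ip.ToString() }
    }
}

# Hypothetical helper: merge new addresses into the saved list and return the
# comma-separated value for netsh. Addresses in $NeverBlock are skipped.
function Merge-BlockList {
    param([string[]]$Known, [string[]]$New, [string[]]$NeverBlock = @())
    $all = @($Known) + @($New) | Where-Object { $_ -and ($NeverBlock -notcontains $_) }
    (@($all | Select-Object -Unique)) -join ','
}

# Constructed sample: a trimmed 1309 event; the address sits at no fixed index.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <EventData>
    <Data>3005</Data>
    <Data>8/2/2015 9:51:18 PM</Data>
    <Data>6292</Data>
    <Data>HttpException</Data>
    <Data>203.0.113.25</Data>
    <Data>False</Data>
  </EventData>
</Event>
'@

$current = @(Get-ClientIpFromEventXml -EventXml $sample | Select-Object -Unique)
$netIPs  = Merge-BlockList -Known @('198.51.100.7') -New $current -NeverBlock @('127.0.0.1')

"Current event address(es): $($current -join ', ')"   # pass these, one at a time, to nslookup
"Value for remoteip=       : $netIPs"
```

On the server, the newest event comes from `Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1309 } -MaxEvents 1`, and its `.ToXml()` output is what the function expects.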