Powershell Extract info from Event Error help needed

windows 2012 ServerR2
Powershell 4.0

Wrote a powershell script to extract the ip address from event id 1309 then takes that ip address adds to a file and passes the ip address to a netsh command line to update the firewall rule.

I have one I wrote that runs on a Windows 2008 Server with no problems.

I have one of the errors still in the application event log which was entered on 8/2//2015 at 9:51 pm  but it does not find it

my code is this

del c:\util\reboterr.txt
del C:\util\blockip.txt
$IPs = @(Get-WinEvent -FilterHashtable @{ LogName = "Application"; id = 1309; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
 ForEach { ([xml]$_.ToXml()).Event.EventData.Data[3] } |
 Select -Unique)
If ( Test-Path c:\util\rebotlist.txt )
    $read = @(Get-Content c:\util\rebotlist.txt)
    $IPs += $read
    $IPs = $IPs | Select -Unique
$IPs | Out-File c:\util\rebotlist.txt -Encoding ascii
$netIPs = $IPs -join "," 

nslookup $netIPs >c:\util\reboterr.txt

netsh advfirewall firewall set rule name="Block_IP" new remoteip=$netIPs
netsh advfirewall firewall show rule name="Block_IP" | Out-file c:\util\blockip.txt

Open in new window

Log Name:      Application
Source:        ASP.NET 4.0.30319.0
Date:          8/2/2015 9:51:18 PM
Event ID:      1309
Task Category: Web Event
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      SERV013.FQDNcom
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 8/2/2015 9:51:18 PM
Event time (UTC): 8/3/2015 1:51:18 AM
Event ID: c087d8ccd13b4fd792a3b3f90060dab5
Event sequence: 2
Event occurrence: 1
Event detail code: 0
Application information:
    Application domain: /LM/W3SVC/4/ROOT-1-130830402780931787
    Trust level: Full
    Application Virtual Path: /
    Application Path: C:\inetpub\wwwroot\Music\
    Machine name: SERV013
Process information:
    Process ID: 6292
    Process name: w3wp.exe
    Account name: IIS APPPOOL\Music
Exception information:
    Exception type: HttpException
    Exception message: A potentially dangerous Request.Path value was detected from the client (&).
   at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
   at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

Request information:
    Request URL: http://www.tomsmp3.com/mp3/mp3musicalbums/&artistname&/&recordingtitle&/&trackfilename&amp 
    Request path: /mp3/mp3musicalbums/&artistname&/&recordingtitle&/&trackfilename&amp
    User host address:
    Is authenticated: False
    Authentication Type:  
    Thread account name: IIS APPPOOL\Music
Thread information:
    Thread ID: 6
    Thread account name: IIS APPPOOL\Music
    Is impersonating: False
    Stack trace:    at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
   at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)
Custom event details: Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <Provider Name="ASP.NET 4.0.30319.0" />
    <EventID Qualifiers="32768">1309</EventID>
    <TimeCreated SystemTime="2015-08-03T01:51:18.000000000Z" />
    <Security />
    <Data>An unhandled exception has occurred.</Data>
    <Data>8/2/2015 9:51:18 PM</Data>
    <Data>8/3/2015 1:51:18 AM</Data>
    <Data>IIS APPPOOL\Music</Data>
    <Data>A potentially dangerous Request.Path value was detected from the client (&amp;).
   at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
   at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

    <Data>IIS APPPOOL\Music</Data>
    <Data>IIS APPPOOL\Music</Data>
    <Data>   at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
   at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

The ip address is "User host address:"

In the code I have "StartTime = (Get-Date).AddDays(-1) "     I tried making it this  "StartTime = (Get-Date).AddDays(-4)"  

No luck.

I am using PowerShell ISE

I only want the script to pick up the last occurrence  
I will be adding a task the the event ID Error 1309 so when that error occurs it will run this script.

It may work was is but I want to test to make sure my code is ok so I found they error 3 days ago trying to get that one to work.

Any ideas

LVL 23
Thomas GrassiSystems AdministratorAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Brian ScholerCommented:
Maybe I'm reading it wrong, but .Event.EventData.Data[3] seems to refer to a DateTime. I believe .Event.EventData.Data[21] would return the IP in the example XML you posted.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
If you just run
Get-WinEvent -FilterHashtable @{ LogName = "Application"; id = 1309; StartTime = (Get-Date).AddDays(-1) }

Open in new window

It probably finds the event.  Correct?

Looks like the data for that event is different - the IP isn't in the fourth spot, but rather the 22nd.  Without knowing the variability that can occur in event data for event ID 1309 it's hard to come up with a solution.

Do you know if any IP that shows in ID 1309 is one that you want to block?

Might have to do something like change
ForEach { ([xml]$_.ToXml()).Event.EventData.Data[3] } |
 ForEach { ([xml]$_.ToXml()).Event.EventData.Data } | Where { $_ -match "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$" } |

Open in new window

Thomas GrassiSystems AdministratorAuthor Commented:

Thanks for responding

Made the change to 21

 ForEach { ([xml]$_.ToXml()).Event.EventData.Data[3] } |

Open in new window

That worked  The script now works only one problem yet

this line fails

nslookup $netIPs >c:\util\reboterr.txt

Open in new window

I know what the problem is the variable $netIPS    is the total number of ips that I have collected in the file rebotlist.txt

I need the Ip address from the current Event message to be placed on the nslookup line

In this case it should be

nslookup  >c:\util\reboterr.txt

You would need something like
$IPs | % { nslookup $_ } | Out-File c:\util\reboterr.txt

Open in new window

and you would have to move it up to like line 6 before that variable is redefined to include all the previous IPs as well.
Thomas GrassiSystems AdministratorAuthor Commented:

Thanks for the help  Script now does what I need.

I even have it send me an email with the information so I know the firewall settings have been updated.

Great Job
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.