Powershell Extract info from Event Error help needed

Asked by Member_2_6492660_1 (United States of America)

Windows Server 2012 R2
PowerShell 4.0

I wrote a PowerShell script that extracts the IP address from event ID 1309, adds that IP address to a file, and passes it to a netsh command line to update the firewall rule.

I have one I wrote that runs on a Windows 2008 Server with no problems.

I still have one of the errors in the Application event log, entered on 8/2/2015 at 9:51 PM, but the script does not find it.

My code is this:

del c:\util\reboterr.txt
del C:\util\blockip.txt
# Collect the unique values of the fourth <Data> element from every 1309 event of the last day
$IPs = @(Get-WinEvent -FilterHashtable @{ LogName = "Application"; id = 1309; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
 ForEach { ([xml]$_.ToXml()).Event.EventData.Data[3] } |
 Select -Unique)
# Merge with the addresses saved by earlier runs
If ( Test-Path c:\util\rebotlist.txt )
{
    $read = @(Get-Content c:\util\rebotlist.txt)
    $IPs += $read
    $IPs = $IPs | Select -Unique
}
$IPs | Out-File c:\util\rebotlist.txt -Encoding ascii
$netIPs = $IPs -join ","

nslookup $netIPs >c:\util\reboterr.txt

# Replace the rule's remote address list with the full set, then save the rule for review
netsh advfirewall firewall set rule name="Block_IP" new remoteip=$netIPs
netsh advfirewall firewall show rule name="Block_IP" | Out-file c:\util\blockip.txt



Log Name:      Application
Source:        ASP.NET 4.0.30319.0
Date:          8/2/2015 9:51:18 PM
Event ID:      1309
Task Category: Web Event
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      SERV013.FQDNcom
Description:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 8/2/2015 9:51:18 PM
Event time (UTC): 8/3/2015 1:51:18 AM
Event ID: c087d8ccd13b4fd792a3b3f90060dab5
Event sequence: 2
Event occurrence: 1
Event detail code: 0
 
Application information:
    Application domain: /LM/W3SVC/4/ROOT-1-130830402780931787
    Trust level: Full
    Application Virtual Path: /
    Application Path: C:\inetpub\wwwroot\Music\
    Machine name: SERV013
 
Process information:
    Process ID: 6292
    Process name: w3wp.exe
    Account name: IIS APPPOOL\Music
 
Exception information:
    Exception type: HttpException
    Exception message: A potentially dangerous Request.Path value was detected from the client (&).
   at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
   at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

 
 
Request information:
    Request URL: http://www.tomsmp3.com/mp3/mp3musicalbums/&artistname&/&recordingtitle&/&trackfilename&amp 
    Request path: /mp3/mp3musicalbums/&artistname&/&recordingtitle&/&trackfilename&amp
    User host address: 180.76.15.160
    User:  
    Is authenticated: False
    Authentication Type:  
    Thread account name: IIS APPPOOL\Music
 
Thread information:
    Thread ID: 6
    Thread account name: IIS APPPOOL\Music
    Is impersonating: False
    Stack trace:    at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
   at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)
 
 
Custom event details: Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ASP.NET 4.0.30319.0" />
    <EventID Qualifiers="32768">1309</EventID>
    <Level>3</Level>
    <Task>3</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-03T01:51:18.000000000Z" />
    <EventRecordID>41709</EventRecordID>
    <Channel>Application</Channel>
    <Computer>SERV013.FQDNcom</Computer>
    <Security />
  </System>
  <EventData>
    <Data>3005</Data>
    <Data>An unhandled exception has occurred.</Data>
    <Data>8/2/2015 9:51:18 PM</Data>
    <Data>8/3/2015 1:51:18 AM</Data>
    <Data>c087d8ccd13b4fd792a3b3f90060dab5</Data>
    <Data>2</Data>
    <Data>1</Data>
    <Data>0</Data>
    <Data>/LM/W3SVC/4/ROOT-1-130830402780931787</Data>
    <Data>Full</Data>
    <Data>/</Data>
    <Data>C:\inetpub\wwwroot\Music\</Data>
    <Data>SERV013</Data>
    <Data>
    </Data>
    <Data>6292</Data>
    <Data>w3wp.exe</Data>
    <Data>IIS APPPOOL\Music</Data>
    <Data>HttpException</Data>
    <Data>A potentially dangerous Request.Path value was detected from the client (&amp;).
   at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
   at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

</Data>
    <Data>http://www.tomsmp3.com/mp3/mp3musicalbums/&amp;amp;amp;artistname&amp;amp;amp;/&amp;amp;amp;recordingtitle&amp;amp;amp;/&amp;amp;amp;trackfilename&amp;amp;amp</Data>
    <Data>/mp3/mp3musicalbums/&amp;amp;amp;amp;artistname&amp;amp;amp;amp;/&amp;amp;amp;amp;recordingtitle&amp;amp;amp;amp;/&amp;amp;amp;amp;trackfilename&amp;amp;amp;amp</Data>
    <Data>180.76.15.160</Data>
    <Data>
    </Data>
    <Data>False</Data>
    <Data>
    </Data>
    <Data>IIS APPPOOL\Music</Data>
    <Data>6</Data>
    <Data>IIS APPPOOL\Music</Data>
    <Data>False</Data>
    <Data>   at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
   at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)
</Data>
  </EventData>
</Event>



The ip address is "User host address: 180.76.15.160"

In the code I have "StartTime = (Get-Date).AddDays(-1)". I tried making it "StartTime = (Get-Date).AddDays(-4)".

No luck.

I am using PowerShell ISE

I only want the script to pick up the last occurrence.
I will be adding a task to the event ID 1309 error so that when that error occurs it will run this script.

It may work as is, but I want to test to make sure my code is OK, so I found the error from 3 days ago and am trying to get that one to work.



Any ideas?

Thanks
ASKER CERTIFIED SOLUTION
Brian Scholer

This solution is only available to members.
footech
If you just run
Get-WinEvent -FilterHashtable @{ LogName = "Application"; id = 1309; StartTime = (Get-Date).AddDays(-1) }


It probably finds the event.  Correct?

Looks like the data for that event is different - the IP isn't in the fourth spot, but rather the 22nd.  Without knowing the variability that can occur in event data for event ID 1309 it's hard to come up with a solution.

Do you know if any IP that shows in ID 1309 is one that you want to block?

Might have to do something like change
ForEach { ([xml]$_.ToXml()).Event.EventData.Data[3] } |
to
 ForEach { ([xml]$_.ToXml()).Event.EventData.Data } | Where { $_ -match "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$" } |


Member_2_6492660_1 (asker)

Guys

Thanks for responding

Made the change to 21

 ForEach { ([xml]$_.ToXml()).Event.EventData.Data[21] } |   # index 21 = 22nd <Data> element, where the IP sits in this event




That worked. The script now works; only one problem remains.

This line fails:

nslookup $netIPs >c:\util\reboterr.txt



I know what the problem is: the variable $netIPs is the total list of IPs that I have collected in the file rebotlist.txt.

I need the IP address from the current event message to be placed on the nslookup line.

In this case it should be

nslookup 180.76.15.160  >c:\util\reboterr.txt


Thoughts?
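One way to do both things this thread asks for: find the address by pattern across all Data fields rather than by a fixed index (footech's suggestion above) and pass only the newest event's address to nslookup while the firewall rule still receives the whole accumulated list. This is an added example, not the asker's script or a member solution; the file paths and the "Block_IP" rule name are assumed to be the ones used in the thread.

```powershell
# Added example, not the asker's script or footech's code. Assumptions: the
# file paths and the "Block_IP" rule name are those used in the thread.
$ListFile   = 'C:\util\rebotlist.txt'    # accumulated block list (assumed path)
$LookupFile = 'C:\util\reboterr.txt'     # nslookup output (assumed path)
$IPv4 = '^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$'

function Get-EventClientIP {
    # Return the first <Data> value that is a well-formed IPv4 address, or $null.
    # Scanning every Data field avoids depending on a fixed index (3 vs 21),
    # which differs between variants of event 1309.
    param([xml]$EventXml)
    foreach ($d in $EventXml.Event.EventData.Data) {
        $v = "$d".Trim()                 # blank <Data> nodes exist in this event
        if ($v -match $IPv4) {
            $octets = $v.Split('.') | ForEach-Object { [int]$_ }
            if (-not ($octets | Where-Object { $_ -gt 255 })) { return $v }
        }
    }
    return $null
}

# Constructed sample mirroring the thread's event: the IP is not at index 3.
$sample = [xml]'<Event><EventData><Data>3005</Data><Data>6292</Data><Data>
   </Data><Data>180.76.15.160</Data></EventData></Event>'
Write-Host ("Sample IP: " + (Get-EventClientIP $sample))   # 180.76.15.160

# Newest occurrence only: Get-WinEvent returns newest first, -MaxEvents 1 keeps it.
$newest = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1309 } -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $newest) { Write-Warning 'No event 1309 found'; return }
$currentIP = Get-EventClientIP ([xml]$newest.ToXml())
if (-not $currentIP) { Write-Warning 'Event 1309 carries no IPv4 address'; return }

# Merge the new address into the persisted list, dropping blanks and duplicates.
$known = @()
if (Test-Path $ListFile) { $known = @(Get-Content $ListFile) }
$all = @($known + $currentIP | Where-Object { $_ -match $IPv4 } | Select-Object -Unique)
$all | Out-File $ListFile -Encoding ascii

# nslookup gets only the triggering event's address; the rule gets the whole list.
nslookup $currentIP > $LookupFile
$ruleIPs = $all -join ','
netsh advfirewall firewall set rule name="Block_IP" new remoteip=$ruleIPs
```

Before a task trigger starts blocking automatically, confirm that the logged "User host address" is the client itself and not a reverse proxy or load balancer in front of IIS, or the rule will cut off your own infrastructure.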
SOLUTION
This solution is only available to members.
Member_2_6492660_1 (asker)

Guys


Thanks for the help. The script now does what I need.

I even have it send me an email with the information so I know the firewall settings have been updated.


Great Job