Gist: cameronkerrnz/3398f1bf33fe18d6e09ce913945d7d3c
Tail and Filter Windows Firewall Log (like tail -f ... | awk)
Get-Content -Head 5 c:\windows\system32\LogFiles\Firewall\pfirewall.log

Get-Content -Wait -Tail 5 C:\Windows\System32\LogFiles\Firewall\pfirewall.log | % {
    # The do { ... } while($false) wrapper is there so that 'continue' skips only the
    # current record; a bare 'continue' inside a ForEach-Object block ends the whole pipeline.
    do {
        # Skip the log's header lines (#Version, #Software, #Time Format, #Fields) and blank lines
        if ($_ -like '#*' -or [string]::IsNullOrWhiteSpace($_)) {continue}
        $a=$_.split(' ')
        # DROP or ACCEPT (the only values AFAIK)
        #
        if ($a[2] -ne 'DROP') {continue}
        # Aims to drop common multicast addresses (no CIDR easily available)
        # Note: -match, not -like, because this is a regex (-like only understands wildcards),
        # and dst-ip ($a[5]) rather than src-ip, since multicast only ever appears as a destination.
        #
        # if ($a[5] -match '^(239|224)\.') {continue}
        # Direction
        #
        # if ($a[16] -eq 'SEND') {continue}
        # Port number
        #
        if ($a[7] -in @(137, 135, 1900, 5353, 7680)) {continue}
        #Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
        #        0    1    2      3        4      5      6        7        8    9        10     11     12     13       14       15   16
        #
        # Unfortunately you don't seem to be able to pass $a (an array) to -f, nor can you splat it.
        #
        # You could just use write-host $a but I'm just wanting to align a subset of records.
        #
        write-host ("{0} {1} {2,-5} {3,-4} {4,-15} {5,-15} {6,5} {7,5} {8} {9} {10} {11}" -f `
            $a[0], $a[1],   # date time
            $a[2], $a[3],   # action protocol
            $a[4], $a[5],   # src-ip dst-ip
            $a[6], $a[7],   # src-port dst-port
            $a[9],          # tcpflags
            $a[13], $a[14], # icmptype icmpcode
            $a[16]          # path
        )
    } while($false)
}
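As an added example (not part of the gist), the same filtering done with objects instead of positional indices: the log's own #Fields header names the columns, Format-Table does the alignment the -f string does by hand, and a Group-Object summary shows which dropped sources touched the most distinct ports. The ConvertFrom-PfirewallLog function and the sample log lines are constructed here; the default header is the field list quoted in the gist.

```powershell
# Turns pfirewall.log lines into objects named by the log's own #Fields header.
# Default header = the field list quoted in the gist, for when -Tail never sees the header.
function ConvertFrom-PfirewallLog {
    param([Parameter(ValueFromPipeline)][string]$Line)
    begin {
        $header = ('date time action protocol src-ip dst-ip src-port dst-port size ' +
                   'tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path') -split ' '
    }
    process {
        if ($Line -like '#Fields:*') { $header = ($Line -replace '^#Fields:\s*', '') -split ' '; return }
        if ($Line -like '#*' -or [string]::IsNullOrWhiteSpace($Line)) { return }  # other header/blank lines
        $values = $Line -split ' '
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $header.Count; $i++) { $obj[$header[$i]] = $values[$i] }
        [pscustomobject]$obj
    }
}

# Constructed sample lines in the real log's layout (swap in Get-Content -Wait -Tail ... for live use)
$sampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 10:00:01 DROP TCP 203.0.113.7 192.168.1.10 51234 3389 52 S 0 0 0 - - - RECEIVE
2024-01-15 10:00:02 DROP TCP 203.0.113.7 192.168.1.10 51235 445 52 S 0 0 0 - - - RECEIVE
2024-01-15 10:00:02 ALLOW TCP 192.168.1.10 93.184.216.34 50000 443 0 - 0 0 0 - - - SEND
2024-01-15 10:00:03 DROP UDP 192.168.1.22 239.255.255.250 1900 1900 0 - - - - - - - RECEIVE
2024-01-15 10:00:04 DROP TCP 198.51.100.9 192.168.1.10 40000 22 52 S 0 0 0 - - - RECEIVE
'@ -split "`r?`n"

$noisyPorts = '137', '135', '1900', '5353', '7680'   # same exclusions as the gist

# Inbound drops only, minus multicast destinations (224.0.0.0/4) and the noisy ports
$suspect = $sampleLog | ConvertFrom-PfirewallLog | Where-Object {
    $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' -and
    $_.'dst-ip' -notmatch '^(22[4-9]|23[0-9])\.' -and
    $_.'dst-port' -notin $noisyPorts
}

# Aligned listing: Format-Table does what the gist's -f format string does by hand
$suspect | Format-Table date, time, protocol, 'src-ip', 'dst-ip', 'src-port', 'dst-port', tcpflags, path -AutoSize

# Per-source summary: one source hitting many distinct ports stands out from background noise
$suspect | Group-Object 'src-ip' | ForEach-Object {
    [pscustomobject]@{
        SrcIp         = $_.Name
        Drops         = $_.Count
        DistinctPorts = @($_.Group.'dst-port' | Sort-Object -Unique).Count
    }
} | Sort-Object DistinctPorts, Drops -Descending | Format-Table -AutoSize
```

With the sample above, the summary lists 203.0.113.7 (2 drops, 2 distinct ports) ahead of 198.51.100.9; the multicast SSDP line and the ALLOW line are filtered out. On a live `Get-Content -Wait` stream only the Where-Object/Format-Table stage is useful, since Group-Object waits for the input to end.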