Created
July 5, 2023 11:44
-
-
Save itsecworks/a8b9d49972dd08a5482fc38ecea7248b to your computer and use it in GitHub Desktop.
VPN Client Monitoring - Collector Scripts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
############################################################################################################################################################## | |
# # | |
# This Script collects measurements from netstat command # | |
# Syntax for output lines is json that devided by newline # | |
# Example: # | |
# {"name":"In_Receives","currentuser":"akdaniel","gpgatewayaddress":"130.41.235.50","currentdomain":"PALOALTONETWORK","value":"1636236", # | |
# "timestamp":"2023-06-09 02:19:52","subtype":"ipstats","gpipv4address":"10.47.140.216"} # | |
# # | |
############################################################################################################################################################## | |
# | |
# set the timeperiod in seconds between 2 measurements | |
$timeperiod = 30 | |
# set the timeout if no reply comes | |
[string]$DefaultTimeout = "5000" | |
# set log lines to cache before trying to upload | |
[long]$CacheExportSize = 5 | |
# psping binary folder | |
$binpath = "$home\Downloads\PSTools" | |
#create log folder if not exists for the logs | |
$logpath = "$binpath\log" | |
if(!(Test-Path -Path $logpath )){ | |
New-Item -ItemType directory -Path $logpath | |
} | |
#set the shared folder from where logstash reads the data | |
$SharedFolder = $logpath + "\serverside" | |
# Get the current username with domain to synch with globalprotect logs | |
$CurrentDomain = $env:userdomain | |
$CurrentUser = $env:username | |
#date with hours written in the filename | |
$FileTimestamp = (get-date).ToString("yyyy-MM-dd_HH-mm-ss") | |
$ScriptBlock = { | |
param($timeperiod, $DefaultTimeout, $CacheExportSize, $binpath, $logpath, $SharedFolder, $CurrentDomain, $CurrentUser, $FileTimestamp) | |
# command to execute | |
$CmdName = "cpu_mem" | |
$counter = 0 | |
[array]$ExportCache = $null | |
while($true){ | |
# Get the GlobalProtect allocated IP with ServiceName PanGpd: | |
$gp_ipaddrs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter IPEnabled=True | where {$_.ServiceName -eq 'PanGpd'} | Select-Object -Property IPAddress | |
# Its an array of 2 IPs in Windows, the 1st one is IPv4 and the 2nd one is IPV6. | |
if ([bool]$gp_ipaddrs.IPAddress) { | |
[string]$GPIPv4Address = $gp_ipaddrs.IPAddress[0] | |
} | |
else { | |
[string]$GPIPv4Address = "0.0.0.0" | |
} | |
# Get the processid for PanGPS | |
$pangps_pid = (Get-Process | Where-Object {$_.ProcessName -match 'PanGPS'}).Id | |
# Get the GlobalProtect Gateway IP from netstat with the processid: | |
$pangps_conns = (netstat -ano | Select-String -Pattern $pangps_pid) | |
Foreach ($item in $pangps_conns) { | |
$item = $item -replace '^\s+', '' | |
$item = $item -split '\s+' | |
$Proto = $item[0] | |
$LocalAddressPort = $item[1] | |
$ForeignAddressPort = $item[2] | |
if ($ForeignAddressPort -notlike "127.0.0.*" -and $ForeignAddressPort -notlike "0.0.0.*" -and $ForeignAddressPort -notlike '`*:`*') { | |
$GPGatewayAddress = ($ForeignAddressPort -split ':')[0] | |
} | |
} | |
if (![bool]$GPGatewayAddress) { | |
$GPGatewayAddress = "0.0.0.0" | |
} | |
#get date for timestamp | |
$TimeStamp = (get-date).ToString("yyyy-MM-dd HH:mm:ss") | |
#run the command with parameters and save the output. | |
$cpuTime = ((Get-Counter '\Processor(_Total)\% Processor Time').CounterSamples.CookedValue).ToString("#,0.00") | |
$totalMem = (((Get-CimInstance Win32_PhysicalMemory | Measure-Object -Property capacity -Sum).Sum)/1048576).ToString() | |
$availMem = ((Get-Counter '\Memory\Available MBytes').CounterSamples.CookedValue).ToString() | |
$usageMem = (100 * $availMem / $totalMem).ToString("#,0.00") | |
$jsonBase = @{} | |
$jsonBase.Add("timestamp",$TimeStamp) | |
$jsonBase.Add("currentdomain",$CurrentDomain) | |
$jsonBase.Add("currentuser",$CurrentUser) | |
$jsonBase.Add("gpgatewayaddress",$GPGatewayAddress) | |
$jsonBase.Add("gpipv4address",$GPIPv4Address) | |
$jsonBase.Add("subtype",$CmdName) | |
$jsonBase.Add("cpu",[long]$cpuTime) | |
$jsonBase.Add("totalmem",[long]$totalMem) | |
$jsonBase.Add("availmem",[long]$availMem) | |
$jsonBase.Add("usagemem",[long]$usageMem) | |
$jsonBase | ConvertTo-Json -Compress | Out-File -FilePath "$logpath\${CmdName}_${FileTimestamp}_${CurrentUser}.json" -Append -Encoding Utf8 | |
$ExportCache += $jsonBase | ConvertTo-Json -Compress | |
$counter++ | |
if ($counter%$CacheExportSize -eq 0 -and (Test-Path -Path $SharedFolder )){ | |
$ExportCache | Out-File -FilePath "$SharedFolder\${CmdName}_${FileTimestamp}_${CurrentUser}.json" -Append -Encoding utf8 | |
if ($?){ [array]$ExportCache = $null } | |
} | |
sleep $timeperiod | |
} | |
} | |
Start-Job -Name $CmdName -scriptblock $ScriptBlock -ArgumentList($timeperiod, $DefaultTimeout, $CacheExportSize, $binpath, $logpath, $SharedFolder, $CurrentDomain, $CurrentUser, $FileTimestamp) | |
while ((Get-Job).State -contains 'Running') { | |
Start-Sleep 60 | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
############################################################################################################################################################## | |
# # | |
# This Script collects measurements from nslookup command # | |
# Syntax for output lines is json that devided by newline # | |
# Example: # | |
# {"name":"In_Receives","currentuser":"akdaniel","gpgatewayaddress":"130.41.235.50","currentdomain":"PALOALTONETWORK","value":"1636236", # | |
# "timestamp":"2023-06-09 02:19:52","subtype":"ipstats","gpipv4address":"10.47.140.216"} # | |
# # | |
############################################################################################################################################################## | |
$TestDomain = "www.bing.com" | |
# | |
# set the timeperiod in seconds between 2 measurements | |
$timeperiod = 30 | |
# set the timeout if no reply comes | |
[string]$DefaultTimeout = "5000" | |
# set log lines to cache before trying to upload | |
[long]$CacheExportSize = 5 | |
# psping binary folder | |
$binpath = "$home\Downloads\PSTools" | |
#create log folder if not exists for the logs | |
$logpath = "$binpath\log" | |
if(!(Test-Path -Path $logpath )){ | |
New-Item -ItemType directory -Path $logpath | |
} | |
#set the shared folder from where logstash reads the data | |
$SharedFolder = $logpath + "\serverside" | |
# Get the current username with domain to synch with globalprotect logs | |
$CurrentDomain = $env:userdomain | |
$CurrentUser = $env:username | |
#date with hours written in the filename | |
$FileTimestamp = (get-date).ToString("yyyy-MM-dd_HH-mm-ss") | |
$ScriptBlock = { | |
param($TestDomain, $timeperiod, $DefaultTimeout, $CacheExportSize, $binpath, $logpath, $SharedFolder, $CurrentDomain, $CurrentUser, $FileTimestamp) | |
# command to execute | |
$CmdName = "dnsrtt" | |
$counter = 0 | |
[array]$ExportCache = $null | |
while($true){ | |
# Get the GlobalProtect allocated IP with ServiceName PanGpd: | |
$gp_ipaddrs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter IPEnabled=True | where {$_.ServiceName -eq 'PanGpd'} | Select-Object -Property IPAddress | |
# Its an array of 2 IPs in Windows, the 1st one is IPv4 and the 2nd one is IPV6. | |
if ([bool]$gp_ipaddrs.IPAddress) { | |
[string]$GPIPv4Address = $gp_ipaddrs.IPAddress[0] | |
} | |
else { | |
[string]$GPIPv4Address = "0.0.0.0" | |
} | |
# Get the processid for PanGPS | |
$pangps_pid = (Get-Process | Where-Object {$_.ProcessName -match 'PanGPS'}).Id | |
# Get the GlobalProtect Gateway IP from netstat with the processid: | |
$pangps_conns = (netstat -ano | Select-String -Pattern $pangps_pid) | |
Foreach ($item in $pangps_conns) { | |
$item = $item -replace '^\s+', '' | |
$item = $item -split '\s+' | |
$Proto = $item[0] | |
$LocalAddressPort = $item[1] | |
$ForeignAddressPort = $item[2] | |
if ($ForeignAddressPort -notlike "127.0.0.*" -and $ForeignAddressPort -notlike "0.0.0.*" -and $ForeignAddressPort -notlike '`*:`*') { | |
$GPGatewayAddress = ($ForeignAddressPort -split ':')[0] | |
} | |
} | |
if (![bool]$GPGatewayAddress) { | |
$GPGatewayAddress = "0.0.0.0" | |
} | |
#get date for timestamp | |
$TimeStamp = (get-date).ToString("yyyy-MM-dd HH:mm:ss") | |
$value = (Measure-Command {Resolve-DnsName $TestDomain -Type A}).Milliseconds | Out-String | |
$value = $value.Trim() | |
$jsonBase = @{} | |
$jsonBase.Add("timestamp",$TimeStamp) | |
$jsonBase.Add("currentdomain",$CurrentDomain) | |
$jsonBase.Add("currentuser",$CurrentUser) | |
$jsonBase.Add("gpgatewayaddress",$GPGatewayAddress) | |
$jsonBase.Add("gpipv4address",$GPIPv4Address) | |
$jsonBase.Add("subtype",$CmdName) | |
$jsonBase.Add("dnsrtt",[long]$value) | |
$jsonBase | ConvertTo-Json -Compress | Out-File -FilePath "$logpath\${CmdName}_${FileTimestamp}_${CurrentUser}.json" -Append -Encoding Utf8 | |
$ExportCache += $jsonBase | ConvertTo-Json -Compress | |
$counter++ | |
if ($counter%$CacheExportSize -eq 0 -and (Test-Path -Path $SharedFolder )){ | |
$ExportCache | Out-File -FilePath "$SharedFolder\${CmdName}_${FileTimestamp}_${CurrentUser}.json" -Append -Encoding utf8 | |
if ($?){ [array]$ExportCache = $null } | |
} | |
sleep $timeperiod | |
} | |
} | |
Start-Job -Name $CmdName -scriptblock $ScriptBlock -ArgumentList($TestDomain, $timeperiod, $DefaultTimeout, $CacheExportSize, $binpath, $logpath, $SharedFolder, $CurrentDomain, $CurrentUser, $FileTimestamp) | |
while ((Get-Job).State -contains 'Running') { | |
Start-Sleep 60 | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
############################################################################################################################################################## | |
# # | |
# This Script collects measurements from netstat command # | |
# Syntax for output lines is json that devided by newline # | |
# Example: # | |
# {"name":"In_Receives","currentuser":"akdaniel","gpgatewayaddress":"130.41.235.50","currentdomain":"PALOALTONETWORK","value":"1636236", # | |
# "timestamp":"2023-06-09 02:19:52","subtype":"ipstats","gpipv4address":"10.47.140.216"} # | |
# # | |
############################################################################################################################################################## | |
# | |
# set the timeperiod in seconds between 2 measurements | |
$timeperiod = 30 | |
# set the timeout if no reply comes | |
[string]$DefaultTimeout = "5000" | |
# set log lines to cache before trying to upload | |
[long]$CacheExportSize = 5 | |
# psping binary folder | |
$binpath = "$home\Downloads\PSTools" | |
#create log folder if not exists for the logs | |
$logpath = "$binpath\log" | |
if(!(Test-Path -Path $logpath )){ | |
New-Item -ItemType directory -Path $logpath | |
} | |
#set the shared folder from where logstash reads the data | |
$SharedFolder = $logpath + "\serverside" | |
# Get the current username with domain to synch with globalprotect logs | |
$CurrentDomain = $env:userdomain | |
$CurrentUser = $env:username | |
#date with hours written in the filename | |
$FileTimestamp = (get-date).ToString("yyyy-MM-dd_HH-mm-ss") | |
$ScriptBlock = { | |
param($timeperiod, $DefaultTimeout, $CacheExportSize, $binpath, $logpath, $SharedFolder, $CurrentDomain, $CurrentUser, $FileTimestamp) | |
# command to execute | |
$CmdName = "ipstats" | |
$Cmd = "netsh interface ipv4 show ipstats" | |
$counter = 0 | |
[array]$ExportCache = $null | |
function Is-Numeric ($Value) { | |
return $Value -match "^(\d+|\.\d+|\d+\.\d+)$" | |
} | |
while($true){ | |
# Get the GlobalProtect allocated IP with ServiceName PanGpd: | |
$gp_ipaddrs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter IPEnabled=True | where {$_.ServiceName -eq 'PanGpd'} | Select-Object -Property IPAddress | |
# Its an array of 2 IPs in Windows, the 1st one is IPv4 and the 2nd one is IPV6. | |
if ([bool]$gp_ipaddrs.IPAddress) { | |
[string]$GPIPv4Address = $gp_ipaddrs.IPAddress[0] | |
} | |
else { | |
[string]$GPIPv4Address = "0.0.0.0" | |
} | |
# Get the processid for PanGPS | |
$pangps_pid = (Get-Process | Where-Object {$_.ProcessName -match 'PanGPS'}).Id | |
# Get the GlobalProtect Gateway IP from netstat with the processid: | |
$pangps_conns = (netstat -ano | Select-String -Pattern $pangps_pid) | |
Foreach ($item in $pangps_conns) { | |
$item = $item -replace '^\s+', '' | |
$item = $item -split '\s+' | |
$Proto = $item[0] | |
$LocalAddressPort = $item[1] | |
$ForeignAddressPort = $item[2] | |
if ($ForeignAddressPort -notlike "127.0.0.*" -and $ForeignAddressPort -notlike "0.0.0.*" -and $ForeignAddressPort -notlike '`*:`*') { | |
$GPGatewayAddress = ($ForeignAddressPort -split ':')[0] | |
} | |
} | |
if (![bool]$GPGatewayAddress) { | |
$GPGatewayAddress = "0.0.0.0" | |
} | |
#get date for timestamp | |
$TimeStamp = (get-date).ToString("yyyy-MM-dd HH:mm:ss") | |
#run the command with parameters and save the output. | |
$Output = Invoke-Expression $Cmd | |
$p1 = "(?<measurement_name>.*):\s+(?<measurement_value>.*)" | |
Foreach ($item in $Output) { | |
$result = [regex]::Matches($item, $p1) | |
if ([bool]$result[0]) { | |
$name = ($result[0].Groups['measurement_name'].Value).replace(" ","_") | |
$value = ($result[0].Groups['measurement_value'].Value).replace(" ","_") | |
if (Is-Numeric $value) { | |
$value = [long]$value | |
$jsonBase = @{} | |
$jsonBase.Add("timestamp",$TimeStamp) | |
$jsonBase.Add("currentdomain",$CurrentDomain) | |
$jsonBase.Add("currentuser",$CurrentUser) | |
$jsonBase.Add("gpgatewayaddress",$GPGatewayAddress) | |
$jsonBase.Add("gpipv4address",$GPIPv4Address) | |
$jsonBase.Add("subtype",$CmdName) | |
$jsonBase.Add($name,$value) | |
$jsonBase | ConvertTo-Json -Compress | Out-File -FilePath "$logpath\${CmdName}_${FileTimestamp}_${CurrentUser}.json" -Append -Encoding Utf8 | |
$ExportCache += $jsonBase | ConvertTo-Json -Compress | |
} | |
} | |
} | |
$counter++ | |
if ($counter%$CacheExportSize -eq 0 -and (Test-Path -Path $SharedFolder )){ | |
$ExportCache | Out-File -FilePath "$SharedFolder\${CmdName}_${FileTimestamp}_${CurrentUser}.json" -Append -Encoding utf8 | |
if ($?){ [array]$ExportCache = $null } | |
} | |
sleep $timeperiod | |
} | |
} | |
Start-Job -Name $CmdName -scriptblock $ScriptBlock -ArgumentList($timeperiod, $DefaultTimeout, $CacheExportSize, $binpath, $logpath, $SharedFolder, $CurrentDomain, $CurrentUser, $FileTimestamp) | |
while ((Get-Job).State -contains 'Running') { | |
Start-Sleep 60 | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
############################################################################################################################################################## | |
# # | |
# This Script collects measurements from netstat command # | |
# Syntax for output lines is json that devided by newline # | |
# Example: # | |
# {"name":"In_Receives","currentuser":"akdaniel","gpgatewayaddress":"130.41.235.50","currentdomain":"PALOALTONETWORK","value":"1636236", # | |
# "timestamp":"2023-06-09 02:19:52","subtype":"ipstats","gpipv4address":"10.47.140.216"} # | |
# # | |
############################################################################################################################################################## | |
# | |
# set the timeperiod in seconds between 2 measurements | |
$timeperiod = 30 | |
# set the timeout if no reply comes | |
[string]$DefaultTimeout = "5000" | |
# set log lines to cache before trying to upload | |
[long]$CacheExportSize = 5 | |
# psping binary folder | |
$binpath = "$home\Downloads\PSTools" | |
#create log folder if not exists for the logs | |
$logpath = "$binpath\log" | |
if(!(Test-Path -Path $logpath )){ | |
New-Item -ItemType directory -Path $logpath | |
} | |
#set the shared folder from where logstash reads the data | |
$SharedFolder = $logpath + "\serverside" | |
# Get the current username with domain to synch with globalprotect logs | |
$CurrentDomain = $env:userdomain | |
$CurrentUser = $env:username | |
#date with hours written in the filename | |
$FileTimestamp = (get-date).ToString("yyyy-MM-dd_HH-mm-ss") | |
$ScriptBlock = { | |
param($timeperiod, $DefaultTimeout, $CacheExportSize, $binpath, $logpath, $SharedFolder, $CurrentDomain, $CurrentUser, $FileTimestamp) | |
# command to execute | |
$CmdName = "netstats" | |
$Cmd = "netstat" | |
$CmdParams = "-e" -split " " | |
$counter = 0 | |
[array]$ExportCache = $null | |
while($true){ | |
# Get the GlobalProtect allocated IP with ServiceName PanGpd: | |
$gp_ipaddrs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter IPEnabled=True | where {$_.ServiceName -eq 'PanGpd'} | Select-Object -Property IPAddress | |
# Its an array of 2 IPs in Windows, the 1st one is IPv4 and the 2nd one is IPV6. | |
if ([bool]$gp_ipaddrs.IPAddress) { | |
[string]$GPIPv4Address = $gp_ipaddrs.IPAddress[0] | |
} | |
else { | |
[string]$GPIPv4Address = "0.0.0.0" | |
} | |
# Get the processid for PanGPS | |
$pangps_pid = (Get-Process | Where-Object {$_.ProcessName -match 'PanGPS'}).Id | |
# Get the GlobalProtect Gateway IP from netstat with the processid: | |
$pangps_conns = (netstat -ano | Select-String -Pattern $pangps_pid) | |
Foreach ($item in $pangps_conns) { | |
$item = $item -replace '^\s+', '' | |
$item = $item -split '\s+' | |
$Proto = $item[0] | |
$LocalAddressPort = $item[1] | |
$ForeignAddressPort = $item[2] | |
if ($ForeignAddressPort -notlike "127.0.0.*" -and $ForeignAddressPort -notlike "0.0.0.*" -and $ForeignAddressPort -notlike '`*:`*') { | |
$GPGatewayAddress = ($ForeignAddressPort -split ':')[0] | |
} | |
} | |
if (![bool]$GPGatewayAddress) { | |
$GPGatewayAddress = "0.0.0.0" | |
} | |
#get date for timestamp | |
$TimeStamp = (get-date).ToString("yyyy-MM-dd HH:mm:ss") | |
#run the command with parameters and save the output. | |
$Output = & "$Cmd" $CmdParams | |
$p1 = "(?<measurement_name>.*)\s+(?<measurement_value_recv>\d+)\s+(?<measurement_value_sent>\d+)" | |
Foreach ($item in $Output) { | |
$result = [regex]::Matches($item, $p1) | |
if ([bool]$result[0]) { | |
$name = ($result[0].Groups['measurement_name'].Value).Trim().replace(" ","_") | |
$value_recv = ($result[0].Groups['measurement_value_recv'].Value).Trim().replace(" ","_") | |
$value_sent = ($result[0].Groups['measurement_value_sent'].Value).Trim().replace(" ","_") | |
$name_recv = $name + "_recv" | |
$name_sent = $name + "_sent" | |
$jsonBase = @{} | |
$jsonBase.Add("timestamp",$TimeStamp) | |
$jsonBase.Add("currentdomain",$CurrentDomain) | |
$jsonBase.Add("currentuser",$CurrentUser) | |
$jsonBase.Add("gpgatewayaddress",$GPGatewayAddress) | |
$jsonBase.Add("gpipv4address",$GPIPv4Address) | |
$jsonBase.Add("subtype",$CmdName) | |
$jsonBase.Add($name_recv,[long]$value_recv) | |
$jsonBase.Add($name_sent,[long]$value_sent) | |
$jsonBase | ConvertTo-Json -Compress | Out-File -FilePath "$logpath\${CmdName}_${FileTimestamp}_${CurrentUser}.json" -Append -Encoding Utf8 | |
$ExportCache += $jsonBase | ConvertTo-Json -Compress | |
} | |
} | |
$counter++ | |
if ($counter%$CacheExportSize -eq 0 -and (Test-Path -Path $SharedFolder )){ | |
$ExportCache | Out-File -FilePath "$SharedFolder\${CmdName}_${FileTimestamp}_${CurrentUser}.json" -Append -Encoding utf8 | |
if ($?){ [array]$ExportCache = $null } | |
} | |
sleep $timeperiod | |
} | |
} | |
Start-Job -Name $CmdName -scriptblock $ScriptBlock -ArgumentList($timeperiod, $DefaultTimeout, $CacheExportSize, $binpath, $logpath, $SharedFolder, $CurrentDomain, $CurrentUser, $FileTimestamp) | |
while ((Get-Job).State -contains 'Running') { | |
Start-Sleep 60 | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
############################################################################################################################################################## | |
# # | |
# This Script collects measurements from netstat command # | |
# Syntax for output lines is json that devided by newline # | |
# Example: # | |
# {"name":"In_Receives","currentuser":"akdaniel","gpgatewayaddress":"130.41.235.50","currentdomain":"PALOALTONETWORK","value":"1636236", # | |
# "timestamp":"2023-06-09 02:19:52","subtype":"ipstats","gpipv4address":"10.47.140.216"} # | |
# # | |
############################################################################################################################################################## | |
# | |
# set the timeperiod in seconds between 2 measurements | |
$timeperiod = 30 | |
# set the timeout if no reply comes | |
[string]$DefaultTimeout = "5000" | |
# set log lines to cache before trying to upload | |
[long]$CacheExportSize = 5 | |
# psping binary folder | |
$binpath = "$home\Downloads\PSTools" | |
#create log folder if not exists for the logs | |
$logpath = "$binpath\log" | |
if(!(Test-Path -Path $logpath )){ | |
New-Item -ItemType directory -Path $logpath | |
} | |
#set the shared folder from where logstash reads the data | |
$SharedFolder = $logpath + "\serverside" | |
# Get the current username with domain to synch with globalprotect logs | |
$CurrentDomain = $env:userdomain | |
$CurrentUser = $env:username | |
#date with hours written in the filename | |
$FileTimestamp = (get-date).ToString("yyyy-MM-dd_HH-mm-ss") | |
# define the host to ping with icmp or to tcp syn if port is set with colon after the IP. | |
[array]$PingTable = $null | |
# 1. icmp Ping test to GP Gateway (dynamic object or dummy object) | |
# This tests the connection out the Prisma Gateway Firewalls to the Internet to the VPN gateway. Dont change it! | |
$PingTable += [PSCustomObject]@{ Name = "gp_gateway"; PingTarget = "66.66.66.66" } | |
# 2. icmp Ping test to local Gateway (dynamic object or dummy object) | |
# This tests the connection to the local gateway. Dont change it! | |
$PingTable += [PSCustomObject]@{ Name = "df_gateway"; PingTarget = "66.66.66.66" } | |
# 3. icmp Ping test to Google root DNS | |
# This tests the connection out the Prisma Gateway Firewalls to the Internet | |
$PingTable += [PSCustomObject]@{ Name = "google_root_dns"; PingTarget = "8.8.8.8" } | |
# 4. tcp Ping test to cnn.com tcp 443 | |
# This tests the connection out the Prisma Gateway Firewalls to the Internet | |
$PingTable += [PSCustomObject]@{ Name = "cnn"; PingTarget = "151.101.195.5:443" } | |
# 5. tcp Ping test to internal server | |
# This tests the connection through the Prisma Gateway -> Prisma Sevice Connection | |
$PingTable += [PSCustomObject]@{ Name = "jira_server"; PingTarget = "10.0.2.227:443" } | |
# 6. tcp Ping test to Internal server 2 | |
# This tests the connection through the Prisma Gateway -> Prisma Sevice Connection | |
$PingTable += [PSCustomObject]@{ Name = "confluence_server"; PingTarget = "10.0.16.130:443" } | |
# 7. icmp Ping test to intranet | |
# This tests the connection through the Prisma Gateway -> Prisma Sevice Connection | |
$PingTable += [PSCustomObject]@{ Name = "intranet"; PingTarget = "34.98.108.69" } | |
Foreach($Ping in $PingTable){ | |
$ScriptBlock_Ping = { | |
param($timeperiod, $DefaultTimeout, $CacheExportSize, $binpath, $logpath, $SharedFolder, $CurrentDomain, $CurrentUser, $FileTimestamp, $Ping) | |
$CmdName = "psping" | |
$Cmd = "$binpath\psping.exe" | |
$CmdParams = "-n 1 -w 0 $($Ping.PingTarget) -nobanner" -split " " | |
$counter = 0 | |
[array]$ExportCache = $null | |
while($true){ | |
# Get the GlobalProtect allocated IP with ServiceName PanGpd: | |
$gp_ipaddrs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter IPEnabled=True | where {$_.ServiceName -eq 'PanGpd'} | Select-Object -Property IPAddress | |
# Its an array of 2 IPs in Windows, the 1st one is IPv4 and the 2nd one is IPV6. | |
if ([bool]$gp_ipaddrs.IPAddress) { | |
[string]$GPIPv4Address = $gp_ipaddrs.IPAddress[0] | |
} | |
else { | |
[string]$GPIPv4Address = "0.0.0.0" | |
} | |
# Get the processid for PanGPS | |
$pangps_pid = (Get-Process | Where-Object {$_.ProcessName -match 'PanGPS'}).Id | |
# Get the GlobalProtect Gateway IP from netstat with the processid: | |
$pangps_conns = (netstat -ano | Select-String -Pattern $pangps_pid) | |
Foreach ($item in $pangps_conns) { | |
$item = $item -replace '^\s+', '' | |
$item = $item -split '\s+' | |
$Proto = $item[0] | |
$LocalAddressPort = $item[1] | |
$ForeignAddressPort = $item[2] | |
if ($ForeignAddressPort -notlike "127.0.0.*" -and $ForeignAddressPort -notlike "0.0.0.*" -and $ForeignAddressPort -notlike '`*:`*') { | |
$GPGatewayAddress = ($ForeignAddressPort -split ':')[0] | |
} | |
} | |
if (![bool]$GPGatewayAddress) { | |
$GPGatewayAddress = "0.0.0.0" | |
} | |
#get date for timestamp | |
$TimeStamp = (get-date).ToString("yyyy-MM-dd HH:mm:ss") | |
# fillup the gp_gateway dummy object with real IP of the VPN gateway | |
if ($Ping.Name -eq "gp_gateway") { | |
$Ping.PingTarget = $GPGatewayAddress | |
$CmdParams = "-n 1 -w 0 $($Ping.PingTarget) -nobanner" -split " " | |
} | |
# fillup the df_gateway dummy object with real IP of the default gateway | |
elseif ($Ping.Name -eq "df_gateway") { | |
$Ping.PingTarget = (Get-NetRoute "0.0.0.0/0").NextHop -ne "0.0.0.0" | |
$CmdParams = "-n 1 -w 0 $($Ping.PingTarget) -nobanner" -split " " | |
} | |
#run the psping command with parameters and save the output. | |
$Output = & "$Cmd" $CmdParams | |
# check if PingTarget contains port number and use tcp ping instead of icmp. | |
if ($CmdParams[4].Contains(':')) { | |
#named capture group | |
# pattern with ms value for tcp | |
$p1 = "Connecting to (?<DestinationIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<DestinationPort>\d+): from (?<SourceIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<SourcePort>\d+): (?<ReplyTime>\d+\.\d+)ms" | |
# pattern without ms value for tcp | |
$p2 = "Connecting to (?<DestinationIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<DestinationPort>\d+): from (?<SourceIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<SourcePort>\d+):" | |
$result = [regex]::Matches($Output, $p1) | |
if ([bool]$result[0]) { | |
$rtt = $result[0].Groups['ReplyTime'].Value | |
} | |
else { | |
$result = [regex]::Matches($Output, $p2) | |
$rtt = $DefaultTimeout | |
} | |
$DstIP = $result[0].Groups['DestinationIP'].Value | |
$DstPort = $result[0].Groups['DestinationPort'].Value | |
$SrcIP = $result[0].Groups['SourceIP'].Value | |
} | |
# If PingTarget does not contain port number use icmp. | |
else { | |
if ($Output[4].Contains('100% loss')) { | |
# pattern without ms value for icmp if all packets lost | |
$p1 = "Ping statistics for (?<DestinationIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):" | |
$result = [regex]::Matches($Output, $p1) | |
$DstIP = $result[0].Groups['DestinationIP'].Value | |
$rtt = $DefaultTimeout | |
} | |
else { | |
# pattern with ms value for icmp | |
$p1 = "Reply from (?<DestinationIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}): (?<ReplyTime>\d+\.\d+)ms" | |
$result = [regex]::Matches($Output, $p1) | |
$DstIP = $result[0].Groups['DestinationIP'].Value | |
$rtt = $result[0].Groups['ReplyTime'].Value | |
} | |
} | |
$jsonBase = @{} | |
$jsonBase.Add("timestamp",$TimeStamp) | |
$jsonBase.Add("currentdomain",$CurrentDomain) | |
$jsonBase.Add("currentuser",$CurrentUser) | |
$jsonBase.Add("gpgatewayaddress",$GPGatewayAddress) | |
$jsonBase.Add("gpipv4address",$GPIPv4Address) | |
$jsonBase.Add("subtype",$CmdName) | |
$jsonBase.Add("dstip",$DstIP) | |
$jsonBase.Add("dstname",$Ping.Name) | |
$jsonBase.Add("rtt",[long]$rtt) | |
$jsonBase | ConvertTo-Json -Compress | Out-File -FilePath "$logpath\${CmdName}_${FileTimestamp}_${CurrentUser}.json" -Append -Encoding Utf8 | |
$ExportCache += $jsonBase | ConvertTo-Json -Compress | |
$counter++ | |
if ($counter%$CacheExportSize -eq 0 -and (Test-Path -Path $SharedFolder )){ | |
$ExportCache | Out-File -FilePath "$SharedFolder\${CmdName}_${FileTimestamp}_${CurrentUser}.json" -Append -Encoding utf8 | |
if ($?){ [array]$ExportCache = $null } | |
} | |
sleep $timeperiod | |
} | |
} | |
$JobName = $CmdName + "_" + $Ping.Name | |
Start-Job -Name $JobName -scriptblock $ScriptBlock_Ping -ArgumentList($timeperiod, $DefaultTimeout, $CacheExportSize, $binpath, $logpath, $SharedFolder, $CurrentDomain, $CurrentUser, $FileTimestamp, $Ping) | |
} | |
while ((Get-Job).State -contains 'Running') { | |
Start-Sleep 60 | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
############################################################################################################################################################## | |
# # | |
# This Script collects measurements from netstat command # | |
# Syntax for output lines is json that devided by newline # | |
# Example: # | |
# {"name":"Retransmitted_Segments","currentuser":"akdaniel","gpgatewayaddress":"130.41.235.50","currentdomain":"PALOALTONETWORK","value":"1373", # | |
# "timestamp":"2023-06-09 02:19:46","subtype":"tcpstats","gpipv4address":"10.47.140.216"} # | |
# # | |
############################################################################################################################################################## | |
# | |
# set the timeperiod in seconds between 2 measurements | |
$timeperiod = 30 | |
# set the timeout if no reply comes | |
[string]$DefaultTimeout = "5000" | |
# set log lines to cache before trying to upload | |
[long]$CacheExportSize = 5 | |
# psping binary folder | |
$binpath = "$home\Downloads\PSTools" | |
#create log folder if not exists for the logs | |
$logpath = "$binpath\log" | |
if(!(Test-Path -Path $logpath )){ | |
New-Item -ItemType directory -Path $logpath | |
} | |
#set the shared folder from where logstash reads the data | |
$SharedFolder = $logpath + "\serverside" | |
# Get the current username with domain to synch with globalprotect logs | |
$CurrentDomain = $env:userdomain | |
$CurrentUser = $env:username | |
#date with hours written in the filename | |
$FileTimestamp = (get-date).ToString("yyyy-MM-dd_HH-mm-ss") | |
$ScriptBlock = { | |
param($timeperiod, $DefaultTimeout, $CacheExportSize, $binpath, $logpath, $SharedFolder, $CurrentDomain, $CurrentUser, $FileTimestamp) | |
# command to execute | |
$CmdName = "tcpstats" | |
$Cmd = "netsh interface ipv4 show tcpstats" | |
$counter = 0 | |
[array]$ExportCache = $null | |
function Is-Numeric ($Value) { | |
return $Value -match "^(\d+|\.\d+|\d+\.\d+)$" | |
} | |
while($true){ | |
# Get the GlobalProtect allocated IP with ServiceName PanGpd: | |
$gp_ipaddrs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter IPEnabled=True | where {$_.ServiceName -eq 'PanGpd'} | Select-Object -Property IPAddress | |
# Its an array of 2 IPs in Windows, the 1st one is IPv4 and the 2nd one is IPV6. | |
if ([bool]$gp_ipaddrs.IPAddress) { | |
[string]$GPIPv4Address = $gp_ipaddrs.IPAddress[0] | |
} | |
else { | |
[string]$GPIPv4Address = "0.0.0.0" | |
} | |
# Get the processid for PanGPS | |
$pangps_pid = (Get-Process | Where-Object {$_.ProcessName -match 'PanGPS'}).Id | |
# Get the GlobalProtect Gateway IP from netstat with the processid: | |
$pangps_conns = (netstat -ano | Select-String -Pattern $pangps_pid) | |
Foreach ($item in $pangps_conns) { | |
$item = $item -replace '^\s+', '' | |
$item = $item -split '\s+' | |
$Proto = $item[0] | |
$LocalAddressPort = $item[1] | |
$ForeignAddressPort = $item[2] | |
if ($ForeignAddressPort -notlike "127.0.0.*" -and $ForeignAddressPort -notlike "0.0.0.*" -and $ForeignAddressPort -notlike '`*:`*') { | |
$GPGatewayAddress = ($ForeignAddressPort -split ':')[0] | |
} | |
} | |
if (![bool]$GPGatewayAddress) { | |
$GPGatewayAddress = "0.0.0.0" | |
} | |
#get date for timestamp | |
$TimeStamp = (get-date).ToString("yyyy-MM-dd HH:mm:ss") | |
#run the command with parameters and save the output. | |
$Output = Invoke-Expression $Cmd | |
$jsonBase = @{} | |
$jsonBase.Add("timestamp",$TimeStamp) | |
$jsonBase.Add("currentdomain",$CurrentDomain) | |
$jsonBase.Add("currentuser",$CurrentUser) | |
$jsonBase.Add("gpgatewayaddress",$GPGatewayAddress) | |
$jsonBase.Add("gpipv4address",$GPIPv4Address) | |
$jsonBase.Add("subtype",$CmdName) | |
$p1 = "(?<measurement_name>.*):\s+(?<measurement_value>.*)" | |
Foreach ($item in $Output) { | |
$result = [regex]::Matches($item, $p1) | |
if ([bool]$result[0]) { | |
$name = ($result[0].Groups['measurement_name'].Value).replace(" ","_") | |
$value = ($result[0].Groups['measurement_value'].Value).replace(" ","_") | |
if (Is-Numeric $value) { | |
$value = [long]$value | |
$jsonBase.Add($name,$value) | |
} | |
} | |
} | |
$jsonBase | ConvertTo-Json -Compress | Out-File -FilePath "$logpath\${CmdName}_${FileTimestamp}_${CurrentUser}.json" -Append -Encoding Utf8 | |
$ExportCache += $jsonBase | ConvertTo-Json -Compress | |
$counter++ | |
if ($counter%$CacheExportSize -eq 0 -and (Test-Path -Path $SharedFolder )){ | |
$ExportCache | Out-File -FilePath "$SharedFolder\${CmdName}_${FileTimestamp}_${CurrentUser}.json" -Append -Encoding utf8 | |
if ($?){ [array]$ExportCache = $null } | |
} | |
sleep $timeperiod | |
} | |
} | |
Start-Job -Name $CmdName -scriptblock $ScriptBlock -ArgumentList($timeperiod, $DefaultTimeout, $CacheExportSize, $binpath, $logpath, $SharedFolder, $CurrentDomain, $CurrentUser, $FileTimestamp) | |
while ((Get-Job).State -contains 'Running') { | |
Start-Sleep 60 | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
############################################################################################################################################################## | |
# # | |
# This Script collects measurements from netsh command # | |
# Syntax for output lines is json that devided by newline # | |
# Example: # | |
# {"name":"In_Receives","currentuser":"akdaniel","gpgatewayaddress":"130.41.235.50","currentdomain":"PALOALTONETWORK","value":"1636236", # | |
# "timestamp":"2023-06-09 02:19:52","subtype":"ipstats","gpipv4address":"10.47.140.216"} # | |
# # | |
############################################################################################################################################################## | |
# | |
# set the timeperiod in seconds between 2 measurements | |
$timeperiod = 30 | |
# set the timeout if no reply comes | |
[string]$DefaultTimeout = "5000" | |
# set log lines to cache before trying to upload | |
[long]$CacheExportSize = 5 | |
# psping binary folder | |
$binpath = "$home\Downloads\PSTools" | |
#create log folder if not exists for the logs | |
$logpath = "$binpath\log" | |
if(!(Test-Path -Path $logpath )){ | |
New-Item -ItemType directory -Path $logpath | |
} | |
#set the shared folder from where logstash reads the data | |
$SharedFolder = $logpath + "\serverside" | |
# Get the current username with domain to synch with globalprotect logs | |
$CurrentDomain = $env:userdomain | |
$CurrentUser = $env:username | |
#date with hours written in the filename | |
$FileTimestamp = (get-date).ToString("yyyy-MM-dd_HH-mm-ss") | |
$ScriptBlock = { | |
param($timeperiod, $DefaultTimeout, $CacheExportSize, $binpath, $logpath, $SharedFolder, $CurrentDomain, $CurrentUser, $FileTimestamp) | |
# command to execute | |
$CmdName = "wifisig" | |
$counter = 0 | |
[array]$ExportCache = $null | |
while($true){ | |
# Get the GlobalProtect allocated IP with ServiceName PanGpd: | |
$gp_ipaddrs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter IPEnabled=True | where {$_.ServiceName -eq 'PanGpd'} | Select-Object -Property IPAddress | |
# Its an array of 2 IPs in Windows, the 1st one is IPv4 and the 2nd one is IPV6. | |
if ([bool]$gp_ipaddrs.IPAddress) { | |
[string]$GPIPv4Address = $gp_ipaddrs.IPAddress[0] | |
} | |
else { | |
[string]$GPIPv4Address = "0.0.0.0" | |
} | |
# Get the processid for PanGPS | |
$pangps_pid = (Get-Process | Where-Object {$_.ProcessName -match 'PanGPS'}).Id | |
# Get the GlobalProtect Gateway IP from netstat with the processid: | |
$pangps_conns = (netstat -ano | Select-String -Pattern $pangps_pid) | |
Foreach ($item in $pangps_conns) { | |
$item = $item -replace '^\s+', '' | |
$item = $item -split '\s+' | |
$Proto = $item[0] | |
$LocalAddressPort = $item[1] | |
$ForeignAddressPort = $item[2] | |
if ($ForeignAddressPort -notlike "127.0.0.*" -and $ForeignAddressPort -notlike "0.0.0.*" -and $ForeignAddressPort -notlike '`*:`*') { | |
$GPGatewayAddress = ($ForeignAddressPort -split ':')[0] | |
} | |
} | |
if (![bool]$GPGatewayAddress) { | |
$GPGatewayAddress = "0.0.0.0" | |
} | |
#get date for timestamp | |
$TimeStamp = (get-date).ToString("yyyy-MM-dd HH:mm:ss") | |
$value = (netsh wlan show interfaces) -Match '^\s+Signal' -Replace '^\s+Signal\s+:\s+','' -Replace '%','' | Out-String | |
$value = $value.Trim() | |
$jsonBase = @{} | |
$jsonBase.Add("timestamp",$TimeStamp) | |
$jsonBase.Add("currentdomain",$CurrentDomain) | |
$jsonBase.Add("currentuser",$CurrentUser) | |
$jsonBase.Add("gpgatewayaddress",$GPGatewayAddress) | |
$jsonBase.Add("gpipv4address",$GPIPv4Address) | |
$jsonBase.Add("subtype",$CmdName) | |
$jsonBase.Add("sig_level",[long]$value) | |
$jsonBase | ConvertTo-Json -Compress | Out-File -FilePath "$logpath\${CmdName}_${FileTimestamp}_${CurrentUser}.json" -Append -Encoding Utf8 | |
$ExportCache += $jsonBase | ConvertTo-Json -Compress | |
$counter++ | |
if ($counter%$CacheExportSize -eq 0 -and (Test-Path -Path $SharedFolder )){ | |
$ExportCache | Out-File -FilePath "$SharedFolder\${CmdName}_${FileTimestamp}_${CurrentUser}.json" -Append -Encoding utf8 | |
if ($?){ [array]$ExportCache = $null } | |
} | |
sleep $timeperiod | |
} | |
} | |
Start-Job -Name $CmdName -scriptblock $ScriptBlock -ArgumentList($timeperiod, $DefaultTimeout, $CacheExportSize, $binpath, $logpath, $SharedFolder, $CurrentDomain, $CurrentUser, $FileTimestamp) | |
while ((Get-Job).State -contains 'Running') { | |
Start-Sleep 60 | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment