Forked from cameronkerrnz/tail-windows-firewall-defender-log.ps1
Created
May 8, 2024 16:32
Tail and Filter Windows Firewall Log (like tail -f ... | awk)
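# Tail and filter the Windows Firewall log, roughly `tail -f ... | awk`.
# Only DROP records are shown, minus a list of destination ports that are
# plain LAN chatter on most networks. Dropped-packet logging is off by
# default; it has to be enabled per firewall profile before this file
# receives anything.
#
# The original path read "...\Filrewall\..." (typo); the default location is
# %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log.
$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# Destination ports whose DROP records are suppressed as background noise:
# 137 NetBIOS-NS, 135 MS-RPC endpoint mapper, 1900 SSDP, 5353 mDNS,
# 7680 Windows Update Delivery Optimization.
# NOTE: drops on 135/137 are also what a lateral-movement sweep against this
# host looks like, so revisit this list when hunting rather than de-noising.
$NoisyPorts = @(137, 135, 1900, 5353, 7680)

#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
#        0    1    2      3        4      5      6        7        8    9        10     11     12     13       14       15   16

#######################################
# Turns one pfirewall.log line into an aligned one-line summary, or $null
# when the line should not be shown.
# Arguments: -Line      raw log line; header lines, blank lines and non-DROP
#                       records yield $null
#            -SkipPorts destination ports whose DROP records are suppressed
# Returns:   formatted string, or $null
#######################################
function Format-PfirewallLine {
  param(
    [string]$Line,
    $SkipPorts = @()
  )
  $a = $Line.Split(' ')

  # Action field is DROP or ALLOW; '#' header lines and blank lines fail this
  # test as well because $a[2] is then something else or $null.
  if ($a[2] -ne 'DROP') { return $null }

  # Aims to drop common multicast addresses (no CIDR matching to hand).
  # -match is needed here, -like would treat '^' literally. The original
  # tested $a[4] (src-ip); dropped multicast normally shows in dst-ip ($a[5]).
  # if ($a[4] -match '^(239|224)\.') { return $null }

  # Direction: the 'path' field holds SEND or RECEIVE.
  # if ($a[16] -eq 'SEND') { return $null }

  # Destination port. -in compares each list element with -eq, so the string
  # field matches the integer list; a '-' (ICMP records) never matches.
  if ($a[7] -in $SkipPorts) { return $null }

  # Indices are spelled out rather than passing $a to -f so that a short or
  # older-format line (no 'path' column) yields empty columns instead of a
  # FormatException.
  return ("{0} {1} {2,-5} {3,-4} {4,-15} {5,-15} {6,5} {7,5} {8} {9} {10} {11}" -f `
    $a[0], $a[1],    # date time
    $a[2], $a[3],    # action protocol
    $a[4], $a[5],    # src-ip dst-ip
    $a[6], $a[7],    # src-port dst-port
    $a[9],           # tcpflags
    $a[13], $a[14],  # icmptype icmpcode
    $a[16]           # path
  )
}

# Show the file header once so the #Fields legend is on screen, then follow
# the log and print every record that survives the filter.
Get-Content -Head 5 -Path $LogPath
Get-Content -Wait -Tail 5 -Path $LogPath | ForEach-Object {
  $summary = Format-PfirewallLine -Line $_ -SkipPorts $NoisyPorts
  if ($null -ne $summary) { Write-Host $summary }
}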