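function Get-PSFirewallLog {
    <#
    .SYNOPSIS
    Retrieves Windows Firewall log events and returns them as a table.

    .DESCRIPTION
    Retrieves Windows Firewall log events and returns them as a table. Log path can be directly specified or automatically determined based on local or remote registry settings.

    Each log line is split on whitespace and mapped onto the 17 columns of the firewall log
    (Date, Time, Action, Protocol, SourceIP, DestinationIP, SourcePort, DestinationPort, Size,
    TcpFlags, TcpSyn, TcpAck, TcpWin, IcmpType, IcmpCode, Info, Path). Header lines (starting
    with '#') and blank lines are not emitted as events.

    .EXAMPLE
    Get-PSFirewallLog -Path C:\Windows\system32\logfiles\firewall\pfirewall.log -Tail 1000

    Get last 1000 Windows Firewall log lines at a specific path.

    .EXAMPLE
    Get-PSFirewallLog -LogDirectory C:\Windows\system32\logfiles\firewall\ -LogFileName domainfw.log

    Get Windows Firewall log by specifying the log directory and filename separately.

    .EXAMPLE
    Get-PSFirewallLog -LogProfile Domain

    Get Windows Firewall log by retrieving the path automatically from the registry on the local machine.

    .EXAMPLE
    Get-PSFirewallLog -LogProfile Public -ComputerName MyRemoteComputer -Verbose

    Get Windows Firewall log on a remote computer using the Remote Registry service to get the log path.

    .EXAMPLE
    Get-PSFirewallLog -LogProfile Public -ComputerName MyRemoteComputer -InferPath

    Get Windows Firewall log on a remote computer using the path configured in the local machine's registry (converted to a UNC path).

    .OUTPUTS
    PSCustomObject tagged with the type name 'PSWinFW.Log.Event', one per log line.

    .NOTES
    Arguments are passed to Get-PSFirewallLogPath and Get-Content by splatting rather than by
    building a command string for Invoke-Expression, so a ComputerName or log path containing
    quotes, semicolons or whitespace is treated as data and cannot alter the command that runs.
    #>
    [CmdletBinding(DefaultParameterSetName = 'direct')]
    param (
        # Path to firewall log. Defaults to $ENV:SystemRoot\system32\LogFiles\Firewall\pfirewall.log if parameter not supplied.
        [Parameter(Mandatory = $false, Position = 0, ValueFromPipeline, ParameterSetName = 'direct')]
        [string]
        $Path = "$ENV:SystemRoot\system32\LogFiles\Firewall\pfirewall.log",

        # Path to firewall log directory. Defaults to $ENV:SystemRoot\system32\LogFiles\Firewall\ if parameter not supplied.
        [Parameter(Mandatory = $false, ParameterSetName = 'indirect')]
        [string]
        $LogDirectory = "$ENV:SystemRoot\system32\LogFiles\Firewall\",

        # Log file name.
        [Parameter(Mandatory = $true, ParameterSetName = 'indirect')]
        [string]
        $LogFileName,

        # Retrieve a profile's log using registry settings of the local or remote machine
        [Parameter(Mandatory = $true, ParameterSetName = 'auto')]
        [Parameter(Mandatory = $true, ParameterSetName = 'remote')]
        [ValidateSet('Public', 'Private', 'Domain')]
        [string]
        $LogProfile,

        # Number of firewall events to retrieve. Defaults to -1 (All events).
        [Parameter(Mandatory = $false)]
        [int]
        $Tail = -1,

        # ComputerName to retrieve log from
        [Parameter(Mandatory = $true, ParameterSetName = 'remote')]
        [string]
        $ComputerName,

        # Follow the log
        [Parameter(Mandatory = $false)]
        [switch]
        $Wait,

        # Use local machine's registry setting to infer remote machine's log path
        [Parameter(Mandatory = $false, ParameterSetName = 'remote')]
        [switch]
        $InferPath
    )

    begin {
        # Number of non-event lines at the top of a firewall log (#Version, #Software,
        # #Time Format, #Fields and a blank line) that are dropped when all events are requested.
        $headerLineCount = 5

        # Column order of the firewall log; index into the whitespace-split line.
        $fieldNames = @(
            'Date', 'Time', 'Action', 'Protocol', 'SourceIP', 'DestinationIP',
            'SourcePort', 'DestinationPort', 'Size', 'TcpFlags', 'TcpSyn', 'TcpAck',
            'TcpWin', 'IcmpType', 'IcmpCode', 'Info', 'Path'
        )

        # Resolve the log path from the registry when a profile was requested.
        if ($PSCmdlet.ParameterSetName -eq 'auto') {
            $Path = Get-PSFirewallLogPath -LogProfile $LogProfile -Verbose:$VerbosePreference
        }
        elseif ($PSCmdlet.ParameterSetName -eq 'remote') {
            # Splat instead of interpolating $ComputerName/$LogProfile into an
            # Invoke-Expression string: the values are passed as bound arguments, never parsed.
            $logPathArgs = @{
                LogProfile   = $LogProfile
                ComputerName = $ComputerName
            }
            if ($InferPath) {
                $logPathArgs['InferPath'] = $true
            }
            $Path = Get-PSFirewallLogPath @logPathArgs -Verbose:$VerbosePreference
        }
    }

    process {
        if ($PSCmdlet.ParameterSetName -eq 'indirect') {
            # Check for trailing slash and add if necessary
            if (-not $LogDirectory.EndsWith('\')) {
                $LogDirectory += '\'
            }
            $logPath = $LogDirectory + $LogFileName
        }
        else {
            $logPath = $Path
        }

        # -LiteralPath: a log path containing '[' or '*' must not be treated as a wildcard.
        if (-not (Test-Path -LiteralPath $logPath)) {
            Write-Error "Failed to retrieve log at $logPath."
            return
        }

        $count = @(Get-Content -LiteralPath $logPath).Count

        # Work on a local copy: $Path is ValueFromPipeline, so mutating $Tail here would
        # carry a file-specific line count into the next pipeline item.
        $linesToRead = $Tail

        # Check if outputting all events from the log and cut the first 5 lines that aren't events.
        if (($linesToRead -lt 0) -or ($linesToRead -gt $count)) {
            # Never go negative on a log shorter than its header.
            $linesToRead = [Math]::Max(0, $count - $headerLineCount)
        }

        Write-Verbose "Log has $count lines. Retrieving $linesToRead lines."

        $readArgs = @{
            LiteralPath = $logPath
            Tail        = $linesToRead
        }
        if ($Wait) {
            $readArgs['Wait'] = $true
        }

        Get-Content @readArgs | ForEach-Object {
            $line = $_

            # Header and blank lines carry no event fields; skip them rather than
            # emitting an object whose columns hold fragments of the '#Fields' line.
            if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) {
                return
            }

            $fields = $line -split '\s'

            $fwEvent = New-Object PSCustomObject
            for ($i = 0; $i -lt $fieldNames.Count; $i++) {
                $fwEvent | Add-Member -MemberType NoteProperty -Name $fieldNames[$i] -Value $fields[$i]
            }

            # Type name drives any PSWinFW.Log.Event format/type data the module ships.
            $fwEvent.pstypenames.Insert(0, 'PSWinFW.Log.Event')

            $fwEvent
        }
    }
}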