powershell n00b questions

This topic contains 0 replies, has 1 voice, and was last updated by  Forums Archives 5 years, 11 months ago.

  • Author
    Posts
  • #5256

    by pspecht at 2012-11-02 06:33:49

    I am very new to powershell.

    I am trying to create an emailed (HTML) report of log files from some of my 2008 servers.
    I am trying to learn how to scan text files for specific words, and then place those words in an HTML email so I can have a daily report.
    Example: If I look my virus scan logs I can search for the words “virus detected”, and pull the path and file name that was detected plus the name of the virus.

    This is want I know so far. (Or at least I think I do!)

    To get the log file data: "Get-content then path to the log file".
    Do I then want to use "-match (search word)” to look for the words in the log file I want? Or do I use Select-String, I think I want a regular expression so I can look for the words virus detected, and grab the info after that. Correct?
    I am a bit confused, I think I need to set a variable for the words I find correct? So I can pull that info into the tables? I can use that variable to put the data into the correct table.

    Since I have multiple servers, I would like to pull the data from each server and write to a single report. Do I need to create a text file with the server names, or should I run each script on the server, then pull that data into my report?

    Using a script I found for my exchagne servers, I am able to create andn html report with tables. I am reverse engineering it, and learning what does what as I remove and add commands.

    by nohandle at 2012-11-02 06:46:24

    1) html report by mail: do you have smtp server available? to send html message use Send-MailMessage -BodyAsHtml -Body
    2) text files for specific words: yes use select string to get the whole line (maybe you want to look at context parameter of the cmdlet)

    after you are done with the reverse engineering invent some code and do a bit of practice. 🙂 you can of course post the code after and get comments.

    by pspecht at 2012-11-02 07:23:32

    thanks for the reply!

    I do have an smtp server. with the code I have I am curenlty sending my exchange server reports.

    I am currenlty playing with the select-string command and reading up on it. I am able to pull the whole line. I am now looking to see how pull each section of that line out to place in its table. the line looks like this:

    2012-10-26T16:02:07.186Z DETECTION Virus:DOS/EICAR_Test_File file:D:\eicar.com

    I want to pull detection virus:DOS/Eicar_test_file and put in one table then take d:\eicar.com for another table. I am mesing with out-file, but gettig errors

    by nohandle at 2012-11-02 07:38:29

    you can do it by named matches in regex
    the named match is a submatch
    submatch is marked by ()
    and named by ?

    $line = "2012-10-26T16:02:07.186Z DETECTION Virus:DOS/EICAR_Test_File file:D:\eicar.com"
    if ($line -match "^.*Virus:(?.*) file:(?.*)$")
    {
    #$matches
    $matches.virusname
    $Matches.filename
    }


    DOS/EICAR_Test_File
    D:\eicar.com

    if there is anything you don't understand please ask.

    by pspecht at 2012-11-02 11:05:48

    nohandle,

    Thank you that code helped immensely!

    I am now trying to use that with Get-content (to look through entire log) but I cannot. I thought I could use $d = get-content "path to log" to store log file in the pipe then replace the $line in your code with my variable:

    $SourceFile = "C:\ProgramData\Microsoft\Microsoft Antimalware\Support\MPDetection-10262012-113240.log"
    $d = (Get-Content $SourceFile)
    if ($d -match "^.*Virus:(?.*) file:(?.*)$")
    {
    #$matches
    $matches.virusname
    $matches.filename
    }

    by pspecht at 2012-11-02 11:14:34

    I am able to out-file to a text file. it works and shows name colum and value column.

    by nohandle at 2012-11-02 12:58:53

    i think the if condition just finds the first match. you should go through the log file line by line
    try this approach:
    get-content |
    foreach-object {
    if ($_ -match "^.*Virus:(?.*) file:(?.*)$") {
    $matches.virusname
    $matches.filename
    } }

    not sure if this works right away, no way to test it

    by pspecht at 2012-11-02 13:19:51

    No joy. I did try that already. I get unexpected token in 'matches' error

    I am trying to remember the code I had that outputted the correct info to th etext file. had to step away and tested other code and lost it.

    by pspecht at 2012-11-06 07:28:41

    Okay. Some new things.

    using this I am able to output to a text file with formatting

    $SourceFile = "path_to_file.log"
    $TargetFile = "path_to_file.txt"

    $v = type $SourceFile | where {$_ -match "^.*Virus:(?.*) file:(?.*)$"}
    foreach { $matches}
    $v | Out-File $TargetFile

    Name Value
    —- —–
    virusname DOS/EICAR_Test_File
    filename D:\eicar.com
    0 2012-10-26T16:02:07.186Z DETECTION Virus:DOS/EICAR_Test_File file:D:\eicar.com
    virusname DOS/EICAR_Test_File
    filename C:\Users\pspecht\Desktop\eicar.com
    0 2012-10-28T06:20:20.978Z DETECTION Virus:DOS/EICAR_Test_File file:C:\Users\pspecht\De...
    virusname DOS/EICAR_Test_File
    filename E:\eicar_com.zip->eicar.com
    0 2012-10-28T06:20:20.978Z DETECTION Virus:DOS/EICAR_Test_File file:E:\eicar_com.zip->e...
    virusname DOS/EICAR_Test_File
    filename G:\eicarcom2.zip->eicar_com.zip->eicar.com
    0 2012-10-28T06:20:20.978Z DETECTION Virus:DOS/EICAR_Test_File file:G:\eicarcom2.zip->e...

    I still need to remove the 0 line and clean up the formatting.

    by nohandle at 2012-11-06 10:22:04

    I thought I responded to that post asking what is the error you get.
    because the code worked for me and i retested it. but now I see I didn`t reply.
    I think my snippet does all you need. can you run it again and tell me what is the error you get? sometimes the quotes get messed up when copy pasting from internet so try to replace them.

    by pspecht at 2012-11-06 10:34:54

    Nohandle,

    thank you. your code does work! I am not sure what I was missing when I tried it the first time.

    How can I combine what I got working with the foreach command to create tables?
    I did try

    foreach { new-object PSObject –prop @{
    Virusname=$matches['virusname']
    Filename=$matches['filename']
    }
    }

    but I get an error

    The string starting:
    At C:\virusscan\vs2.ps1:9 char:33
    + foreach { new-object PSObject â? < <<< "prop @{
    is missing the terminator: ".
    At C:\virusscan\vs2.ps1:16 char:1

    From what I have found it has an issue with creating the hash table. only difference with the code that I was testing/learning with is the regex.

You must be logged in to reply to this topic.