date=2017-11-15 time=11:44:16 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1510775056 srcip=10.1.100.155 srcname="pc1" srcport=40772 srcintf="port12" srcintfrole="undefined" dstip=35.197.51.42 dstname="fortiguard.com" dstport=443 dstintf="port11" dstintfrole="undefined" poluuid="707a0d88-c972-51e7-bbc7-4d421660557b" sessionid=8058 proto=6 action="close" policyid=1 policytype="policy" policymode="learn" service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=40772 appid=40568 app="HTTPS.BROWSER" appcat="Web.Client" apprisk="medium" duration=2 sentbyte=1850 rcvdbyte=39898 sentpkt=25 rcvdpkt=37 utmaction="allow" countapp=1 devtype="Linux PC" osname="Linux" mastersrcmac="a2:e9:00:ec:40:01" srcmac="a2:e9:00:ec:40:01" srcserver=0 utmref=0-220586
上記のようなファイアウォールログファイルのデータを加工して、CSV ファイルを作成する PowerShell プログラムです。
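# Variable declarations
# $PSScriptRoot is empty when this code is pasted into a console or run via
# Invoke-Expression.  The cleanup at the end of the script removes everything
# under $logdir, so refuse to continue rather than let "$PSScriptRoot/log/"
# collapse to "/log/" at the filesystem root.
if ([string]::IsNullOrEmpty($PSScriptRoot)) {
  throw '$PSScriptRoot が空です。このスクリプトは .ps1 ファイルとして実行してください。'
}
$username = $env:USERNAME
$hostname = hostname
# Timestamp shared by the transcript name and the CSV name (yyyyMMddHHmmss).
$datetime = Get-Date -f 'yyyyMMddHHmmss'
# Transcript directory; trailing slash is relied on by "${logdir}${logfilename}".
$logdir = "$PSScriptRoot/log/"
$logfilename = "Firewall_log-${username}-${hostname}-${datetime}.log"
# Name of the FortiGate log file, expected next to this script (placeholder value).
$firewallFileName = "ファイヤオールログファイル"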
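# Start logging: everything written below also lands in the transcript.
# Start-Transcript does not reliably create a missing directory, so make sure
# $logdir exists first (-Force is a no-op when it already exists).
New-Item -ItemType Directory -Path $logdir -Force | Out-Null
Start-Transcript "${logdir}${logfilename}"
# Banner.  The title previously read "指定したディレクトリの容量取得", a leftover
# from a different script; it now states what this script actually does.
Write-Host @"
*********************************************************
*
* ファイアウォールログの CSV 変換
* バージョン : 1.0
* 作成者 : user
* 作成日 : 2024/06/28
* 更新日 : 2024/07/11
*
*********************************************************
"@ -ForeGroundColor green
Write-Host "$(Get-Date -Format g) 実行中のユーザ : " $username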
# Load the firewall log as an array of lines (UTF-8).
# A missing file yields a non-terminating error and $null here; the branch
# below handles that through the length check.
$firewallPath = "$PSScriptRoot/$firewallFileName"
Write-Host "$(Get-Date -Format g) ファイアウォールlogファイルを読み込み : $($PSScriptRoot)/$firewallFileName"
$firewall = (Get-Content -Path $firewallPath -Encoding UTF8) -as [string[]]
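# CSV columns, in output order.  Every entry is a FortiGate log key; the
# leading "No" column (the optional syslog priority prefix such as "<13>") is
# added separately.  The order is kept identical to the previous object so the
# CSV header does not change for existing consumers.
$fieldNames = @(
  'date', 'time', 'devname', 'devid', 'eventtime', 'tz', 'logid', 'type',
  'subtype', 'level', 'vd', 'srcip', 'srcport', 'identifier', 'srcintf',
  'srcintfrole', 'dstip', 'dstport', 'dstintf', 'dstintfrole', 'srccountry',
  'dstcountry', 'sessionid', 'proto', 'action', 'policyid', 'policytype',
  'poluuid', 'policyname', 'user', 'group', 'authserver', 'service',
  'trandisp', 'transip', 'transport', 'duration', 'sentbyte', 'rcvdbyte',
  'sentpkt', 'rcvdpkt', 'appcat', 'sentdelta', 'rcvddelta', 'locip',
  'remport', 'locport', 'outintf', 'cookies', 'useralt', 'xauthuser',
  'assignip', 'vpntunnel', 'status', 'init', 'exch', 'dir', 'role', 'result',
  'version', 'ip', 'fctuid', 'sn', 'intf', 'crscore', 'craction', 'crlevel',
  'logdesc', 'tunneltype', 'tunnelid', 'remip', 'tunnelip', 'dst_host',
  'nextstat', 'msg', 'reason', 'desc'
)

# One key=value token of a FortiGate log line:
#   group 1 - key, not preceded by a word char, a quote or "=" (so "ip="
#             never matches inside "srcip=" or "transip=", while a key right
#             after a "<13>" prefix is still found);
#   group 2 - double-quoted value (quotes stripped; stops at the first quote);
#   group 3 - unquoted value, a run of non-blank characters.
# Quoted values are consumed whole, so "msg=" text containing "=" or spaces
# is no longer truncated, and the value is taken after the first "=" only.
$tokenPattern = [regex]'(?<![\w"=])([A-Za-z_]\w*)=(?:"([^"]*)"|(\S*))'

<#
.SYNOPSIS
  Converts one FortiGate log line into a row object with the columns above.
.PARAMETER Line
  Raw log line (key=value pairs separated by whitespace, optional "<N>" prefix).
.OUTPUTS
  PSCustomObject with "No" followed by every name in $fieldNames; columns
  missing from the line are $null (empty in the CSV).  The first occurrence
  of a key wins if a key is repeated.
#>
function ConvertFrom-FortiLogLine {
  param([string]$Line)
  # Optional syslog priority prefix, kept verbatim (e.g. "<13>").
  $no = $null
  if ($Line -match '<[0-9]*>') { $no = $Matches[0] }
  # Tokenize once instead of running one regex per column.
  $fields = @{}
  foreach ($m in $tokenPattern.Matches($Line)) {
    $key = $m.Groups[1].Value
    if ($fields.ContainsKey($key)) { continue }
    if ($m.Groups[2].Success) {
      $fields[$key] = $m.Groups[2].Value
    } else {
      $fields[$key] = $m.Groups[3].Value
    }
  }
  # Project onto the fixed column list so every row has the same shape.
  $row = [ordered]@{ No = $no }
  foreach ($name in $fieldNames) {
    $row[$name] = if ($fields.ContainsKey($name)) { $fields[$name] } else { $null }
  }
  return [PSCustomObject]$row
}

# Only convert when at least one line was read.
if ($firewall.Length -ge 1) {
  # Export-Csv does not create the target directory.
  $resultDir = "$PSScriptRoot/result"
  New-Item -ItemType Directory -Path $resultDir -Force | Out-Null
  # NOTE: every column is untrusted data copied from the log.  Export-Csv
  # quotes fields, but spreadsheet applications still evaluate cells that
  # start with = + - @ as formulas; neutralize on the consuming side if the
  # CSV is opened in one.
  $firewall |
    ForEach-Object { ConvertFrom-FortiLogLine -Line $_ } |
    Export-Csv "$resultDir/${datetime}_${firewallFileName}.csv" -Encoding UTF8 -NoTypeInformation
} else {
  Write-Host "ファイアウォールログファイルを確認お願いします。"
  Write-Host $Error
}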
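# Delete previous transcripts, keeping only the one being written now.
# Guard the destructive wildcard: $logdir is derived from $PSScriptRoot, and
# with an empty $PSScriptRoot "${logdir}\*" would resolve under "/log/".
if (-not [string]::IsNullOrEmpty($PSScriptRoot) -and (Test-Path -LiteralPath $logdir)) {
  Remove-Item "${logdir}\*" -Exclude ${logfilename} -Recurse
  Write-Host "$(Get-Date -Format g) ${logfilename} 以外ファイルを削除"
}
# Stop logging
Stop-Transcript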


