如何搜索多个文本文件的IP地址，并使用PowerShell输出找到文本文件的IP地址？

Question

I am hitting a brick wall with this. I was tasked with searching the IIS logs on a list of Windows servers and creating a report of all of the IP addresses that connect to the server in the log files. If I were using Linux, it would be easy. I could just use grep and cut and be done in a few minutes. However, these are internal servers and I have no way of accessing them from a BASH shell. I am required to create a script and run it on each server locally using powershell.

As close as I've been able to get is to first run a script that searches all of the .log files in C:\\inetpub\\logs\\LogFiles\\ for anything that looks like an IPV4 address and dump that into a CSV file

get-childItem C:\inetpub\logs\logfiles\ -include *.log -rec | select-String -pattern ‘\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b’ | select-Object -Propery 'Line' | export-CSV C:\temp\output.txt -notypeinformation

which creates a csv file containing each log line with an IP address in it. Then I run a second script against that file that looks for IP addresses and outputs them to another file (admittedly 'borrowed' from somewhere online)

$FilesOfInterest = (
    "*.csv"
)

$pattern = ‘\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b’

function FindFilesWithContent($Root, $Include, $Pattern){
    try{
        Get-ChildItem -Path:$Root -Include:$Include `
            -Recurse -Force -ErrorAction:SilentlyContinue |
            ?{!$_.PSIsContainer} |
        ForEach-Object{
            Write-Progress $_.FullName;
            $item = $_;
            Get-Content $_ -ErrorAction SilentlyContinue |
            ForEach-Object {
                if($_ -match $Pattern){
                    "" | select filename,match | %{
                        $_.filename = $item.FullName;
                        $_.match = $matches[0];
                        return $_ 
                    }
                }

            }
        }
    }
    catch{
    }
}


FindFilesWithContent -Root C:\temp -Include $FilesOfInterest -Pattern $pattern |export-csv C:\temp\filtered.csv

the problem I'm having is that as soon as it finds an IP address, it skips to the next line. Each line of the log file begins with a timestamp and the IP address of the server itself, so what I end up with is about 130,000 lines of 192.168.1.X which is completely useless to me.

Answer 1

If I were using Linux, it would be easy. I could just use grep and cut and be done in a few minutes. However, these are internal servers and I have no way of accessing them from a BASH shell.

On Windows, the most viable way of efficiently querying IIS log files is by far using Microsoft's LogParser utility .

LogParser supports SQL-like queries, to get a list of all client IP addresses in the logs:

logparser "SELECT DISTINCT c-ip INTO C:\clientips.txt FROM C:\inetpub\logs\logfiles\*.log"

Answer 2

For analyzing IIS logs, I would highly recommend using Logparser . A easy to use command line tool that uses a SQL dialect to extract information from data sources.

You can use the code below to get the IPs reaching your site. Just chose the logfilename, or if you want to analyze more then one logfile, just use a wildcard like "c:/logs/ex*"

logparser "select c-ip, count(c-ip) as requestcount from [LogFileName] group by c-ip order by count(c-ip) desc"

If you ain't a big fan of SQL, someone wrote This with more then 50 useful examples!