Saturday, 5 December 2009

Using PowerShell to filter the event log

Since I'm using Windows 7 in a domain where we use Microsoft Forefront Client Security, I have a little problem. About every 60 minutes my computer becomes unresponsive for about 60 seconds, with the hard disk LED on.

In the Application event log I find pairs of events 21268 and 21269. Googling around, I seem to be the only one with this particular problem.

Some hints say my domain admin has to change some settings so that my local computer can increase a local buffer. The chances of convincing the Forefront guys that they are doing real nonsense here (why not just ask me whether I allow the buffer to be increased?) or of convincing my admin to get some advice from his Forefront consultant seem very low.

What on earth fills the buffer? Looking at the Security log, I see that there are lots of audit failures.

OK, I'm not interested in audit failures and I don't want to log them. No chance: a domain policy doesn't allow me to switch off auditing of rejected packets.

Funny thing: I am allowed to disable the firewall. I'm not going to try that option.

It's time to look deeper into Windows event logs.

They seem to be a very legacy application, like ipconfig and INI files: the main information is returned as name:value pairs in plain text. Here is the message of one of the audit failures, with the addresses left blank:

The Windows Filtering Platform has blocked a connection.

Application Information:
Process ID: 1020
Application Name: \device\harddiskvolume2\windows\system32\svchost.exe

Network Information:
Direction: Inbound
Source Address:
Source Port: 60100
Destination Address:
Destination Port: 443
Protocol: 0

Filter Information:
Filter Run-Time ID: 212121
Layer Name: Receive/Accept
Layer Run-Time ID: 44

It's time to use a little PowerShell to convert the event log text into properties of PowerShell objects, which can then be grouped, sorted and so on.

function Convert-PairToProperty2 {
    # Turn one event message ("Name: value" per line) into an object
    # with one property per pair.
    process {
        $hash = @{}
        $_ -split "`r?`n" | ForEach-Object {
            $m = [regex]::Matches($_, '(\w.*?):\s*(.*)')
            if ($m.Count -gt 0) {
                # Write-Host $m[0].Groups[1].Value
                # Write-Host $m[0].Groups[2].Value
                $hash[$m[0].Groups[1].Value] = $m[0].Groups[2].Value
            }
        }
        New-Object PSObject -Property $hash
    }
}

# Collect once and cache in the session, so the script can be re-run
# without re-reading the Security log (needs an elevated shell).
if (-not $seclog_1000) {
    Write-Host "Collecting last 1000 packets rejected"
    (Measure-Command { $seclog_1000 = Get-EventLog Security -InstanceId 5152 -Newest 1000 | Select-Object -ExpandProperty Message }).TotalMilliseconds
}
'Using $seclog_1000'
$time_property2 = Measure-Command { $property2 = ($seclog_1000 | Convert-PairToProperty2) }

"needed $($time_property2.TotalMilliseconds) ms for property2"

$property2 | Group-Object -Property 'Source Address' -NoElement | Sort-Object Count -Descending

If you take a closer look, you see that I used New-Object PSObject -Property to turn the hash table into the properties of an object.

I tried different variants, but the performance measurements don't show a clear preference for one or the other.

What I got is clear information about which IP address causes most of the rejected packets.
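The same conversion, as an added example that is not part of the original post: a pipeline-aware version of the parser that skips the section headers (lines such as "Network Information:" that carry no value), accepts either raw message strings or the objects that Get-EventLog and Get-WinEvent return, and is run offline over constructed sample messages. The function names New-SampleWfpMessage and ConvertFrom-EventMessage, and the addresses, ports and protocol number in the samples, are made up for the demo; the message layout is the one shown above.

```powershell
# Added example (not from the original post). Parses WFP block messages
# into objects and groups them; runs offline on constructed samples.

function New-SampleWfpMessage {
    # Builds a constructed message body in the layout shown above.
    # Addresses, ports and the protocol number are made up for the demo.
    param(
        [string]$Source,
        [int]$SourcePort,
        [string]$Dest,
        [int]$DestPort,
        [string]$Direction = 'Inbound'
    )
@"
The Windows Filtering Platform has blocked a connection.

Application Information:
Process ID: 1020
Application Name: \device\harddiskvolume2\windows\system32\svchost.exe

Network Information:
Direction: $Direction
Source Address: $Source
Source Port: $SourcePort
Destination Address: $Dest
Destination Port: $DestPort
Protocol: 6

Filter Information:
Filter Run-Time ID: 212121
Layer Name: Receive/Accept
Layer Run-Time ID: 44
"@
}

function ConvertFrom-EventMessage {
    # Turns one "Name: value" message body into an object with one
    # property per pair. Section headers ("Network Information:") have
    # no value and are skipped; a repeated name keeps the last value.
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $InputObject
    )
    process {
        # Accept a raw string or an object with a Message property,
        # as returned by Get-EventLog and Get-WinEvent.
        $text = $InputObject
        if ($InputObject -isnot [string]) { $text = [string]$InputObject.Message }

        $hash = @{}
        foreach ($line in ($text -split "`r?`n")) {
            # The name runs up to the first colon, so IPv6 values keep their colons.
            if ($line -match '^\s*(?<name>\w[^:]*?):\s*(?<value>.*?)\s*$' -and $Matches['value'] -ne '') {
                $hash[$Matches['name']] = $Matches['value']
            }
        }
        New-Object PSObject -Property $hash
    }
}

# Constructed sample: one noisy peer hitting 443/445, plus some SSDP chatter.
$sampleMessages = @(
    (New-SampleWfpMessage -Source '10.0.0.5' -SourcePort 60100 -Dest '10.0.0.10' -DestPort 443)
    (New-SampleWfpMessage -Source '10.0.0.5' -SourcePort 60101 -Dest '10.0.0.10' -DestPort 443)
    (New-SampleWfpMessage -Source '10.0.0.5' -SourcePort 60102 -Dest '10.0.0.10' -DestPort 445)
    (New-SampleWfpMessage -Source '192.168.1.77' -SourcePort 1900 -Dest '239.255.255.250' -DestPort 1900)
)

$rejected = $sampleMessages | ConvertFrom-EventMessage

# Who causes most rejected packets, and which ports they hit.
$rejected | Group-Object -Property 'Source Address' -NoElement | Sort-Object Count -Descending
$rejected | Group-Object -Property 'Source Address', 'Destination Port' -NoElement | Sort-Object Count -Descending

# Against the live Security log (elevated shell; Get-WinEvent filters
# in the event log service and is much faster than Get-EventLog here):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152 } -MaxEvents 1000 |
#     ConvertFrom-EventMessage |
#     Group-Object -Property 'Source Address' -NoElement | Sort-Object Count -Descending
```

One caveat worth knowing before relying on this on another machine: the Message text is the localized rendering of the event, so on a system with a German display language the labels, and therefore the property names, differ. Get-WinEvent exposes the same fields through the event's ToXml() output as <Data Name="..."> elements inside EventData, and those names do not depend on the display language, so a parser built on the XML is the more portable choice when the text form gets in the way.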
