Extract IP address from log lines using PowerShell

Log lines

Recently I had to extract IP addresses from a log file and check their hostnames. The easiest way to do this is a regex pattern passed to the Select-String command.

Extract IP Address

Let's say that we have a log file which contains lines like:

AUDIT "2018-06-19 00:14:16.481 GMT+0200" 10.13.11.7 Server01:1812 0 0 "text=Access GRANTED cloudId=pawel.janowicz

To extract the IP address from it we can use the Select-String command with the regex pattern "\d{1,3}(\.\d{1,3}){3}". Note that this loose pattern matches any four dot-separated groups of up to three digits, so strings such as 999.999.999.999 or a dotted version number are also returned; -AllMatches makes Select-String return every occurrence on the line rather than only the first:

$Line = 'AUDIT "2018-06-19 00:14:16.481 GMT+0200"  10.13.11.7 Server01:1812 0 0 "text=Access GRANTED cloudId=pawel.janowicz'
($Line  |  Select-String -Pattern "\d{1,3}(\.\d{1,3}){3}" -AllMatches).Matches.Value

The same result can be obtained with the following ExtractValidIPAddress function. Its pattern is stricter: each octet is restricted to the range 0-255, so out-of-range dotted strings are rejected. Because it uses the -match operator it returns only the first address found on the line:

        #Function
        Function ExtractValidIPAddress($String){
            # Each octet is limited to 0-255; the named group "Address" captures the whole match
            $IPregex='(?<Address>((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))'
            # -match populates the automatic $Matches hashtable with the first match only
            If ($String -Match $IPregex) {$Matches.Address}
        }
        
        #Log line
        $Line = 'AUDIT "2018-06-19 00:14:16.481 GMT+0200"  10.13.11.7 Server01:1812 0 0 "text=Access GRANTED cloudId=pawel.janowicz'
        
        #Run function
        ExtractValidIPAddress $Line
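The function above returns only the first address on a line, and the loose \d{1,3} pattern accepts values that are not addresses at all. The following added example (not code from the original post) combines the two ideas: it uses the octet-validating pattern, guards it with boundaries so that a partial match inside a longer dotted string is not accepted, returns every address on the line, and double-checks each candidate with the .NET parser before it is handed to anything else. The function name Get-LogIPv4Address and the sample lines are assumptions made for this example.

```powershell
# Added example, not part of the original post.
# Octet-validating pattern, guarded so that it cannot match a partial run inside
# a longer dotted string such as "192.168.1.300" or "10.13.11.7.200".
$IPv4Pattern = '(?<![\d.])((25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(25[0-5]|2[0-4]\d|[01]?\d\d?)(?![\d.])'

Function Get-LogIPv4Address {
    # Hypothetical helper name chosen for this example.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Line
    )
    process {
        # [regex]::Matches returns every address on the line; -match would stop at the first.
        foreach ($m in [regex]::Matches($Line, $IPv4Pattern)) {
            # Independent check with the .NET parser: if it disagrees with the regex,
            # drop the value rather than feed a bogus string to a DNS lookup later.
            $parsed = $null
            if ([System.Net.IPAddress]::TryParse($m.Value, [ref]$parsed) -and
                $parsed.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork) {
                $parsed.IPAddressToString
            }
        }
    }
}

# Constructed sample lines for this example (not taken from a real log).
$SampleLines = @(
    'AUDIT "2018-06-19 00:14:16.481 GMT+0200"  10.13.11.7 Server01:1812 0 0 "text=Access GRANTED cloudId=pawel.janowicz"',
    'AUDIT "2018-06-19 00:14:17.002 GMT+0200"  0.0.0.0 Server01:1812 0 0 "text=Access DENIED cloudId=unknown"',
    'AUDIT "2018-06-19 00:14:18.113 GMT+0200"  192.168.1.300 Server01:1812 0 0 "text=forwarded-for=172.16.5.9"',
    'INFO  agent version 1.2.3.4 started'
)

$SampleLines | Get-LogIPv4Address
```

On these lines the function returns 10.13.11.7, 0.0.0.0 and 172.16.5.9 from the AUDIT lines; the malformed 192.168.1.300 on the third line is rejected rather than being truncated to 192.168.1.30. The INFO line shows the remaining limitation: 1.2.3.4 is a syntactically valid address, so filtering by line type or field position (as the final script below does with its AUDIT check) is still needed to avoid picking up version numbers.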

To find the hostname for a specific IP address (a reverse, PTR lookup) we can use nslookup or the Resolve-DnsName command:

#nslookup
nslookup 10.13.11.7

#Resolve-DnsName command (NameHost holds the name from the PTR record)
(Resolve-DnsName 10.13.11.7 -ErrorAction SilentlyContinue).NameHost

Below you can find a script which scans the log for lines starting with the word AUDIT and extracts every IP address from each of them. It skips the "0.0.0.0" address (compared as an exact string, not as a regex, where the unescaped dots would also match addresses such as 10.0.0.0). Results are added to the $Results array and finally filtered to unique values:

$IPUnique = $Results | Select-Object IPAddress -Unique

Each unique IP address is then checked using the Resolve-DnsName command and added to the $Hosts array. As a result we get a table with IP address and hostname columns; addresses without a PTR record get the value "None".

Final script

        $Results = @()
        $Hosts = @()    
        $Server = "Server01"
        $LogPath = "C:\logs\$Server\logs\server.log"    
        
        #Checking log file (anchored so only lines that start with AUDIT are taken)
        $Lines =  Get-Content $LogPath | Where-Object {$_ -match '^AUDIT '}
        
        #Remotely
        #$Lines =  icm -cn $Server {param($LogPath)Get-Content $LogPath | Where-Object {$_ -match '^AUDIT '}} -ArgumentList $LogPath

        #Getting IP Addresses (a line may contain more than one)
        Foreach ($Line in $Lines) {
            $IPs = ($Line  |  Select-String -Pattern "\d{1,3}(\.\d{1,3}){3}" -AllMatches).Matches.Value
            Foreach ($IP in $IPs) {
                #Exact comparison: "0.0.0.0" used as a regex would also match 10.0.0.0
                IF($IP -ne '0.0.0.0'){
                    $Object1 = New-Object PSObject -Property @{ 
                        IPAddress = $IP
                    }
                    $Results += $Object1    
                }
            }
        }
        #Selecting unique IPs
        $IPUnique = $Results | Select-Object IPAddress -Unique
        
        #Checking hostname (PTR lookup; failures are silenced and reported as "None")
        Foreach ($Item in $IPUnique) {
            $HostName = $Object2 = $null
            $HostName = (Resolve-DnsName $Item.IPAddress -ErrorAction SilentlyContinue).NameHost
            If(!$HostName){$HostName = "None"}
            $Object2 = New-Object PSObject -Property @{ 
                IPAddress = $Item.IPAddress
                NameHost  = $HostName
            }
            $Hosts += $Object2    
        }
        $Hosts | Out-GridView -Title "Hostnames"
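A PTR record is published by whoever controls the reverse zone for that address range, so the hostname it returns is a hint, not an identity: anyone can point the PTR for their IP at "dc01.corp.example". The usual check is forward-confirmed reverse DNS, resolving the returned name back to A records and verifying that the original IP is among them. The following added example (not code from the original post) reworks the final script around that check, counts how often each address appears, and runs against a constructed in-memory log so it can be tried without a log file; the function name Resolve-IPv4HostName, the ForwardConfirmed and Hits columns and the sample lines are assumptions made for this example. It relies on Resolve-DnsName from the Windows DnsClient module, as the post does.

```powershell
# Added example, not part of the original post.
Function Resolve-IPv4HostName {
    # Hypothetical helper: PTR lookup plus forward confirmation of the returned name.
    param([Parameter(Mandatory)][string]$IPAddress)
    $result = [pscustomobject]@{ IPAddress = $IPAddress; NameHost = 'None'; ForwardConfirmed = $false }
    try {
        $ptr = Resolve-DnsName -Name $IPAddress -Type PTR -QuickTimeout -ErrorAction Stop |
               Where-Object { $_.Type -eq 'PTR' } | Select-Object -First 1
        if ($ptr) {
            $result.NameHost = $ptr.NameHost
            # Forward-confirm: the name must resolve back to the address we started from.
            $forward = Resolve-DnsName -Name $ptr.NameHost -Type A -QuickTimeout -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'A' }
            $result.ForwardConfirmed = [bool]($forward | Where-Object { $_.IPAddress -eq $IPAddress })
        }
    } catch {
        # NXDOMAIN, timeout or missing reverse zone: report 'None' instead of aborting the run.
    }
    $result
}

# Constructed sample log (not a real file); replace with Get-Content $LogPath for real use.
$Lines = @(
    'AUDIT "2018-06-19 00:14:16.481 GMT+0200"  10.13.11.7 Server01:1812 0 0 "text=Access GRANTED cloudId=pawel.janowicz"',
    'AUDIT "2018-06-19 00:14:17.002 GMT+0200"  0.0.0.0 Server01:1812 0 0 "text=Access DENIED cloudId=unknown"',
    'AUDIT "2018-06-19 00:14:18.113 GMT+0200"  10.13.11.7 Server01:1812 0 0 "text=Access GRANTED cloudId=pawel.janowicz"',
    'AUDIT "2018-06-19 00:14:19.250 GMT+0200"  10.0.0.0 Server01:1812 0 0 "text=Access DENIED cloudId=svc-backup"',
    'DEBUG "2018-06-19 00:14:20.000 GMT+0200"  10.99.99.99 internal probe'
)

# Octet-validating pattern with boundaries so a partial match inside a longer dotted string is rejected.
$IPv4Pattern = '(?<![\d.])((25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(25[0-5]|2[0-4]\d|[01]?\d\d?)(?![\d.])'

# Count hits per address; a hashtable avoids rebuilding an array on every += .
$Counts = @{}
foreach ($Line in $Lines) {
    if ($Line -notmatch '^AUDIT ') { continue }          # anchored: only lines that start with AUDIT
    foreach ($m in [regex]::Matches($Line, $IPv4Pattern)) {
        if ($m.Value -eq '0.0.0.0') { continue }         # exact string compare, 10.0.0.0 is kept
        $Counts[$m.Value] = 1 + [int]$Counts[$m.Value]
    }
}

# One DNS round trip per unique address, then a table sorted by frequency.
$Hosts = foreach ($ip in $Counts.Keys) {
    Resolve-IPv4HostName -IPAddress $ip |
        Add-Member -NotePropertyName Hits -NotePropertyValue $Counts[$ip] -PassThru
}
$Hosts | Sort-Object Hits -Descending | Format-Table IPAddress, Hits, NameHost, ForwardConfirmed
```

With the sample lines the counting stage keeps 10.13.11.7 (two hits) and 10.0.0.0 (one hit), drops 0.0.0.0 and ignores the DEBUG line; what the NameHost and ForwardConfirmed columns show depends on the DNS visible from the machine that runs it. Two practical points: each lookup leaks the address you are investigating to your resolver, which matters when the list comes from an incident, and -QuickTimeout keeps a dead reverse zone from stalling the whole run.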

One of the previous articles also shows how to get an IP address easily using PowerShell.
