Extract IP address from log lines using PowerShell

Log lines

Recently I had to extract IP addresses from a log file and check their hostnames. The easiest way to get this was a regex pattern passed to the Select-String cmdlet.

Extract IP Address

Let's say that we have a log file which contains lines like:

AUDIT "2018-06-19 00:14:16.481 GMT+0200" 10.13.11.7 Server01:1812 0 0 "text=Access GRANTED cloudId=pawel.janowicz

To extract the IP address from it we can use the Select-String cmdlet with the regex pattern \d{1,3}(\.\d{1,3}){3} (one to three digits, followed by three groups of a dot and one to three digits). Note that this pattern only describes the shape of an address; it would also accept 999.999.999.999:

$Line = 'AUDIT "2018-06-19 00:14:16.481 GMT+0200"  10.13.11.7 Server01:1812 0 0 "text=Access GRANTED cloudId=pawel.janowicz'
($Line  |  Select-String -Pattern "\d{1,3}(\.\d{1,3}){3}" -AllMatches).Matches.Value

The same result can be obtained with the ExtractValidIPAddress function below. Unlike the \d{1,3} pattern, it only accepts octets in the range 0-255. Because it uses the -Match operator, it returns only the first address found on the line ($Matches holds the first match):

#Function
Function ExtractValidIPAddress($String){
    #Each octet must be 0-255; the named group Address captures the whole dotted quad
    $IPregex='(?<Address>((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))'
    #-Match returns $true on the first match and fills the automatic $Matches variable
    If ($String -Match $IPregex) {$Matches.Address}
}

#Log line
$Line = 'AUDIT "2018-06-19 00:14:16.481 GMT+0200"  10.13.11.7 Server01:1812 0 0 "text=Access GRANTED cloudId=pawel.janowicz'

#Run function
ExtractValidIPAddress $Line
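As an added example (not code from the original post), the function below combines the two approaches: it returns every address on a line, like Select-String -AllMatches, but only syntactically valid ones, and it anchors the validating pattern with lookarounds so that a longer digit run or a dotted version number is not partially matched. The sample lines are constructed for the demonstration and the function name is my own.

```powershell
# Added example, not from the original post. Validating IPv4 pattern: each octet 0-255.
# The lookarounds reject a candidate that is preceded or followed by a digit or a dot, so
# "999.1.1.1" cannot be salvaged as "99.1.1.1" and "4.2.17.1234" is not cut to "4.2.17.123".
$ValidIPv4 = '(?<![\d.])(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(?![\d.])'
# The loose pattern from the post, kept only for comparison
$LooseIPv4 = '\d{1,3}(\.\d{1,3}){3}'

Function Get-IPv4FromLine {
    param([Parameter(Mandatory)][string]$Line)
    # Return all valid addresses on the line, not just the first one as -match would
    foreach ($m in [regex]::Matches($Line, $ValidIPv4)) { $m.Value }
}

# Constructed sample lines in the AUDIT format used above; the second and third
# contain values the loose pattern accepts although they are not IPv4 addresses.
$SampleLines = @(
    'AUDIT "2018-06-19 00:14:16.481 GMT+0200"  10.13.11.7 Server01:1812 0 0 "text=Access GRANTED cloudId=pawel.janowicz',
    'AUDIT "2018-06-19 00:14:20.117 GMT+0200"  999.1.1.1 Server01:1812 0 0 "text=Access GRANTED cloudId=bad.octet',
    'AUDIT "2018-06-19 00:14:25.900 GMT+0200"  10.13.11.8 Server01:1812 0 0 "text=client 4.2.17.1234 via 192.168.100.25'
)

# Side-by-side comparison of what each pattern extracts from every line
$SampleLines | ForEach-Object {
    $Line = $_
    [pscustomobject]@{
        Loose  = @([regex]::Matches($Line, $LooseIPv4) | ForEach-Object { $_.Value }) -join ', '
        Strict = @(Get-IPv4FromLine -Line $Line) -join ', '
    }
} | Format-Table -AutoSize
```

For the second line the strict pattern returns nothing, because no octet may exceed 255, and for the third line it returns only 10.13.11.8 and 192.168.100.25, whereas the loose pattern also reports a truncated piece of the version string. The trade-off of the trailing lookahead is that an address immediately followed by a period (for instance at the end of a sentence in free text) is not matched; for the space-separated AUDIT format this does not matter.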

To find the hostname for a specific IP address (a reverse, or PTR, lookup) we can use nslookup or the Resolve-DnsName cmdlet:

#nslookup
nslookup 10.13.11.7

#Resolve-DnsName command
(Resolve-DnsName 10.13.11.7 -ErrorAction SilentlyContinue).NAMEHOST
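The following is an added example (not code from the original post) that goes one step further than the lookup above: after the reverse (PTR) lookup it performs a forward lookup of the returned name and checks that it resolves back to the same address. A PTR record is published by whoever controls the address block, so a bare reverse lookup can claim any hostname; only a forward-confirmed name should be trusted. It requires the Windows DnsClient module that provides Resolve-DnsName; the function name and the input addresses are my own, constructed for the demonstration.

```powershell
# Added example, not from the original post: forward-confirmed reverse DNS (FCrDNS)
# for a list of addresses taken from the log.
Function Resolve-IPHostVerified {
    param([Parameter(Mandatory)][string[]]$IPAddress)

    foreach ($IP in $IPAddress) {
        $Names    = @()
        $Verified = $false

        # Reverse (PTR) lookup. -DnsOnly skips the LLMNR/NetBIOS fallback, which any
        # host on the local segment could answer.
        $Ptr = Resolve-DnsName -Name $IP -Type PTR -DnsOnly -ErrorAction SilentlyContinue
        if ($Ptr) {
            $Names = @($Ptr | Where-Object { $_.NameHost } | ForEach-Object { $_.NameHost })
            foreach ($Name in $Names) {
                # Forward lookup of the claimed name must contain the original address
                $A = Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction SilentlyContinue
                if ($A | Where-Object { $_.IPAddress -eq $IP }) {
                    $Verified = $true
                    break
                }
            }
        }

        if ($Names) { $NameHost = $Names -join ', ' } else { $NameHost = 'None' }
        [pscustomobject]@{
            IPAddress = $IP
            NameHost  = $NameHost
            Verified  = $Verified   # $true only when PTR and A records agree
        }
    }
}

# Constructed input: addresses as they would come out of the AUDIT log scan
$IPUnique = @('10.13.11.7', '10.13.11.8')
Resolve-IPHostVerified -IPAddress $IPUnique | Format-Table -AutoSize
```

Keep in mind that each reverse lookup is a query that reaches the name servers responsible for that address range; when the addresses come from a suspicious log (failed logons, a suspected intrusion) and you do not want to tip off the owner, run the lookups from a resolver that is not attributable to your environment.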

Below you can find a script which scans for log lines that start with the word AUDIT. It skips all 0.0.0.0 addresses. Results are added to the $Results array and finally filtered to unique values:

$IPUnique = $Results | Select-Object IPAddress -Unique

Each IP address is then checked with the Resolve-DnsName cmdlet and added to the $Hosts array. As a result we get a table with IP address and hostname columns.

Final script

$Results = @()
$Hosts = @()
$Server = "Server01"
$LogPath = "C:\logs\$Server\logs\server.log"

#Checking log file: keep only lines that start with the word AUDIT (^ anchors the match)
$Lines = Get-Content $LogPath | Where-Object {$_ -match "^AUDIT "}

#Remotely
#$Lines = Invoke-Command -ComputerName $Server {param($LogPath) Get-Content $LogPath | Where-Object {$_ -match "^AUDIT "}} -ArgumentList $LogPath

#Getting IP Addresses (a single line may contain more than one match)
Foreach ($Line in $Lines) {
    $IPs = ($Line | Select-String -Pattern "\d{1,3}(\.\d{1,3}){3}" -AllMatches).Matches.Value
    Foreach ($IP in $IPs) {
        #Skip the unspecified address. -ne is an exact string comparison;
        #-notmatch "0.0.0.0" would treat the dots as regex wildcards and also drop e.g. 10.0.0.0
        IF($IP -ne "0.0.0.0"){
            $Results += New-Object PSObject -Property @{ IPAddress = $IP }
        }
    }
}
#Selecting unique IPs
$IPUnique = $Results | Select-Object IPAddress -Unique

#Checking hostname (reverse lookup; the PTR record is set by the address owner, so treat the name as informational)
Foreach ($Item in $IPUnique) {
    #An address may have several PTR records, join them into one string for the grid
    $HostName = @((Resolve-DnsName $Item.IPAddress -ErrorAction SilentlyContinue).NameHost) -join ", "
    If(!$HostName){$HostName = "None"}
    $Hosts += New-Object PSObject -Property @{
        IPAddress = $Item.IPAddress
        NameHost  = $HostName
    }
}
$Hosts | Out-GridView -Title "Hostnames"

In one of the previous articles you can also check how to get an IP address easily using PowerShell.
