Extract IP address from log lines using PowerShell

Recently I had to extract IP addresses from a log file and check their hostnames. The easiest way to do this was to use a regex pattern with the Select-String command.

Extract IP Address

Let's say that we have a log file which contains lines like:

AUDIT "2018-06-19 00:14:16.481 GMT+0200" Server01:1812 0 0 "text=Access GRANTED cloudId=pawel.janowicz

To extract the IP address from it we can use the Select-String command with the regex pattern "\d{1,3}(\.\d{1,3}){3}":

$Line = 'AUDIT "2018-06-19 00:14:16.481 GMT+0200" Server01:1812 0 0 "text=Access GRANTED cloudId=pawel.janowicz'
($Line  |  Select-String -Pattern "\d{1,3}(\.\d{1,3}){3}" -AllMatches).Matches.Value

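We can get the same result using this ExtractValidIPAddress function:

        Function ExtractValidIPAddress($String){
            #$IPregex is not defined in the listing as published; this definition is an assumption:
            #a named group "Address" that accepts only octets 0-255
            $IPregex = '(?<Address>((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))'
            If ($String -Match $IPregex) {$Matches.Address}
        }
        #Log line
        $Line = 'AUDIT "2018-06-19 00:14:16.481 GMT+0200" Server01:1812 0 0 "text=Access GRANTED cloudId=pawel.janowicz'
        #Run function
        ExtractValidIPAddress $Line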
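
The Select-String pattern "\d{1,3}(\.\d{1,3}){3}" accepts any four dotted number groups, so it also returns strings such as 999.10.10.10 or the first four parts of a longer version number. The following is an added example, not part of the original post: a hypothetical Get-LogIPv4 function that returns every address on a line, keeps only candidates with octets 0-255, and counts occurrences. The sample lines are constructed.

```powershell
# Added example; the function name and the sample lines are hypothetical.
function Get-LogIPv4 {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Line
    )
    begin {
        # Four dotted groups that are not part of a longer dotted number,
        # so "1.2.3.4.5" yields nothing instead of "1.2.3.4".
        $Pattern = [regex]'(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?!\.?\d)'
        $Counts  = @{}
    }
    process {
        foreach ($Match in $Pattern.Matches($Line)) {
            # Reject candidates with an octet above 255, e.g. 999.10.10.10
            $BadOctets = @($Match.Value -split '\.' | Where-Object { [int]$_ -gt 255 })
            if ($BadOctets.Count -eq 0) {
                # $null + 1 evaluates to 1, so the first hit initialises the counter
                $Counts[$Match.Value] = 1 + $Counts[$Match.Value]
            }
        }
    }
    end {
        # One object per distinct address, with the number of times it was seen
        foreach ($Key in $Counts.Keys) {
            [pscustomobject]@{ IPAddress = $Key; Count = $Counts[$Key] }
        }
    }
}

# Constructed sample lines; addresses come from the RFC 5737 documentation ranges
$SampleLines = @(
    'AUDIT "2018-06-19 00:14:16.481 GMT+0200" Server01:1812 0 0 "text=Access GRANTED src=192.0.2.10 nas=198.51.100.7'
    'AUDIT "2018-06-19 00:14:17.002 GMT+0200" Server01:1812 0 0 "text=Access DENIED src=192.0.2.10'
    'AUDIT "2018-06-19 00:14:18.120 GMT+0200" Server01:1812 0 0 "text=Access DENIED src=999.10.10.10'
    'INFO  "2018-06-19 00:14:19.000 GMT+0200" agent version 1.2.3.4.5 started'
)

$SampleLines | Get-LogIPv4 | Sort-Object Count -Descending
```

The Count column makes it easy to spot addresses that appear unusually often before any DNS lookups are made.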

To check the hostname for a specific IP address we can use the nslookup or Resolve-DnsName commands:


#Resolve-DnsName command ("<IP address>" is a placeholder; the address is missing from the page)
(Resolve-DnsName -Name "<IP address>" -ErrorAction SilentlyContinue).NameHost

Below you can find a script which scans for log lines that start with the word AUDIT. It will skip all “” IP addresses. The results are added to the $Results array and finally filtered so that only unique values remain:

$IPUnique = $Results | Select-Object IPAddress -Unique

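Each IP address is checked using the Resolve-DnsName command and added to the $Hosts array. As a result we get hostname and IP address columns. Keep in mind that a PTR record is set by whoever controls the reverse zone for the address, so treat the returned name as a hint rather than as proof of identity.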

Final script

        $Results = @()
        $Hosts = @()
        $Server = "Server01"
        $LogPath = "C:\logs\$Server\logs\server.log"
        #Checking log file
        $Lines = Get-Content $LogPath | Where-Object {$_ -match "AUDIT "}
        #Remote alternative: read the log on $Server with Invoke-Command
        #$Lines = icm -cn $Server {param($LogPath)Get-Content $LogPath | Where-Object {$_ -match "AUDIT "}} -ArgumentList $LogPath

        #Getting IP Addresses
        Foreach ($Line in $Lines) {
            $IP = $Object1 = $null
            $IP = ($Line | Select-String -Pattern "\d{1,3}(\.\d{1,3}){3}" -AllMatches).Matches.Value
            #-AllMatches can return several addresses for one line, or none
            Foreach ($Address in $IP) {
                #"<IP to skip>" is a placeholder: the address to skip is missing from the page
                If ($Address -and $Address -notmatch "<IP to skip>") {
                    $Object1 = New-Object PSObject -Property @{
                        IPAddress = $Address
                    }
                    $Results += $Object1
                }
            }
        }
        #Selecting unique IPs
        $IPUnique = $Results | Select-Object IPAddress -Unique
        #Checking hostname
        Foreach ($Item in $IPUnique) {
            $HostName = $Object2 = $null
            #Passing an IP address makes Resolve-DnsName do a reverse (PTR) lookup
            $HostName = (Resolve-DnsName $Item.IPAddress -ErrorAction SilentlyContinue).NameHost
            If (!$HostName) {$HostName = "None"}
            $Object2 = New-Object PSObject -Property @{
                IPAddress = $Item.IPAddress
                NameHost  = $HostName
            }
            $Hosts += $Object2
        }
        $Hosts | Out-GridView -Title "Hostnames"

One of the previous articles also shows how to get an IP address easily using PowerShell.
