Parsing Sophos Web Filtering logs

By YellowOnline on Monday 25 July 2016 22:36
Category: Powershell, Views: 1.816

Yes, Sophos appliances are Unix-based and Unix admins just love grep. At least, that seems to be Sophos' idea when looking at the logs a UTM produces.

The Powershell equivalent would be Find-String, but what if I want a readable overview instead of looking for a specific string? I needed exactly that tonight, because I had to find something but didn't know what I was looking for. Hence this quick and dirty script to turn a Sophos Web Filtering log into an object and subsequently into a CSV.


PowerShell:
#Parse-SophosWebFilterLog.ps1
#Quick & dirty by YellowOnline, 2016-07-26
#Syntax: Parse-SophosWebFilterLog.ps1 <log file>
#
$arrData = Get-Content $args[0]
$Array = @()
ForEach ($objData in $arrData)
    {
    #Hashtable literal keys can't contain a hyphen, so rename the two that do
    $objData = $objData -Replace 'app-id','appID' 
    $objData = $objData -Replace 'content-type','contenttype'
    #Split on '" ' so every element is one key="value pair; the first element also carries the header
    $PropertiesA = $objData -Split '" '
    $PropertiesA_Joined = $PropertiesA[1..$($PropertiesA.Count)] -join '";'
    #Header: <timedate> <utm> <proxy>: id="...
    $PropertiesB = $PropertiesA[0] -split ' '
    #'$Properties = [ordered]@{' + 'timedate="' + $PropertiesB[0] + '"; utm="' + $PropertiesB[1] + '"; proxy="' + $PropertiesB[2].Replace(':','') + '";' + $PropertiesA_Joined + '}')
    #Note: the rebuilt line is evaluated as PowerShell, so any value containing a $ or $( ) sequence (a URL, for instance) is expanded and executed
    Invoke-Expression $('$Properties = [ordered]@{' + 'timedate="' + $PropertiesB[0] + '";utm="' + $PropertiesB[1] + '";proxy="' + $PropertiesB[2] + '";' + $PropertiesA_Joined + '}')
    $Object = New-Object -TypeName PSObject -Prop $Properties
    $Array += $Object
    }
$Array | Export-CSV $($args[0] + '.csv') -Delimiter ';' -Encoding 'UTF8' -NoTypeInformation

If you're a regex wizard and you want to make it less scraping and more efficient: feel free to contribute.
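As an added example (not the post's script), here is the same parser written so that the key="value" pairs are extracted with a regex instead of being pasted into a string that Invoke-Expression evaluates. The point is that web filter log values are attacker-influenced (anyone who makes a request through the proxy chooses the URL and User-Agent that end up in the log), and a double-quoted PowerShell string is expanded when it is evaluated, so a value such as `$(Write-Host pwned)` runs on the analyst's machine with the original approach. The line layout assumed below (`<date> <host> <process>: key="value" ...`) and the two sample lines are constructed for this example; the function name is my own.

```powershell
# Parse-SophosWebFilterLog-Safe.ps1 (added example, not the original script)
# Assumes lines look like: <timedate> <utm> <proxy>: key="value" key="value" ...

function ConvertFrom-SophosWebFilterLine {
    param([Parameter(Mandatory)][string]$Line)

    # Split off the three header tokens; the fourth part holds all key="value" pairs
    $parts = $Line -split ' ', 4
    if ($parts.Count -lt 4) { return $null }   # skip blank or malformed lines

    $props = [ordered]@{
        timedate = $parts[0]
        utm      = $parts[1]
        proxy    = $parts[2].TrimEnd(':')
    }

    # Keys may contain hyphens (app-id, content-type); values are anything up to
    # the next double quote. Nothing from the log is ever evaluated as code, so a
    # value holding $ or $( ) is just text in a column.
    foreach ($m in [regex]::Matches($parts[3], '([\w-]+)="([^"]*)"')) {
        $props[$m.Groups[1].Value] = $m.Groups[2].Value
    }
    [pscustomobject]$props
}

# Constructed sample lines (not real traffic). The second one carries a URL with a
# $( ) subexpression: fed to the Invoke-Expression version it would be executed,
# here it lands unchanged in the url column.
$sample = @(
    '2016:07:25-22:00:01 utm httpproxy[5432]: id="0001" severity="info" sys="SecureNet" sub="http" name="http access" action="pass" method="GET" srcip="10.0.0.5" dstip="93.184.216.34" user="" statuscode="200" size="1256" url="http://example.com/" app-id="0" content-type="text/html"'
    '2016:07:25-22:00:02 utm httpproxy[5432]: id="0001" severity="info" sys="SecureNet" sub="http" name="http access" action="pass" method="GET" srcip="10.0.0.5" dstip="93.184.216.34" user="" statuscode="200" size="0" url="http://example.com/?q=$(Write-Host pwned)" app-id="0" content-type="text/html"'
)

$rows = $sample | ForEach-Object { ConvertFrom-SophosWebFilterLine $_ } | Where-Object { $_ }
$rows | Format-Table timedate, srcip, method, url, 'content-type' -AutoSize

# Real use: read the log file instead of $sample and export as the original script does
# Get-Content $args[0] | ForEach-Object { ConvertFrom-SophosWebFilterLine $_ } |
#     Where-Object { $_ } | Export-Csv ($args[0] + '.csv') -Delimiter ';' -Encoding UTF8 -NoTypeInformation
```

Because the regex keeps the original key names, the app-id and content-type renames are no longer needed, and the id="..." pair that the split-based version drops from the first element is kept as well. The quoting assumption (no escaped double quotes inside a value) is the same one the original script makes.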
