Parsing Sophos Web Filtering logs

By YellowOnline on Monday 25 July 2016 22:36 - Comments (0)
Category: Powershell, Views: 2.349

Yes, Sophos appliances are Unix-based and Unix admins just love grep. At least, that seems to be Sophos' idea, judging by the logs a UTM produces.

The PowerShell equivalent would be Select-String, but what if I want a readable overview instead of looking for a specific string? I needed exactly that tonight, because I had to find something but didn't know what I was looking for. Hence this quick and dirty script to turn a Sophos Web Filtering log into objects and subsequently into a CSV.


PowerShell:
#Parse-SophosWebFilterLog.ps1
#Quick & dirty by YellowOnline, 2016-07-26
#Syntax: Parse-SophosWebFilter <log file>
#
# Read the whole log file; every line becomes one object.
$arrData = Get-Content $args[0]
$Array = @()
ForEach ($objData in $arrData)
    {
    # Hyphens are not allowed in bare hashtable keys, so rename those two fields.
    $objData = $objData -Replace 'app-id','appID'
    $objData = $objData -Replace 'content-type','contenttype'
    # Every key="value" pair ends with a closing quote and a space; split on that.
    $PropertiesA = $objData -Split '" '
    # Everything after the first chunk is rejoined as hashtable syntax: key="value";key="value"
    $PropertiesA_Joined = ($PropertiesA | Select-Object -Skip 1) -join '";'
    # The first chunk holds the header: timestamp, UTM host name and proxy name.
    $PropertiesB = $PropertiesA[0] -split ' '
    # Build the hashtable literal as text and evaluate it. Invoke-Expression runs the
    # log line itself as PowerShell code, so only feed it logs you trust.
    Invoke-Expression $('$Properties = [ordered]@{' + 'timedate="' + $PropertiesB[0] + '";utm="' + $PropertiesB[1] + '";proxy="' + $PropertiesB[2] + '";' + $PropertiesA_Joined + '}')
    $Object = New-Object -TypeName PSObject -Prop $Properties
    $Array += $Object
    }
$Array | Export-CSV $($args[0] + '.csv') -Delimiter ';' -Encoding 'UTF8' -NoTypeInformation



If you're a regex wizard and want to make it less of a string-scraping hack and more efficient: feel free to contribute.
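Taking up that invitation, here is an added regex-based version of the parser (my example, not YellowOnline's script). It assumes the same line layout the script above splits on, i.e. three header fields followed by key="value" pairs, and it reads the values with a regex instead of evaluating the line with Invoke-Expression, so a crafted URL or user agent in the log cannot execute as PowerShell:

```powershell
# ConvertFrom-SophosWebFilterLog.ps1 (added example, not the original script)
# Assumed line layout, matching what the original script splits on:
#   <timedate> <utm> <proxy>: key="value" key="value" ...
param(
    [Parameter(Mandatory)][string]$Path
)

# Header: three whitespace-separated fields, the third with an optional trailing ':'.
$headerRegex = [regex]'^(?<timedate>\S+)\s+(?<utm>\S+)\s+(?<proxy>[^\s:]+):?\s+'
# One key="value" pair; values may be empty or contain spaces, but not quotes.
$pairRegex   = [regex]'(?<key>[^\s=]+)="(?<value>[^"]*)"'

function ConvertFrom-SophosWebFilterLine {
    param([string]$Line)
    $header = $headerRegex.Match($Line)
    if (-not $header.Success) {
        Write-Warning "Skipping line that does not look like a web filter entry: $Line"
        return
    }
    $props = [ordered]@{
        timedate = $header.Groups['timedate'].Value
        utm      = $header.Groups['utm'].Value
        proxy    = $header.Groups['proxy'].Value
    }
    # Indexer assignment accepts keys such as app-id and content-type as they are,
    # so no renaming is needed. Log text is only ever stored, never evaluated.
    foreach ($m in $pairRegex.Matches($Line.Substring($header.Length))) {
        $props[$m.Groups['key'].Value] = $m.Groups['value'].Value
    }
    [pscustomobject]$props
}

$rows = @(Get-Content -Path $Path | ForEach-Object { ConvertFrom-SophosWebFilterLine -Line $_ })

# Export-Csv takes its columns from the first object only; use the union of all
# keys so a field that first appears on a later line is not silently dropped.
$columns = $rows | ForEach-Object { $_.PSObject.Properties.Name } | Select-Object -Unique
$rows | Select-Object -Property $columns |
    Export-Csv -Path "$Path.csv" -Delimiter ';' -Encoding UTF8 -NoTypeInformation
```

Lines that do not match the header pattern are reported with Write-Warning rather than silently producing a half-filled row, which makes a format change in a new UTM release visible at once.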
