Parse-O-Matic

;===============================================================================
;
; Filtering script for the Windows firewall log file pfirewall.log
;
; The same technique shown here can also be used to process the data in a
; server log from Apache or IIS (Microsoft Internet Information Server);
; you will simply extract fields with different names. The similar style
; of the W3C log file format and pfirewall.log is hardly a coincidence!
;
; This script was designed for use with the Parse-O-Matic Power Tool
;
;===============================================================================
;
; Obviously this script can be greatly enhanced to allow for selective
; filtering of various kinds. You could make this capability convenient
; to use by setting up the option boxes in the Config section, but this
; technique is not shown in this basic demo script.
;
; During a test here at Pinnacle, using a 2.5 GHz computer, the
; unaltered script took about 45 seconds to churn through a 4-megabyte
; log file, outputting 2105 lines it considered "interesting".
;
;===============================================================================
; Main Step
;===============================================================================
; Ignore null lines and comments
;-------------------------------------------------------------------------------
If $Data = '' Done
If $Data[1] = '#' Done
;-------------------------------------------------------------------------------
; Parse out the fields
;-------------------------------------------------------------------------------
Date     = Parse $Data '' ' ' 'Cut'
Time     = Parse $Data '' ' ' 'Cut'
Action   = Parse $Data '' ' ' 'Cut'
Protocol = Parse $Data '' ' ' 'Cut'
SrcIP    = Parse $Data '' ' ' 'Cut'
DstIP    = Parse $Data '' ' ' 'Cut'
SrcPort  = Parse $Data '' ' ' 'Cut'
DstPort  = Parse $Data '' ' ' 'Cut'
Size     = Parse $Data '' ' ' 'Cut'
TCPFlags = Parse $Data '' ' ' 'Cut'
TCPSyn   = Parse $Data '' ' ' 'Cut'
TCPAck   = Parse $Data '' ' ' 'Cut'
TCPWin   = Parse $Data '' ' ' 'Cut'
ICMPType = Parse $Data '' ' ' 'Cut'
ICMPCode = Parse $Data '' ' ' 'Cut'
Info     = Parse $Data '' ' ' 'Cut'
Path     = $Data
;-------------------------------------------------------------------------------
; Ignore anything on Port 80 (http)
;-------------------------------------------------------------------------------
If SrcPort = 80 Done
If DstPort = 80 Done
;-------------------------------------------------------------------------------
; Look for signs that something interesting is happening
;-------------------------------------------------------------------------------
Test = Size TCPFlags TCPSyn TCPAck TCPWin ICMPType ICMPCode Info Path
If Test = '---------' Done
;-------------------------------------------------------------------------------
; Output
;-------------------------------------------------------------------------------
OutCSV '' 'Init'
OutCSV Date
OutCSV Time
OutCSV Action
OutCSV Protocol
OutCSV SrcIP
OutCSV DstIP
OutCSV SrcPort
OutCSV DstPort
Call MaybeNull Size
Call MaybeNull TCPFlags
Call MaybeNull TCPSyn
Call MaybeNull TCPAck
Call MaybeNull TCPWin
Call MaybeNull ICMPType
Call MaybeNull ICMPCode
Call MaybeNull Info
Call MaybeNull Path
OutCSV '' 'Done'
Done
;===============================================================================
; Procedures
;===============================================================================
Procedure MaybeNull
  If MaybeNull = '-'
    OutCSV ''
  Otherwise
    OutCSV MaybeNull
  End
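The same parsing and filtering, as an added Python example that is not part of the original script or of Parse-O-Matic: it splits each pfirewall.log record into the seventeen fields the script names, skips comment and null lines, port-80 traffic and records whose nine trailing fields are all '-', and writes those '-' values as empty CSV cells the way the MaybeNull procedure does. The sample log lines are constructed here using documentation-range addresses.

```python
import csv
import sys

# Field order of a pfirewall.log record (W3C style), matching the sixteen
# 'Parse ... Cut' steps in the script above plus 'Path = $Data'.
FIELDS = ("date", "time", "action", "protocol", "src_ip", "dst_ip",
          "src_port", "dst_port", "size", "tcpflags", "tcpsyn", "tcpack",
          "tcpwin", "icmptype", "icmpcode", "info", "path")
OPTIONAL = FIELDS[8:]   # the nine fields the script tests against '---------'

def parse_record(line):
    """Split one log line into a dict, or return None if it is malformed."""
    parts = line.split(" ", len(FIELDS) - 1)   # remainder becomes 'path'
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def interesting(rec):
    """The script's filters: skip port 80, skip records carrying no detail."""
    if rec["src_port"] == "80" or rec["dst_port"] == "80":
        return False
    # Equivalent of: Test = Size TCPFlags ... Path ; If Test = '---------' Done
    return any(rec[f] != "-" for f in OPTIONAL)

def filter_log(text):
    """Return the rows the script would output; a '-' in an optional field
    becomes an empty cell, as the MaybeNull procedure does."""
    rows = []
    for line in text.splitlines():
        line = line.rstrip()
        if line == "" or line.startswith("#"):   # null lines and comments
            continue
        rec = parse_record(line)
        if rec is not None and interesting(rec):
            rows.append(["" if f in OPTIONAL and rec[f] == "-" else rec[f]
                         for f in FIELDS])
    return rows

# Constructed sample log (not from a real host); documentation-range IPs.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2011-03-01 10:15:01 DROP TCP 192.0.2.10 198.51.100.5 51234 80 48 S 1 0 8192 - - - RECEIVE
2011-03-01 10:15:02 DROP TCP 192.0.2.10 198.51.100.5 51235 445 48 S 2 0 8192 - - - RECEIVE
2011-03-01 10:15:03 DROP UDP 192.0.2.11 198.51.100.5 137 137 - - - - - - - - -
2011-03-01 10:15:04 DROP ICMP 192.0.2.12 198.51.100.5 - - 60 - - - - 8 0 - RECEIVE
"""

if __name__ == "__main__":
    csv.writer(sys.stdout, lineterminator="\n").writerows(filter_log(SAMPLE_LOG))
```

Of the four sample records only the TCP/445 and ICMP lines survive: the first is dropped for port 80 and the UDP line because all nine optional fields are '-'.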

Copyright © 1986-2011 National Data Parsing Canada Corporation. All rights reserved.