我幾乎已經完成了這個Powershell腳本,但我堅持在最後一部分,可以真正使用一些幫助的最後一步。下面是我寫到目前爲止Powershell IIS日誌analasys
$t1 =(get-date).AddMinutes(-10)
$t2 =$t1.ToUniversalTime().ToString("HH:mm:ss")
$IISLogPath = "C:\inetpub\logs\LogFiles\W3SVC1\"+"u_ex"+(get-date).ToString("yyMMdd")+".log"
$IISLogFileRaw = [System.IO.File]::ReadAllLines($IISLogPath)
$headers = $IISLogFileRaw[3].split(" ")
$headers = $headers | where {$_ -ne "#Fields:"}
$IISLogFileCSV = Import-Csv -Delimiter " " -Header $headers -Path $IISLogPath
$IISLogFileCSV = $IISLogFileCSV | where {$_.date -notlike "#*"}
$timeTaken = $IISLogFileCSV | where {$_.("cs-uri-stem") -eq '/Login.aspx' -AND $_.("time") -gt '$t2' } | Format-Table time,s-ip
所以基本上是着眼於當前天IIS日誌和過濾器,當用戶獲取到登錄頁面,在過去10分鐘我的PS腳本。我堅持的部分是我想通過電子郵件發送當IP在10分鐘內擊中它10次以上(基本上是在發生暴力攻擊時發出警報)。我寫的代碼中的電子郵件部分只需要說明s-ip命中/login.aspx的時間大於10次的部分。此外,在我的「測試箱」我已經改變$t2
和$IISLogPath
爲以下
$t2 = 20:00:00
$IISLogPath = C:\test\log.log
下面是我的示例日誌文件:
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2012-06-27 15:05:24
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-06-27 20:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 20:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 20:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 20:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
2012-06-27 21:32:35 ::1 GET /Login.aspx - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:13.0)+Gecko/20100101+Firefox/13.0.1 500 0 0 24240
是的,但我認爲微軟並不支持它在Server 2008平臺上。另外,因爲我不會坐着每10分鐘運行一次這個腳本(但是任務調度器),那麼嚴格使用powershell而不是將其他程序導入它會更有意義?另一方面,如果我坐在服務器上,我會選擇LP :) – jladd
@jladd - 僅供參考,我在Windows Server 2012上使用[LogParser 2.2 + Log Parser Studio](http://blogs.technet .com/b/karywa/archive/tags/log + parser + studio/default.aspx)解析IIS日誌。它具有「導出到PowerShell」功能。 – anon