Monday, 23 June 2014

Collect Symantec Processlog.log and Parse

Hi All,

I wrote this script because I was finding that symantec was not logging all of my exceptions to the exception list in System Lockdown.  This script will import a list of computer names from a CSV file, collect all of the proccesslog files, store them centrally, then create a CSV with only the MD5, Caller Process and Called process.  Happy to provide help if need be.


#Cleanup after script run
$cleanup = $true
#Computer List
$csv = Import-Csv D:\Scripts\Symantec\complete.csv | where {$_.name -like "*.domain.*" -or $_.name -like "*.domain.*"}

#Folder to gather all processlog files.
$exportfolder = "D:\Scripts\Symantec\ProcessLog\"

#Remove All Files from Exportfolder
Remove-Item $exportfolder\*.*

#Parse list of Computernames
foreach($a in $csv){
#Header of CSV file
$name = $a.name
#Build Export file
$exportfile = $exportfolder + "\" + $name + "_processlog.log"

#Copy processlog.log from SRV2008/7
copy "\\$name\C$\Programdata\symantec\Symantec Endpoint Protection\12*\Data\logs\processlog.log" $exportfile -ErrorAction SilentlyContinue
#Copy processlog.log from SRV2003/XP
copy  "\\$name\C$\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12*\Data\Logs\processlog.log" $exportfile -ErrorAction SilentlyContinue
}

#Get the filenames of the process log folder.
$gci = gci $exportfolder

#Parse All Collected processlog.log
foreach ($b in $gci){
#Gather All Fullnames
$file = $b.fullname
#Regex Expression
$regex = "(System)(.*)(.SCSI)"
#Select only the string that is required.
$select = Select-String -Path $file -Pattern $regex -All
$value = $select | select -expandproperty matches
#Export to a Temporary unclean file.
$value | select value | add-content $exportfolder\full.txt
}

#cleanup csv, Put headers on file and export cleaner version
import-csv $exportfolder\full.txt -delimiter `t -header MD5,1,2,3,4,5,6,Path,7,8,CalledFile | select @{Name="MD5";Expression={($_.md5).replace("@{Value=System Lockdown - Target MD5=", "")}},Path,CalledFile | Export-Csv $exportfolder\clean.csv -NoTypeInformation

#Remove all files as a cleanup task if cleanup is set to $true
if($cleanup -eq $true){
rm $exportfolder\*.log
rm $exportfolder\*.txt
}

No comments:

Post a Comment