
I finished my script, and it does everything I want it to now, but it looks like garbage in the Event Log I am creating from it. Any suggestions on how to clean up output would be appreciated.

The result in the Event Viewer when the script finishes is:

<xmlname> NAME OF AN ALARM </xmlname>
<xmlname> SOME CONTENT I NEED </xmlname>
<xmlname> MORE STUFF I NEED </xmlname>

I need to remove all the <> tags and replace the </> tags with :, but keep the contents.

So it would read

NAME OF ALARM: "some name here"

Here is the code:

#get the last time the powershell script was run (modification time of the stamp file)
$stampFile = "C:\test\lastRunStamp.txt"
$LastRunStamp = (Get-Item $stampFile).LastWriteTime

#write the current timestamp to the same file, so the stamp actually advances between runs
Get-Date > $stampFile

#register the event source once (needs elevation); Write-EventLog fails if the source does not exist
$eventSource = "Custom Alert"
if (-not [System.Diagnostics.EventLog]::SourceExists($eventSource))
{
    New-EventLog -LogName Application -Source $eventSource
}

foreach ($file in (Get-ChildItem C:\test\*.xml))
{
    #calculate the time difference between the file's modified time and the last time the script was run
    $span = New-TimeSpan -Start $file.LastWriteTime -End $LastRunStamp

    #if the file was modified since the last run, the value will be less than or equal to 0
    if ($span.TotalSeconds -le 0)
    {
        #instantiate the XML document object
        $xdoc = New-Object System.Xml.XmlDocument

        #load the XML contents into the object (pass the path string, not the FileInfo object)
        $xdoc.Load($file.FullName)

        #check the value of the priorityname tag; if it is Major, write to the event log
        if ($xdoc.SelectSingleNode("//priorityname").InnerText -eq 'Major')
        {
            #get the raw content of the XML file
            $content = [IO.File]::ReadAllText($file.FullName)

            #mask the FQDNs
            $content = $content.Replace(".abc.com", ".sensored").Replace(".ad.local", ".sensored FQDN")

            #regex pattern to detect IPv4 addresses
            $pattern = "\b((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b"

            #use the regex to mask IP addresses
            $contentScrubbed = [regex]::Replace($content, $pattern, "sensored IP Address")

            Write-EventLog -LogName Application -Source $eventSource `
                -EntryType Information -EventId 5000 `
                -Message ("MAJOR ALARM TRIGGER: " + $contentScrubbed)
        }
    }
}
  • How do I get rid of details? – Delaney Apr 23 '15 at 17:04
  • You already read the XML data structure into the variable `$xdoc`. Why are you reading the file again as a plaintext file instead of extracting the information from the DOM tree you already have? – Ansgar Wiechers Apr 23 '15 at 17:15

1 Answer


#turn closing tags into ":" first, then drop the remaining (opening) tags
$contentScrubbed = [regex]::Replace($contentScrubbed, "</.*>", ":")
$contentScrubbed = [regex]::Replace($contentScrubbed, "<.*>", "")

  • Thanks.. forgot the asterisk when I did it last... :) – Delaney Apr 23 '15 at 16:17
  • @Delaney Glad to help. Please mark it as the answer if you have a minute. Thanks! – Tony Hinkle Apr 23 '15 at 17:14
  • Your regular expressions use greedy matches, which could produce undesired results. Not to mention that regular expressions [shouldn't be used in the first place](http://stackoverflow.com/a/1732454/1630171). – Ansgar Wiechers Apr 23 '15 at 17:19
  • greedy matches?... I am a powershell newb... Enlighten me on this – Delaney Apr 23 '15 at 17:26
  • He's saying that the .* might end up matching things you don't want it to match. By replacing all of the closing tags first, though, you should get the results you want. This can be dangerous if you're using it on strings that you don't control. Just be sure to test it well whenever changes are made that will affect $contentScrubbed. Or, you can use the solution he offered. Oh, wait... :) – Tony Hinkle Apr 23 '15 at 17:31
  • A really safe alternative would be to maintain an array of all XML tags that can be in the file, and then loop through that array doing replaces. You could also modify the regex to only include n number of characters between the <>, based on the longest XML tag that will be present. A lot of different ways to go about this. – Tony Hinkle Apr 23 '15 at 17:33
  • Thank you for that update. One last question about your method, I'm trying to get rid of the " – Delaney Apr 23 '15 at 17:35
  • ...and yes, I know there are pitfalls to the last two methods I just mentioned, but without a complete solution design, nobody here can tell you exactly what is best. – Tony Hinkle Apr 23 '15 at 17:35
  • I am just processing one xml that pops up.. every now and again... it shouldn't be too bad... I will revisit if it proves problematic. – Delaney Apr 23 '15 at 17:38
  • `` $contentScrubbed = $contentScrubbed.Replace("`"","") `` worked for me. You have to put a backtick (under the ~ key) in front of the double quotes to escape them. Not sure exactly what your string is, though. – Tony Hinkle Apr 23 '15 at 17:43
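The comments above make two points worth seeing in working code: the tag text can be taken from the DOM the question already parses, so no tag-stripping regex is needed at all, and if raw text must still be stripped, the greedy `.*` from the answer should be replaced by a class that cannot run past the first `>`. The block below is an added example, not code from the question or the answer. The sample XML, its element names (alarm, name, priorityname, host, source, detail) and the `Hide-SensitiveText` / `ConvertTo-AlarmMessage` function names are constructed for this demonstration; only the IPv4 pattern and the two domain suffixes are taken from the question.

```powershell
# Added example (not from the original question or answer).
# Builds the "NAME: value" event text from the XML DOM instead of regex-stripping
# tags from the raw file, then scrubs internal hostnames and IPv4 literals before
# the text is handed to Write-EventLog.

# Constructed sample alarm file; element names are assumptions for this example.
$sampleXml = @'
<?xml version="1.0"?>
<alarm>
  <name>Disk failure on fileserver01</name>
  <priorityname>Major</priorityname>
  <host>fileserver01.ad.local</host>
  <source>10.20.30.40</source>
  <detail>Mirror degraded; peer 192.168.1.250 unreachable</detail>
</alarm>
'@

# Dotted-quad IPv4 pattern, same as in the question.
$ipv4Pattern = '\b((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b'

function Hide-SensitiveText {
    param([Parameter(Mandatory)][string]$Text)
    # Mask the internal domain suffixes first, then any remaining IPv4 literals.
    $masked = $Text.Replace('.abc.com', '.censored').Replace('.ad.local', '.censored')
    return [regex]::Replace($masked, $ipv4Pattern, 'censored-IP')
}

function ConvertTo-AlarmMessage {
    param([Parameter(Mandatory)][xml]$Document)
    # Walk the child elements of the root and emit one 'ELEMENTNAME: "value"' line each.
    # The parser has already separated markup from text, so no tags can leak into the output.
    $lines = foreach ($node in $Document.DocumentElement.ChildNodes) {
        if ($node.NodeType -eq [System.Xml.XmlNodeType]::Element) {
            '{0}: "{1}"' -f $node.LocalName.ToUpper(), $node.InnerText.Trim()
        }
    }
    return ($lines -join [Environment]::NewLine)
}

# Same priority check as in the question, against the parsed document.
[xml]$xdoc = $sampleXml
if ($xdoc.SelectSingleNode('//priorityname').InnerText -eq 'Major') {
    $message = Hide-SensitiveText (ConvertTo-AlarmMessage $xdoc)
    # $message is what would be passed to Write-EventLog -Message; printed here instead.
    $message
}

# If tags must still be stripped from raw text (the answer's approach), bound the match
# at the first '>' instead of letting '.*' run greedily to the last '>' on the line.
$oneLine = '<a>keep me</a> <b>and me</b>'
[regex]::Replace($oneLine, '<.*>', '')     # greedy: one match spanning the whole line
[regex]::Replace($oneLine, '<[^>]*>', '')  # bounded: each tag matched and removed on its own
```

Run as a script, this prints five lines, one per child element, with the host's `.ad.local` suffix and both addresses masked, followed by the two tag-stripping results; the greedy pattern removes the whole line because `.*` extends from the first `<` to the last `>`, while `<[^>]*>` removes only the four tags and keeps both pieces of text. Because the DOM route never produces angle brackets in the first place, the answer's two replacements become unnecessary, and the event log message cannot be corrupted by a value that happens to contain `<` or `>`.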