Parse Event Log text (Security Essentials)

by ab1000 at 2012-10-27 10:36:02

Hi,

From the following command,
Get-EventLog -LogName system -Source “Microsoft Antimalware” -Newest 2 | Format-Table -Property timewritten, message -Wrap -auto

I would really like to take just the ‘Current Signature Version’ and ‘Current Engine Version’ entries and export them neatly into a csv, but have struggled for hours with proper parsing. Any help would be greatly appreciated.

The ideal .csv output (assuming it were run against multiple systems) would look like this…

hostname CurrentSignatureVersion CurrentEngineVersion
pc-1 1.139.712 1.1.8904
pc-2 1.1.000 1.0.001


Adam
by DonJ at 2012-10-27 10:53:08
Let me offer a possible alternative. On your computer, run:


Get-WmiObject -namespace root\SecurityCenter -list


On newer machines, it’ll be SecurityCenter2 or SecurityCenterv2 instead of SecurityCenter. That should list classes like AntiMalwareProduct. Once you know the class names, try to query them:


Get-WmiObject -namespace root\SecurityCenter -class AntiMalwareproduct


That object ought to contain the properties you’re after, without having to parse them from the log. I think it supports AntiMalwareProduct, AntiSpywareProduct, and AntiVirusProduct. Or some combination - look and see what’s in there.

Alternately, if you need to parse from the log, you’re probably looking at either base System.String manipulation or a regular expression. Doable, but harder.
by ab1000 at 2012-10-27 15:11:17
Thanks Don,

That works a treat, the only problem being that it only brings back a ‘product state’ attribute which is decoded a bit here: http://neophob.com/2010/03/wmi-query-wi … tycenter2/

How would one go about crafting a regex or System.String to grab the Current Signature Version and Current Engine Version from the event log? Those are not individual objects and I am struggling verily trying to snag them. Thanks again!

Adam
by DonJ at 2012-10-27 21:25:51
One would experiment a lot. Seriously, I’m not a regex guru. I’d probably rely on methods of the string to locate keyword positions and extract. Look up System.String on google - that’ll get you the MSDN page for the class. Probably the best starting point. It’s cumbersome. Regex would be more elegant but I wouldn’t know where to start.