Parsing Information in a NoteProperty

I am trying to find a simple way to script information from an event log message whose MemberType is NoteProperty. The data I’m after is just the IP address inside the message. It looks like this:

Message : SMB1 access

          Client Address: 10.40.0.55

          Guidance:

          This event indicates that a client attempted to access the server using SMB1. To stop auditing SMB1 access,
          use the Windows PowerShell cmdlet Set-SmbServerConfiguration.

I’m trying to find servers that have clients accessing SMB shares using version 1 of the protocol. I have hundreds of servers to audit. I’m only interested in getting the IP address of any connection to a server using the protocol. Getting the audit log is easy enough. Getting the IP address from the NoteProperty is what’s tripping me up. What’s the best way to retrieve this from the NoteProperty?

I would use a regular expression. At its most basic, you can match an IP address with:

'\d+\.\d+\.\d+\.\d+'

That simply matches any four numbers separated by dots so it would match invalid IP addresses or things that aren’t IP addresses as well. If a more accurate pattern is required, you can search for examples.

# Event filter: the log name and event ID of the events to scan.
$FilterHashTable = @{
    LogName = 'Application'
    ID      = 1001
}

# Pull just the Message NoteProperty out of each event as a plain string.
$messageList = Get-WinEvent -FilterHashtable $FilterHashTable | Select-Object -ExpandProperty Message

foreach ($message in $messageList) {
    # -match on a single string populates $matches; index 0 holds the full match.
    if ($message -match '\d+\.\d+\.\d+\.\d+') {
        [PSCustomObject] @{
            'IP Address' = $matches[0]
        }
    }
}
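As an added example (not code from the original answer), the same extraction wrapped in a function that anchors on the "Client Address:" line shown in the question, rejects dotted numbers that are not valid addresses, and deduplicates results with Sort-Object -Unique; the sample messages and the Get-Smb1ClientAddress name are constructed for this illustration.

```powershell
# Added example, not from the original post. Extracts the client address from
# SMB1 audit message text. Anchoring on "Client Address:" avoids picking up
# other dotted numbers in the Guidance text, and IPAddress.TryParse rejects
# malformed candidates such as an octet above 255.
function Get-Smb1ClientAddress {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string] $Message
    )
    process {
        # Capture whatever follows "Client Address:" up to the next whitespace;
        # the character class also admits IPv6 literals.
        $m = [regex]::Match($Message, 'Client Address:\s*(?<ip>[0-9A-Fa-f:.]+)')
        if (-not $m.Success) { return }

        $candidate = $m.Groups['ip'].Value
        $parsed = $null
        if ([System.Net.IPAddress]::TryParse($candidate, [ref] $parsed)) {
            # Emit the normalised string form so duplicates compare equal.
            $parsed.IPAddressToString
        }
    }
}

# Constructed sample messages standing in for Get-WinEvent output:
# two hits from the same client and one malformed address.
$sample = @(
    "SMB1 access`r`n`r`nClient Address: 10.40.0.55`r`n`r`nGuidance:`r`nThis event indicates ...",
    "SMB1 access`r`n`r`nClient Address: 10.40.0.55`r`n`r`nGuidance:`r`nThis event indicates ...",
    "SMB1 access`r`n`r`nClient Address: 999.1.2.3`r`n`r`nGuidance:`r`nThis event indicates ..."
)

# Returns a single line, 10.40.0.55: the repeat collapses and 999.1.2.3 is dropped.
$sample | Get-Smb1ClientAddress | Sort-Object -Unique

# Against a real server, feed the Message property in the same way, reusing the
# $FilterHashTable from the answer above:
# Get-WinEvent -ComputerName $server -FilterHashtable $FilterHashTable |
#     Select-Object -ExpandProperty Message |
#     Get-Smb1ClientAddress | Sort-Object -Unique
```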

I ended up retrieving the data and saving it to a CSV file. From there I was able to use Get-Content and create a PSCustomObject where I cleaned up the IP address and stored what I needed in a global variable.

Thanks.