Tuesday, 8 November 2016

Log Files Sanitizer


    From time to time you might need to send log files to a supplier's support team, and you don't always want to hand them over as they are. I have prepared a script that parses the log files and detects any IP addresses from the subnets whose first octet you define. You can put there any IP address ranges used in your organization and sanitize the log files this way. With a small modification to the script it is also possible to hide other information, such as domain names or FQDNs.

Usage:
    Put all your log files in one directory and save the code of the log parser as a .ps1 file in the same directory. Run the log parser from an Administrator PowerShell and it will create a new file for every log file in which IP addresses were detected.


Log Sanitizer output

Additional Notes:
    Be careful with *.evtx files, as they store IP addresses with a space between each character (e.g. 1 0 . 1 . 1 2 2 . 1 3). The log parser would not detect these, so if you are exporting Windows Event Viewer logs for parsing, make sure they are exported in .csv format.

Code:
$ipPattern = '(10|172|255|192)\.\d{1,3}\.\d{1,3}\.\d{1,3}'   # first octets of the ranges to hide
# Only regular files, skipping this script and any output of a previous run
$logfiles = Get-ChildItem -Path . -File | Where-Object { $_.Extension -ne '.ps1' -and $_.BaseName -notlike '*parsed' }
Write-Host
foreach ($log in $logfiles){
    Write-Host -f green "Parsing $($log.Name)"
    $content = Get-Content -Path $log.FullName
    # Count every IP occurrence, not only the lines that contain one
    $IPsMatched = ([regex]::Matches(($content -join "`n"), $ipPattern)).Count
    if ($IPsMatched -gt 0){
        Write-Host "Found $IPsMatched IP addresses"
        $parsedLogName = $log.BaseName + "parsed" + $log.Extension
        $content -replace $ipPattern, 'X.X.X.X' | Set-Content -Path $parsedLogName
        Write-Host "Sanitized log file written into " -nonewline; Write-Host -f yellow $parsedLogName
    }
    else {
        Write-Host "No IP addresses found"
    }
    Write-Host
}
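As an added example (not the post's script), the same first-octet approach extended the way the post suggests: internal FQDNs are hidden too, and every distinct IP or hostname gets a stable placeholder (IP-001, HOST-002, ...) instead of X.X.X.X, so the support team can still tell events from the same host apart from different hosts. The octet list and the corp.example suffix are assumed placeholders for your own values.

```powershell
# Added example, not the script from the post. Assumptions: the first-octet list and
# the 'corp.example' suffix are placeholders for the ranges and DNS suffixes you use.

$script:Placeholders = @{}   # one table for the whole run, so a host gets the same token in every file

function Get-Placeholder([string] $Value, [string] $Prefix) {
    $key = $Value.ToLowerInvariant()
    if (-not $script:Placeholders.ContainsKey($key)) {
        $n = @($script:Placeholders.Values | Where-Object { $_.StartsWith("$Prefix-") }).Count + 1
        $script:Placeholders[$key] = '{0}-{1:D3}' -f $Prefix, $n
    }
    return $script:Placeholders[$key]
}

function ConvertTo-SanitizedLine {
    param(
        [Parameter(Mandatory)] [AllowEmptyString()] [string] $Line,
        [string[]] $FirstOctets    = @('10', '172', '192'),   # as in the post: first octets of your ranges
        [string[]] $DomainSuffixes = @('corp.example')        # internal DNS suffixes to hide (assumed)
    )
    $octets   = ($FirstOctets    | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $suffixes = ($DomainSuffixes | ForEach-Object { [regex]::Escape($_) }) -join '|'
    # Lookarounds stop 210.1.1.1 from matching as 10.1.1.1 and avoid eating part of a longer dotted string
    $ipRegex   = [regex]"(?<![\d.])(?:$octets)\.\d{1,3}\.\d{1,3}\.\d{1,3}(?![\d.])"
    $fqdnRegex = [regex]"(?i)\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:$suffixes)\b"
    # Explicit MatchEvaluator cast: a bare scriptblock would bind to the string overload of Replace
    $hostEval = [System.Text.RegularExpressions.MatchEvaluator]{ param($m) Get-Placeholder $m.Value 'HOST' }
    $ipEval   = [System.Text.RegularExpressions.MatchEvaluator]{ param($m) Get-Placeholder $m.Value 'IP' }
    $Line = $fqdnRegex.Replace($Line, $hostEval)   # hostnames first; placeholders contain no dots
    return $ipRegex.Replace($Line, $ipEval)
}

# Driver: .log and .csv files in the current directory, skipping output of an earlier run
Get-ChildItem -Path '.\*' -Include *.log, *.csv -File |
    Where-Object { $_.BaseName -notlike '*.sanitized' } |
    ForEach-Object {
        $out = Join-Path $_.DirectoryName ($_.BaseName + '.sanitized' + $_.Extension)
        Get-Content -Path $_.FullName | ForEach-Object { ConvertTo-SanitizedLine -Line $_ } | Set-Content -Path $out
        Write-Host "Sanitized $($_.Name) -> $out"
    }
# The mapping stays with you for cross-referencing answers from support; it is not part of what you send
$script:Placeholders.GetEnumerator() | Sort-Object Value |
    Select-Object @{n='Placeholder';e={$_.Value}}, @{n='Original';e={$_.Key}} |
    Export-Csv -Path '.\sanitizer-map.csv' -NoTypeInformation
```

The spaced-out form found in *.evtx exports (1 0 . 1 . 1 2 2 . 1 3) is still not matched, so the post's advice to export Event Viewer logs as .csv applies here as well.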
   
