From 88c1c2b18578ee0426b13fa49c197c2109899164 Mon Sep 17 00:00:00 2001
From: Andrii Bilousko <arestarh@ukr.net>
Date: Tue, 6 Jun 2017 21:19:49 +0300
Subject: [PATCH] Update Convert-IISLogsToObject.ps1

Support for additional IIS log file formats - IIS, NCSA:
https://www.iis.net/learn/manage/provisioning-and-managing-iis/configure-logging-in-iis
---
 Scripts/IIS/Convert-IISLogsToObject.ps1 | 67 +++++++++++++++++++++----
 1 file changed, 57 insertions(+), 10 deletions(-)

diff --git a/Scripts/IIS/Convert-IISLogsToObject.ps1 b/Scripts/IIS/Convert-IISLogsToObject.ps1
index 841e738..a9691cb 100644
--- a/Scripts/IIS/Convert-IISLogsToObject.ps1
+++ b/Scripts/IIS/Convert-IISLogsToObject.ps1
@@ -1,31 +1,78 @@
+function Convert-IISLogsToObject {
 <#
     .Synopsis
-        Converts plain text IIS logs into a ps Object
+        Converts plain text IIS logs into a PS Object
     .DESCRIPTION
-        Converts plain text IIS logs into a ps Object
+        Converts plain text IIS logs into a PS Object
+    .NOTES
+        More info about logging in IIS you can find there:
+        https://www.iis.net/learn/manage/provisioning-and-managing-iis/configure-logging-in-iis
+    .PARAMETER path
+        Specifies path to IIS log files. 
+    .PARAMETER logformat
+        Specifies IIS log file format. The acceptable values for this parameter are: 
+        "W3C", "IIS","NCSA"
     .EXAMPLE
-        Get-ChildItem '<path to logs>\*.log' | Convert-IISLogsToObject | Sort-Object c-ip -Unique
+        Get-ChildItem '<path to logs>\*.log' | Convert-IISLogsToObject -logformat IIS| Sort-Object c-ip -Unique
     .EXAMPLE
-        Convert-IISLogsToObject -path (Get-ChildItem '<path to logs>\*log') | Where-Object { $_.'cs-username' -eq '<userName>' } | Sort-Object c-ip -Unique
+        Convert-IISLogsToObject -path (Get-ChildItem '<path to logs>\*log') -logformat W3C| Where-Object { $_.'cs-username' -eq '<userName>' } | Sort-Object c-ip -Unique
     .NOTES
         General notes
     .AUTHOR
         Ben Taylor - 09/07/2016
+    .LINK
+        http://bentaylor.work/2016/09/parsing-iis-logs-to-powershell-objects/
 #>
-function Convert-IISLogsToObject {
+
     [CmdletBinding()]
     [OutputType([System.Management.Automation.PSCustomObject])]
     Param(
+
         [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
         [ValidateScript({ Test-Path -Path $_ })]
-        [string[]]
-        $path
+        [string[]]$path,
+
+        [Parameter(Mandatory = $true)]
+        [ValidateNotNullOrEmpty()]
+	    [ValidateSet("NCSA", "W3C", "IIS")]
+        [string]$logformat
     )
 
     Process {
-        forEach($filePath in $path) {
-            $headers = (Get-Content -Path $filePath -TotalCount 4 | Select -First 1 -Skip 3) -replace '#Fields: ' -split ' '
-            Get-Content $filePath | Select-String -Pattern '^#' -NotMatch | ConvertFrom-Csv -Delimiter ' ' -Header $headers
+
+    <#
+    Define headers for IIS, NCSA log formats
+    Headers are fixed for IIS and NCSA log formats
+    #>
+    #IIS
+    ##Client IP address, User name, Date, Time, Service and instance, Server name, Server IP address, Time taken, Client bytes sent, Server bytes sent, Service status code, Windows status code, Request type, Target of operation, Parameters
+    $IISheaders='c-ip', 'username', 'date', 'time', 'service', 'server', 's-ip', 'timetaken', 'c-bsent', 's-bsent', 'service-sc', 'windows-sc', 'request-type', 'target', 'parameters'
+    #NCSA
+    ##Remote host address, Remote log name (This value is always a hyphen), user name, Date, time, Greenwich mean time (GMT) offset, Request and protocol version, Service status code, Bytes sent
+    $NCSAheaders='remote-hostaddr', 'remote-logname', 'username', 'date', 'time', 'GMToffset', 'request-method', 'request', 'protocol-version', 'service-sc', 'bytes-sent'
+
+        switch ($logformat) { 
+            "W3C"
+                {
+                  forEach($filePath in $path) {
+                      $W3Cheaders = (Get-Content -Path $filePath -TotalCount 4 | Select-Object -First 1 -Skip 3) -replace '#Fields: ' -split ' '
+                      Get-Content -Path $filePath | Select-String -Pattern '^#' -NotMatch | ConvertFrom-Csv -Delimiter ' ' -Header $W3Cheaders
+                  }
+                } 
+            "IIS"
+                {
+                  forEach($filePath in $path) {
+                      Get-Content -Path $filePath | ConvertFrom-Csv -Delimiter ',' -Header $IISheaders
+                  }
+                }
+            "NCSA"
+                {
+                  forEach($filePath in $path) {
+                      #Character set (in each log string) that represents Date, time and Greenwich mean time (GMT) offset, are modified to fit in defined Headers, e.g. [03/Feb/2017:09:44:14 +0200] replaced by 03/Feb/2017 09:44:14 +0200
+                      #Character set (in each log string) that represents Request and protocol version, are modified to fit in defined Headers, e.g. "GET /2016-08-22-php7.html HTTP/1.1" replaced by GET /2016-08-22-php7.html HTTP/1.1
+                      Get-Content -Path $filePath | ForEach-Object -Process {($_ -replace '\[(.*):(\d{2}:\d{2}:\d{2})\s([-+]\d+)\]','$1 $2 $3') -replace '\"(.*)\"','$1'}| ConvertFrom-Csv -Delimiter ' ' -Header $NCSAheaders
+                  }
+                } 
         }
     }
 }