Input line:
Thu 2017-03-30 00:00:07: user@domain.com (John Doe) checked mail from 127.0.0.1 using IMAP, 0 msgs collected, 21 remaining
PowerShell script (parses every `*.log` line of the shape above into `analysis.csv`):
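# Extract (date, email, ipaddr, proto) from mail-client activity log lines of the form
#   Thu 2017-03-30 00:00:07: user@domain.com (John Doe) checked mail from 127.0.0.1 using IMAP, ...
# and write them to analysis.csv.
#
# Why one anchored regex with named groups instead of four alternations + -AllMatches:
#  - The original pattern had lost its backslashes (`d{1,3}.d{1,3}`, `(?:.[a-z`, `sd{4}`),
#    so `\d` / `\.` / `\s` never matched what was intended; they are restored here.
#  - The original assigned columns by the *position* of the matches on the line and
#    dropped any line that did not yield exactly four. Anything user-controlled in the
#    line (the display name in parentheses is the obvious candidate) that looks like an
#    IP, an e-mail address, or the word "IMAP"/"POP" would shift or drop a row.
#    Named groups tie each field to the line layout rather than to match order, and
#    the greedy `.*` before ` from ` makes the *last* "from <ip> using <proto>" win, which
#    is the server-written one if a display name tries to smuggle in a fake copy.
# A verbatim here-string is used so the regex needs no PowerShell escaping at all
# (the original double-quoted string only worked because `` `{ `` happens to escape to `{`).
$rxp = @'
^(?<date>[A-Z][a-z]+\s\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}):\s(?<email>[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)\s.*\sfrom\s(?<ipaddr>\d{1,3}(?:\.\d{1,3}){3})\susing\s(?<proto>POP|IMAP)\b
'@

# Select-String is case-insensitive by default (same as the original), so [a-z] also
# matches upper-case addresses. Lines that do not match are simply not emitted, which
# replaces the original `-ne 4` guard. The `^` anchor guarantees at most one match per
# line, so Matches[0] is the only one there is.
Select-String -Path '.\*.log' -Pattern $rxp | ForEach-Object {
    $m = $_.Matches[0]
    [pscustomobject]@{
        date   = $m.Groups['date'].Value
        email  = $m.Groups['email'].Value
        ipaddr = $m.Groups['ipaddr'].Value
        proto  = $m.Groups['proto'].Value
    }
} | Export-Csv -NoTypeInformation -Path analysis.csv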