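<#
.SYNOPSIS
Takes an Exchange Extended Message Trace and parses it into usable powershell objects
.DESCRIPTION
Imports each CSV and emits one PSCustomObject per row, carrying every original column plus a
SpamFilterReport property. When the row's custom_data column contains an "S:SFA=..." entry,
that entry is split on "|" into name=value fields and exposed as a nested object with Agent,
Engine, one property per field, and SFS / LAT as arrays (those names can repeat).
SpamFilterReport stays $null when no such entry exists, so all output objects share one shape.
.NOTES
Field names and values are taken verbatim from the trace. Parts of custom_data may originate
from message or sender metadata (verify against your tenant's data), so fields are matched by
exact name rather than by substring, and a field can never replace Agent or Engine.
#>
[CmdletBinding()]
param (
    #Path to the extended message trace CSV
    [Parameter(Mandatory)][String[]]$CSVPath
)
process {
    foreach ($CSVPathItem in $CSVPath) {
        $emt = Import-Csv $CSVPathItem -ErrorAction Stop
        foreach ($emtItem in $emt) {
            #Convert the report line item into a hashtable to add more properties
            $emtProps = [ordered]@{}
            foreach ($emtColumn in $emtItem.psobject.properties) {
                $emtProps[$emtColumn.Name] = $emtColumn.Value
            }

            #Blank out Extended Properties. Makes sure all objects have these properties for sort/filter purposes
            $emtProps.SpamFilterReport = $null

            $emtCustomData = $emtItem.custom_data -split ';'
            foreach ($emtCustomDataItem in $emtCustomData) {
                $ResultProps = [ordered]@{}
                #Entries look like "S:<AGENT>=<payload>"; keep the agent code and continue with the payload
                if ($emtCustomDataItem -match '^S:([A-Z]{3,4})=(.*)') {
                    $ResultProps.Agent = $matches[1]
                    $emtCustomDataItem = $matches[2]
                }

                #Parser for the Spam Filter Agent
                if ($ResultProps.Agent -match 'SFA') {
                    $ResultProps.Agent = "SpamFilter"
                    $SFAData = $emtCustomDataItem.split("|")

                    #Spam Engine (SUM) means multiple
                    $ResultProps.Engine = $SFAData[0]

                    #SFS and LAT can repeat, so they are gathered here and attached as arrays afterwards
                    $SFSValues = @()
                    $LATValues = @()

                    foreach ($SFAField in $SFAData) {
                        #An empty segment (e.g. from a trailing "|") has no name to store
                        if ([string]::IsNullOrEmpty($SFAField)) {
                            continue
                        }

                        #Split on the first "=" only, so a value that itself contains "=" is kept whole
                        #instead of being truncated or nulled. A field without "=" gets a $null value.
                        $SFAName, $SFAValue = $SFAField -split '=', 2

                        #Match field names exactly. A substring test would also pick up any field whose
                        #value merely contains "SFS" or "LAT" and report it as a rule/LAT entry.
                        if ($SFAName -eq 'SUM') {
                            #Already recorded as the Engine above
                            continue
                        }
                        if ($SFAName -eq 'SFS') {
                            $SFSValues += $SFAValue
                            continue
                        }
                        if ($SFAName -eq 'LAT') {
                            $LATValues += $SFAValue
                            continue
                        }

                        #Do not let trace data overwrite the properties this parser sets itself
                        if ($SFAName -in 'Agent', 'Engine') {
                            Write-Warning "SFA field '$SFAName' collides with a reserved report property and was skipped"
                            continue
                        }

                        #Ascribe all individual properties
                        $ResultProps.$SFAName = $SFAValue
                    }

                    #Matched Spam Rules and LAT entries as arrayed properties
                    $ResultProps.SFS = $SFSValues
                    $ResultProps.LAT = $LATValues

                    #Construct the final result and output it
                    $emtProps.SpamFilterReport = [PSCustomObject]$ResultProps
                }
            }
            [PSCustomObject]$emtProps
        }
    }
}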