Back
Featured image of post Get the Events from a FritzBox router with PowerShell

Get the Events from a FritzBox router with PowerShell

Plain PowerShell approach to get events, because the FritzBox doesn't support Syslog

A while ago, I found an article of Jan Geisbauer about his idea to get all FritzBox events and export them to Azure Sentinel.

Jan also published his code to GitHub. I liked the idea, but I don’t use Azure Sentinel and I found a few things missing.

Here is my approach for it:

function Get-FritzBoxEvents
{
   <#
      .SYNOPSIS
      Get the Events from a FritzBox router

      .DESCRIPTION
      Get the Events from a FritzBox router

      .PARAMETER FritzBoxUser
      Username to use for the FritzBox login

      .PARAMETER FritzBoxPassword
      FritzBox Password in plain text (might be changed to a secure string soon)

      .PARAMETER FritzBoxHost
      The URI that contains the FQDN or IP of your FritzBox,
      e.g. http://fritz.box or http://192.168.178.1

      .PARAMETER Hours
      Hours to get, e.g. 24

      .EXAMPLE
      PS C:\> Get-FritzBoxEvents -FritzBoxUser 'myFritz' -FritzBoxPassword 'ThePassw0rd' -FritzBoxHost 'http://myfritz.box' -Hours 24 | Where-Object {(($_.ipv4 -ne $null) -or ($_.ipv6 -ne $null))}

      Get only entries with IPv4 or IPv6 values, of the last 24 hours

      .EXAMPLE
      PS C:\> Get-FritzBoxEvents -FritzBoxUser 'myFritz' -FritzBoxPassword 'ThePassw0rd' -FritzBoxHost 'http://myfritz.box' -Hours 48 | Where-Object {($_.ipv6 -ne $null)}

      Get only entries with IPv6 values, of the last 48 hours

      .EXAMPLE
      PS C:\> Get-FritzBoxEvents -FritzBoxUser 'myFritz' -FritzBoxPassword 'ThePassw0rd' -FritzBoxHost 'http://myfritz.box' | Where-Object {($_.Message -like 'Die Systemzeit wurde erfolgreich aktualisiert von Zeitserver*')}

      Get all events where the time was set via a time server, no time limit

      .EXAMPLE
      PS C:\> Get-FritzBoxEvents -FritzBoxUser 'myFritz' -FritzBoxPassword 'ThePassw0rd' -FritzBoxHost 'http://myfritz.box' | Where-Object {($_.Message -like 'Die Systemzeit wurde erfolgreich aktualisiert von Zeitserver*')} | Select-Object -ExpandProperty IPv4

      Get all events where the time was set via a time server, only return the IPv4 addresses, no time limit

      .EXAMPLE
      PS C:\> ((Get-FritzBoxEvents -FritzBoxUser 'myFritz' -FritzBoxPassword 'ThePassw0rd' -FritzBoxHost 'http://myfritz.box' | Where-Object {($_.Message -like 'Die Systemzeit wurde erfolgreich aktualisiert von Zeitserver*')})[0] | Select-Object -ExpandProperty IPv4)

      Get all events where the time was set via a time server, only return the IPv4 address of the latest (youngest) event

      .EXAMPLE
      PS C:\> Get-FritzBoxEvents -FritzBoxUser 'myFritz' -FritzBoxPassword 'ThePassw0rd' -FritzBoxHost 'http://myfritz.box' | Where-Object {($_.Message -like '*main-repeater*')}

      Only return events from a repeater with the name main-repeater, no time limit

      .EXAMPLE
      PS C:\> (Get-FritzBoxEvents -FritzBoxUser 'myFritz' -FritzBoxPassword 'ThePassw0rd' -FritzBoxHost 'http://myfritz.box' | Where-Object {($_.Message -like '*main-repeater*')})[0]

      Only return the latest (youngest) events from a repeater with the name main-repeater, no time limit

      .EXAMPLE
      PS C:\> Get-FritzBoxEvents -FritzBoxUser 'myFritz' -FritzBoxPassword 'ThePassw0rd' -FritzBoxHost 'http://myfritz.box' | Where-Object {($_.Message -like '*Zeitserver * antwortet nicht.')}

      Only return events where the Timeserver does NOT answer, no time limit

      .EXAMPLE
      PS C:\> Get-FritzBoxEvents -FritzBoxUser 'myFritz' -FritzBoxPassword 'ThePassw0rd' -FritzBoxHost 'http://myfritz.box' | Where-Object {($_.Message -like '*verschl├╝sselten DNS-Servern*')}

      All events related to encrypted DNS, no time limit

      .EXAMPLE
      PS C:\> Get-FritzBoxEvents -FritzBoxUser 'myFritz' -FritzBoxPassword 'ThePassw0rd' -FritzBoxHost 'http://myfritz.box' -Hours 24 | Where-Object {($_.Message -like '*Authentifizierungsfehler*')}

      Only events with authentication errors, of the last 24 hours

      .EXAMPLE
      PS C:\> ((Get-FritzBoxEvents -FritzBoxUser 'myFritz' -FritzBoxPassword 'ThePassw0rd' -FritzBoxHost 'http://myfritz.box' | Where-Object {($_.Message -like '*(verf├╝gbare Bitrate)*')})[0] | Select-Object -ExpandProperty Message)

      The latest (youngest) event that has the bitrate info (capacity)

      .EXAMPLE
      PS C:\> ((Get-FritzBoxEvents -FritzBoxUser 'myFritz' -FritzBoxPassword 'ThePassw0rd' -FritzBoxHost 'http://myfritz.box' | Where-Object {($_.Message -like 'Internetverbindung wurde erfolgreich hergestellt.*')})[0] | Select-Object -ExpandProperty IPv4)

      Get the public IPv4 address

      .EXAMPLE
      PS C:\> ((Get-FritzBoxEvents -FritzBoxUser 'myFritz' -FritzBoxPassword 'ThePassw0rd' -FritzBoxHost 'http://myfritz.box' | Where-Object {($_.Message -like 'Internetverbindung IPv6 wurde erfolgreich hergestellt.*')})[0] | Select-Object -ExpandProperty IPv6)

      Get the public IPv6 address

      .EXAMPLE
      PS C:\> ((Get-FritzBoxEvents -FritzBoxUser 'myFritz' -FritzBoxPassword 'ThePassw0rd' -FritzBoxHost 'http://myfritz.box' | Where-Object {(($_.Message -like '*IPv6-Pr├Ąfix wurde erfolgreich bezogen.*') -and ($_.ipv6 -ne $null))})[0] | Select-Object -ExpandProperty IPv6)

      Get the latest public IPv6 prefix (CIDR)

      .EXAMPLE
      PS C:\> ((Get-FritzBoxEvents -FritzBoxUser 'myFritz' -FritzBoxPassword 'ThePassw0rd' -FritzBoxHost 'http://myfritz.box' | Where-Object {(($_.Message -like 'Freigabe als Exposed Host auf * (*) hinzugef├╝gt.') -and ($_.ipv4 -ne $null))})[0] | Select-Object -ExpandProperty IPv4)

      get the exposed host IPv4

      .EXAMPLE
      PS C:\> $IPv6TMP = (Get-FritzBoxEvents -FritzBoxUser 'myFritz' -FritzBoxPassword 'ThePassw0rd' -FritzBoxHost 'http://myfritz.box' | Where-Object {(($_.Message -like 'Freigabe als Exposed Host auf * (*) hinzugef├╝gt.') -and ($_.ipv4 -eq $null))} | Select-Object -ExpandProperty Message)
      PS C:\> $regex = [regex]'(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))'
      PS C:\> $regex.Matches($IPv6TMP) | ForEach-Object{ $_.value }

      Get the exposed host IPv6 address and/or IPv6 CIDR (of exists)

      .LINK
      https://github.com/jangeisbauer/FritzBox2Sentinel

      .LINK
      https://gist.github.com/joasch/e48738417ec1efcc963a96bbb3f34cba

      .LINK
      https://www.ip-phone-forum.de/threads/ereignisprotokoll-der-fritz-box-auf-linux-server-sichern.280328/page-5

      .NOTES
      All tests in the examples are only valid if your FritzBox has a german UI!
      For other languages, dump all events and search for the matches in your own language

      If you have issues with german umlauts, use the following before stating the command:
      [console]::OutputEncoding = [System.Text.Encoding]::GetEncoding(1252)

      I had issues on macOS and Linux with german umlauts, never happened on Windows!

      Idea is stolen from https://github.com/jangeisbauer/FritzBox2Sentinel (No license was applied)
      So, @jangeisbauer is considered as a contributor
   #>
   [CmdletBinding(ConfirmImpact = 'None')]
   [OutputType([array])]
   param
   (
      [Parameter(ValueFromPipeline,
         ValueFromPipelineByPropertyName)]
      [ValidateNotNull()]
      [ValidateNotNullOrEmpty()]
      [Alias('FBUser', 'user')]
      [string]
      $FritzBoxUser = $null,
      [Parameter(ValueFromPipeline,
         ValueFromPipelineByPropertyName)]
      [ValidateNotNull()]
      [ValidateNotNullOrEmpty()]
      [Alias('Password', 'fbpassword')]
      [string]
      $FritzBoxPassword = $null,
      [Parameter(ValueFromPipeline,
         ValueFromPipelineByPropertyName)]
      [ValidateNotNull()]
      [ValidateNotNullOrEmpty()]
      [Alias('fbhost', 'host', 'fritzbox')]
      [string]
      $FritzBoxHost = 'http://fritz.box',
      [Parameter(ValueFromPipeline,
         ValueFromPipelineByPropertyName)]
      [int]
      $Hours = $null
   )

   begin
   {
      # Garbage Collection
      [GC]::Collect()

      #region Helper
      function Get-MD5Hash
      {
         <#
         .SYNOPSIS
         Return a MD5 hash of a given String

         .DESCRIPTION
         Return a MD5 hash of a given String

         .PARAMETER Text
         String to convert

         .EXAMPLE
         PS C:\> Get-MD5Hash -Text 'Value1'

         .LINK
         https://github.com/jangeisbauer/FritzBox2Sentinel

         .NOTES
         Cheap internal helper

         Stolen from https://github.com/jangeisbauer/FritzBox2Sentinel (No license was applied)
      #>
         [CmdletBinding(ConfirmImpact = 'None')]
         [OutputType([string])]
         param
         (
            [Parameter(Mandatory,
               ValueFromPipeline,
               ValueFromPipelineByPropertyName,
               HelpMessage = 'String to convert')]
            [ValidateNotNull()]
            [ValidateNotNullOrEmpty()]
            [string]
            $Text
         )

         begin
         {
            $md5 = (New-Object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider)
         }

         process
         {
            $md5.ComputeHash([Text.Encoding]::utf8.getbytes($Text)) | ForEach-Object -Process {
               $HC = ''
            } {
               $HC += $_.tostring('x2')
            } {
               $HC
            }
         }
      }
      #endregion Helper
   }

   process
   {
      try
      {
         # Convert the plain text password to a secure string
         $FritzBoxSecurePassword = ($FritzBoxPassword | ConvertTo-SecureString -AsPlainText -Force -ErrorAction Stop)

         # FritzBox Pages to get
         $FritzBoxLoginPage = '/login_sid.lua'
         $FritzBoxEventPage = '/query.lua?mq_log=logger:status/log&sid='

         # Secret handler
         $SecureStringToBSTR = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($FritzBoxSecurePassword)
         $PtrToStringAuto = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($SecureStringToBSTR)

         # Get the challenge from the FritzBox Login Page
         $ChallengeRequest = (Invoke-WebRequest -Uri ($FritzBoxHost + $FritzBoxLoginPage) -UseBasicParsing -ErrorAction Stop)

         # Save the recived challenge
         $Challenge = ([xml]$ChallengeRequest).sessioninfo.challenge

         # Create the input for the HEX code
         $Code1 = ($Challenge + '-' + $PtrToStringAuto)

         # Create the HEX data string
         $Code2 = ([char[]]$Code1 | ForEach-Object -Process {
               $Code2 = ''
            } {
               $Code2 += $_ + [Char]0
            } {
               $Code2
            })

         # Create the body part for the next request (includes the MD5 hash of the HEX from above)
         $SIDRequestBody = ('response=' + $Challenge + '-' + $(Get-MD5Hash -text ($Code2)) + '&username=' + $FritzBoxUser)

         # Do the real Login
         $SIDRequest = (Invoke-WebRequest -Uri ($FritzBoxHost + $FritzBoxLoginPage) -Method Post -Body $SIDRequestBody -ErrorAction Stop)

         # Extract the SID from the Login request
         $SID = ((([xml]($SIDRequest.Content)).ChildNodes).sid)

         # Get the Events

         $FritzBoxEvents = (Invoke-WebRequest -Uri ($FritzBoxHost + $FritzBoxEventPage + $SID) -UseBasicParsing -ErrorAction Stop)

         # Do we have a time limit?
         if ($Hours -ne 0)
         {
            # Create a filter
            $Filterhours = ((Get-Date).AddHours(-$Hours))
         }
         else
         {
            # No filter needed
            $Filterhours = $null
         }

         # Create a new Array
         $FritzEvents = @()

         # loop over the events we have (and extract the JSON return that contains all events)
         foreach ($FritzBoxEvent in ($FritzBoxEvents.Content | ConvertFrom-Json -ErrorAction Stop).mq_log)
         {
            try
            {
               # Cleanup
               $EventDate = $null
               $IPv6 = $null
               $IPv4 = $null
               $EventEntry = $null

               # Transform the Data
               $EventDate = [regex]::Matches($FritzBoxEvent, '\d\d\.\d\d\.\d\d \d\d:\d\d:\d\d')[0].Value

               # This REGEX should match IPv6 and IPv6 CIDR
               $IPv6 = [regex]::Matches($FritzBoxEvent[0], '((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$')[0].Value

               # Simple IPv4 REGEX
               $IPv4 = [regex]::Matches($FritzBoxEvent[0], '(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)')[0].Value

               # Do we have a DATE in the event?
               if ($EventDate -ne '')
               {
                  # Transform the Event DATE
                  $EventEntry = $FritzBoxEvent[0].replace($EventDate, '')

                  # Ensure we have the correct format, just in case
                  #$EventDate = (Get-Date -Date $EventDate)
               }

               # Apply the Limit, if needed
               if (($Filterhours) -and ($EventDate -ge $Filterhours))
               {
                  # Cleanup the event message (remove leading or trailing whitespaces)
                  $EventEntry = $EventEntry.trim()

                  # Add the Event to the list
                  $FritzEvents += [PSCustomObject]@{
                     Date    = $EventDate
                     Message = $EventEntry
                     IPv4    = $IPv4
                     IPv6    = $IPv6
                  }
               }

               # Cleanup
               $EventDate = $null
               $IPv6 = $null
               $IPv4 = $null
               $EventEntry = $null
            }
            catch
            {
               #region ErrorHandler
               # get error record
               [Management.Automation.ErrorRecord]$e = $_

               # retrieve information about runtime error
               $info = [PSCustomObject]@{
                  Exception = $e.Exception.Message
                  Reason    = $e.CategoryInfo.Reason
                  Target    = $e.CategoryInfo.TargetName
                  Script    = $e.InvocationInfo.ScriptName
                  Line      = $e.InvocationInfo.ScriptLineNumber
                  Column    = $e.InvocationInfo.OffsetInLine
               }

               # output information. Post-process collected info, and log info (optional)
               $info | Out-String | Write-Verbose

               Write-Warning -Message $e.Exception.Message -WarningAction Continue
               #endregion ErrorHandler
            }
         }
      }
      catch
      {
         # Cleanup
         $FritzEvents = $null
         $FritzBoxSecurePassword = $null
         $FritzBoxLoginPage = $null
         $FritzBoxEventPage = $null
         $SecureStringToBSTR = $null
         $PtrToStringAuto = $null
         $ChallengeRequest = $null
         $Challenge = $null
         $Code1 = $null
         $Code2 = $null
         $SIDRequestBody = $null
         $SIDRequest = $null
         $SID = $null
         $FritzBoxEvents = $null
         $Hours = $null
         $Filterhours = $null

         #region ErrorHandler
         # get error record
         [Management.Automation.ErrorRecord]$e = $_

         # retrieve information about runtime error
         $info = [PSCustomObject]@{
            Exception = $e.Exception.Message
            Reason    = $e.CategoryInfo.Reason
            Target    = $e.CategoryInfo.TargetName
            Script    = $e.InvocationInfo.ScriptName
            Line      = $e.InvocationInfo.ScriptLineNumber
            Column    = $e.InvocationInfo.OffsetInLine
         }

         # output information. Post-process collected info, and log info (optional)
         $info | Out-String | Write-Verbose

         $paramWriteError = @{
            Message      = $e.Exception.Message
            ErrorAction  = 'Stop'
            Exception    = $e.Exception
            TargetObject = $e.CategoryInfo.TargetName
         }
         Write-Error @paramWriteError

         # Only here to catch a global ErrorAction overwrite
         exit 1
         #endregion ErrorHandler
      }
      finally
      {
         # Garbage Collection
         [GC]::Collect()
      }
   }

   end
   {
      # Dump to the Terminal
      $FritzEvents

      # Cleanup
      $FritzEvents = $null
      $FritzBoxSecurePassword = $null
      $FritzBoxLoginPage = $null
      $FritzBoxEventPage = $null
      $SecureStringToBSTR = $null
      $PtrToStringAuto = $null
      $ChallengeRequest = $null
      $Challenge = $null
      $Code1 = $null
      $Code2 = $null
      $SIDRequestBody = $null
      $SIDRequest = $null
      $SID = $null
      $FritzBoxEvents = $null
      $Hours = $null
      $Filterhours = $null

      # Garbage Collection
      [GC]::Collect()
   }
}

#region LICENSE
<#
   BSD 3-Clause License
   Copyright (c) 2021, enabling Technology
   All rights reserved.
   Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
   1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
   2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
   3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#>
#endregion LICENSE

#region DISCLAIMER
<#
   DISCLAIMER:
   - Use at your own risk, etc.
   - This is open-source software, if you find an issue try to fix it yourself. There is no support and/or warranty in any kind
   - This is a third-party Software
   - The developer of this Software is NOT sponsored by or affiliated with Microsoft Corp (MSFT) or any of its subsidiaries in any way
   - The Software is not supported by Microsoft Corp (MSFT)
   - By using the Software, you agree to the License, Terms, and any Conditions declared and described above
   - If you disagree with any of the terms, and any conditions declared: Just delete it and build your own solution
#>
#endregion DISCLAIMER

The function still has a few drawbacks:

  • It will work on a FritzBox router with a german UI only
  • The REGEX is a bit crappy, there is much room to improve it I guess
  • The password is handled in plain text! I might change this in a future version
  • I use a complex filtering to keep the function as generic as possible (a typical one-fits-all)
  • Not everything is implemented yet. there is room for much more!

Feel free to contribute!

There is also a Gist available for the code above.