
How to Extract IP Addresses from a Log File in Batch Script

Network logs, firewall reports, and web server access logs are often cluttered with thousands of lines of metadata. If you are investigating a security breach or looking for a rogue device, the most important piece of information is usually the IP address. Extracting a clean list of IPs lets you quickly cross-reference them with blocklists, look up their ownership, or resolve them to hostnames.

In this guide, we will demonstrate how to extract IP addresses using pattern matching in Batch and PowerShell.

Method 1: The "Dotted Decimal" Filter (FINDSTR)

The findstr command can use regular expressions to look for the classic IP pattern (groups of numbers separated by periods).

note

This method extracts entire lines that contain an IP-like pattern, not just the IP itself. It also matches any four dot-separated groups of digits, such as a software version string or 300.1.1.1, so treat the output as candidate lines rather than validated addresses. It is the fastest approach for a quick scan of small log files.

Implementation Script

@echo off
setlocal

set "LogFile=firewall.log"
set "Target=IP_Summary.txt"

if not exist "%LogFile%" (
    echo [ERROR] Log file "%LogFile%" not found.
    pause
    exit /b 1
)

echo Extracting IP addresses from %LogFile%...

:: /R uses Regex
:: [0-9][0-9]* matches one or more digits
:: \. matches a literal period
findstr /R "[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*" "%LogFile%" > "%Target%"

echo [DONE] Found lines saved to %Target%.

endlocal
pause

Method 2: The Precision Extraction (PowerShell Bridge)

Standard findstr returns the whole line containing the IP. If you want a list of just the IP addresses (one per line) without the log timestamps and messages, calling PowerShell from the batch file is the better choice, because its .NET regex engine can return the matched text itself.

tip

This method outputs only the matched IP addresses, one per line, deduplicated and sorted. Note that Sort-Object -Unique sorts the addresses as text, so 10.0.0.10 appears before 10.0.0.9. It is ideal for feeding results into blocklists or inventory databases.

Implementation Script

@echo off
setlocal

set "LogFile=access.log"
set "Target=ip_addresses.txt"

if not exist "%LogFile%" (
    echo [ERROR] Log file "%LogFile%" not found.
    pause
    exit /b 1
)

echo Performing high-precision IP extraction...

:: The regex matches the dotted-decimal shape of an IPv4 address (1-3 digits, four groups)
:: but does not check that each octet is 0-255; see Best Practices for that step
:: -Raw reads the whole file as one string so every occurrence is matched in a single pass
powershell -NoProfile -Command ^
"$content = Get-Content -Raw '%LogFile%';" ^
"$regex = '\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b';" ^
"[regex]::Matches($content, $regex) | ForEach-Object { $_.Value } | Sort-Object -Unique | Set-Content '%Target%'"

echo [DONE] Unique IPs saved to %Target%.

endlocal
pause

Why Extract IP Addresses?

  1. Security Auditing: Identifying unknown external IPs that are attempting to SSH into your server.
  2. Traffic Analysis: Finding which IP addresses are generating the most requests (for example, the sources of a DDoS attack or a credential-stuffing run).
  3. Inventory Management: Extracting IPs from a scan report to update your internal hardware database.

Best Practices

warning

A regex like \d{1,3} can technically match 999.999.999.999, which is not a valid IP address. For critical security tasks, always add a validation step that checks each octet is between 0 and 255.

  1. Validate Ranges: For strict validation, extend the PowerShell method with a Where-Object filter that splits each match on . and checks that every segment, cast with [int], is between 0 and 255.
  2. Handle IPv6: If your network uses IPv6, the dotted-decimal regex will miss those addresses entirely. You will need a pattern built around colons and hexadecimal groups, and because IPv6 allows :: compression, it is safer to validate candidates with [System.Net.IPAddress]::TryParse than with a regex alone.
  3. Unique Lists: Always use Sort-Object -Unique (PowerShell) or a deduplication loop (Batch) so that a busy gateway or NAT address does not appear 10,000 times in your final report; if you also need to know how often each address appeared, count the hits instead of discarding the duplicates.
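
Putting the three practices together, the following PowerShell script is an added example and is not part of the original article or its two scripts. It extends Method 2: it extracts IPv4 and IPv6 candidates from log lines, rejects IPv4 candidates with an octet above 255, deduplicates, counts hits per address (the per-source counts needed for the traffic-analysis use case above), and sorts IPv4 addresses numerically instead of as text. The script name Get-LogIPs.ps1, its -LogFile parameter and the embedded log lines are assumptions made for this example; the log lines are constructed, not real traffic.

```powershell
# Added example, not from the original article: extract, validate, count and sort
# the IP addresses found in log lines. The script name, the -LogFile parameter and
# the sample log lines are assumptions made for this example.
param(
    [string]$LogFile   # path to a real log; omit it to run on the built-in sample lines
)

# Dotted-decimal shape only. \d{1,3} still admits 999, so the octet range is
# checked separately in Test-IPv4Octets.
$IPv4Pattern = '\b(?:\d{1,3}\.){3}\d{1,3}\b'

# Loose IPv6 shape: two to seven colon-terminated hex groups and a final group,
# not glued to other word characters or colons (so 10:00:01 inside a timestamp is
# not picked up). Real validation is left to System.Net.IPAddress below.
$IPv6Pattern = '(?<![\w:])(?:[0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4}(?![\w:])'

function Test-IPv4Octets {
    param([string]$Candidate)
    # The regex guarantees four groups of one to three digits, so the [int] cast cannot fail.
    foreach ($octet in $Candidate.Split('.')) {
        if ([int]$octet -gt 255) { return $false }
    }
    return $true
}

function Get-IPAddressReport {
    param([string[]]$Lines)
    $ipv4Hits = @{}
    $ipv6Hits = @{}
    $rejected = [System.Collections.Generic.List[string]]::new()

    foreach ($line in $Lines) {
        foreach ($m in [regex]::Matches($line, $IPv4Pattern)) {
            if (Test-IPv4Octets $m.Value) {
                $ipv4Hits[$m.Value] = 1 + [int]$ipv4Hits[$m.Value]   # missing key -> $null -> 0
            } else {
                $rejected.Add($m.Value)
            }
        }
        foreach ($m in [regex]::Matches($line, $IPv6Pattern)) {
            $parsed = $null
            if ([System.Net.IPAddress]::TryParse($m.Value, [ref]$parsed) -and
                $parsed.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
                # Canonical form, so 2001:DB8:0::1 and 2001:db8::1 count as one address.
                $key = $parsed.ToString()
                $ipv6Hits[$key] = 1 + [int]$ipv6Hits[$key]
            }
        }
    }

    # [version] compares component by component, so 10.0.0.5 sorts before 10.0.0.200;
    # Sort-Object -Unique on the raw strings would order them as text.
    $ipv4Sorted = @($ipv4Hits.GetEnumerator() | Sort-Object { [version]$_.Key } |
        ForEach-Object { [pscustomobject]@{ Address = $_.Key; Count = $_.Value } })
    $ipv6Sorted = @($ipv6Hits.GetEnumerator() | Sort-Object Key |
        ForEach-Object { [pscustomobject]@{ Address = $_.Key; Count = $_.Value } })

    [pscustomobject]@{
        IPv4     = $ipv4Sorted
        IPv6     = $ipv6Sorted
        Rejected = @($rejected | Sort-Object -Unique)
    }
}

# Constructed sample lines (not real traffic) so the script runs without a log file.
$sampleLines = @(
    '2024-05-01T10:00:01Z sshd[1402]: Failed password for root from 203.0.113.42 port 52114 ssh2'
    '2024-05-01T10:00:03Z sshd[1402]: Failed password for root from 203.0.113.42 port 52118 ssh2'
    '2024-05-01T10:00:07Z kernel: DROP SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=23'
    '2024-05-01T10:00:09Z kernel: DROP SRC=10.0.0.200 DST=10.0.0.5 PROTO=UDP DPT=161'
    '2024-05-01T10:00:12Z sshd[1402]: Accepted publickey for ops from 2001:db8::1 port 40100 ssh2'
    '2024-05-01T10:00:15Z app: parser wrote garbage 999.123.1.1 into the peer field'
)

$lines  = if ($LogFile) { Get-Content -LiteralPath $LogFile } else { $sampleLines }
$report = Get-IPAddressReport -Lines $lines

Write-Host 'IPv4 addresses (numeric order, with hit counts):'
$report.IPv4 | Format-Table -AutoSize
Write-Host 'IPv6 addresses:'
$report.IPv6 | Format-Table -AutoSize
Write-Host "Rejected dotted groups (octet above 255): $($report.Rejected -join ', ')"

# One address per line for a blocklist or inventory import.
$all = @($report.IPv4 | ForEach-Object Address) + @($report.IPv6 | ForEach-Object Address)
$all | Set-Content -Path 'ip_addresses.txt'
```

Save it as Get-LogIPs.ps1 and call it from a batch file with powershell -NoProfile -ExecutionPolicy Bypass -File Get-LogIPs.ps1 -LogFile firewall.log. On the sample lines it reports 10.0.0.5 twice, 10.0.0.200, 198.51.100.7 and 203.0.113.42 twice as IPv4, 2001:db8::1 as IPv6, and rejects 999.123.1.1. The colon pattern only narrows the IPv6 candidates; the real check is TryParse, because a hand-written regex for every compressed form is error-prone. IPv4-mapped addresses such as ::ffff:192.0.2.1 and link-local addresses with a zone index such as fe80::1%eth0 are not handled by this example and would need an extended pattern.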

Conclusion

Extracting IP addresses turns a mountain of raw log data into a sharp, actionable list of network endpoints. While native Batch commands provide a quick "Find" capability, the PowerShell regex bridge offers the surgical precision needed for high-quality forensics and automated device inventory. By incorporating these scripts into your routine, you significantly reduce the time required to identify and respond to network events.