Get-DNSDebugLog - Easy parsing of DNS debug logs

Here https://github.com/mskadu/power-shell-scripts/blob/master/Get-DNSDebugLog.ps1

Please feel free to add/improve. Hope you don't mind.

Hi.
I have also started a public github. So Ill try to look through what you have done and try to merge them. I did it so I could do a module of it and write pester test. So I don't break it when working on it.. It's soo easy to break since it is using the local locale :(

https://github.com/virot/DNSLogModule

This works great for my logs generated by Server 2003, but it fails to parse the logs generated by my 2008 R2 DNS servers. I think it may be due to differences in how date/time are formatted.

In server 2003 it is ...
20140915 14:31:55 328 PACKET  01D2BB00 UDP Rcv 192.168.6.11    056e   Q [1001   D   NOERROR] A ...

In server 2008 R2 it is ...
9/16/2014 11:01:02 AM 07E4 PACKET  0000000003BB9E10 UDP Rcv 192.168.6.68    92a6   Q [0001   D   NOERROR] A ...

I might take a stab at fixing that, but I'm decomissioning a 2003 DNS server so it's working for that. Thanks a bunch!

Hi.

Thank you for your information. I need to check this out. I believe might be time related. Since your 2008R2 is running with 12 hour clock. I will need to make sure I have a test case for this in the new version. Hope to update this soon again.

Interestingly, i just encountered the same problem. 

$dnspattern needs to be "^([0-9]{1,2})\/?([0-9]{2})\/?([0-9]{2,4}) ([0-9: ]{7}) (AM|PM) ([0-9A-Z]{3,4} PACKET  [0-9A-Za-z]{8,16}) (UDP|TCP) (Snd|Rcv) ([0-9 .]{7,15})  ([0-9a-z]{4}) (.) (.) \[.*\] (.*) (\(.*)"

Also, since (AM|PM), the atoms of the RegEx shift, so all temp[n] except 1-4 (date, time) need to be n+1

i have the same issue. Edited the DNS pattern for 2008 r2 dns logs. still getting "Row does not match DNS Pattern"


Sample lines from DNS.log 


NS Server log file creation at 4/11/2018 11:18:45 AM
Log file wrap at 4/11/2018 11:18:45 AM

Message logging key (for packets - other items use a subset of these fields):
	Field #  Information         Values
	-------  -----------         ------
	   1     Date
	   2     Time
	   3     Thread ID
	   4     Context
	   5     Internal packet identifier
	   6     UDP/TCP indicator
	   7     Send/Receive indicator
	   8     Remote IP
	   9     Xid (hex)
	  10     Query/Response      R = Response
	                             blank = Query
	  11     Opcode              Q = Standard Query
	                             N = Notify
	                             U = Update
	                             ? = Unknown
	  12     [ Flags (hex)
	  13     Flags (char codes)  A = Authoritative Answer
	                             T = Truncated Response
	                             D = Recursion Desired
	                             R = Recursion Available
	  14     ResponseCode ]
	  15     Question Type
	  16     Question Name

    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(17)_sipfederationtls(4)_tcp(8)trueitem(11)onmicrosoft(3)com(0)"
      QTYPE   SRV (33)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

4/11/2018 11:18:45 AM 0718 PACKET  0000000016ED1DD0 UDP Snd 10.233.34.11    825d R Q [8081   DR  NOERROR] SRV    (17)_sipfederationtls(4)_tcp(8)trueitem(11)onmicrosoft(3)com(0)
UDP response info at 0000000016ED1DD0
  Socket = 21104
  Remote addr 10.233.34.11, port 61045
  Time Query=1509021, Queued=0, Expire=0
  Buf length = 0x0200 (512)
  Msg length = 0x007b (123)
  Message:
    XID       0x825d
    Flags     0x8180
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
 

can you please check the above sample log??

There is actually a small bug in the script, that line:

@{label="QR";expression={switch($match.Groups['QR'].value.trim()) { " " {'Query'};"R" {'Response'}}}},

has to be replaced by

@{label="QR";expression={switch($match.Groups['QR'].value.trim()) { "" {'Query'};"R" {'Response'}}}},

.trim() will remove all blanks, so it will never match to " " ... that's why $_.QR -eq "Query" is never working ...

BR,

Martin

This script gives me no output.
I have tried running it on Server 2012 R2 and Windows 10 machines
I have copied a 90MB DNS.log file to the same folder as the script
I have tried the following commands:
     .\Get-DNSDebugLog.ps1 -Path .\dns.log -Verbose | ? {$_.QR -eq "Query"-and $_.Way -eq 'RCV'}
| group-Object "Client IP" | Sort-Object -Descending Count | Select -First 10 Name, Count
     .\Get-DNSDebugLog.ps1 -Path .\dns.log

But whatever I do I see no output at all

Hi sorry for the late reply
I have been informed that there has been errors depending on localization. The script has gotten updates for that.

Hi, I am running the script but getting no output , No error.
Can you please help me here.

Running the below
.\Get-DNSDebugLog.ps1 -Path "$($env:SystemRoot)\system32\dns\dns.log" -Verbose |? {$_.QR -eq "Query"-and $_.Way -eq 'RCV'} |group-Object "Client IP"| Sort-Object -Descending Count| Select -First 10 Name, Count

Thanks
Vijay

Somehow it got work now but it is showing  below errors on each row of the logs

VERBOSE: Row: 
VERBOSE: Row does not match DNS Pattern

I have tried both the below pattern

##$dnspattern = "^(?<date>([0-9]{1,2}.[0-9]{1,2}.[0-9]{2,4}|[0-9]{2,4}-[0-9]{2}-[0-9]{2})\s*[0-9: ]{7,8}\s*(PM|AM)?) ([0-9A-Z]{3,4} PACKET\s*[0-9A-Za-z]{8,16}) (UDP|TCP) (?<way>Snd|Rcv) (?<ip>[0-9.]{7,15}|[0-9a-f:]{3,50})\s*([0-9a-z]{4}) (?<QR>.) (?<OpCode>.) \[.*\] (?<QueryType>.*) (?<query>\(.*)"

$dnspattern = "^([0-3]?[0-9].[0-3]?[0-9].(?:[0-9]{2})?[0-9]{2}) ([0-9: ]{7,8}\s?P?A?M?) ([0-9A-Z]{3,4} PACKET\s*[0-9A-Za-z]{8,16}) (UDP|TCP) (Snd|Rcv) ([0-9 .]{7,15}) ([0-9a-z]{4}) (.) (.) \[.*\] (.*) (\(.*)"

Please help.

Thanks
Vijay

Can you provide me with a few rows of the file so I can see the differing syntax.

May be use ps workflow for processing large files?

This code is awesome.  However, I found that even with the updated Regex for date matching it's missing a valid regex to parse dates that do not have leading zeros.  I.e. 4/5/2017 is not matched,  but 4/05/2017 is  (month didn't seem to matter, but the day sure did).   I modified the code using some examples i found online and after doing so,  it does not return blank output when our dns log contains dates like 4/5/2017

        $dnspattern = "^([0-3]?[0-9].[0-3]?[0-9].(?:[0-9]{2})?[0-9]{2}) ([0-9: ]{7,8}\s?P?A?M?) ([0-9A-Z]{3,4} PACKET\s*[0-9A-Za-z]{8,16}) (UDP|TCP) (Snd|Rcv) ([0-9 .]{7,15}) ([0-9a-z]{4}) (.) (.) \[.*\] (.*) (\(.*)"


Hope this helps anyone else.  Basically, I changed everything in the first set of parentheses.

([0-3]?[0-9].[0-3]?[0-9].(?:[0-9]{2})?[0-9]{2})

I took that string from an answer on StackOverflow, 5th answer by "Simple-Solution"
http://stackoverflow.com/questions/15491894/regex-to-validate-date-format-dd-mm-yyyy

Brian

Hi.

Do you have the possibility to share a row of log that gives that issue?

Hi
I have updated the script but unfortunately your change broke ISO8601 formated dates.
If you are able to share a few lines of code I can add them to the pester tests I use.
I made a github project of it to easily share the pestertests too.

Hi, thank you for that great function.

The format for a Windows 2008R2 Server DNS Log (Location Austria) is:

30/09/2015 12:04:28 0DAC PACKET  00000000027404B0 UDP Rcv 192.168.xxx.xxx  ed3d   Q [0001   D   NOERROR] A      (6)teredo(4)ipv6(9)microsoft(3)com(0)

So the regex for the date&time must be:
^([0-9]{2})\/?([0-9]{2})\/?([0-9]{2,4})

$dnspattern = "^([0-9]{2})\/?([0-9]{2})\/?([0-9]{2,4}) ([0-9: ]{8}) ([0-9A-Z]{3,4} PACKET  [0-9A-Za-z]{8,16}) (UDP|TCP) (Snd|Rcv) ([0-9 .]{7,15}) ([0-9a-z]{4}) (.) (.) \[.*\] (.*) (\(.*)"

This RegEx Editor just helped to validate the regex:
http://www.regexr.com/

regards
Peter

Hi.
Sorry for the late response. I have updated the regex to work with:
ISO 8601 (yyyy-mm-dd)
US format (mm/dd/year)

Aslong as the localization on the computer running the script is the same as on the server.

Oscar, I am curious since time has passed since you last used this if you have made any improvements on the last half of your pattern.  I am trying to identify the sections of your regular expression so I can include them in a Parser definition for MS Message Analyzer.

As with D Han, I'm not getting any output.  I had to rewrite the script a bit.  In the begin block, you define $dnspattern for matching, but then you never use it.  If you change the process block's (get-content $path) -match to get rid of that whole regex and use the $dnspattern variable, it works fine.

Hi.

Well, what you say makes sense, why have two different regexp patterns even if they should be the same. But I have always used the $dnspattern for doing the regex::split, so it has always been there. But due to this change we now need to specify that we are looking for incoming packets. $_.way -eq 'RCV'.

I have updated the script with some small debug and verbose logging too.

I have debug logging enabled but get an error that 'Get-DNSDebugLog' is not recognized...

This is on Server 2008 R2 Enterprise. How do I get this cmdlet?

Hi.

If you download the function that I have written and run that before. Either you can ". .\file.ps1" that will load the function.. or you can copy the entire contents and paste it into the powershell windows, this will create the function then.