Get-DNSDebugLog - Easy parsing of DNS debug logs

This is a small and helpful script when you are removing DNS servers. A simple sample to load the ActiveDirectory module, get the IPs of all Domain Controllers and then read the DNS debug log ignoring the DCs' IPs. Another sample, this time giving a simpler output as it just returns th

4.3 Star
5,115 times
  • Used your script to adapt the original by ASabale
    2 Posts | Last post December 01, 2019
    • Here
      Please feel free to add/improve. Hope you don't mind.
    • Hi.
      I have also started a public GitHub. So I'll try to look through what you have done and try to merge them. I did it so I could make a module of it and write Pester tests, so I don't break it when working on it. It's so easy to break since it is using the local locale :(
  • Works on Server 2003 logs, not 2008 R2
    5 Posts | Last post April 12, 2018
    • This works great for my logs generated by Server 2003, but it fails to parse the logs generated by my 2008 R2 DNS servers. I think it may be due to differences in how date/time are formatted.
      In server 2003 it is ...
      20140915 14:31:55 328 PACKET  01D2BB00 UDP Rcv    056e   Q [1001   D   NOERROR] A ...
      In server 2008 R2 it is ...
      9/16/2014 11:01:02 AM 07E4 PACKET  0000000003BB9E10 UDP Rcv    92a6   Q [0001   D   NOERROR] A ...
      I might take a stab at fixing that, but I'm decommissioning a 2003 DNS server so it's working for that. Thanks a bunch!
    • Hi.
      Thank you for your information. I need to check this out. I believe might be time related. Since your 2008R2 is running with 12 hour clock. I will need to make sure I have a test case for this in the new version. Hope to update this soon again.
    • Interestingly, I just encountered the same problem.
      $dnspattern needs to be "^([0-9]{1,2})\/?([0-9]{2})\/?([0-9]{2,4}) ([0-9: ]{7}) (AM|PM) ([0-9A-Z]{3,4} PACKET  [0-9A-Za-z]{8,16}) (UDP|TCP) (Snd|Rcv) ([0-9 .]{7,15})  ([0-9a-z]{4}) (.) (.) \[.*\] (.*) (\(.*)"
      Also, since (AM|PM), the atoms of the RegEx shift, so all temp[n] except 1-4 (date, time) need to be n+1
    • I have the same issue. Edited the DNS pattern for 2008 R2 DNS logs. Still getting "Row does not match DNS Pattern".
      Sample lines from DNS.log
      NS Server log file creation at 4/11/2018 11:18:45 AM
      Log file wrap at 4/11/2018 11:18:45 AM
      Message logging key (for packets - other items use a subset of these fields):
      	Field #  Information         Values
      	-------  -----------         ------
      	   1     Date
      	   2     Time
      	   3     Thread ID
      	   4     Context
      	   5     Internal packet identifier
      	   6     UDP/TCP indicator
      	   7     Send/Receive indicator
      	   8     Remote IP
      	   9     Xid (hex)
      	  10     Query/Response      R = Response
      	                             blank = Query
      	  11     Opcode              Q = Standard Query
      	                             N = Notify
      	                             U = Update
      	                             ? = Unknown
      	  12     [ Flags (hex)
      	  13     Flags (char codes)  A = Authoritative Answer
      	                             T = Truncated Response
      	                             D = Recursion Desired
      	                             R = Recursion Available
      	  14     ResponseCode ]
      	  15     Question Type
      	  16     Question Name
          Offset = 0x000c, RR count = 0
          Name      "(17)_sipfederationtls(4)_tcp(8)trueitem(11)onmicrosoft(3)com(0)"
            QTYPE   SRV (33)
            QCLASS  1
      4/11/2018 11:18:45 AM 0718 PACKET  0000000016ED1DD0 UDP Snd    825d R Q [8081   DR  NOERROR] SRV    (17)_sipfederationtls(4)_tcp(8)trueitem(11)onmicrosoft(3)com(0)
      UDP response info at 0000000016ED1DD0
        Socket = 21104
        Remote addr, port 61045
        Time Query=1509021, Queued=0, Expire=0
        Buf length = 0x0200 (512)
        Msg length = 0x007b (123)
          XID       0x825d
          Flags     0x8180
            QR        1 (RESPONSE)
            OPCODE    0 (QUERY)
            AA        0
            TC        0
            RD        1
            RA        1
    • Can you please check the above sample log?
  • Small bug in the script
    1 Posts | Last post March 02, 2018
    • There is actually a small bug in the script, that line:
      @{label="QR";expression={switch($match.Groups['QR'].value.trim()) { " " {'Query'};"R" {'Response'}}}},
      has to be replaced by
      @{label="QR";expression={switch($match.Groups['QR'].value.trim()) { "" {'Query'};"R" {'Response'}}}},
      .trim() will remove all blanks, so it will never match to " " ... that's why $_.QR -eq "Query" is never working ...
  • I do not see any output
    5 Posts | Last post November 24, 2017
    • This script gives me no output.
      I have tried running it on Server 2012 R2 and Windows 10 machines
      I have copied a 90MB DNS.log file to the same folder as the script
      I have tried the following commands:
           .\Get-DNSDebugLog.ps1 -Path .\dns.log -Verbose | ? {$_.QR -eq "Query"-and $_.Way -eq 'RCV'}
      | group-Object "Client IP" | Sort-Object -Descending Count | Select -First 10 Name, Count
           .\Get-DNSDebugLog.ps1 -Path .\dns.log
      But whatever I do I see no output at all
    • Hi, sorry for the late reply.
      I have been informed that there have been errors depending on localization. The script has gotten updates for that.
    • Hi, I am running the script but getting no output, no error.
      Can you please help me here.
      Running the below
      .\Get-DNSDebugLog.ps1 -Path "$($env:SystemRoot)\system32\dns\dns.log" -Verbose |? {$_.QR -eq "Query"-and $_.Way -eq 'RCV'} |group-Object "Client IP"| Sort-Object -Descending Count| Select -First 10 Name, Count
    • Somehow it got working now, but it is showing the below errors on each row of the logs:
      VERBOSE: Row: 
      VERBOSE: Row does not match DNS Pattern
      I have tried both the below pattern
      ##$dnspattern = "^(?<date>([0-9]{1,2}.[0-9]{1,2}.[0-9]{2,4}|[0-9]{2,4}-[0-9]{2}-[0-9]{2})\s*[0-9: ]{7,8}\s*(PM|AM)?) ([0-9A-Z]{3,4} PACKET\s*[0-9A-Za-z]{8,16}) (UDP|TCP) (?<way>Snd|Rcv) (?<ip>[0-9.]{7,15}|[0-9a-f:]{3,50})\s*([0-9a-z]{4}) (?<QR>.) (?<OpCode>.) \[.*\] (?<QueryType>.*) (?<query>\(.*)"
      $dnspattern = "^([0-3]?[0-9].[0-3]?[0-9].(?:[0-9]{2})?[0-9]{2}) ([0-9: ]{7,8}\s?P?A?M?) ([0-9A-Z]{3,4} PACKET\s*[0-9A-Za-z]{8,16}) (UDP|TCP) (Snd|Rcv) ([0-9 .]{7,15}) ([0-9a-z]{4}) (.) (.) \[.*\] (.*) (\(.*)"
      Please help.
    • Can you provide me with a few rows of the file so I can see the differing syntax.
  • Using workflow
    1 Posts | Last post August 24, 2017
    • May be use ps workflow for processing large files?
  • Regex for date matching
    3 Posts | Last post June 20, 2017
    • This code is awesome. However, I found that even with the updated Regex for date matching it's missing a valid regex to parse dates that do not have leading zeros. I.e. 4/5/2017 is not matched, but 4/05/2017 is (month didn't seem to matter, but the day sure did). I modified the code using some examples I found online and after doing so, it does not return blank output when our DNS log contains dates like 4/5/2017
              $dnspattern = "^([0-3]?[0-9].[0-3]?[0-9].(?:[0-9]{2})?[0-9]{2}) ([0-9: ]{7,8}\s?P?A?M?) ([0-9A-Z]{3,4} PACKET\s*[0-9A-Za-z]{8,16}) (UDP|TCP) (Snd|Rcv) ([0-9 .]{7,15}) ([0-9a-z]{4}) (.) (.) \[.*\] (.*) (\(.*)"
      Hope this helps anyone else. Basically, I changed everything in the first set of parentheses.
      I took that string from an answer on StackOverflow, 5th answer by "Simple-Solution".
    • Hi.
      Do you have the possibility to share a row of log that gives that issue?
    • Hi
      I have updated the script, but unfortunately your change broke ISO 8601 formatted dates.
      If you are able to share a few lines of the log I can add them to the Pester tests I use.
      I made a GitHub project of it to easily share the Pester tests too.
  • Tweak for 2008R2
    2 Posts | Last post July 26, 2016
    • Hi, thank you for that great function.
      The format for a Windows 2008R2 Server DNS Log (Location Austria) is:
      30/09/2015 12:04:28 0DAC PACKET  00000000027404B0 UDP Rcv  ed3d   Q [0001   D   NOERROR] A      (6)teredo(4)ipv6(9)microsoft(3)com(0)
      So the regex for the date&time must be:
      $dnspattern = "^([0-9]{2})\/?([0-9]{2})\/?([0-9]{2,4}) ([0-9: ]{8}) ([0-9A-Z]{3,4} PACKET  [0-9A-Za-z]{8,16}) (UDP|TCP) (Snd|Rcv) ([0-9 .]{7,15}) ([0-9a-z]{4}) (.) (.) \[.*\] (.*) (\(.*)"
      This RegEx Editor just helped to validate the regex:
    • Hi.
      Sorry for the late response. I have updated the regex to work with:
      ISO 8601 (yyyy-mm-dd)
      US format (mm/dd/year)
      As long as the localization on the computer running the script is the same as on the server.
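The threads above ("Works on Server 2003 logs, not 2008 R2", "Small bug in the script", "Regex for date matching" and "Tweak for 2008R2") each patch one piece of the same row pattern. The function below is an added example, not the Get-DNSDebugLog script itself: one pattern that accepts all four date/time shapes quoted in the comments (yyyymmdd, m/d/yyyy with AM/PM, dd/mm/yyyy, ISO 8601), tolerates the blank Remote IP column seen in the posted samples, and applies the `Trim()` QR fix. The function name and the 2003-style row carrying an IP address are constructed for the example.

```powershell
# Added example (hypothetical name), not the script from the gallery page.
function ConvertFrom-DnsDebugLine {
    param([Parameter(Mandatory)][string]$Line)

    # Date alternatives: 20140915 | 4/11/2018 or 30/09/2015 | 2015-09-30
    # Time: H:mm:ss, optionally followed by ' AM'/' PM' on 12-hour locales
    # Remote IP is optional because several posted rows leave that column blank
    $pattern = '^(?<date>\d{8}|\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2}) ' +
               '(?<time>\d{1,2}:\d{2}:\d{2}(?: (?:AM|PM))?) ' +
               '(?<thread>[0-9A-F]{3,4}) PACKET\s+(?<ctx>[0-9A-F]{8,16}) ' +
               '(?<proto>UDP|TCP) (?<way>Snd|Rcv)\s+(?:(?<ip>[0-9A-Fa-f.:]+)\s+)?' +
               '(?<xid>[0-9a-f]{4}) (?<QR>.) (?<op>.) \[(?<flags>[^\]]*)\] ' +
               '(?<qtype>\S+)\s+(?<query>\(.*)$'

    $m = [regex]::Match($Line, $pattern)
    if (-not $m.Success) { return $null }   # non-packet rows (headers, "UDP response info ...") are skipped

    # Field 10 is a single space for a query; Trim() turns it into '', so match '' rather than ' '
    $qr = switch ($m.Groups['QR'].Value.Trim()) { '' { 'Query' } 'R' { 'Response' } }

    [pscustomobject]@{
        Date        = $m.Groups['date'].Value
        Time        = $m.Groups['time'].Value
        Way         = $m.Groups['way'].Value
        'Client IP' = $m.Groups['ip'].Value          # '' when the column is blank
        QR          = $qr
        OpCode      = $m.Groups['op'].Value
        QueryType   = $m.Groups['qtype'].Value
        # "(6)teredo(4)ipv6(9)microsoft(3)com(0)" -> "teredo.ipv6.microsoft.com"
        Query       = ($m.Groups['query'].Value -replace '\(\d+\)', '.').Trim('.')
    }
}

# Rows 2 and 3 are quoted from the comments above; row 1 is a constructed 2003-style row with an IP,
# row 4 is a non-packet line that the pattern is expected to reject.
$samples = @(
    '20140915 14:31:55 328 PACKET  01D2BB00 UDP Rcv 192.0.2.10   056e   Q [1001   D   NOERROR] A      (3)www(7)example(3)com(0)',
    '4/11/2018 11:18:45 AM 0718 PACKET  0000000016ED1DD0 UDP Snd    825d R Q [8081   DR  NOERROR] SRV    (17)_sipfederationtls(4)_tcp(8)trueitem(11)onmicrosoft(3)com(0)',
    '30/09/2015 12:04:28 0DAC PACKET  00000000027404B0 UDP Rcv  ed3d   Q [0001   D   NOERROR] A      (6)teredo(4)ipv6(9)microsoft(3)com(0)',
    'UDP response info at 0000000016ED1DD0'
)
$samples | ForEach-Object { ConvertFrom-DnsDebugLine $_ } |
    Format-Table Date, Time, Way, 'Client IP', QR, QueryType, Query -AutoSize
```

Because `-eq` is case-insensitive in PowerShell, the `$_.Way -eq 'RCV'` filter from the comments works unchanged against the `Rcv` value this function returns.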
  • Regular Expression and Microsoft Message Analyzer
    1 Posts | Last post March 16, 2015
    • Oscar, I am curious since time has passed since you last used this if you have made any improvements on the last half of your pattern.  I am trying to identify the sections of your regular expression so I can include them in a Parser definition for MS Message Analyzer.
  • Does it work
    2 Posts | Last post March 03, 2014
    • As with D Han, I'm not getting any output.  I had to rewrite the script a bit.  In the begin block, you define $dnspattern for matching, but then you never use it.  If you change the process block's (get-content $path) -match to get rid of that whole regex and use the $dnspattern variable, it works fine.
    • Hi.
      Well, what you say makes sense, why have two different regexp patterns even if they should be the same. But I have always used the $dnspattern for doing the regex::split, so it has always been there. But due to this change we now need to specify that we are looking for incoming packets. $_.way -eq 'RCV'.
      I have updated the script with some small debug and verbose logging too.
  • Dumb Question
    2 Posts | Last post February 25, 2014
    • I have debug logging enabled but get an error that 'Get-DNSDebugLog' is not recognized...
      This is on Server 2008 R2 Enterprise. How do I get this cmdlet?
    • Hi.
      You need to download the function that I have written and run it first. Either you can ". .\file.ps1", which will load the function, or you can copy the entire contents and paste it into the PowerShell window; this will create the function.