Here: https://github.com/mskadu/power-shell-scripts/blob/master/Get-DNSDebugLog.ps1 Please feel free to add/improve. Hope you don't mind.
Hi. I have also started a public GitHub repository, so I'll try to look through what you have done and merge it. I did it so I could make a module of it and write Pester tests, so I don't break it when working on it. It's so easy to break, since it uses the local locale :( https://github.com/virot/DNSLogModule
This works great for my logs generated by Server 2003, but it fails to parse the logs generated by my 2008 R2 DNS servers. I think it may be due to differences in how date/time are formatted. In Server 2003 it is ... 20140915 14:31:55 328 PACKET 01D2BB00 UDP Rcv 192.168.6.11 056e Q [1001 D NOERROR] A ... In Server 2008 R2 it is ... 9/16/2014 11:01:02 AM 07E4 PACKET 0000000003BB9E10 UDP Rcv 192.168.6.68 92a6 Q [0001 D NOERROR] A ... I might take a stab at fixing that, but I'm decommissioning a 2003 DNS server, so it's working for that. Thanks a bunch!
Hi. Thank you for your information. I need to check this out. I believe it might be time related, since your 2008 R2 is running with a 12-hour clock. I will need to make sure I have a test case for this in the new version. Hope to update this soon again.
Interestingly, I just encountered the same problem. $dnspattern needs to be "^([0-9]{1,2})\/?([0-9]{2})\/?([0-9]{2,4}) ([0-9: ]{7}) (AM|PM) ([0-9A-Z]{3,4} PACKET [0-9A-Za-z]{8,16}) (UDP|TCP) (Snd|Rcv) ([0-9 .]{7,15}) ([0-9a-z]{4}) (.) (.) \[.*\] (.*) (\(.*)" Also, because of (AM|PM), the atoms of the RegEx shift, so all temp[n] except 1-4 (date, time) need to be n+1.
I have the same issue. I edited the DNS pattern for 2008 R2 DNS logs and still get "Row does not match DNS Pattern". Sample lines from DNS.log:

DNS Server log file creation at 4/11/2018 11:18:45 AM
Log file wrap at 4/11/2018 11:18:45 AM

Message logging key (for packets - other items use a subset of these fields):

Field # Information Values
------- ----------- ------
1 Date
2 Time
3 Thread ID
4 Context
5 Internal packet identifier
6 UDP/TCP indicator
7 Send/Receive indicator
8 Remote IP
9 Xid (hex)
10 Query/Response: R = Response, blank = Query
11 Opcode: Q = Standard Query, N = Notify, U = Update, ? = Unknown
12 [ Flags (hex)
13 Flags (char codes): A = Authoritative Answer, T = Truncated Response, D = Recursion Desired, R = Recursion Available
14 ResponseCode ]
15 Question Type
16 Question Name

QUESTION SECTION: Offset = 0x000c, RR count = 0 Name "(17)_sipfederationtls(4)_tcp(8)trueitem(11)onmicrosoft(3)com(0)" QTYPE SRV (33) QCLASS 1
ANSWER SECTION: empty
AUTHORITY SECTION: empty
ADDITIONAL SECTION: empty

4/11/2018 11:18:45 AM 0718 PACKET 0000000016ED1DD0 UDP Snd 10.233.34.11 825d R Q [8081 DR NOERROR] SRV (17)_sipfederationtls(4)_tcp(8)trueitem(11)onmicrosoft(3)com(0)

UDP response info at 0000000016ED1DD0 Socket = 21104 Remote addr 10.233.34.11, port 61045 Time Query=1509021, Queued=0, Expire=0 Buf length = 0x0200 (512) Msg length = 0x007b (123) Message: XID 0x825d Flags 0x8180 QR 1 (RESPONSE) OPCODE 0 (QUERY) AA 0 TC 0 RD 1 RA 1
There is actually a small bug in the script. This line: @{label="QR";expression={switch($match.Groups['QR'].value.trim()) { " " {'Query'};"R" {'Response'}}}}, has to be replaced by @{label="QR";expression={switch($match.Groups['QR'].value.trim()) { "" {'Query'};"R" {'Response'}}}}, since .trim() removes all blanks, so it will never match " " ... that's why $_.QR -eq "Query" never works ... BR, Martin
This script gives me no output. I have tried running it on Server 2012 R2 and Windows 10 machines. I have copied a 90MB DNS.log file to the same folder as the script and tried the following commands:
.\Get-DNSDebugLog.ps1 -Path .\dns.log -Verbose | ? {$_.QR -eq "Query" -and $_.Way -eq 'RCV'} | Group-Object "Client IP" | Sort-Object -Descending Count | Select -First 10 Name, Count
.\Get-DNSDebugLog.ps1 -Path .\dns.log
But whatever I do, I see no output at all.
Hi, sorry for the late reply. I have been informed that there have been errors depending on localization. The script has received updates for that.
Hi, I am running the script but getting no output and no error. Can you please help me here? I am running the following:
.\Get-DNSDebugLog.ps1 -Path "$($env:SystemRoot)\system32\dns\dns.log" -Verbose | ? {$_.QR -eq "Query" -and $_.Way -eq 'RCV'} | Group-Object "Client IP" | Sort-Object -Descending Count | Select -First 10 Name, Count
Thanks, Vijay
Somehow it works now, but it shows the errors below on each row of the log:
VERBOSE: Row:
VERBOSE: Row does not match DNS Pattern
I have tried both of the patterns below:
##$dnspattern = "^(?<date>([0-9]{1,2}.[0-9]{1,2}.[0-9]{2,4}|[0-9]{2,4}-[0-9]{2}-[0-9]{2})\s*[0-9: ]{7,8}\s*(PM|AM)?) ([0-9A-Z]{3,4} PACKET\s*[0-9A-Za-z]{8,16}) (UDP|TCP) (?<way>Snd|Rcv) (?<ip>[0-9.]{7,15}|[0-9a-f:]{3,50})\s*([0-9a-z]{4}) (?<QR>.) (?<OpCode>.) \[.*\] (?<QueryType>.*) (?<query>\(.*)"
$dnspattern = "^([0-3]?[0-9].[0-3]?[0-9].(?:[0-9]{2})?[0-9]{2}) ([0-9: ]{7,8}\s?P?A?M?) ([0-9A-Z]{3,4} PACKET\s*[0-9A-Za-z]{8,16}) (UDP|TCP) (Snd|Rcv) ([0-9 .]{7,15}) ([0-9a-z]{4}) (.) (.) \[.*\] (.*) (\(.*)"
Please help. Thanks, Vijay
Can you provide me with a few rows of the file so I can see the differing syntax.
This code is awesome. However, I found that even with the updated regex for date matching, it is missing a valid regex to parse dates that do not have leading zeros, i.e. 4/5/2017 is not matched, but 4/05/2017 is (the month didn't seem to matter, but the day sure did). I modified the code using some examples I found online, and after doing so it no longer returns blank output when our DNS log contains dates like 4/5/2017:
$dnspattern = "^([0-3]?[0-9].[0-3]?[0-9].(?:[0-9]{2})?[0-9]{2}) ([0-9: ]{7,8}\s?P?A?M?) ([0-9A-Z]{3,4} PACKET\s*[0-9A-Za-z]{8,16}) (UDP|TCP) (Snd|Rcv) ([0-9 .]{7,15}) ([0-9a-z]{4}) (.) (.) \[.*\] (.*) (\(.*)"
Hope this helps anyone else. Basically, I changed everything in the first set of parentheses: ([0-3]?[0-9].[0-3]?[0-9].(?:[0-9]{2})?[0-9]{2}) I took that string from an answer on StackOverflow, the 5th answer by "Simple-Solution": http://stackoverflow.com/questions/15491894/regex-to-validate-date-format-dd-mm-yyyy Brian
Hi. Do you have the possibility to share a row of log that gives that issue?
Hi. I have updated the script, but unfortunately your change broke ISO 8601 formatted dates. If you are able to share a few lines, I can add them to the Pester tests I use. I made a GitHub project of it to easily share the Pester tests too.
Hi, thank you for that great function. The format for a Windows 2008 R2 Server DNS log (location Austria) is:
30/09/2015 12:04:28 0DAC PACKET 00000000027404B0 UDP Rcv 192.168.xxx.xxx ed3d Q [0001 D NOERROR] A (6)teredo(4)ipv6(9)microsoft(3)com(0)
So the regex for the date & time must be: ^([0-9]{2})\/?([0-9]{2})\/?([0-9]{2,4})
$dnspattern = "^([0-9]{2})\/?([0-9]{2})\/?([0-9]{2,4}) ([0-9: ]{8}) ([0-9A-Z]{3,4} PACKET [0-9A-Za-z]{8,16}) (UDP|TCP) (Snd|Rcv) ([0-9 .]{7,15}) ([0-9a-z]{4}) (.) (.) \[.*\] (.*) (\(.*)"
This regex editor helped to validate the regex: http://www.regexr.com/ Regards, Peter
Hi. Sorry for the late response. I have updated the regex to work with ISO 8601 (yyyy-mm-dd) and US format (mm/dd/year), as long as the localization on the computer running the script is the same as on the server.
Oscar, I am curious since time has passed since you last used this if you have made any improvements on the last half of your pattern. I am trying to identify the sections of your regular expression so I can include them in a Parser definition for MS Message Analyzer.
As with D Han, I'm not getting any output. I had to rewrite the script a bit. In the begin block, you define $dnspattern for matching, but then you never use it. If you change the process block's (get-content $path) -match to get rid of that whole regex and use the $dnspattern variable, it works fine.
Hi. Well, what you say makes sense: why have two different regex patterns, even if they should be the same? But I have always used $dnspattern for doing the regex::split, so it has always been there. Due to this change we now need to specify that we are looking for incoming packets: $_.way -eq 'RCV'. I have updated the script with some small debug and verbose logging too.
I have debug logging enabled but get an error that 'Get-DNSDebugLog' is not recognized... This is on Server 2008 R2 Enterprise. How do I get this cmdlet?
Hi. Download the function that I have written and run that first. Either you can ". .\file.ps1", which will load the function, or you can copy the entire contents and paste them into the PowerShell window; this will create the function.
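As an added example (not Oscar's Get-DNSDebugLog.ps1 and not a copy of any regex posted above), here is one parser that covers the cases raised in this thread in a single pass: the yyyymmdd (2003), m/d/yyyy with AM/PM (2008 R2), dd/mm/yyyy (Austria) and ISO 8601 date forms, dates without leading zeros, the blank-vs-R QR field that Martin's trim() fix is about, and the "top 10 querying clients" pipeline D Han and Vijay ran. The field layout is taken from the log's own header quoted above. The function names ConvertFrom-DnsDebugLogLine and Get-DnsTopClients, the -DateOrder parameter and the sample rows (spaced the way the server writes them, with made-up addresses and a made-up www.example.com name) are all mine, not part of the original script.

```powershell
# Added example, not the Get-DNSDebugLog.ps1 script discussed in the thread. Field order follows
# the log header: Date, Time, Thread ID, Context, packet id, UDP/TCP, Snd/Rcv, Remote IP, Xid,
# Q/R, Opcode, [Flags], Question Type, Question Name.
function ConvertFrom-DnsDebugLogLine {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [AllowEmptyString()]   # DNS.log contains blank lines; do not fail binding on them
        [string]$Line,
        # Slashed dates are ambiguous (9/16/2014 vs 30/09/2015). 'Auto' follows the culture of
        # the machine running the script, i.e. the thread's "same localization as the server".
        [ValidateSet('Auto', 'MDY', 'DMY')]
        [string]$DateOrder = 'Auto'
    )
    begin {
        # Date: yyyymmdd, yyyy-mm-dd, or d/m/y and m/d/y (slash or dot, leading zeros optional);
        # time with optional AM/PM. QR is a blank for a query and R for a response, so it is
        # captured as an optional R and compared with '' (never ' ', which Trim() would eat).
        $pattern = '^(?<date>\d{8}|\d{4}-\d{2}-\d{2}|\d{1,2}[/.]\d{1,2}[/.]\d{2,4})\s+' +
                   '(?<time>\d{1,2}:\d{2}:\d{2}(?:\s+(?:AM|PM))?)\s+' +
                   '(?<thread>[0-9A-F]{3,4})\s+PACKET\s+(?<packet>[0-9A-F]{8,16})\s+' +
                   '(?<proto>UDP|TCP)\s+(?<way>Snd|Rcv)\s+(?<ip>[0-9A-F.:]+)\s+' +
                   '(?<xid>[0-9A-F]{4})\s+(?<qr>R?)\s*(?<opcode>[QNU?])\s+' +
                   '\[(?<flags>[0-9A-F]{4})\s*(?<flagchars>[ATDR]*)\s+(?<rcode>[A-Z]+)\s*\]\s+' +
                   '(?<qtype>[A-Z0-9]+)\s+(?<qname>\(.*)$'
        $regex = New-Object System.Text.RegularExpressions.Regex($pattern, 'IgnoreCase')
        $order = $DateOrder
        if ($order -eq 'Auto') {
            $short = [System.Globalization.CultureInfo]::CurrentCulture.DateTimeFormat.ShortDatePattern
            $order = if ($short.IndexOf('d') -lt $short.IndexOf('M')) { 'DMY' } else { 'MDY' }
        }
        $slashed = if ($order -eq 'DMY') { 'd/M/yyyy', 'd/M/yy' } else { 'M/d/yyyy', 'M/d/yy' }
        # 'h' (12-hour) must be paired with 'tt' and 'H' (24-hour) must not, or .NET rejects "1:07:25 PM".
        $formats = [string[]](@('yyyyMMdd', 'yyyy-MM-dd') + $slashed |
            ForEach-Object { "$_ H:mm:ss"; "$_ h:mm:ss tt" })
        $invariant = [System.Globalization.CultureInfo]::InvariantCulture
    }
    process {
        $m = $regex.Match($Line)
        if (-not $m.Success) { Write-Verbose "Row does not match DNS pattern: $Line"; return }
        # Normalise dotted dates to slashes and AM/PM spacing, then parse culture-independently.
        $stamp = '{0} {1}' -f ($m.Groups['date'].Value -replace '\.', '/'),
                              ($m.Groups['time'].Value -replace '\s+', ' ')
        try {
            $timestamp = [datetime]::ParseExact($stamp, $formats, $invariant,
                                               [System.Globalization.DateTimeStyles]::None)
        } catch {
            Write-Verbose "Timestamp '$stamp' does not fit date order $order"
            $timestamp = $null
        }
        # "(3)www(7)example(3)com(0)" is the wire-format name; turn it into a dotted FQDN.
        $name = ([regex]::Replace($m.Groups['qname'].Value.Trim(), '\(\d+\)', '.')).TrimStart('.')
        if ($name -eq '') { $name = '.' }
        $qr = if ($m.Groups['qr'].Value -eq '') { 'Query' } else { 'Response' }
        $opcode = switch ($m.Groups['opcode'].Value.ToUpper()) {
            'Q' { 'StandardQuery' } 'N' { 'Notify' } 'U' { 'Update' } default { 'Unknown' }
        }
        [pscustomobject]@{
            Timestamp    = $timestamp
            ThreadId     = $m.Groups['thread'].Value
            Way          = $m.Groups['way'].Value
            'Client IP'  = $m.Groups['ip'].Value
            QR           = $qr
            OpCode       = $opcode
            FlagChars    = $m.Groups['flagchars'].Value
            ResponseCode = $m.Groups['rcode'].Value.ToUpper()
            QueryType    = $m.Groups['qtype'].Value.ToUpper()
            Query        = $name
        }
    }
}

# The "top 10 querying clients" pipeline from the thread, over a whole DNS.log.
function Get-DnsTopClients {
    param([Parameter(Mandatory = $true)][string]$Path, [int]$First = 10, [string]$DateOrder = 'Auto')
    Get-Content -Path $Path |
        ConvertFrom-DnsDebugLogLine -DateOrder $DateOrder |
        Where-Object { $_.QR -eq 'Query' -and $_.Way -eq 'Rcv' } |
        Group-Object 'Client IP' |
        Sort-Object Count -Descending |
        Select-Object -First $First Name, Count
}

# Constructed sample rows in the shapes posted in the thread. The 30/09/2015 row is day-first,
# so with -DateOrder MDY it keeps its fields but gets an empty Timestamp; with DMY the 9/16/2014
# row is the one that cannot be dated. The last line is a non-packet row and is skipped.
$sample = @'
20140915 14:31:55 328 PACKET  01D2BB00 UDP Rcv 192.168.6.11    056e   Q [1001   D   NOERROR] A      (3)www(7)example(3)com(0)
9/16/2014 11:01:02 AM 07E4 PACKET  0000000003BB9E10 UDP Rcv 192.168.6.68    92a6   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
30/09/2015 12:04:28 0DAC PACKET  00000000027404B0 UDP Rcv 192.168.1.10    ed3d   Q [0001   D   NOERROR] A      (6)teredo(4)ipv6(9)microsoft(3)com(0)
4/11/2018 11:18:45 AM 0718 PACKET  0000000016ED1DD0 UDP Snd 10.233.34.11    825d R Q [8081   DR  NOERROR] SRV    (17)_sipfederationtls(4)_tcp(8)trueitem(11)onmicrosoft(3)com(0)
UDP response info at 0000000016ED1DD0
'@ -split "`r?`n"

$sample | ConvertFrom-DnsDebugLogLine -DateOrder MDY -Verbose |
    Format-Table Timestamp, Way, 'Client IP', QR, ResponseCode, QueryType, Query -AutoSize
```

Load it the same way as the original script (". .\file.ps1" or paste it into the PowerShell window) and then run something like Get-DnsTopClients -Path "$env:SystemRoot\system32\dns\dns.log" -DateOrder MDY. Two details worth knowing: PowerShell's -eq is case-insensitive, so the thread's filter $_.Way -eq 'RCV' matches the log's "Rcv" as written; and a row whose date cannot be parsed under the chosen order is still emitted with a null Timestamp rather than dropped, so a wrong -DateOrder shows up as empty timestamps in the output instead of as silence, which is the failure mode several people above hit.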