Get-DNSDebugLog - Easy parsing of DNS debug logs

This code is awesome.  However, I found that even with the updated Regex for date matching it's missing a valid regex to parse dates that do not have leading zeros.  I.e. 4/5/2017 is not matched,  but 4/05/2017 is  (month didn't seem to matter, but the day sure did).   I modified the code using some examples i found online and after doing so,  it does not return blank output when our dns log contains dates like 4/5/2017

        $dnspattern = "^([0-3]?[0-9].[0-3]?[0-9].(?:[0-9]{2})?[0-9]{2}) ([0-9: ]{7,8}\s?P?A?M?) ([0-9A-Z]{3,4} PACKET\s*[0-9A-Za-z]{8,16}) (UDP|TCP) (Snd|Rcv) ([0-9 .]{7,15}) ([0-9a-z]{4}) (.) (.) \[.*\] (.*) (\(.*)"


Hope this helps anyone else.  Basically, I changed everything in the first set of parentheses.

([0-3]?[0-9].[0-3]?[0-9].(?:[0-9]{2})?[0-9]{2})

I took that string from an answer on StackOverflow, 5th answer by "Simple-Solution"
http://stackoverflow.com/questions/15491894/regex-to-validate-date-format-dd-mm-yyyy

Brian

Hi.

Do you have the possibility to share a row of log that gives that issue?

Hi
I have updated the script but unfortunately your change broke ISO8601 formated dates.
If you are able to share a few lines of code I can add them to the pester tests I use.
I made a github project of it to easily share the pestertests too.

This script gives me no output.
I have tried running it on Server 2012 R2 and Windows 10 machines
I have copied a 90MB DNS.log file to the same folder as the script
I have tried the following commands:
     .\Get-DNSDebugLog.ps1 -Path .\dns.log -Verbose | ? {$_.QR -eq "Query"-and $_.Way -eq 'RCV'}
| group-Object "Client IP" | Sort-Object -Descending Count | Select -First 10 Name, Count
     .\Get-DNSDebugLog.ps1 -Path .\dns.log

But whatever I do I see no output at all

Hi sorry for the late reply
I have been informed that there has been errors depending on localization. The script has gotten updates for that.

Hi, thank you for that great function.

The format for a Windows 2008R2 Server DNS Log (Location Austria) is:

30/09/2015 12:04:28 0DAC PACKET  00000000027404B0 UDP Rcv 192.168.xxx.xxx  ed3d   Q [0001   D   NOERROR] A      (6)teredo(4)ipv6(9)microsoft(3)com(0)

So the regex for the date&time must be:
^([0-9]{2})\/?([0-9]{2})\/?([0-9]{2,4})

$dnspattern = "^([0-9]{2})\/?([0-9]{2})\/?([0-9]{2,4}) ([0-9: ]{8}) ([0-9A-Z]{3,4} PACKET  [0-9A-Za-z]{8,16}) (UDP|TCP) (Snd|Rcv) ([0-9 .]{7,15}) ([0-9a-z]{4}) (.) (.) \[.*\] (.*) (\(.*)"

This RegEx Editor just helped to validate the regex:
http://www.regexr.com/

regards
Peter

Hi.
Sorry for the late response. I have updated the regex to work with:
ISO 8601 (yyyy-mm-dd)
US format (mm/dd/year)

Aslong as the localization on the computer running the script is the same as on the server.

Oscar, I am curious since time has passed since you last used this if you have made any improvements on the last half of your pattern.  I am trying to identify the sections of your regular expression so I can include them in a Parser definition for MS Message Analyzer.

This works great for my logs generated by Server 2003, but it fails to parse the logs generated by my 2008 R2 DNS servers. I think it may be due to differences in how date/time are formatted.

In server 2003 it is ...
20140915 14:31:55 328 PACKET  01D2BB00 UDP Rcv 192.168.6.11    056e   Q [1001   D   NOERROR] A ...

In server 2008 R2 it is ...
9/16/2014 11:01:02 AM 07E4 PACKET  0000000003BB9E10 UDP Rcv 192.168.6.68    92a6   Q [0001   D   NOERROR] A ...

I might take a stab at fixing that, but I'm decomissioning a 2003 DNS server so it's working for that. Thanks a bunch!

Hi.

Thank you for your information. I need to check this out. I believe might be time related. Since your 2008R2 is running with 12 hour clock. I will need to make sure I have a test case for this in the new version. Hope to update this soon again.

Interestingly, i just encountered the same problem. 

$dnspattern needs to be "^([0-9]{1,2})\/?([0-9]{2})\/?([0-9]{2,4}) ([0-9: ]{7}) (AM|PM) ([0-9A-Z]{3,4} PACKET  [0-9A-Za-z]{8,16}) (UDP|TCP) (Snd|Rcv) ([0-9 .]{7,15})  ([0-9a-z]{4}) (.) (.) \[.*\] (.*) (\(.*)"

Also, since (AM|PM), the atoms of the RegEx shift, so all temp[n] except 1-4 (date, time) need to be n+1

As with D Han, I'm not getting any output.  I had to rewrite the script a bit.  In the begin block, you define $dnspattern for matching, but then you never use it.  If you change the process block's (get-content $path) -match to get rid of that whole regex and use the $dnspattern variable, it works fine.

Hi.

Well, what you say makes sense, why have two different regexp patterns even if they should be the same. But I have always used the $dnspattern for doing the regex::split, so it has always been there. But due to this change we now need to specify that we are looking for incoming packets. $_.way -eq 'RCV'.

I have updated the script with some small debug and verbose logging too.

I have debug logging enabled but get an error that 'Get-DNSDebugLog' is not recognized...

This is on Server 2008 R2 Enterprise. How do I get this cmdlet?

Hi.

If you download the function that I have written and run that before. Either you can ". .\file.ps1" that will load the function.. or you can copy the entire contents and paste it into the powershell windows, this will create the function then.

Because it doesn't.

Hi.

I has worked for me and other people. What kind of problem did you have?
Did you enable the debugging logging on the DNS server before trying to use the script?