Get-DNSDebugLog - Easy parsing of DNS debug logs

This is a small and helpful script when you are removing DNS servers. A simple sample to load the ActiveDirectory module, get the IPs of all Domain Controllers and then read the DNS debug log, ignoring the DCs' IPs. Another sample, this time giving an easier output as it just returns th

 
 
 
 
 
Networking
6/20/2017


  • I do not see any output
    5 Posts | Last post November 24, 2017
    • This script gives me no output.
      I have tried running it on Server 2012 R2 and Windows 10 machines
      I have copied a 90MB DNS.log file to the same folder as the script
      I have tried the following commands:
           .\Get-DNSDebugLog.ps1 -Path .\dns.log -Verbose | ? {$_.QR -eq "Query" -and $_.Way -eq 'RCV'} | group-Object "Client IP" | Sort-Object -Descending Count | Select -First 10 Name, Count
           .\Get-DNSDebugLog.ps1 -Path .\dns.log
      
      But whatever I do I see no output at all
    • Hi, sorry for the late reply.
      I have been informed that there have been errors depending on localization. The script has gotten updates for that.
    • Hi, I am running the script but getting no output, no error.
      Can you please help me here.
      
      Running the below
      .\Get-DNSDebugLog.ps1 -Path "$($env:SystemRoot)\system32\dns\dns.log" -Verbose |? {$_.QR -eq "Query"-and $_.Way -eq 'RCV'} |group-Object "Client IP"| Sort-Object -Descending Count| Select -First 10 Name, Count
      
      Thanks
      Vijay
    • Somehow it got working now, but it is showing the below errors on each row of the logs
      
      VERBOSE: Row: 
      VERBOSE: Row does not match DNS Pattern
      
      I have tried both of the below patterns
      
      ##$dnspattern = "^(?<date>([0-9]{1,2}.[0-9]{1,2}.[0-9]{2,4}|[0-9]{2,4}-[0-9]{2}-[0-9]{2})\s*[0-9: ]{7,8}\s*(PM|AM)?) ([0-9A-Z]{3,4} PACKET\s*[0-9A-Za-z]{8,16}) (UDP|TCP) (?<way>Snd|Rcv) (?<ip>[0-9.]{7,15}|[0-9a-f:]{3,50})\s*([0-9a-z]{4}) (?<QR>.) (?<OpCode>.) \[.*\] (?<QueryType>.*) (?<query>\(.*)"
      
      $dnspattern = "^([0-3]?[0-9].[0-3]?[0-9].(?:[0-9]{2})?[0-9]{2}) ([0-9: ]{7,8}\s?P?A?M?) ([0-9A-Z]{3,4} PACKET\s*[0-9A-Za-z]{8,16}) (UDP|TCP) (Snd|Rcv) ([0-9 .]{7,15}) ([0-9a-z]{4}) (.) (.) \[.*\] (.*) (\(.*)"
      
      Please help.
      
      Thanks
      Vijay
    • Can you provide me with a few rows of the file so I can see the differing syntax.
  • Using workflow
    1 Posts | Last post August 24, 2017
    • Maybe use a PS workflow for processing large files?
  • Regex for date matching
    3 Posts | Last post June 20, 2017
    • This code is awesome. However, I found that even with the updated regex for date matching it's missing a valid regex to parse dates that do not have leading zeros. I.e. 4/5/2017 is not matched, but 4/05/2017 is (month didn't seem to matter, but the day sure did). I modified the code using some examples I found online and after doing so, it does not return blank output when our DNS log contains dates like 4/5/2017
      
              $dnspattern = "^([0-3]?[0-9].[0-3]?[0-9].(?:[0-9]{2})?[0-9]{2}) ([0-9: ]{7,8}\s?P?A?M?) ([0-9A-Z]{3,4} PACKET\s*[0-9A-Za-z]{8,16}) (UDP|TCP) (Snd|Rcv) ([0-9 .]{7,15}) ([0-9a-z]{4}) (.) (.) \[.*\] (.*) (\(.*)"
      
      
      Hope this helps anyone else.  Basically, I changed everything in the first set of parentheses.
      
      ([0-3]?[0-9].[0-3]?[0-9].(?:[0-9]{2})?[0-9]{2})
      
      I took that string from an answer on StackOverflow, 5th answer by "Simple-Solution"
      http://stackoverflow.com/questions/15491894/regex-to-validate-date-format-dd-mm-yyyy
      
      Brian
      
      
    • Hi.
      
      Do you have the possibility to share a row of log that gives that issue?
    • Hi
      I have updated the script but unfortunately your change broke ISO 8601 formatted dates.
      If you are able to share a few lines of code I can add them to the Pester tests I use.
      I made a GitHub project of it to easily share the Pester tests too.
  • Tweak for 2008R2
    2 Posts | Last post July 26, 2016
    • Hi, thank you for that great function.
      
      The format for a Windows 2008R2 Server DNS Log (Location Austria) is:
      
      30/09/2015 12:04:28 0DAC PACKET  00000000027404B0 UDP Rcv 192.168.xxx.xxx  ed3d   Q [0001   D   NOERROR] A      (6)teredo(4)ipv6(9)microsoft(3)com(0)
      
      So the regex for the date&time must be:
      ^([0-9]{2})\/?([0-9]{2})\/?([0-9]{2,4})
      
      $dnspattern = "^([0-9]{2})\/?([0-9]{2})\/?([0-9]{2,4}) ([0-9: ]{8}) ([0-9A-Z]{3,4} PACKET  [0-9A-Za-z]{8,16}) (UDP|TCP) (Snd|Rcv) ([0-9 .]{7,15}) ([0-9a-z]{4}) (.) (.) \[.*\] (.*) (\(.*)"
      
      This RegEx Editor just helped to validate the regex:
      http://www.regexr.com/
      
      regards
      Peter
      
      
      
    • Hi.
      Sorry for the late response. I have updated the regex to work with:
      ISO 8601 (yyyy-mm-dd)
      US format (mm/dd/year)
      
      As long as the localization on the computer running the script is the same as on the server.
  • Regular Expression and Microsoft Message Analyzer
    1 Posts | Last post March 16, 2015
    • Oscar, I am curious since time has passed since you last used this if you have made any improvements on the last half of your pattern.  I am trying to identify the sections of your regular expression so I can include them in a Parser definition for MS Message Analyzer.
      
  • Works on Server 2003 logs, not 2008 R2
    3 Posts | Last post September 30, 2014
    • This works great for my logs generated by Server 2003, but it fails to parse the logs generated by my 2008 R2 DNS servers. I think it may be due to differences in how date/time are formatted.
      
      In server 2003 it is ...
      20140915 14:31:55 328 PACKET  01D2BB00 UDP Rcv 192.168.6.11    056e   Q [1001   D   NOERROR] A ...
      
      In server 2008 R2 it is ...
      9/16/2014 11:01:02 AM 07E4 PACKET  0000000003BB9E10 UDP Rcv 192.168.6.68    92a6   Q [0001   D   NOERROR] A ...
      
      I might take a stab at fixing that, but I'm decommissioning a 2003 DNS server so it's working for that. Thanks a bunch!
      
    • Hi.
      
      Thank you for your information. I need to check this out. I believe it might be time related, since your 2008R2 is running with a 12-hour clock. I will need to make sure I have a test case for this in the new version. Hope to update this soon again.
    • Interestingly, I just encountered the same problem.
      
      $dnspattern needs to be "^([0-9]{1,2})\/?([0-9]{2})\/?([0-9]{2,4}) ([0-9: ]{7}) (AM|PM) ([0-9A-Z]{3,4} PACKET  [0-9A-Za-z]{8,16}) (UDP|TCP) (Snd|Rcv) ([0-9 .]{7,15})  ([0-9a-z]{4}) (.) (.) \[.*\] (.*) (\(.*)"
      
      Also, since (AM|PM), the atoms of the RegEx shift, so all temp[n] except 1-4 (date, time) need to be n+1
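
The date and time layouts quoted in this thread and in the "Regex for date matching" and "Tweak for 2008R2" threads can be handled by one pattern when named groups replace positional ones, so an optional AM/PM no longer shifts the field indexes. The following is an added example, not the script's own code: `ConvertFrom-DnsDebugLine`, the `-DayFirst` switch and the output property names are hypothetical, and the sample rows are constructed.

```powershell
# Added example. Named groups keep every field addressable by name in all layouts.
$dnsPattern = '^(?<date>\d{8}|\d{4}-\d{2}-\d{2}|\d{1,2}[/.]\d{1,2}[/.]\d{4})\s+' +
    '(?<time>\d{1,2}:\d{2}:\d{2}(?:\s(?:AM|PM))?)\s+' +
    '(?<thread>[0-9A-F]{3,4})\s+PACKET\s+(?<context>[0-9A-F]{8,16})\s+' +
    '(?<proto>UDP|TCP)\s+(?<way>Snd|Rcv)\s+(?<ip>[0-9.]{7,15}|[0-9a-f:]{3,50})\s+' +
    '(?<xid>[0-9a-f]{4}) (?<qr>[ R]) (?<opcode>\S) \[(?<flags>[^\]]*)\]\s+' +
    '(?<type>\S+)\s+(?<query>\(.*)$'

function ConvertFrom-DnsDebugLine {    # hypothetical helper name
    param(
        [Parameter(ValueFromPipeline)][string]$Line,
        [switch]$DayFirst    # the log cannot say whether 4/5/2017 is d/M or M/d
    )
    begin {
        $local = if ($DayFirst) { 'd/M/yyyy', 'd.M.yyyy' } else { 'M/d/yyyy', 'M.d.yyyy' }
        # Explicit formats plus the invariant culture: parsing no longer depends on
        # the regional settings of the machine that runs the script.
        $formats = foreach ($d in @('yyyyMMdd', 'yyyy-MM-dd') + $local) {
            "$d H:mm:ss"; "$d h:mm:ss tt"
        }
        $inv  = [Globalization.CultureInfo]::InvariantCulture
        $none = [Globalization.DateTimeStyles]::None
    }
    process {
        if ($Line -match $dnsPattern) {    # header and blank rows simply do not match
            $m = $Matches
            $text = "$($m.date) $($m.time)"
            $stamp = [datetime]::MinValue
            $ok = [datetime]::TryParseExact($text, [string[]]$formats, $inv, $none, [ref]$stamp)
            if (-not $ok) { Write-Warning "Unparsed timestamp: $text"; return }
            [pscustomobject]@{
                Time     = $stamp
                Way      = $m.way
                ClientIP = $m.ip
                QR       = if ($m.qr -eq 'R') { 'Response' } else { 'Query' }
                Type     = $m.type
                Query    = ($m.query -replace '\(\d+\)', '.').Trim('.')
            }
        }
    }
}

# Constructed sample rows (documentation addresses), one per layout.
$sample = @(
    '20140915 14:31:55 328 PACKET  01D2BB00 UDP Rcv 192.0.2.11    056e   Q [1001   D   NOERROR] A      (7)example(3)com(0)'
    '4/5/2017 9:05:00 AM 07E4 PACKET  0000000003BB9E10 UDP Rcv 192.0.2.68    92a6   Q [0001   D   NOERROR] A      (7)example(3)com(0)'
    '2017-04-05 14:31:55 0DAC PACKET  00000000027404B0 UDP Snd 192.0.2.68    ed3d R Q [8081   DR  NOERROR] A      (7)example(3)com(0)'
)
$sample | ConvertFrom-DnsDebugLine | Format-Table Time, Way, ClientIP, QR, Query
```

A day-first log such as the Austrian 2008R2 format needs `-DayFirst`; without it a row dated `30/09/2015` produces the "Unparsed timestamp" warning instead of a silently wrong date.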
  • Does it work
    2 Posts | Last post March 03, 2014
    • As with D Han, I'm not getting any output.  I had to rewrite the script a bit.  In the begin block, you define $dnspattern for matching, but then you never use it.  If you change the process block's (get-content $path) -match to get rid of that whole regex and use the $dnspattern variable, it works fine.
    • Hi.
      
      Well, what you say makes sense, why have two different regexp patterns even if they should be the same. But I have always used the $dnspattern for doing the regex::split, so it has always been there. But due to this change we now need to specify that we are looking for incoming packets. $_.way -eq 'RCV'.
      
      I have updated the script with some small debug and verbose logging too.
  • Dumb Question
    2 Posts | Last post February 25, 2014
    • I have debug logging enabled but get an error that 'Get-DNSDebugLog' is not recognized...
      
      This is on Server 2008 R2 Enterprise. How do I get this cmdlet?
    • Hi.
      
      Download the function that I have written and run that first. Either you can ". .\file.ps1", which will load the function, or you can copy the entire contents and paste it into the PowerShell window; this will then create the function.
  • Is this supposed to work?
    2 Posts | Last post January 07, 2014
    • Because it doesn't.
    • Hi.
      
      It has worked for me and other people. What kind of problem did you have?
      Did you enable the debugging logging on the DNS server before trying to use the script?