PoshCode Archive  Artifact [dab60f8dd5]

Artifact dab60f8dd5e4874202001a5675e5b5f9fdeeef3e254ba5994eb50c9b29cfad4b:

  • File Reading-DNS-Debug-logs.ps1 — part of check-in [c508eff852] at 2018-06-10 14:09:38 on branch trunk — I wrote a small function for parsing a Windows DNS Debug log. You can pipe both log-lines and filenames to this cmdlet. I’ve added 3 different types of log formats for it to handle. (user: DollarUnderscore size: 5870)

# encoding: ascii
# api: powershell
# title: Reading DNS Debug logs
# description: I wrote a small function for parsing a Windows DNS Debug log. You can pipe both log-lines and filenames to this cmdlet. I’ve added 3 different types of log formats for it to handle.
# version: 0.1
# type: function
# author: DollarUnderscore
# license: CC0
# function: Get-DNSDebugLog
# x-poshcode-id: 6175
# x-archived: 2016-03-18T21:41:23
# x-published: 2016-01-11T19:12:00
#
# Blogpost about it: http://dollarunderscore.azurewebsites.net/?p=291
# Edit:
# Bugfix regarding certain logformats and/or events.
#
function Get-DNSDebugLog
{
    <#
    .SYNOPSIS
    This cmdlet parses a Windows DNS Debug log.

    .DESCRIPTION
    When a DNS log is converted with this cmdlet it will be turned into objects for further parsing.

    .EXAMPLE
    Get-DNSDebugLog -DNSLog ".\Something.log" | Format-Table

    Outputs the contents of the dns debug file "Something.log" as a table.

    .EXAMPLE
    Get-DNSDebugLog -DNSLog ".\Something.log" | Export-Csv .\ProperlyFormatedLog.csv

    Turns the debug file into a csv-file.

    .PARAMETER DNSLog
    Path to the DNS log or DNS log data. Allows pipelining from for example Get-ChildItem for files, and supports pipelining DNS log data.

    #>

    [CmdletBinding()]
    param(
      [Parameter(Mandatory=$false, ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)]
      [Alias('Fullname')]
      [string] $DNSLog = 'StringMode')


    BEGIN { }

    PROCESS {

        $TheReverseRegExString='\(\d\)in-addr\(\d\)arpa\(\d\)'

        ReturnDNSLogLines -DNSLog $DNSLog | % {
                if ( $_ -match '^\d\d|^\d/\d' -AND $_ -notlike '*EVENT*' -AND $_ -notlike '* Note: *') {
                    $Date=$null
                    $Time=$null
                    $DateTime=$null
                    $Protocol=$null
                    $Client=$null
                    $SendReceive=$null
                    $QueryType=$null
                    $RecordType=$null
                    $Query=$null
                    $Result=$null

                    $Date=($_ -split ' ')[0]

                    # Check log time format and set properties
                    if ($_ -match ':\d\d AM|:\d\d  PM') {
                        $Time=($_ -split ' ')[1,2] -join ' '
                        $Protocol=($_ -split ' ')[7]
                        $Client=($_ -split ' ')[9]
                        $SendReceive=($_ -split ' ')[8]
                        $RecordType=(($_ -split ']')[1] -split ' ')[1]
                        $Query=($_.ToString().Substring(110)) -replace '\s' -replace '\(\d?\d\)','.' -replace '^\.' -replace "\.$"
                        $Result=(((($_ -split '\[')[1]).ToString().Substring(9)) -split ']')[0] -replace ' '
                    }
                    elseif ($_ -match '^\d\d\d\d\d\d\d\d \d\d:') {
                        $Date=$Date.Substring(0,4) + '-' + $Date.Substring(4,2) + '-' + $Date.Substring(6,2)
                        $Time=($_ -split ' ')[1] -join ' '
                        $Protocol=($_ -split ' ')[6]
                        $Client=($_ -split ' ')[8]
                        $SendReceive=($_ -split ' ')[7]
                        $RecordType=(($_ -split ']')[1] -split ' ')[1]
                        $Query=($_.ToString().Substring(110)) -replace '\s' -replace '\(\d?\d\)','.' -replace '^\.' -replace "\.$"
                        $Result=(((($_ -split '\[')[1]).ToString().Substring(9)) -split ']')[0] -replace ' '
                    }
                    else {
                        $Time=($_ -split ' ')[1]
                        $Protocol=($_ -split ' ')[6]
                        $Client=($_ -split ' ')[8]
                        $SendReceive=($_ -split ' ')[7]
                        $RecordType=(($_ -split ']')[1] -split ' ')[1]
                        $Query=($_.ToString().Substring(110)) -replace '\s' -replace '\(\d?\d\)','.' -replace '^\.' -replace "\.$"
                        $Result=(((($_ -split '\[')[1]).ToString().Substring(9)) -split ']')[0] -replace ' '
                    }

                    $DateTime=Get-Date("$Date $Time") -Format 'yyyy-MM-dd HH:mm:ss'


                    if ($_ -match $TheReverseRegExString) {
                        $QueryType='Reverse'
                    }
                    else {
                        $QueryType='Forward'
                    }

                    $returnObj = New-Object System.Object
                    $returnObj | Add-Member -Type NoteProperty -Name Date -Value $DateTime
                    $returnObj | Add-Member -Type NoteProperty -Name QueryType -Value $QueryType
                    $returnObj | Add-Member -Type NoteProperty -Name Client -Value $Client
                    $returnObj | Add-Member -Type NoteProperty -Name SendReceive -Value $SendReceive
                    $returnObj | Add-Member -Type NoteProperty -Name Protocol -Value $Protocol
                    $returnObj | Add-Member -Type NoteProperty -Name RecordType -Value $RecordType
                    $returnObj | Add-Member -Type NoteProperty -Name Query -Value $Query
                    $returnObj | Add-Member -Type NoteProperty -Name Results -Value $Result

                    if ($returnObj.Query -ne $null) {
                        Write-Output $returnObj
                    }
                }
            }

    }

    END { }
}



function ReturnDNSLogLines
{
param(
$DNSLog)

$PathCorrect=try { Test-Path $DNSLog -ErrorAction Stop } catch { $false }

    if ($DNSLog -match '^\d\d|^\d/\d' -AND $DNSLog -notlike '*EVENT*' -AND $PathCorrect -ne $true) {
        $DNSLog
    }
    elseif ($PathCorrect -eq $true) {
        Get-Content $DNSLog | % { $_ }
    }
}