Parsing Windows DNS Debug log…

Every now and then I need to parse a DNS debug log; it’s useful in many different scenarios. I wrote an advanced function to help me with this: specify a file name, or pipe log lines (or file names) to it, and it will return a properly formatted object.

Be aware that I only added some of the different date formats I could find, so verify that it works for your server.

Some dumps (with IP and hostnames masked):
[Screenshot: dnslogparser_masked1]

[Screenshot: dnslogparser_masked2]

Code is available here. (updated 2016-01-11)
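As an added example (not the author's Get-DNSDebugLog and not taken from the linked code), this PowerShell filter turns PACKET lines into objects, tries several timestamp layouts because of the date-format caveat above, and skips lines that are not packet entries. The function name `ConvertFrom-DnsDebugLine`, the list of date formats and the sample lines are assumptions constructed for illustration.

```powershell
function ConvertFrom-DnsDebugLine {   # hypothetical name, not the function from the post
    [CmdletBinding()]
    param(
        # AllowEmptyString: the log contains blank lines, which a mandatory string rejects.
        [Parameter(Mandatory, ValueFromPipeline)][AllowEmptyString()][string]$Line,
        # Timestamp layout follows the server's regional settings; extend this list as needed.
        [string[]]$DateFormat = @('M/d/yyyy h:mm:ss tt', 'yyyy-MM-dd HH:mm:ss',
                                  'yyyyMMdd HH:mm:ss', 'd.M.yyyy HH:mm:ss')
    )
    begin {
        # date time thread PACKET id UDP|TCP Snd|Rcv ip xid [R] opcode [flags rcode] qtype qname
        $rx = '^(?<When>\S+ \S+(?: [AP]M)?)\s+[0-9A-Fa-f]+\s+PACKET\s+\S+\s+(?<Proto>UDP|TCP)\s+' +
              '(?<Dir>Snd|Rcv)\s+(?<IP>\S+)\s+(?<Xid>[0-9A-Fa-f]{4})\s+(?<QR>R)?\s*(?<Op>[QNU?])\s+' +
              '\[[0-9A-Fa-f]{4}\s[ATDR ]{4}\s+(?<RCode>\w+)\]\s+(?<Type>\S+)\s+(?<Name>\S+)'
        $inv = [Globalization.CultureInfo]::InvariantCulture
    }
    process {
        # Blank lines, the file header and non-PACKET entries do not match and are skipped,
        # so no method is ever called on a missing field.
        if ($Line -match $rx) {
            $m = $Matches
            $when = [datetime]::MinValue
            $ok = [datetime]::TryParseExact($m.When, $DateFormat, $inv,
                      [Globalization.DateTimeStyles]::None, [ref]$when)
            if (-not $ok) {
                Write-Warning "Unrecognised timestamp '$($m.When)'; add its layout to -DateFormat"
                return
            }
            [pscustomobject]@{
                DateTime = $when; Protocol = $m.Proto; Direction = $m.Dir; ClientIP = $m.IP
                Xid = $m.Xid; IsResponse = ($m.QR -eq 'R'); Opcode = $m.Op
                ResponseCode = $m.RCode; QueryType = $m.Type
                # (3)www(7)example(3)com(0) -> www.example.com
                QueryName = ($m.Name -replace '\(\d+\)', '.').Trim('.')
            }
        }
    }
}

# Constructed sample lines (documentation IP range, example.com); not from a real server.
$sample = @'
6/25/2015 10:34:56 AM 0E6C PACKET  00000000028657F0 UDP Rcv 192.0.2.10      c3b5   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
20150625 10:34:56 0E6C PACKET  00000000028657F0 UDP Snd 192.0.2.10      c3b5 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)

6/25/2015 10:34:57 AM 0E6C EVENT   constructed non-packet entry
'@ -split '\r?\n'
$sample | ConvertFrom-DnsDebugLine | Format-Table DateTime, Direction, ClientIP, ResponseCode, QueryName
```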

8 thoughts on “Parsing Windows DNS Debug log…”

  1. Fender

    Get-DNSDebugLog -DNSLog "\\server\c$\dns.log" | Format-Table

    Returns nothing

    Get-DNSDebugLog -DNSLog "\\server\c$\dns.log" | Export-Csv c:\dns.csv

    Outputs a blank CSV file.

    Any suggestions? Thanks.

    1. Anders Post author

      hmm, odd… Does it work if you try to read the file locally?

      If you use something like this instead:
      Get-Content "\\server\c$\dns.log" | Get-DNSDebugLog | Format-Table

      Does that work? If not, I might need to add a different format for the function to handle.

      I’ll drop you an e-mail and we’ll take it from there 🙂

    2. Anders Post author

      So, after some debugging, I found the problem in the code for this function.

      Big thanks to Fender for reporting that!

      I’ve updated the link in the post to the correct version of the code.

  2. Yasmeen

    Hi Anders,
    Thanks for the script.
    I ran the script and I got some data out to the CSV. Yet I have received the following error/warning message multiple times when the script was running:

    You cannot call a method on a null-valued expression.
    At C:\Users\Administrator\Desktop\dns_log_exp\Reading DNS Debug logs.ps1:61 char:25
    + $Result=(((($_ -split “\[“)[1]).ToString().Substring(9))

    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

    This error was displayed to the console, yet not included in the CSV.
    I ran the script using the following commands:
    PS C:\Users\Administrator\Desktop\dns_log_exp> . '.\Reading DNS Debug logs.ps1'
    PS C:\Users\Administrator\Desktop\dns_log_exp> Get-DNSDebugLog -DNSLog .\dns.log | Export-csv .\dns_csv.csv

    Any thoughts how to solve the issue?
    Note: I still had some data out to the CSV file and I am using Windows 2012 R2.

    Besides, the 1st row in the CSV file was “#TYPE System.Object”. How to remove this row and make the first row to be the header of the CSV table?

    Thanks in advance!

    1. Anders Post author

      Hi Yasmeen, thanks for reading and commenting!

      It kind of looks like a parsing error that causes the string to become empty. Is the logfile huge? If I could take a look at the log’s format it would be simpler to troubleshoot. I’ll drop you an e-mail and we’ll take it from there 🙂

      To remove that first row in the csv file you can use the -NoTypeInformation switch on Export-Csv.

    2. Anders Post author

      This was another bug in the code (unhandled event type in the log). I’ve updated the link in the post to the updated version of the code.

      Thank you Yasmeen for reporting that!

