Powershell - DNS Log Analysis
Problem:
We were experiencing alerts in one of our security tools related to suspicious DNS requests being relayed by the DNS server, however our alerting tool was sitting between the DNS server and the Internet. That meant, we had no idea which workstation was the originator of the DNS requests. Seeing as our DNS server logs would roll over every 15 minutes, I devised this Powershell script to monitor the logs in real-time and record anything that matched the specific domains and IP addresses that our alerts were being generated for.
#Date 03/17/2015 #search terms go in this array. make sure to surround the term with wildcard characters $searchTerms = @("*couchness*","*174.37.204.91*", "*178.63.65.11*") $logFile = "D:\DNS.log" $outputFile = "D:\matches.txt" function SearchFunc { for ($i=0; $i -lt $searchTerms.length; $i++) Write-Host $searchTerms.l { $result = $args[0] -like $searchTerms[$i] $result | out-file -Append -NoClobber $outputFile } } gc $logFile -ReadCount 1000 -wait | ForEach-Object { SearchFunc $_ }