Monitor Microsoft DNS Server log file

This simple Perl script follows the Microsoft DNS server debug log file and, for each logged packet, outputs the following information:

date

time

remote IP

FQDN (the queried name)

Microsoft DNS log field description

The Microsoft DNS debug log file contains the fields described below. Fields 12 to 14 are written between square brackets in the log line, which is why "[" and "]" appear in the list; the header Microsoft writes at the top of the file uses the same names.

1 Date

2 Time

3 Thread ID

4 Context

5 Internal packet identifier

6 UDP/TCP indicator

7 Send/Receive indicator

8 Remote IP

9 Xid (hex)

10 Query/Response: R = Response, blank = Query

11 Opcode: Q = Standard Query, N = Notify, U = Update, ? = Unknown

12 [ Flags (hex)

13 Flags (char codes): A = Authoritative Answer, T = Truncated Response, D = Recursion Desired, R = Recursion Available

14 ResponseCode ]

15 Question Type

16 Question Name
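The parser below is an added example written for this page, not the script from the original article. It splits a log line according to the field layout above and handles two points the layout hides: on an English (US) server the time carries an AM/PM token, so every later field shifts by one position (the page's script reads the remote IP from position 7, which is only correct for a 24-hour time format), and the bracketed flags block has a variable number of tokens because the char codes may be empty. It also decodes the question name from its label-length form and keeps only received queries. The sample log lines are constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not the page's script: parse Microsoft DNS debug log
# lines following the field layout above, keep only received queries,
# and decode the question name.
use strict;
use warnings;

# Constructed sample input. Line 1 is what an English (US) server writes
# (the time carries an AM/PM token, so every later field shifts by one);
# lines 2-3 use a 24-hour locale; line 2 is a response (R) that must be
# skipped; line 4 is the column header Microsoft writes at the top of the log.
my @sample = (
    '5/12/2015 9:28:36 AM 0B10 PACKET  0000000000D6E3A0 UDP Rcv 192.168.1.10    3c4a   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)',
    '12/05/2015 09:28:37 0B10 PACKET  0000000000D6E3A0 UDP Snd 192.168.1.10    3c4a R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)',
    '12/05/2015 09:28:38 0B10 PACKET  0000000000D6E3B0 TCP Rcv 10.0.0.5        0001   Q [0001   D   NOERROR] AXFR   (7)example(3)com(0)',
    'Date Time Thread ID Context Internal packet identifier UDP/TCP indicator Send/Receive indicator Remote IP Xid (hex) Query/Response Opcode [ Flags (hex) Flags (char codes) ResponseCode ] Question Type Question Name',
);

# "(3)www(7)example(3)com(0)" -> "www.example.com." : each parenthesised
# number is a label length and "(0)" is the root label.
sub decode_name {
    my ($raw) = @_;
    my @labels = $raw =~ /\(\d+\)([^()]+)/g;
    return join('.', @labels) . '.';
}

# Return a hashref of the fields, or undef for header/blank/unparseable lines.
sub parse_line {
    my ($line) = @_;
    my @f = split ' ', $line;              # split ' ' collapses runs of whitespace
    return undef if @f < 10;

    my $date = shift @f;
    my $time = shift @f;
    $time .= ' ' . shift @f if $f[0] =~ /^(?:AM|PM)$/;   # optional locale token

    my ($thread, $context, $pktid, $proto, $dir, $ip, $xid) = splice(@f, 0, 7);
    return undef unless $context eq 'PACKET'
                    and $proto =~ /^(?:UDP|TCP)$/
                    and $dir   =~ /^(?:Snd|Rcv)$/;

    # Field 10 is "R" for a response and blank for a query, so for a query
    # the opcode is the very next token.
    my $response = 0;
    if (@f and $f[0] eq 'R') { $response = 1; shift @f; }
    my $opcode = shift @f;

    # The bracketed block "[hex charcodes RCODE]" has a variable number of
    # tokens because the char codes may be empty; find the closing bracket.
    my $end = 0;
    $end++ while $end < @f and $f[$end] !~ /\]$/;
    return undef if $end >= @f;
    my @flags = splice(@f, 0, $end + 1);
    (my $hex   = $flags[0])  =~ s/^\[//;
    (my $rcode = $flags[-1]) =~ s/\]$//;

    my ($qtype, $qname) = @f;
    return undef unless defined $qname;

    return {
        date => $date, time => $time, thread => $thread, proto => $proto,
        dir => $dir, remote_ip => $ip, xid => $xid, response => $response,
        opcode => $opcode, flags_hex => $hex, rcode => $rcode,
        qtype => $qtype, qname => decode_name($qname),
    };
}

# Read a log file given on the command line, otherwise use the sample lines.
my @lines = @ARGV ? <> : @sample;
for my $line (@lines) {
    chomp $line;
    my $r = parse_line($line) or next;
    next unless $r->{dir} eq 'Rcv' and not $r->{response};   # received queries only
    printf "%s %s %s %s %s\n",
        $r->{date}, $r->{time}, $r->{remote_ip}, $r->{qtype}, $r->{qname};
}
```

Run without arguments it prints the two received queries from the sample (the www.example.com A query and the example.com AXFR request) and skips the response and the header line; run with a path to a dns.log it processes that file instead. Locating the field boundaries by content (the PACKET context, the Snd/Rcv token, the closing bracket) rather than by fixed position is what keeps the parser correct across locales and across lines with and without flag char codes.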

Perl requirement

To run this script, the Perl module File::Tail is required. You can install it from CPAN with the command: cpan File::Tail (or from your distribution's package, for example libfile-tail-perl on Debian and Ubuntu).

Enable Microsoft DNS server debug logging

Debug logging is disabled by default. To enable it, follow these steps:

launch the DNS Server Management console: mmc dnsmgmt.msc

right-click the DNS server name, then click Properties

go to the “Debug Logging” tab

tick “Log packets for debugging” and select what to log (for this script, incoming query packets are enough: packet direction Incoming, transport protocol UDP and TCP, packet contents Queries/Transfers, packet type Request), then set the log file path and name in the folder that will be shared and set a maximum file size. Debug logging records every query the server receives, so the file grows quickly and is a complete record of which hosts asked for which names; restrict access to the shared folder to the account used for the mount.



Mount the log folder

The script reads the log file from the folder “/mount/log”, a read-only CIFS mount of the share where the DNS server writes its log. The mount point is defined like this in fstab:

//dnsserver/dns /mount/log cifs credentials=/root/.smbpasswddns,noatime,ro,noserverino,nounix 0 0

The credentials file holds the account password in clear text, so keep it readable by root only (chmod 600) and use an account that has read-only access to the share.



The script

#!/usr/bin/perl
use strict;
use warnings;
use File::Tail;

# Log file exposed through the CIFS mount described above
my $name = "/mount/log/dns.log";

# tail => 0: start at the end of the file, only new lines are processed
my $file = File::Tail->new(name => $name, maxinterval => 1, tail => 0);

while (defined(my $line = $file->read)) {
    chomp $line;
    my @array = split ' ', $line;          # split ' ' collapses runs of spaces

    my $date     = $array[0];
    my $time     = $array[1];
    # Field 8 (Remote IP) is $array[7] when the time has no AM/PM token
    # (24-hour locale); on an English (US) server it would be $array[8].
    my $remoteip = $array[7];

    my $questionname = $array[-1];         # last field, e.g. (3)www(7)example(3)com(0)
    $questionname =~ s/\((\w+)\)/\./g;     # -> .www.example.com.
    $questionname =~ s/^\.//;              # drop the leading dot -> www.example.com.

    print "$date\n";
    print "$time\n";
    print "$remoteip\n";
    print "$questionname\n";
}