
How can I log all DNS requests with PowerShell and Task Scheduler?

I want to log DNS request history, so I made the PowerShell script below.

# Fetch the newest 3006 event once, so PID, timestamp and message come from the same record
$EVENT = Get-WinEvent microsoft-windows-dns-client/operational -MaxEvents 1 -FilterXPath "*[System/EventID=3006]"
$PROC_ID   = $EVENT.ProcessId
$TIMESTAMP = $EVENT.TimeCreated
$LOG_MSG   = $EVENT.Message

# The querying process may already have exited, so do not abort when the lookup fails
$PROC_NAME = Get-Process -Id $PROC_ID -ErrorAction SilentlyContinue | Select-Object -ExpandProperty ProcessName
# Format the DateTime explicitly instead of splitting its locale-dependent string form
$LOG_DATE = $TIMESTAMP.ToString('yyyy-MM-dd')
$LOG_TIME = $TIMESTAMP.ToString('HH:mm:ss')
# Pull the queried name out of the rendered message (this regex depends on the localized message text)
$LOG_URL = $LOG_MSG -replace '^\S{2}\s([^,]+).+','$1'

$LOG = "$LOG_DATE`t$LOG_TIME`t$PROC_ID`t$PROC_NAME`t$LOG_URL"
$LOG >> C:\dns.csv

And I made a scheduled task that runs the script when event 3006 occurs.

C:\>schtasks /query /tn dns_history /fo list /v

Folder:                                 \
HostName:                               LG
TaskName:                               \dns_history
Next Run Time:                          N/A
Status:                                 Ready
Logon Mode:                             Interactive/Background
Last Run Time:                          2017-05-14 4:39:07 PM
Last Result:                            0
Author:                                 lg\Administrator
Task To Run:                        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -file C:\Test\Powershell\dns.ps1
Start In:                               N/A
Comment:                                N/A
Scheduled Task State:                   Enabled
Idle Time:                              Disabled
Power Management:                       Stop On Battery Mode, No Start On Batteries
Run As User:                            LG\administrator
Delete Task If Not Rescheduled:         Disabled
Stop Task If Runs X Hours and X Mins:   72:00:00
Schedule:                               Scheduling data is not available in this format.
Schedule Type:                          When an event occurs
Start Time:                             N/A
Start Date:                             N/A
End Date:                               N/A
Days:                                   N/A
Months:                                 N/A
Repeat: Every:                          N/A
Repeat: Until: Time:                    N/A
Repeat: Until: Duration:                N/A
Repeat: Stop If Still Running:          N/A

This is the result.

[screenshot]

But it does not log all DNS requests.

[screenshot]

My script logs only the last DNS request among the DNS requests that occurred at the same time. Is it a limitation of the Task Scheduler? How can I log all DNS requests?

[screenshot]

And when I run the code of restless1987, the error below occurs.

Register-WMIEvent : Wrong Class. 
At D:\test.ps1:9 char:1
+ Register-WMIEvent -query "Select * From __InstanceCreationEvent within 3 $filter ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Register-WmiEvent], ManagementException
    + FullyQualifiedErrorId : System.Management.ManagementException,Microsoft.PowerShell.Commands.RegisterWmiEventCommand
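Why only one line per burst appears: the event trigger starts the task once per 3006 record, but Task Scheduler's default multiple-instance policy ("Do not start a new instance") discards triggers that fire while an instance is already running, and every instance that does run fetches only the single newest record because of -MaxEvents 1. The fix is to stop depending on one run per event: each run reads everything newer than a bookmark (the last EventRecordID it wrote), so dropped triggers cost nothing and the next run catches up. The script below is an added example, not the asker's script or anything from the original thread; the state-file path is an assumption, and it assumes the QueryName of a 3006 record is the first EventData property (check once with `(Get-WinEvent Microsoft-Windows-DNS-Client/Operational -MaxEvents 1 -FilterXPath '*[System/EventID=3006]').ToXml()`).

```powershell
# Added example, not the asker's script: write every 3006 event that arrived since the
# previous run, not just the newest one. A bookmark (the last EventRecordID written) is
# kept in a state file; the file paths are assumptions, adjust them as needed.
$LogName   = 'Microsoft-Windows-DNS-Client/Operational'
$EventId   = 3006
$StateFile = 'C:\Test\Powershell\dns_last_record.txt'   # assumed path for the bookmark
$OutFile   = 'C:\dns.csv'

# RecordId of the last event already written; 0 on the very first run
$lastId = 0
if (Test-Path $StateFile) {
    $lastId = [int64]((Get-Content -Path $StateFile -Raw).Trim())
}

# One query instead of three, so PID, time and query name come from the same record.
# Get-WinEvent returns newest first and reports an error when nothing matches, hence the
# sort and -ErrorAction; only records newer than the bookmark are kept.
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId } `
                       -ErrorAction SilentlyContinue |
          Where-Object { $_.RecordId -gt $lastId } |
          Sort-Object RecordId

if (-not (Test-Path $OutFile)) {
    Set-Content -Path $OutFile -Value "Date`tTime`tPID`tProcess`tQueryName"
}

foreach ($evt in $events) {
    # EventData of 3006 carries QueryName as its first property (assumption, verify once
    # with .ToXml()). Reading it from the event data instead of the rendered Message text
    # keeps this independent of the display language.
    $queryName = $evt.Properties[0].Value

    # The querying process may have exited already, so do not fail on the lookup
    $proc     = Get-Process -Id $evt.ProcessId -ErrorAction SilentlyContinue
    $procName = if ($proc) { $proc.ProcessName } else { '-' }

    $fields = @(
        $evt.TimeCreated.ToString('yyyy-MM-dd'),
        $evt.TimeCreated.ToString('HH:mm:ss.fff'),
        $evt.ProcessId,
        $procName,
        $queryName
    )
    Add-Content -Path $OutFile -Value ($fields -join "`t")
    $lastId = $evt.RecordId
}

# Persist the bookmark so the next run, however it was triggered, continues from here
Set-Content -Path $StateFile -Value $lastId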

Task Scheduler can be quite unreliable in certain circumstances.

If this happens to be the case for you, maybe you can go along with registering a PowerShell WMI event watcher to log every instance that gets created there.

There is still something to do, but it should be a place to start. You have to adapt the filter so that it gets the events from the correct log file.

# The WMI class for event log records is Win32_NTLogEvent; the misspelling Win32_NtEventLog
# names no class, which is what makes Register-WmiEvent fail with an invalid-class error.
# It covers the logs listed by Win32_NTEventlogFile (Application, System, Security, ...).
$class = 'Win32_NTLogEvent'
$EventCode = 3006
# Properties of the new record are addressed through TargetInstance in a WQL event query
$filter = "Where TargetInstance ISA '$class' and TargetInstance.EventCode = $EventCode"

$codeblock = {
    # The Win32_NTLogEvent instance: Logfile, EventCode, TimeGenerated, Message, InsertionStrings ...
    $eventargs.newevent.targetinstance #<- should have all info you need
}

Register-WMIEvent -query "Select * From __InstanceCreationEvent within 3 $filter" `
-messageData "DNS event " -sourceIdentifier "New DNS query" -Action $codeblock

# Keep the session alive; the action runs for every instance creation WMI polls
While ($true){
    Start-Sleep 5
}
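The WMI watcher in the answer only sees logs that Win32_NTLogEvent exposes; before relying on it, check whether the DNS-Client operational channel is listed at all with `Get-WmiObject Win32_NTEventlogFile | Select-Object LogfileName`. If it is not, the same "react to each record as it is written" idea can be built on .NET's EventLogWatcher, which reads the channel directly and invokes its handler once per record, so simultaneous queries each get their own line. The script below is an added example, not restless1987's code or anything from the thread; the output path is an assumption, as is the position of QueryName as the first EventData property.

```powershell
# Added example, not restless1987's code: an in-process watcher for the DNS-Client
# operational channel built on .NET's EventLogWatcher instead of WMI's Win32_NTLogEvent.
# The output path is an assumption.
$OutFile = 'C:\dns.csv'
$ns      = 'System.Diagnostics.Eventing.Reader'

# Subscribe only to 3006 records in the operational channel; the XPath is the same
# filter that Get-WinEvent -FilterXPath accepts.
$query = New-Object -TypeName "$ns.EventLogQuery" -ArgumentList @(
    'Microsoft-Windows-DNS-Client/Operational',
    [System.Diagnostics.Eventing.Reader.PathType]::LogName,
    '*[System/EventID=3006]'
)
$watcher = New-Object -TypeName "$ns.EventLogWatcher" -ArgumentList $query

# Runs once per written record, so a burst of simultaneous queries yields one line each.
$action = {
    $rec = $Event.SourceEventArgs.EventRecord
    if ($null -eq $rec) { return }                 # record unreadable (EventException is set)
    $queryName = $rec.Properties[0].Value          # QueryName from EventData (assumed position)
    $proc      = Get-Process -Id $rec.ProcessId -ErrorAction SilentlyContinue
    $procName  = if ($proc) { $proc.ProcessName } else { '-' }
    $fields    = @($rec.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss.fff'),
                   $rec.ProcessId, $procName, $queryName)
    Add-Content -Path $Event.MessageData -Value ($fields -join "`t")
}

$null = Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten `
            -SourceIdentifier 'DnsClient3006' -MessageData $OutFile -Action $action
$watcher.Enabled = $true

try {
    # Keep the host alive; the subscription ends with this PowerShell process
    while ($true) { Start-Sleep -Seconds 5 }
} finally {
    $watcher.Enabled = $false
    Unregister-Event -SourceIdentifier 'DnsClient3006'
    $watcher.Dispose()
}
```

The channel must be enabled (`wevtutil sl Microsoft-Windows-DNS-Client/Operational /e:true`) and the account running the watcher must be able to read it. Because the subscription lives only as long as the PowerShell process, start this from a task triggered at startup or logon rather than from a per-event trigger, and keep the bookmark approach for catching up on anything written while the watcher was not running.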
