Created
February 17, 2021 19:08
-
-
Save jasonadsit/f26cdf37c1d424f3e0a2794ef88d9131 to your computer and use it in GitHub Desktop.
Get-DhcpServerAuditLog.ps1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-DhcpServerAuditLog { | |
| <# | |
| .SYNOPSIS | |
| Parses DHCP server audit logs and outputs PowerShell objects. | |
| .DESCRIPTION | |
| Parses DHCP server audit logs and outputs PowerShell objects. | |
| .PARAMETER ComputerName | |
| The hostname(s) of the DHCP server(s) to retrieve logs from. | |
| .PARAMETER ThreeLetterDayofWeek | |
| First three letters of the weekday to retrieve logs from. | |
| Defaults to The DayOfWeek for yesterday. (Sun,Mon,Tue,Thu,Fri,Sat) or * | |
| .EXAMPLE | |
| Get-DhcpServerAuditLog -ComputerName 'server1','server2','server3' | |
| Retrieves and parses DHCP server audit logs from server1, server2, | |
| and server3 from yesterday. | |
| #> | |
| [CmdletBinding()] | |
| param ( | |
| [parameter(ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true)] | |
| [alias('PSComputerName','DNSHostName','CN','Hostname')] | |
| [string[]] | |
| $ComputerName, | |
| [parameter()] | |
| [ValidateSet('Sun','Mon','Tue','Wed','Thu','Fri','Sat','*')] | |
| [string] | |
| $ThreeLetterDayofWeek | |
| ) #param | |
| begin { | |
| if (-not $PSBoundParameters.ContainsKey('ComputerName')) { | |
| $ComputerName = Read-Host -Prompt ComputerName | |
| } #if | |
| if (-not $PSBoundParameters.ContainsKey('ThreeLetterDayofWeek')) { | |
| $ThreeLetterDayofWeek = $(((((Get-Date).AddDays(-1)).DayOfWeek).ToString()).Substring(0,3)) | |
| } #if | |
| $DhcpServerAuditLogScriptBlock = [scriptblock]::Create({ | |
| [CmdletBinding()] | |
| param ( | |
| $ThreeLetterDayofWeek | |
| ) #param | |
| $DhcpServer = $env:COMPUTERNAME | |
| $RelativePathToDhcpAuditLogs = 'C:\Windows\System32\dhcp' | |
| # Build the filename filter | |
| $DhcpSrvLogFileFilter = "DhcpSrvLog-$ThreeLetterDayofWeek.log" | |
| # https://gist.github.com/dstreefkerk/87bfb04c2b10c1a8139f | |
| # https://technet.microsoft.com/en-us/library/dd183591(v=ws.10).aspx | |
| $idMeanings = @{ | |
| 00 = "The log was started."; | |
| 01 = "The log was stopped."; | |
| 02 = "The log was temporarily paused due to low disk space."; | |
| 10 = "A new IP address was leased to a client."; | |
| 11 = "A lease was renewed by a client."; | |
| 12 = "A lease was released by a client."; | |
| 13 = "An IP address was found to be in use on the network."; | |
| 14 = "A lease request could not be satisfied because the scope's address pool was exhausted."; | |
| 15 = "A lease was denied."; | |
| 16 = "A lease was deleted."; | |
| 17 = "A lease was expired and DNS records for an expired leases have not been deleted."; | |
| 18 = "A lease was expired and DNS records were deleted."; | |
| 20 = "A BOOTP address was leased to a client."; | |
| 21 = "A dynamic BOOTP address was leased to a client."; | |
| 22 = "A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted."; | |
| 23 = "A BOOTP IP address was deleted after checking to see it was not in use."; | |
| 24 = "IP address cleanup operation has begun."; | |
| 25 = "IP address cleanup statistics."; | |
| 30 = "DNS update request to the named DNS server."; | |
| 31 = "DNS update failed."; | |
| 32 = "DNS update successful."; | |
| 33 = "Packet dropped due to NAP policy."; | |
| 34 = "DNS update request failed as the DNS update request queue limit exceeded."; | |
| 35 = "DNS update request failed."; | |
| 36 = "Packet dropped because the server is in failover standby role or the hash of the client ID does not match."; | |
| # Event descriptions for 50-64 sourced from https://technet.microsoft.com/en-us/library/cc776384(v=ws.10).aspx | |
| 50 = "The DHCP server could not locate the applicable domain for its configured Active Directory installation."; | |
| 51 = "The DHCP server was authorized to start on the network."; | |
| 52 = "The DHCP server was recently upgraded to a Windows Server 2003 operating system, and, therefore, the unauthorized DHCP server detection feature (used to determine whether the server has been authorized in Active Directory) was disabled." | |
| 53 = "The DHCP server was authorized to start using previously cached information. Active Directory was not currently visible at the time the server was started on the network."; | |
| 54 = "The DHCP server was not authorized to start on the network. When this event occurs, it is likely followed by the server being stopped."; | |
| 55 = "The DHCP server was successfully authorized to start on the network."; | |
| 56 = "The DHCP server was not authorized to start on the network and was shut down by the operating system. You must first authorize the server in the directory before starting it again."; | |
| 57 = "Another DHCP server exists and is authorized for service in the same domain."; | |
| 58 = "The DHCP server could not locate the specified domain."; | |
| 59 = "A network-related failure prevented the server from determining if it is authorized."; | |
| 60 = "No Windows Server 2003 domain controller (DC) was located. For detecting whether the server is authorized, a DC that is enabled for Active Directory is needed."; | |
| 61 = "Another DHCP server was found on the network that belongs to the Active Directory domain."; | |
| 62 = "Another DHCP server was found on the network."; | |
| 63 = "The DHCP server is trying once more to determine whether it is authorized to start and provide service on the network."; | |
| 64 = "The DHCP server has its service bindings or network connections configured so that it is not enabled to provide service." | |
| } | |
| $qResultMeanings = @{ | |
| 0 = "No Quarantine"; | |
| 1 = "Quarantine"; | |
| 2 = "Drop Packet"; | |
| 3 = "Probation"; | |
| 6 = "No Quarantine Information" | |
| } | |
| # Enumerate DHCP audit log files | |
| Get-ChildItem $RelativePathToDhcpAuditLogs -Filter $DhcpSrvLogFileFilter | ForEach-Object { | |
| $_ | Get-Content | Select-Object -Skip 33 | ConvertFrom-Csv | |
| } | ForEach-Object { | |
| $DateTime = [datetime] "$($_.Date) $($_.Time)" | |
| [pscustomobject][ordered] @{ TimeStamp = $($DateTime.GetDateTimeFormats('s')) | |
| DateTime = $DateTime | |
| DhcpServer = $DhcpServer | |
| Id = $_.ID | |
| IdDescription = $idMeanings[[int]$_.ID] | |
| IpAddress = $_.'IP Address' | |
| ComputerName = $_.'Host Name' | |
| MacAddress = $_.'MAC Address' | |
| TransactionId = $_.TransactionID | |
| QResult = $_.QResult | |
| QResultDecription = $qResultMeanings[[int]$_.QResult] | |
| DnsRegError = $_.'DnsRegError.' } | |
| } #ForEach | |
| }) #$DhcpServerAuditLogScriptBlock | |
| } #begin | |
| process { | |
| $Params = @{ ComputerName = $ComputerName | |
| ScriptBlock = $DhcpServerAuditLogScriptBlock | |
| ArgumentList = $ThreeLetterDayofWeek } | |
| Invoke-Command @Params | |
| } #process | |
| } #function Get-DhcpServerAuditLog |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment