
I'm attempting to query a DNS log to see which local computer requested a website address that contains 38.93.53.202-in-addr.arpa-nettlinx.com. I don't know what form this will take in the logs, and filtering using the event log is getting me nowhere (too slow).

I figure PowerShell can help me with this! I've exported the log so that I can leave a spare system parsing this while I do my day to day.

So far, I've found a script that almost does what I want. I've picked my test using one of the top entries in the log:

<EventData>
  <Data Name="TCP">0</Data> 
  <Data Name="InterfaceIP">192.168.1.1</Data> 
  <Data Name="Destination">192.168.1.2</Data>
  <Data Name="QNAME">rss.weather.com.</Data>

The Code I've found that almost works is:

Get-WinEvent -Path 'C:\users\user\desktop\evtlog.evtx' -FilterXPath "*[EventData[ Data[@Name='qname']='rss.weather.com.']]"

Now, instead of 'rss.weather.com.', I'd like to be able to use a wildcard. For example, 'weather'. However, as far as I can tell, the -FilterXPath flag does not allow for this.

I've tried adding the most common entry I see on the internet:

contains(.,'weather')

As well as

contains(text(),'weather')

I've tried this in nearly every part of the code, with brackets, without brackets, with the equals sign, without, inside of data[]... I've literally exhausted every possibility I can think of or find reference to in the XML parsing language.

Is there any way to perform the type of query that I'm attempting? I'm trying to find a way to do this pre-pipe as the log is of a rather intimidating size.

EDIT: Here are most of the iterations I can think of that I've tried:

# Try 1
# "*[EventData[Data[@Name='qname' and contains(text(), 'weather')]]]"

# Try 2
# "*[EventData[ Data[@Name='qname'] contains(.,'weather')]]"

# Try 3
# "*[EventData[ Data[contains(.,'weather')]]]"

# Try 4
# "*[EventData[ Data[@Name='qname']=*[contains(.,'weather')]]]"

# Try 5
# "*[EventData[ Data[@Name='qname']=*contains(.,'weather')]]"

# Try 6
# "*[EventData[ Data[@Name='qname']=contains(.,'weather')]]"

# Try 7
# "*[EventData[ Data[@Name='qname']=[contains(.,'weather')]]]"

# Try 8
# "*[EventData[ contains(.,'weather') ]]"

# Try 9
# "*[EventData[ Data[@Name='qname'] like 'rss.weather.com.']]"

# Try 10
# "*[EventData[Data[@Name='QNAME']=*[contains(.,'rss.weather.com.')]]]"

# Try 11
# "*[EventData[ Data[@Name='qname']=*'weather.com.']]"

# Try 12
# "*[EventData[ Data[@Name='qname']=*['weather.com.']]]"

# Try 13
# "*[EventData[ Data[@Name='qname'] contains(.,'weather')]]"

# Try 14
# "*[EventData[ Data[@Name='qname'] [contains(.,'weather')]]]"
Finch
  • Did you try `EventData[Data[@Name='qname' and contains(text(), 'weather')]]`? Share your attempts – Andersson May 16 '17 at 05:06
  • I've edited my primary post to show the various iterations that I have attempted. Each results in the same error: The specified Query is invalid. – Finch May 16 '17 at 18:49
  • Does adding double slash (`//*`) change something? – Andersson May 16 '17 at 19:21
  • I've added `//` in several iterations and that only caused the good query to fail. I've tried `"//*[EventData`, `//"*[EventData`, `"*[//EventData`, and `"*//[EventData` - all returned the same issue. – Finch May 17 '17 at 18:03

1 Answer


I happen to have recently taken a course on PowerShell and was able to e-mail my instructor with this same question. He responded with the unfortunate answer that the reason my script isn't working is that XPath will not accept a wildcard for a non-tagged value.

For example, if the line of XML is:

<Data Name="InterfaceIP">192.168.1.1</Data>

then I can do a wildcard search for data name = *face* but I can't do a wildcard search for content outside of the <>.

Thank you all for your help!

Finch
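Added example, not from the question or the answer above. The XPath dialect that Get-WinEvent (and Event Viewer) accept is a restricted subset of XPath 1.0: Microsoft's event-log documentation lists position(), Band() and timediff() as the only supported functions, so contains() and starts-with() are rejected with "The specified Query is invalid" no matter where they are placed. The practical pattern is to push everything the subset can express into -FilterXPath (a time window via timediff(), an existence test on the Data element, an EventID if you know it) and do the substring match with -like in the pipeline on the events that survive. This script assumes the .evtx path from the question, that each event of interest carries Data elements named QNAME and Destination exactly as in the sample XML (Destination being the client the answer went to), and that the wildcard and time-window parameters are the caller's choice; all three are assumptions, not facts from the page.

```powershell
# Added example; not code from the original post. Assumptions (see lead-in):
#   - $LogPath is the exported DNS log from the question
#   - events carry <Data Name="QNAME"> and <Data Name="Destination">
#   - the event-log XPath subset has no contains(), so the substring
#     match happens post-pipe with -like; XPath only narrows the set first
param(
    [string]$LogPath   = 'C:\users\user\desktop\evtlog.evtx',
    [string]$Pattern   = '*weather*',   # -like wildcard applied to QNAME
    [int]   $HoursBack = 0              # 0 = no time window
)

# Existence test on the QNAME Data element: the same shape the question's
# working query used, minus the exact-value comparison.
$xpath = "*[EventData[Data[@Name='QNAME']]]"

# timediff() IS in the supported subset; it is what Event Viewer emits for
# "Last 24 hours" (86400000 ms). Use it to shrink a large log before parsing.
if ($HoursBack -gt 0) {
    $ms = [int64]$HoursBack * 3600 * 1000
    $xpath = "*[System[TimeCreated[timediff(@SystemTime) <= $ms]]] and $xpath"
}

Get-WinEvent -Path $LogPath -FilterXPath $xpath |
    ForEach-Object {
        # $_.Properties is positional and unnamed; ToXml() keeps the
        # Name attributes, so read the fields by name from the XML.
        $x    = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Client = $data['Destination']   # assumed: the asking host
            QNAME  = $data['QNAME']
        }
    } |
    Where-Object { $_.QNAME -like $Pattern } |   # the wildcard the question wanted
    Tee-Object -Variable hits |                  # keep every hit for follow-up
    Group-Object Client |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# $hits now holds each matching event (time, client, queried name);
# e.g. $hits | Export-Csv .\dns-hits.csv -NoTypeInformation
```

Run it as `.\Find-DnsQuery.ps1 -Pattern '*nettlinx*' -HoursBack 24` (the file name is an assumption) to see which clients asked for the name from the question. The QNAME Data name is written in the casing the sample XML shows; the question's lowercase 'qname' evidently also matched, but matching the XML exactly avoids depending on that. If the matching is still too slow on the full export, tightening the XPath with an EventID once you have identified it from a few hits removes the other event types before any XML is parsed.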