Powershell get-winevent filterxpath wildcard


I'm attempting to query a DNS log to see which local computer requested a website address that contains 38.93.53.202-in-addr.arpa-nettlinx.com. I don't know what form this will take in the logs, and filtering using the event log is getting me nowhere (too slow).

I figure powershell can help me with this! I've exported the log so that I can leave a spare system parsing this while I do my day to day.

So far, I've found a script that almost does what I want. I've picked my test using one of the top entries in the log:

<EventData>
  <Data Name="TCP">0</Data> 
  <Data Name="InterfaceIP">192.168.1.1</Data> 
  <Data Name="Destination">192.168.1.2</Data>
  <Data Name="QNAME">rss.weather.com.</Data>

The code I've found that almost works is:

Get-WinEvent -Path 'C:\users\user\desktop\evtlog.evtx' -FilterXPath "*[EventData[ Data[@Name='qname']='rss.weather.com.']]"

Now, instead of 'rss.weather.com.', I'd like to be able to use a wildcard. For example, 'weather'. However, as far as I can tell, the filterxpath flag does not allow for this.

I've tried adding the most common entry I see on the internet:

contains(.,'weather')

As well as

contains(text(),'weather')

I've tried this in nearly every part of the code, with brackets, without brackets, with the equals sign, without, inside of data[]... I've literally exhausted every possibility I can think of or find reference to in the XML parsing language.

Is there any way to perform the type of query that I'm attempting? I'm trying to find a way to do this pre-pipe as the log is of a rather intimidating size.

EDIT: Here are most of the iterations I can think of that I've tried:

# Try 1
# "*[EventData[Data[@Name='qname' and contains(text(), 'weather')]]]"

# Try 2
# "*[EventData[ Data[@Name='qname'] contains(.,'weather')]]"

# Try 3
# "*[EventData[ Data[contains(.,'weather')]]]"

# Try 4
# "*[EventData[ Data[@Name='qname']=*[contains(.,'weather')]]]"

# Try 5
# "*[EventData[ Data[@Name='qname']=*contains(.,'weather')]]"

# Try 6
# "*[EventData[ Data[@Name='qname']=contains(.,'weather')]]"

# Try 7
# "*[EventData[ Data[@Name='qname']=[contains(.,'weather')]]]"

# Try 8
# "*[EventData[ contains(.,'weather') ]]"

# Try 9
# "*[EventData[ Data[@Name='qname'] like 'rss.weather.com.']]"

# Try 10
# "*[EventData[Data[@Name='QNAME']=*[contains(.,'rss.weather.com.')]]]"

# Try 11
# "*[EventData[ Data[@Name='qname']=*'weather.com.']]"

# Try 12
# "*[EventData[ Data[@Name='qname']=*['weather.com.']]]"

# Try 13
# "*[EventData[ Data[@Name='qname'] contains(.,'weather')]]"

# Try 14
# "*[EventData[ Data[@Name='qname'] [contains(.,'weather')]]]"

Best answer:

I happen to have recently taken a course on Powershell and was able to e-mail my instructor with this same question. He responded with the unfortunate answer that the reason my script isn't working is that xpath will not accept a wildcard for a non-tagged value.

For example, if the line of XML is:

<Data Name="InterfaceIP">192.168.1.1</Data>

then I can do a wildcard search for data name = *face* but I can't do a wildcard search for content outside of the <>.

Thank you all for your help!
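Given that limitation, the practical way to hunt for a substring in QNAME is to let Get-WinEvent read the exported log and do the match in the pipeline, pulling each EventData field by its Name attribute rather than by position. This is an added example, not code from the question or the answer; it assumes the log path from the question, the DNS event layout shown above (InterfaceIP, Destination, QNAME), and a constructed output path.

```powershell
# Added example (not from the original post): event-log XPath cannot do a substring
# match on element text, so match QNAME in the pipeline instead.
# Assumed: the exported log path from the question and the DNS event layout shown
# (Data elements named InterfaceIP, Destination, QNAME). Output path is constructed.
$LogPath = 'C:\users\user\desktop\evtlog.evtx'
$Needle  = '38.93.53.202-in-addr.arpa-nettlinx.com'   # substring to look for in QNAME
$Out     = 'C:\users\user\desktop\dns-hits.csv'        # assumed output location

# Escape the needle so dots and dashes are matched literally, not as regex metacharacters.
$rx = [regex]::Escape($Needle)

Get-WinEvent -Path $LogPath -Oldest -ErrorAction SilentlyContinue |
  ForEach-Object {
    # Parse the event XML once and index EventData fields by their Name attribute;
    # this survives field-order differences between event types in the same log.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['QNAME'] -match $rx) {
      [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        EventId     = $_.Id
        Destination = $data['Destination']   # assumed to hold the querying client's address
        InterfaceIP = $data['InterfaceIP']
        QNAME       = $data['QNAME']
      }
    }
  } |
  Export-Csv -Path $Out -NoTypeInformation
```

Events without an EventData section simply produce no hit, so the same pass can be run over a mixed log; the resulting CSV lists which client asked for the name and when.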