Grokking grokking, and well… Grokking DHCP Server Logs

Some people didn’t exactly grok my previous post, thus I would like to repost it again, this time prefaced with a bit of an explanation of what I meant by “grok.”

One of the problems of effective automation and scripting the double-edged sword of (a) achieving a solid enough understanding of what you really want to do, and (b) codifying it’s expression so that your computer also understands the problem. In computer vernacular, the verb grok, or grokking, as coined by Robert A. Heinlein in Stranger in a Strange Land, (see <http://en.wikipedia.org/wiki/Grok/>) means to assimilate a technical concept to the degree to which you become one with the topic at hand. In essence, grokking means achieving a state of fluency and mastery with processing particular concepts or data.

Recently, I wrote a note about how to extract the DHCP activity log table out of a DHCP Server log file on Windows Server using PowerShell. That example used static file names and expected that you were running the commands or script at the proper location, assumed to be within the DHCP folder (typically C:WindowsSystem32DHCP). Now let’s take a look at how to grab one or more of the many log files there. Consider the following PowerShell function:

function Get-DHCPLogFile( [string]$Day = “”, [int]$IPVersion = 4, [string]$LogName = “” ){
$LogFolder = “$env:SystemRootSystem32DHCP”
if( $LogName -eq “” ){
if( $Day -eq “” ){
$Day = [string](get-date).dayOfWeek.toString()[0..2] -replace ” “,””
}
switch( $IPVersion ){
4 { $base = “” }
6 { $base = “V6” }
default { $base = $IPVersion }
}
$LogName = “Dhcp{0}SrvLog-{1}.log” -f $base,$Day
}
# $LogName could be ‘*’ or ‘*.log’ for wildcard, or $Day could be ‘*’
Get-ChildItem $LogFolder$LogName
}

Simply invoking this function with no parameters would determine the current day, such as “Thu” for Thursday, and fetch today’s log. The above function doesn’t perform any log parsing or processing, but merely obtains references to the desired file or files. That’s one part of the equation. Combine with that the extraction of the DHCP activity log from a file described in my previous article, and we can start to actually process the log information.

function Extract-DHCPLogActivity( $file ){
$log = Get-Content $file
$x = ($log | Select-String “ID,Date,Time”).LineNumber-1
$y = $log.count-1
$dhcpLog = ($log[$x..$y] | ConvertFrom-CSV) # or via file for PowerShell v1.0
return $dhcpLog
}

Connecting both pieces, we have:

function Get-DHCPActivity( [string]$Day = “”, [int]$IPVersion = 4, [string]$LogName = “” ){
Get-DHCPLogFile $Day $IPVersion $LogName | %{Extract-DHCPLogActivity $_}
}

If we just want to see all of the activity from the current log file, we could invoke the Get-DHCPActivity function with no parameters. Based on the column headings defined in the CSV activity log part of the DHCP log files, the activity information from each line in the file has the following properties (attributes, fields), shown here with example values.

ID : 30
Date : 07/15/10
Time : 11:25:00
Description : DNS Update Request
IP Address : 10.10.0.65
Host Name : NYC-CL1.WoodgroveBank.com
MAC Address :
User Name :
TransactionID : 0
QResult : 6
ProbationTime :
CorrelationID. :

Now that we have the data in object form in PowerShell, we can use any of several lovely cmdlets for searching, selecting, and sorting that data to build a report, generate some statistics, create a history for a particular network or machine, which hopefully helps meet some DHCP troubleshooting or analysis goal. For example, if we want to find activity for a particular machine and a useful subset of that information, we could use the Where-Object (aliased as ‘?’) and Format-Table (aliased as ‘FT’) as follows:

get-dhcpactivity | ?{ _.’host name’ -match “NYC-CL1” } | FT id,time,’IP Address’,Description -auto

Naturally, if this is the sort of thing you would often do, you could write another little function such as:

function Get-DHCPClientActivity( $machine = $(hostname) ){
get-dhcpactivity | ?{ _.’host name’ -match $machine } | FT id,time,’IP Address’,Description -auto
}

Well, technically, using the hostname as a default for the machine name on a function which fetches files locally from a server wouldn’t be incredibly useful, however the main point is that you can easily customize such DHCP functions to meet your actual needs. If those actual needs include being able to run these tools remotely from a workstation against several servers and look for activity related to a collection of machines or about a certain subnet or scope, these functions could be augmented or extended to handle such needs.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.