DHCP Log Viewer
<#
Event ID Meaning
00 The log was started.
01 The log was stopped.
02 The log was temporarily paused due to low disk space.
10 A new IP address was leased to a client.
11 A lease was renewed by a client.
12 A lease was released by a client.
13 An IP address was found to be in use on the network.
14 A lease request could not be satisfied because the scope's address pool was exhausted.
15 A lease was denied.
16 A lease was deleted.
17 A lease was expired and DNS records for the expired lease have not been deleted.
18 A lease was expired and DNS records were deleted.
20 A BOOTP address was leased to a client.
21 A dynamic BOOTP address was leased to a client.
22 A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.
23 A BOOTP IP address was deleted after checking to see it was not in use.
24 IP address cleanup operation has begun.
25 IP address cleanup statistics.
30 DNS update request to the named DNS server.
31 DNS update failed.
32 DNS update successful.
33 Packet dropped due to NAP policy.
34 DNS update request failed as the DNS update request queue limit was exceeded.
35 DNS update request failed.
36 Packet dropped because the server is in failover standby role or the hash of the client ID does not match.
50+ Codes above 50 are used for Rogue Server Detection information.
QResult: 0: NoQuarantine, 1:Quarantine, 2:Drop Packet, 3:Probation,6:No Quarantine Information ProbationTime:Year-Month-Day Hour:Minute:Second:MilliSecond.
#>
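param (
    # Day span. A negative value -n selects the single log from n days ago,
    # a positive value n selects the last n days, 0 selects all logs.
    # Accepted range: -8 < span < 8.
    [int]$span,
    # Day(s) of week as three-letter names (mon..sun), or '*'.
    [alias('day')][string[]]$dow,
    # Regex mask for the event ID at the start of a log line.
    # '%renew' and '%dns' are shortcuts that are expanded further down.
    [alias('evt')][string]$eventId = '\d\d',
    # Show every log column instead of the reduced schema.
    [switch]$rawlog,
    # File name for a CSV export, written next to the script.
    [alias('save')][string]$export,
    # Target folder for copying the raw log files; '%' means the user's Downloads folder.
    [alias('copy')][string]$download,
    # DHCP server whose logs are read.
    [alias('computername')][string]$server
)

# The two preconditions are reported separately so that a missing -server
# is not misreported as a missing domain environment.
if (-not $env:userdnsdomain) {
    Write-Warning 'You are out of domain environment.'
    return
}
if (-not $server) {
    Write-Warning 'No DHCP server specified. Use -server <DHCP_server>.'
    return
}

Write-Host "DHCP Logs Viewer. v1.1"
Write-Host "USAGE: dhcplog [-span <day_span[]>] [-dow <day_of_week[]>] [-eventId <Id_mask>] [-rawlog] [-download <target_folder>|%] [-export <filename>] [-server <DHCP_server>]`n"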
# Header names applied to each parsed log line, in column order.
$colNames = 'ID,Date,Time,Description,IPAddress,HostName,MACAddress,UserName,TransactionID,QResult,Probationtime,CorrelationID,Dhcid,VendorClassHex,VendorClassId,UserClassHex,UserClassId,RelayAgentInformation,DnsRegError' -split ','

# Reduced view: Date and Time merged into one [datetime], the event ID taken
# from the part of the ID field after the last ':', then selected plain columns.
$logschema = @(
    @{n='Date'; e={[datetime]::parse("$($_.Date) $($_.Time)")}}
    @{n='EventID'; e={[int]$_.id.split(':')[-1]}}
) + ('Description,IPAddress,HostName,MACAddress,VendorClassId,UserName,RelayAgentInformation' -split ',')
# Disabled column kept for reference:
#@{n='MacAddress'; e={$_.MacAddress.toupper() -replace '(..(?!$))', '$1-'}}

# -rawlog shows every column unchanged.
if ($rawlog) {
    $logschema = $colNames
}

# The logs are read through the server's administrative share (c$): the account
# running the script needs access to that share, and the session connects to
# whatever host -server names, so pass only a known DHCP server.
$logfiles = "\\$server\c$\Windows\System32\dhcp\DhcpSrvLog-???.log"

# Three-letter day names as used in the log file names, Monday first.
$dowen = @('mon', 'tue', 'wed', 'thu', 'fri', 'sat', 'sun')

# Expand the event ID shortcuts into their regex masks.
switch ($eventId) {
    '%renew' { $eventId = '1[01]'; break }   # 10 = new lease, 11 = renewal
    '%dns'   { $eventId = '3[012]'; break }  # 30-32 = DNS update request/failed/successful
}
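# Work out which per-day log files to read. $timespan ends up as a regex
# alternation of three-letter day names ('mon|tue|...'); the default is today.
$today = [datetime]::now.DayOfWeek.ToString().substring(0,3)
$timespan = $today
if ($dow) {
    if ($dow -eq '*') {
        # '*' means every day. It must be expanded to the day names: used
        # literally it would become a regex quantifier and match no log file.
        $timespan = $dowen -join '|'
    }
    else {
        # Keep only recognised day names, so nothing else reaches the regex below.
        $dow = $dow | Where-Object {$_ -in $dowen}
        if ($dow) {$timespan = $dow -join '|'}
        else {
            Write-Warning "Incorrect day of week specified. Correct values are $($dowen -join ',')."
            return
        }
    }
}
elseif ($PSBoundParameters.ContainsKey('span')) { # -8 < $span < 8
    # DayOfWeek numbers Sunday as 0, while $dowen starts at Monday; hence the
    # "-1" offsets below (index -1 wraps to the last element, 'sun').
    $index = [datetime]::now.DayOfWeek.value__
    if ($span -eq 0) {$timespan = $dowen -join '|'} # all logs
    elseif ($span -eq 1) {$timespan = $today}
    elseif ($span -lt 0 -and $span -gt -8) { # $span days ago
        $index = $index + $span
        if ($index -lt 0) {$index = $index + 7}
        $timespan = $dowen[($index-1)]
    }
    elseif ($span -gt 1 -and $span -lt 8) { # for $span days
        # The lower bound matters: without it values of -8 and below would
        # enter this branch and index $dowen with an empty list instead of
        # reaching the warning.
        $dayindex = for ($i = 1; $i -le $span; $i++) {
            $t = $index - $i
            if ($t -lt 0) {$t + 7} else {$t}
        }
        $timespan = $dowen[$dayindex] -join '|'
    }
    else {
        Write-Warning 'Incorrect timespan specified. Correct values are (-8 < $span < 8).'
        return
    }
} # end dayspan

# The alternation is grouped and the name anchored so that every day name is
# matched as part of the full file name, not as a free-standing alternative.
$logpattern = '^DhcpSrvLog-(?:' + $timespan + ')\.log$'
$loglist = Get-ChildItem -path $logfiles | Where-Object name -match $logpattern
if (-not $loglist) {
    Write-Warning "Could not find DHCP logs by the query."
    return
}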
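# -download: copy the selected raw log files to a local folder and stop.
# The copies carry the same client IP, MAC, host and user names as the
# server-side logs, so the target folder should be access-restricted accordingly.
if ($download) {
    if ($download -eq '%') {$download = "$env:userprofile\downloads"}
    elseif (-not (Test-Path $download)) {
        # Discard the directory object so it does not leak into the script's output.
        $null = New-Item $download -ItemType Directory -ErrorAction Stop
        Write-Host 'New folder created.'
    }
    # Stop on a failed copy so that success is not reported for files that were not copied.
    Copy-Item -LiteralPath $loglist.FullName -Destination $download -ErrorAction Stop
    Write-Host 'Files downloaded.'
    return
}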
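# Anchor the event ID mask to the first CSV field: '^' at the start and the
# field-separating ',' at the end, unless the caller already supplied them.
if ($eventId[-1] -ne ',') {$eventId = "${eventId},"}
if ($eventId[0] -ne '^') {$eventId = "^$eventId"}

# In the reduced view, rows without an IP address are dropped; -rawlog keeps every row.
$logfilter = if ($rawlog) {{$_}} else {{$_.ipaddress}}

# Out-GridView emits nothing without -PassThru, so assigning the whole pipeline
# to $result left it empty and the export below wrote no rows. Tee-Object
# captures the records on their way to the grid instead.
$loglist | Select-String -Pattern $eventId -Encoding default -ErrorAction Ignore |
    ConvertFrom-Csv -Header $colNames |
    Where-Object $logfilter | Select-Object $logschema |
    Tee-Object -Variable result |
    Out-GridView -Title "Time span - $($timespan.replace('|',','))"

if ($export) {
    if ($result) {
        # The file is written next to the script. HostName and the vendor/user
        # class fields are supplied by DHCP clients, so treat the CSV as
        # untrusted data when opening it in a spreadsheet (formula cells).
        $result | Export-Csv (Join-Path $PSScriptRoot $export) -Delimiter ';' -Encoding UTF8 -NoTypeInformation
    }
    else {
        Write-Warning 'No records matched; nothing was exported.'
    }
}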