Yet another Microsoft Windows DNS server debug log to Splunk HTTP Event Collector (HEC) parser
# ------------------------------------------------------------------------------------------------------------------------ | |
# | |
# ya-msdnslog-to-hec.ps1: Yet another Microsoft Windows DNS server debug log to Splunk HTTP Event Collector(HEC) parser | |
# Written by Elazar Broad | |
# | |
# ------------------------------------------------------------------------------------------------------------------------ | |
<#
.SYNOPSIS
    Parses a Microsoft Windows DNS server debug log and forwards each entry to a
    Splunk HTTP Event Collector (HEC) endpoint.
.PARAMETER HECToken
    Splunk HEC token. It is sent in the Authorization header of every post, so keep it
    out of shared scripts and command histories.
.PARAMETER HECEndpoint
    Full URL of the HEC endpoint, typically http://my.splunk.server:8088/services/collector/event
.PARAMETER HECEventHost
    Optional "host" metadata field added to every event.
.PARAMETER HECEventSource
    Optional "source" metadata field added to every event.
.PARAMETER HECEventSourceType
    Optional "sourcetype" metadata field added to every event.
.PARAMETER HECEventIndex
    Optional "index" metadata field added to every event.
.PARAMETER DnsLogPath
    Path to the Windows DNS server debug log; must exist. Defaults to %WINDIR%\System32\dns\dns.log
.PARAMETER Continuous
    Follow the log file and keep posting new entries until interrupted.
.PARAMETER NewEventsOnly
    Skip entries already present in the log when the script starts.
#>
Param (
    [Parameter(Mandatory = $true)]
    [string] $HECToken,

    [Parameter(Mandatory = $true)]
    [string] $HECEndpoint,

    [Parameter()]
    [string] $HECEventHost,

    [Parameter()]
    [string] $HECEventSource,

    [Parameter()]
    [string] $HECEventSourceType,

    [Parameter()]
    [string] $HECEventIndex,

    [Parameter()]
    [ValidateScript({ Test-Path $_ })]
    [string] $DnsLogPath = (Join-Path $Env:WinDir "System32\dns\dns.log"),

    [Parameter()]
    [switch] $Continuous,

    [Parameter()]
    [switch] $NewEventsOnly
)
# Nasty regex to parse Windows DNS debug log entries.
# Group names *should be* CIM compliant. Fields appear in this order, single-space separated:
#   date, time (with AM/PM), thread_id (4 hex), context (7 chars), packet_id (16 hex),
#   transport (TCP|UDP), direction (3 chars), src_ip (15-char padded IPv4 or hex/colon IPv6),
#   transaction_id (4 hex), message_type ('R' or blank), query_type (Q/N/U/?),
#   '[' flags_hex (4 hex) flags_charcode (4 chars) reply_code ']', record_type (6 chars),
#   query (length-prefixed labels ending in "(0)").
# (?i) makes the hex classes accept lower-case digits as well.
# NOTE(review): the fixed-width groups assume the server's default column padding — confirm
# against logs from other DNS server builds before relying on every field.
[regex]$event_regex = '(?i)^(?<date>[\d\/]{8,10})\s(?<time>[\d\:]{7,8}\s[APM]{2})\s(?<thread_id>[\dA-F]{4})\s(?<context>.{7})\s(?<packet_id>[\dA-F]{16})\s(?<transport>(?:TC|UD)P)\s(?<direction>.{3})\s(?<src_ip>(?(?:\d{1,3}\.)[\d\.\s]{15}|[\dA-F\:]{1,45}))\s(?<transaction_id>[\dA-F\s]{4})\s(?<message_type>[R\s]{1})\s(?<query_type>[QNU?]{1})\s\[(?<flags_hex>[\dA-F]{4})\s(?<flags_charcode>[ATDR\s]{4})\s(?<reply_code>[^\]]+)\]\s(?<record_type>.{6})\s(?<query>.+?\(0\))$'
# Build HEC JSON payload and post it to the server | |
# Returns true/false depending on whether the post was successful | |
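function BuildAndPostHECEvent($event) {
    <#
    .SYNOPSIS
        Builds a Splunk HEC JSON payload around $event and POSTs it to $HECEndpoint.
    .DESCRIPTION
        The optional metadata members (host, source, sourcetype, index) are added only
        when the matching script parameter was supplied. Authentication uses the
        "Splunk <token>" Authorization header built from the script-level $HECToken.
    .PARAMETER event
        Hashtable of parsed DNS log fields; becomes the "event" member of the payload.
    .OUTPUTS
        [bool] $true when the server answered HTTP 200 with HEC response code 0,
        otherwise $false. Connection and HTTP errors are reported with Write-Warning
        and yield $false instead of terminating the caller's pipeline.
    #>
    $payload = @{}
    if ($HECEventHost)       { $payload.Add("host", $HECEventHost) }
    if ($HECEventSource)     { $payload.Add("source", $HECEventSource) }
    if ($HECEventSourceType) { $payload.Add("sourcetype", $HECEventSourceType) }
    if ($HECEventIndex)      { $payload.Add("index", $HECEventIndex) }
    $payload.Add("event", $event)

    try {
        # -UseBasicParsing avoids the Internet Explorer dependency on Windows PowerShell.
        # -ErrorAction Stop makes transport failures and non-2xx responses catchable so
        # the documented true/false contract holds instead of an unhandled exception.
        $response = Invoke-WebRequest -Uri $HECEndpoint `
                                      -Method Post `
                                      -ContentType "application/json" `
                                      -Body ($payload | ConvertTo-Json) `
                                      -Headers @{ "Authorization" = ("Splunk {0}" -f $HECToken) } `
                                      -UseBasicParsing `
                                      -ErrorAction Stop
    }
    catch {
        # Only the exception message is logged; the request (which carries the token) is not echoed.
        Write-Warning ("HEC post to {0} failed: {1}" -f $HECEndpoint, $_.Exception.Message)
        return $false
    }

    if ($response.StatusCode -ne 200) { return $false }
    # HEC acknowledges an accepted event with {"text":"Success","code":0}
    return (($response.Content | ConvertFrom-Json).code -eq 0)
}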
# Process events in the DNS log and post them to Splunk HEC | |
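function ReadEvents([int]$TailCount, [bool]$LiveTail) {
    <#
    .SYNOPSIS
        Streams the DNS debug log, parses each line that matches $event_regex and posts it to Splunk HEC.
    .PARAMETER TailCount
        When greater than 0, only the last $TailCount lines are read (Get-Content -Tail).
    .PARAMETER LiveTail
        When $true, the file is kept open and new lines are followed (Get-Content -Wait).
    .OUTPUTS
        One status string per event accepted by the HEC endpoint.
    #>
    # Splatting replaces the Invoke-Expression command string: $DnsLogPath is passed as a
    # bound argument, so a path containing spaces, quotes, '$' or ';' is used verbatim
    # instead of being re-parsed as PowerShell source.
    $gcParams = @{ Path = $DnsLogPath }
    if ($TailCount -gt 0) { $gcParams["Tail"] = $TailCount }
    if ($LiveTail)        { $gcParams["Wait"] = $true }

    Get-Content @gcParams | Where-Object { $_ -match $event_regex } | ForEach-Object {
        # $Matches holds the named groups from the -match above; drop the whole-line
        # match (key 0) so only the CIM-style field names remain.
        $Matches.Remove(0)
        $fields = @{}
        foreach ($key in $Matches.Keys) {
            $fields.Add($key, $Matches.Item($key).Trim())
        }

        # The query is logged as length-prefixed labels, e.g. "(3)www(7)example(3)com(0)".
        # Keep only labels whose length matches their prefix, then rebuild the name with ".".
        $labels = @(
            foreach ($m in ([regex]'\((\d+)\)([^\(]+)').Matches($fields.Query)) {
                if ($m.Groups[2].Value.Length -eq $m.Groups[1].Value) {
                    $m.Groups[2].Value
                }
            }
        )
        $fields.Query = ($labels -join ".")

        if (BuildAndPostHECEvent $fields) {
            "Event with query/transaction ID {0} successfully posted to Splunk!" -f $fields.transaction_id
        }
    }
}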
# Main | |
# -Tail 1 starts reading at the newest line, which is what "new events only" needs;
# 0 reads the whole file.
$tailLines = if ($NewEventsOnly.IsPresent) { 1 } else { 0 }

if ($Continuous.IsPresent) {
    Write-Output "Running in continuous mode, press Ctrl+C to exit..."
}

ReadEvents -TailCount $tailLines -LiveTail $Continuous.IsPresent
I am trying to send some DNS debug logs, but they are not reaching the Splunk server, and there is no error.
I tried the curl method:
curl -k http://ip:8088/services/collector/event -H "Authorization: Splunk BBD50988-968F-48B7-B64C-27496DAB7042" -d '{"event": "hello world"}'
It reached the server and I was able to see "hello world".