
@B0fH
Created March 23, 2017 02:11
Yet another Microsoft Windows DNS server debug log to Splunk HTTP Event Collector (HEC) parser
# ------------------------------------------------------------------------------------------------------------------------
#
# ya-msdnslog-to-hec.ps1: Yet another Microsoft Windows DNS server debug log to Splunk HTTP Event Collector(HEC) parser
# Written by Elazar Broad
#
# ------------------------------------------------------------------------------------------------------------------------
Param (
# Splunk HEC token; sent as "Authorization: Splunk <token>" on every POST to the collector
[Parameter(Mandatory=$true)][string]$HECToken,
# Full URL to the Splunk HEC endpoint, typically http://my.splunk.server:8088/services/collector/event
[Parameter(Mandatory=$true)][string]$HECEndpoint,
# Optional HEC metadata fields (host/source/sourcetype/index); each is added to the payload only when supplied
[Parameter()][string]$HECEventHost,
[Parameter()][string]$HECEventSource,
[Parameter()][string]$HECEventSourceType,
[Parameter()][string]$HECEventIndex,
# Path to the Windows DNS server debug log, defaults to %WINDIR%\System32\dns\dns.log; must exist when the script starts
[Parameter()][ValidateScript({Test-Path $_})][string]$DnsLogPath = (Join-Path $Env:WinDir "System32\dns\dns.log"),
# Keep the log open and forward lines as they are appended (Get-Content -Wait) until Ctrl+C
[Parameter()][switch]$Continuous,
# Tail the log instead of replaying it from the beginning
[Parameter()][switch]$NewEventsOnly
)
# Regex that parses one Windows DNS debug log entry; a line must match it end to end (^...$) to be forwarded.
# Named groups (intended to be CIM-compliant field names):
#   date, time              - "M/d/yyyy h:mm:ss AM|PM" style timestamp split in two
#   thread_id               - 4 hex chars;  packet_id - 16 hex chars;  context - 7 fixed-width chars
#   transport               - TCP or UDP;   direction - 3 fixed-width chars (Snd/Rcv in the log)
#   src_ip                  - .NET conditional group: a dotted IPv4 padded to 15 chars, otherwise up to 45 IPv6 chars
#   transaction_id          - 4 hex chars or spaces;  message_type - "R" (response) or blank
#   query_type              - one of Q N U ?;  flags_hex / flags_charcode / reply_code - the bracketed flags block
#   record_type             - 6 fixed-width chars;  query - length-prefixed labels ending in "(0)"
# NOTE(review): fixed widths (context, direction, src_ip padding) assume the default server log layout - confirm
# against the log if fields come out shifted.
[regex]$event_regex = '(?i)^(?<date>[\d\/]{8,10})\s(?<time>[\d\:]{7,8}\s[APM]{2})\s(?<thread_id>[\dA-F]{4})\s(?<context>.{7})\s(?<packet_id>[\dA-F]{16})\s(?<transport>(?:TC|UD)P)\s(?<direction>.{3})\s(?<src_ip>(?(?:\d{1,3}\.)[\d\.\s]{15}|[\dA-F\:]{1,45}))\s(?<transaction_id>[\dA-F\s]{4})\s(?<message_type>[R\s]{1})\s(?<query_type>[QNU?]{1})\s\[(?<flags_hex>[\dA-F]{4})\s(?<flags_charcode>[ATDR\s]{4})\s(?<reply_code>[^\]]+)\]\s(?<record_type>.{6})\s(?<query>.+?\(0\))$'
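# Build the HEC JSON payload for one parsed DNS event and POST it to the collector.
# Returns $true when the HTTP status is 200 and the HEC response body reports code 0,
# $false otherwise. A transport failure or non-success HTTP status (e.g. a rejected token)
# is reported with Write-Warning and yields $false instead of terminating the calling pipeline.
# NOTE(review): the parameter name $event shadows PowerShell's automatic $Event variable; it is
# kept for caller compatibility.
function BuildAndPostHECEvent($event) {
    # Optional metadata keys are only emitted when the corresponding script parameter was supplied
    $json = @{}
    if ($HECEventHost)       { $json.Add("host", $HECEventHost) }
    if ($HECEventSource)     { $json.Add("source", $HECEventSource) }
    if ($HECEventSourceType) { $json.Add("sourcetype", $HECEventSourceType) }
    if ($HECEventIndex)      { $json.Add("index", $HECEventIndex) }
    $json.Add("event", $event)
    try {
        # -UseBasicParsing avoids the Internet Explorer DOM dependency on Windows PowerShell 5.1
        $ret = Invoke-WebRequest -Uri $HECEndpoint `
            -Method Post `
            -ContentType "application/json" `
            -Body ($json | ConvertTo-Json) `
            -Headers @{"Authorization" = "Splunk {0}" -f $HECToken} `
            -UseBasicParsing
    }
    catch {
        # Report the endpoint and error only; the token in the Authorization header is deliberately not logged
        Write-Warning ("Failed to post event to HEC endpoint {0}: {1}" -f $HECEndpoint, $_.Exception.Message)
        return $false
    }
    return ($ret.StatusCode -eq 200 -and (($ret.Content | ConvertFrom-Json).code -eq 0))
}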
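# Read entries from the DNS debug log, parse each matching line into a hashtable of named fields
# and post it to HEC via BuildAndPostHECEvent.
#   -TailCount  when > 0, only the last N lines of the log are read (Get-Content -Tail)
#   -LiveTail   when $true, keep the file open and stream lines as they are appended (Get-Content -Wait)
# Lines that do not match $event_regex are skipped.
function ReadEvents([int]$TailCount, [bool]$LiveTail) {
    # Pass the Get-Content arguments as a splatted hashtable rather than a string fed to
    # Invoke-Expression: a log path containing spaces or quote characters would otherwise be
    # re-parsed as extra arguments (or code) instead of being treated as a single path.
    $gc_params = @{ Path = $DnsLogPath }
    if ($TailCount -gt 0) { $gc_params.Tail = $TailCount }
    if ($LiveTail)        { $gc_params.Wait = $true }
    Get-Content @gc_params | Where-Object { $_ -match $event_regex } | ForEach-Object {
        # Drop the whole-line match (key 0) so only the named groups become event fields
        $Matches.Remove(0)
        $event = @{}
        foreach ($key in $Matches.Keys) {
            $event.Add($key, $Matches.Item($key).Trim())
        }
        # The query is logged as length-prefixed labels, e.g. "(3)www(7)example(3)com(0)".
        # Keep only labels whose text length matches the prefix, then rejoin them with dots.
        $query_array = @()
        ([regex]'\((\d+)\)([^\(]+)').Matches($event.Query) | ForEach-Object {
            if ($_.Groups[2].Value.Length -eq [int]$_.Groups[1].Value) {
                $query_array += $_.Groups[2].Value
            }
        }
        $event.Query = ($query_array -join ".")
        if (BuildAndPostHECEvent($event)) {
            "Event with query/transaction ID {0} successfully posted to Splunk!" -f $event.transaction_id
        }
    }
}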
# Main: announce the mode, then hand the work to ReadEvents.
# -NewEventsOnly is passed as the tail count: $true coerces to 1, so only the last existing
# line is read before waiting for new ones, while $false (0) replays the whole log.
if ($Continuous) {
    Write-Output "Running in continuous mode, press Ctrl+C to exit..."
}
$tail_count = [int]$NewEventsOnly.IsPresent
ReadEvents -TailCount $tail_count -LiveTail $Continuous.IsPresent
@tonyxjoseph

I am trying to send some DNS debug logs, but it's not reaching the Splunk server, and there is no error.

i tried the curl method
curl -k http://ip:8088/services/collector/event -H "Authorization: Splunk BBD50988-968F-48B7-B64C-27496DAB7042" -d '{"event": "hello world"}'

it reached the server and i was able to see hello world
