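# Fetch-Canary-Syslog.ps1
# Pulls the queued Canary events from the configured Cloudflare Worker URL and
# forwards each line over UDP to a syslog collector. When the collector fqdn is
# left at its placeholder value the events are appended to a local file instead.
# All settings come from Fetch-Canary-Syslog-Config.xml.

# NOTE: the path is resolved against the current working directory, not the
# script's own folder, so run the script from the directory holding the config.
$ConfigFile = '.\Fetch-Canary-Syslog-Config.xml'
$ConfigParams = [xml](Get-Content -Path $ConfigFile -ErrorAction Stop)

# Initialize configuration variables from config xml file
$WorkerURL    = $ConfigParams.configuration.cloudflare.URL.value
# Shared secret sent verbatim as the 'auth' request header; restrict read access to the config file accordingly.
$WorkerAuth   = $ConfigParams.configuration.cloudflare.auth.value
$SyslogTarget = $ConfigParams.configuration.syslog.fqdn.value
$SyslogPort   = $ConfigParams.configuration.syslog.port.value
$OutputFile   = $ConfigParams.configuration.file.canarylogs.value

# The placeholder shipped in the sample config means "no syslog server" and
# selects the local-file fallback. Decide once here rather than per message.
$SyslogPlaceholder = 'syslog.hostname.here'
$UseSyslog = ($SyslogTarget -ne $SyslogPlaceholder)

# Force TLS 1.2
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Request the queued Canary events (-UseBasicParsing ensures we don't use the deprecated IE HTML renderer)
# Invoke-WebRequest raises a terminating error on HTTP failure codes, so only a
# success response reaches the status check below.
$Response = Invoke-WebRequest -Uri $WorkerURL -Headers @{ 'auth' = $WorkerAuth } -UseBasicParsing -ErrorAction Stop
if ($Response.StatusCode -eq 204) { exit 0 } # Nothing to process - resultset is empty

# One event per line in the response body; blank lines are dropped.
$Content = $Response.Content
$SyslogArray = $Content.Split([Environment]::NewLine, [StringSplitOptions]::RemoveEmptyEntries)

$UdpClient = $null
try {
    # Prepare the Syslog UDP socket
    if ($UseSyslog) {
        $UdpClient = New-Object System.Net.Sockets.UdpClient $SyslogTarget, ([int]$SyslogPort)
    }

    ForEach ($SyslogEntry in $SyslogArray) {
        # Convert message to array of ASCII bytes.
        # ASCII is lossy: any non-ASCII character in an event is replaced by '?'.
        $bytearray = [System.Text.Encoding]::ASCII.GetBytes($SyslogEntry)

        if ($UseSyslog) {
            # Send the Syslog message... (UDP, so there is no delivery confirmation)
            $UdpClient.Send($bytearray, $bytearray.Length) | Out-Null
        }
        else {
            # No syslog server was specified in the configuration file, so output to a local file
            Add-Content -Path $OutputFile -Value $SyslogEntry
        }
    }
}
finally {
    # Release the socket on every exit path, including a failure mid-loop.
    if ($null -ne $UdpClient) { $UdpClient.Close() }
}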