Indented! » SysLog http://www.indented.co.uk Mon, 17 Oct 2011 19:03:30 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 NetShell http://www.indented.co.uk/index.php/2010/11/25/netshell/ http://www.indented.co.uk/index.php/2010/11/25/netshell/#comments Thu, 25 Nov 2010 19:56:50 +0000 Chris http://www.indented.co.uk/?p=1561 Yet Another Related Posts Plugin.]]> It’s been a while since I’ve posted, and since it’s almost Christmas I thought I’d better get on with it.

Without further ado I want to post NetShell (I’m not very good at coming up with imaginative names). NetShell is a collection of 17 functions and a few supporting functions in a script module.

Download NetShell

Installation is a manual process, but not too hard. Open up Documents\WindowsPowerShell\Modules, extract the ZIP file. Make sure it includes the NetShell folder or it won’t work. The module is not currently signed, something else on the to-do list. Once it’s there, Import-Module NetShell and off you go.

It includes the following:

ConvertTo-BinaryIP Converts an IP address into a binary string
ConvertTo-Byte A supporting function, a simple conversion of a string to a byte array (ASCII encoding)
ConvertTo-DecimalIP Converts an IP address to 32-bit decimal number
ConvertTo-DottedDecimalIP Converts a binary or 32-bit decimal back to an IP
ConvertTo-Mask Converts from a mask length. For example, gets you from 22 to 255.255.252.0
ConvertTo-MaskLength Converts from the IP form of a mask to the length
ConvertTo-String Another supporting function, converts a byte array to a string (ASCII encoding)
Get-BroadcastAddress Returns the broadcast address for the specified IP address and subnet mask
Get-NetworkAddress Returns the network address for the specified IP address and subnet mask
Get-NetworkRange Returns every IP within the specified range
Get-NetworkSummary Everything about an IP address and mask I considered useful
New-DhcpDiscoverPacket A supporting function for Send-DhcpDiscover. Creates the packet to send (a large byte array)
New-Socket Creates an instance of System.Net.Sockets.Socket, an arbitrary network socket to do with as you please.
New-SysLogDateTime A supporting function to create a DateTime string in the format SysLog likes.
Read-DhcpOption A supporting function to read off an Option from a DHCP packet. Needs to be fed the Extended.BinaryReader class at the top of the module.
Read-DhcpPacket Creates and uses an instance of Extended.BinaryReader to process a DHCP packet and translate the fields.
Receive-Bytes Receives a stream of bytes from the network using a socket
Remove-Socket Cleans up after New-Socket
Send-Bytes Sends an arbitrary byte array over the network using a socket
Send-DhcpDiscover Creates and sends a DHCPDISCOVER packet, then processes and returns the response
Start-Syslog Starts a SysLog server. No termination for this one at the moment. Needs a bit more work.
Test-Smtp Does the SMTP test you normally wind up doing with telnet, returning all the results along with the SMTP banner.
Test-SysLogDateTime A supporting function to check the format of a DateTime that may or may not be present in a SysLog message.
Test-SysLogPRI A supporting function to test of the PRI value in a SysLog message.
Test-TcpPort Returns a boolean indicating whether or not the port connection succeeded.

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

]]> http://www.indented.co.uk/index.php/2010/11/25/netshell/feed/ 1 SysLog in PowerShell http://www.indented.co.uk/index.php/2009/12/01/syslog-in-powershell/ http://www.indented.co.uk/index.php/2009/12/01/syslog-in-powershell/#comments Tue, 01 Dec 2009 16:01:07 +0000 Chris http://www.highorbit.co.uk/?p=1215 Yet Another Related Posts Plugin.]]> I bumped into a requirement to run a SysLog relay on one of my Windows 2008 R2 systems. After poking around on Google, and after getting a bit bored with the third-party offerings, I threw together a simple server of my own.

There is plenty of room for improvement here, but it works (for me at least) as it stands.

Written for and tested under PowerShell 2.0. The script could probably use some error handling.

# SysLog.ps1
#
# A basic SysLog server. Behaviour should be fairly consistent with
# RFC 3164 (http://www.ietf.org/rfc/rfc3164.txt).

# Network Configuration

$SysLogPort = 514                  # Default SysLog Port
$Buffer = New-Object Byte[] 1024   # Maximum SysLog message size

# Server Configuration

$EnableMessageValidation = $True   # Enable check of the PRI and Header
$EnableRelay = $True               # Enable relay to $RelayTargetIP
$EnableLocalLogging = $True        # Enable local logging of received messages
$EnableConsoleLogging = $False     # Enable logging to the console
$EnableHostNameLookup = $True      # Lookup hostname for connecting IP
$EnableHostNamesOnly = $True       # Uses Host Name only instead of FQDNs

$RelayTargetIP = "10.0.0.1"        # Must be an IP Address
$LogFolder = "C:\SysLog\LogFiles"  # Path must exist

# Global variables used to store day and date-stamp for log roll-over

$Day = (Get-Date).Day
$DateStamp = (Get-Date).ToString("yyyy.MM.dd")

# Relay Initialisation

If ($EnableRelay)
{
  $RelayTarget = [Net.IPAddress]::Parse($RelayTargetIP)
  $RelayTargetEndPoint = New-Object Net.IPEndPoint($RelayTarget, $SysLogPort)
}

# A launcher for the process
#
# Caller: Manual / Script

Function Start-SysLog
{
  $Socket = CreateSocket
  StartReceive $Socket
}

# Create and bind to the socket
#
# Caller: Start-SysLog

Function CreateSocket
{
  $Socket = New-Object Net.Sockets.Socket(
    [Net.Sockets.AddressFamily]::Internetwork,
    [Net.Sockets.SocketType]::Dgram,
    [Net.Sockets.ProtocolType]::Udp)

  $ServerIPEndPoint = New-Object Net.IPEndPoint(
    [Net.IPAddress]::Any,
    $SysLogPort)

  $Socket.Bind($ServerIPEndPoint)

  Return $Socket
}

# Recieve a single message
#
# Caller: Start-SysLog

Function StartReceive([Net.Sockets.Socket]$Socket)
{
  # Placeholder to store source of incoming packet
  $SenderIPEndPoint = New-Object Net.IPEndPoint([Net.IPAddress]::Any, 0)
  $SenderEndPoint = [Net.EndPoint]$SenderIPEndPoint

  $ServerRunning = $True
  While ($ServerRunning -eq $True)
  {
    $BytesReceived = $Socket.ReceiveFrom($Buffer, [Ref]$SenderEndPoint)
    $Message = $Buffer[0..$($BytesReceived - 1)]

    $Message = ValidateMessage $Message $SenderEndPoint.Address.IPAddressToString

    If ($EnableRelay)
    {
      RelayMessage $Socket $Message
    }
  }
}

# Relay the message to an upstream SysLog server. Either basic forwarding,
# or full validation.
#
# Caller: StartReceive

Function RelayMessage([Net.Sockets.Socket]$Socket, [Byte[]]$Message)
{
  [Void]$Socket.SendTo($Message, $RelayTargetEndPoint)
}

# Check the validity of the message (if option is enabled). Adjust message
# according to recommendations in RFC 3164.
#
# Caller: StartReceive

Function ValidateMessage([Byte[]]$Message, [String]$HostName)
{
  If ($EnableMessageValidation)
  {
    $MessageString = [Text.Encoding]::ASCII.GetString($Message)

    If (IsValidPRI($MessageString))
    {
      If (!(IsValidDateTime($MessageString)))
      {
        $PRI = [Int]($MessageString -Replace "<|>.*")
        $HostName = GetHostName $HostName
        $MessageString = "<$PRI>$(NewDateTimeString) $HostName $MessageString"
        $Message = EncodeMessage $MessageString
      }
    }
    Else
    {
      $HostName = GetHostName $HostName
      $MessageString = "<13>$(NewDateTimeString) $HostName $MessageString"
      $Message = EncodeMessage $MessageString
    }
  }
  If ($EnableLocalLogging -Or $EnableConsoleLogging)
  {
    If ($MessageString -eq $Null)
    {
      $MessageString = [Text.Encoding]::ASCII.GetString($Message)
    }
    If ($EnableLocalLogging) { WriteToLog $MessageString $HostName }
    If ($EnableConsoleLogging) { Write-Host $MessageString }
  }
  Return $Message
}

# Validate the PRI (Priority Field - Facility and Severity)
# No parsing is performed. No network prioritisation is implemented
#
# Caller: ValidateMessage

Function IsValidPRI([String]$MessageString)
{
  If ($MessageString.SubString(0, 1) -ne "<")
  {
    Return $False
  }
  If (!$MessageString.SubString(2, 3).Contains(">"))
  {
    Return $False
  }

  $PRI = [Int]($MessageString -Replace "<|>.*")
  # PRI = (Facility * 8) + Severity. Maximum and minimum values from RFC 3164
  If ($PRI -lt 1 -Or $PRI -gt 191)
  {
    Return $False
  }
  Return $True
}

# Validate the TimeStamp formatting
#
# Caller: ValidateMessage

Function IsValidDateTime([String]$MessageString)
{
  $IsValid = $False
  If ($MessageString -Match "(?<=\>)\w{3}\s\s?\d{1,2}\s(\d\d:){2}\d\d(?=\s)")
  {
    $Date = New-Object DateTime
    ForEach ($Format in @("MMM  d hh:mm:ss", "MMM dd hh:mm:ss"))
    {
      $Date = New-Object DateTime
      $IsValid = [DateTime]::TryParseExact(
        $Matches[0],
        $Format,
        [Globalization.CultureInfo]::InvariantCulture,
        [Globalization.DateTimeStyles]::AssumeUniversal,
        [Ref]$Date)
      If ($IsValid) { Return $True }
    }
  }
  Return $False
}

# Create a new DateTime String
#
# Caller: ValidateMessage

Function NewDateTimeString
{
  $Date = (Get-Date).ToUniversalTime()
  If ($Date.Day -lt 10)
  {
    Return $Date.ToString("MMM  d HH:mm:ss")
  }
  Return $Date.ToString("MMM dd HH:mm:ss")
}

# Attempt to lookup the HostName if an IP value was passed.
# [Net.Dns]::GetHostEntry fails to return if a Forward Lookup record
# does not exist. NsLookup as a simple alternative.
#
# Caller: ValidateMessage

Function GetHostName([String]$HostName)
{
  If (!$EnableHostNameLookup) { Return $HostName }
  If ([Net.IPAddress]::TryParse($HostName, [Ref]$Null))
  {
    $Temp = (nslookup -q=ptr $HostName | ?{ $_ -Like "*name = *" })
    $Temp = $Temp -Replace ".*name = "
    If ($Temp -ne [String]::Empty) { $HostName = $Temp }
  }
  If ($EnableHostNamesOnly)
  {
    Return $HostName.Split(".")[0]
  }
  Return $HostName
}

# Returns a Byte Array representation of the original message.
# If the length is greater than 1024 Bytes the array is truncated
# as stipulated under RFC 3164.
#
# Caller: ValidateMessage

Function EncodeMessage([String]$MessageString)
{
  $Message = [Text.Encoding]::ASCII.GetBytes($MessageString)
  If ($Message.Length -gt 1024)
  {
    Return $Message[0..1023]
  }
  Return $Message
}

# Maintain a per-host log file in the $LogFolder
# Script does not clean up old log files
#
# Caller: ValidateMessage

Function WriteToLog([String]$MessageString, [String]$HostName)
{
  # Simple time based roll-over check
  If ((Get-Date).Day -ne $Day)
  {
    $Day = (Get-Date).Day
    $DateStamp = (Get-Date).ToString("yyyy.MM.dd")
  }

  $LogFile = "$LogFolder\$HostName-$DateStamp.log"
  $MessageString >> $LogFile
}

# Start the server

Start-SysLog

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

]]> http://www.indented.co.uk/index.php/2009/12/01/syslog-in-powershell/feed/ 3