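# NXLog agent configuration: collect Windows DNS Server ETW events, batch them
# into a JSON array and POST each batch to the workspace endpoint under
# ods.opinsights.azure.com.
#
# NOTE(review): the extracted listing had lost its section tags, so the
# <Extension>/<Input>/<Output>/<Route>/<Exec> boundaries below are
# reconstructed. The instance names DNS_Logs and AzureHTTP come from the Path
# line and plxm from the plxm->call() statement. The names "_json" and
# "dns_to_azure" are constructed for this listing -- confirm them against the
# deployed file.

<Extension _json>
    Module      xm_json
</Extension>

<Input DNS_Logs>
    Module      im_etw
    Provider    Microsoft-Windows-DNSServer
    <Exec>
        # Label each record by event-ID range, then serialise it to JSON.
        if $EventID >= 256 and $EventID <= 286 $DNS_LogType = 'Analytical';
        if $EventID >= 512 and $EventID <= 596 $DNS_LogType = 'Audit';
        to_json();
    </Exec>
</Input>

# Workspace credentials. SHAREDKEY is a secret held in plain text: anyone who
# can read this file can sign requests for the workspace. Treat the values
# printed here as samples. In a deployment, restrict read access to the file
# (or move these two defines into a separately protected file pulled in with
# the include directive) and rotate the key if the file has been shared.
define WORKSPACE    18fb21ab-d8d4-4448-bdf6-3748c9c03135
define SHAREDKEY    VfIQqBoz6fxmnI/E4PKVPza2clH/YAdJ20RnCDwzHCqCMnobYdM1/dD1+KJ6cI6AkR4xPJlTIWI/jfwPU6QHmw==
define SUBDOMAIN    ods.opinsights.azure.com
define RESOURCE     api/logs
define APIVER       api-version=2016-04-01
# Threshold compared against size() of the pending batch in the output below.
define SIZELIMIT    65000

<Extension plxm>
    Module      xm_perl
    PerlCode    %INSTALLDIR%\modules\extension\perl\sentinelauth.pl
</Extension>

<Output AzureHTTP>
    Module              om_http
    URL                 https://%WORKSPACE%.%SUBDOMAIN%/%RESOURCE%?%APIVER%
    ContentType         application/json
    # Was TRUE. With TRUE the server certificate is not verified, so
    # HTTPSCAFile has no effect and any host able to intercept the connection
    # receives the DNS logs together with the Authorization header. FALSE
    # makes the CA bundle below the trust anchor for the endpoint.
    HTTPSAllowUntrusted FALSE
    HTTPSCAFile         %INSTALLDIR%\cert\ca-certificates.crt
    <Exec>
        # 'ec' counts events, 'bc' counts flushed batches. 'batch' holds the
        # pending comma-separated JSON records and 'nextbatch' carries the
        # record that triggered a flush over into the following batch.
        create_stat('ec', 'COUNT');
        create_stat('bc', 'COUNT');
        create_var('batch');
        create_var('nextbatch');

        add_stat('ec',1);

        #---BEGIN--- the enrichment of this event with any new fields:
        # The following can be used for debugging batch mode if needed:
        $BatchNumber = get_stat('bc');
        $EventNumber = get_stat('ec');
        # Re-serialise so the fields added above are part of $raw_event.
        to_json();
        #---END--- the enrichment of this event

        if (size(get_var('batch')) + size($raw_event) + 3) > %SIZELIMIT%
        # Flush this batch of events
        {
            # The current record does not fit: keep it for the next batch and
            # turn the pending records into one JSON array for this request.
            set_var('nextbatch', $raw_event);
            $raw_event = '[' + get_var('batch') + ']';
            add_stat('bc',1);
            set_var('batch',get_var('nextbatch'));

            # Inputs for the signing routine. They are set after the last
            # to_json(), so they are not part of $raw_event. They do stay on
            # the record, so do not add a later to_json() or a dump of the
            # whole record in this branch: it would expose the shared key.
            $Workspace = "%WORKSPACE%";
            $SharedKey = "%SHAREDKEY%";
            $ContentLength = string(size($raw_event));

            # Build the x-ms-date value in '%a, %d %b %Y %T GMT' form.
            # NOTE(review): the round trip through parsedate(..., FALSE) looks
            # intended to keep the timestamp in UTC -- confirm on a host whose
            # local time zone is not UTC, since the signed date must match.
            $dts = strftime(now(),'YYYY-MM-DDThh:mm:ssUTC');
            $dts_no_tz = replace($dts,'Z','');
            $parsedate_utc_false = parsedate($dts_no_tz,FALSE);
            $x_ms_date = strftime($parsedate_utc_false, '%a, %d %b %Y %T GMT');

            # genauth is defined in sentinelauth.pl, which is not shown here.
            # Presumably it reads the fields set above and sets $authorization
            # -- verify against that script.
            plxm->call("genauth");
            add_http_header('Authorization',$authorization);
            add_http_header('Log-Type',$SourceModuleName);
            add_http_header('x-ms-date',$x_ms_date);
        }
        else
        {
            # Still under the limit: append the record to the pending batch
            # and suppress the individual send. Only the very first event
            # (ec == 1) is appended without a leading separator.
            # NOTE(review): a batch is posted only when a later event pushes
            # it over the limit. No timer or shutdown flush is visible here,
            # so the tail of the stream can be delayed or lost on restart.
            $delimiter = get_stat('ec') == 1 ? '' : ",\n";
            set_var('batch', get_var('batch') + $delimiter + $raw_event);
            drop();
        }
    </Exec>
</Output>

<Route dns_to_azure>
    Path    DNS_Logs => AzureHTTP
</Route>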