I had the occasion recently to work with a customer whose domain controllers were disconnected from the Internet, but who still wanted to ingest the server event logs into Azure Sentinel.
Sifting through research, I found there’s a myriad of ways to do it (including standing up a Log Analytics gateway), but one of the requirements was to accomplish it quickly and easily. So, I immediately dusted off my PowerShell chops.
The simple PowerShell script contained below is used to export the event logs (Application, System, and/or Security) from a disconnected server to a folder that resides on a server/workstation that is connected. The Log Analytics agent is installed on the connected system and a Custom Log data source is configured in the Log Analytics workspace for Azure Sentinel. This procedure essentially turns a connected system into a Windows-based forwarder for disconnected systems.

PowerShell script
I’ve documented the PowerShell script pretty well. Note that I can’t take full credit for all the PowerShell components. Much of it was cobbled together from snippets I already had laying around in a scripting folder on OneDrive that I’ve been collecting for years.
Take note that you can:
- Schedule it to run periodically.
- Modify the number of days to retrieve events.
- Enter any number of hostnames (or just 1).
- Modify it to only retrieve the logs you want (it currently retrieves Application, System, and Security).
- Alter the types of events you want to export. If you want ALL events, comment out the TypesofEvents variable line at the top and also remove -EntryType $TypesofEvents from the Get-EventLog call in the foreach loop.
- Change the folder to write the export to.
#Schedule it using this: PowerShell.exe -ExecutionPolicy ByPass -File eventexport.ps1
Set-Variable -Name EventAge -Value 1 #Sets the number of days that will be exported
Set-Variable -Name ServerNames -Value @("Server1", "Server2", "Server3", "Server4") #Replace with your own Server name or names
Set-Variable -Name Logs -Value @("Application", "System", "Security") # Checking app, system, and security logs - only use what you want/need
Set-Variable -Name TypesofEvents -Value @("Error", "Warning") # Loading only Errors and Warnings
Set-Variable -Name ExportFolder -Value "C:\TEMP\"
$exportlog_c = @() #consolidated event log (all servers, all logs)
$now = Get-Date
$startdate = $now.AddDays(-$EventAge)
$ExportFile = $ExportFolder + "exportlog" + $now.ToString("yyyy-MM-dd---hh-mm-ss") + ".csv"
foreach ($comp in $ServerNames)
{
    foreach ($log in $Logs)
    {
        Write-Host "Processing $comp\$log"
        # Pull only events newer than $startdate of the requested entry types from the remote host
        $exportlog = Get-EventLog -ComputerName $comp -LogName $log -After $startdate -EntryType $TypesofEvents
        $exportlog_c += $exportlog #consolidating
    }
}
# Sort the consolidated set chronologically before writing it out
$exportlog_sorted = $exportlog_c | Sort-Object TimeGenerated
Write-Host "Exporting to $ExportFile"
$exportlog_sorted | Select-Object EntryType, TimeGenerated, Source, EventID, MachineName | Export-Csv $ExportFile -NoTypeInformation
Write-Host "Done!"
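As an added example (not the post's own script), the same export rewritten around Get-WinEvent, which the customization bullets above map onto naturally and which generalizes the original: -FilterHashtable reads the newer Microsoft-Windows-* channels as well as the classic three logs, filtering happens on the remote host so only matching records cross the network, a per-host try/catch keeps one unreachable server from stopping the whole run, and multi-line event messages are flattened so the Custom Log data source's newline record delimiter is not broken. The host names, folder and level list are placeholders; it assumes the account running the scheduled task has remote Event Log read rights on each host (Security log reads need elevated rights).

```powershell
# Added example, not the post's own script: export with Get-WinEvent instead of Get-EventLog.
# Host names and folder are placeholders; the running account is assumed to have remote
# Event Log read rights on every host listed.
param(
    [int]      $EventAge     = 1,                                    # days of history to export
    [string[]] $ServerNames  = @("Server1", "Server2"),              # placeholder host names
    [string[]] $Logs         = @("Application", "System", "Security"),
    [int[]]    $Levels       = @(1, 2, 3),                            # 1 = Critical, 2 = Error, 3 = Warning; pass @() for all levels
    [string]   $ExportFolder = "C:\TEMP\"
)

$now        = Get-Date
$startDate  = $now.AddDays(-$EventAge)
$exportFile = Join-Path $ExportFolder ("exportlog" + $now.ToString("yyyy-MM-dd---HH-mm-ss") + ".csv")
$collected  = @()

if (-not (Test-Path $ExportFolder)) {
    New-Item -ItemType Directory -Path $ExportFolder | Out-Null
}

foreach ($comp in $ServerNames) {
    foreach ($log in $Logs) {
        Write-Host "Processing $comp\$log"

        # Server-side filter: only records newer than $startDate (and of the chosen levels) are returned.
        $filter = @{ LogName = $log; StartTime = $startDate }
        if ($Levels.Count -gt 0) { $filter.Level = $Levels }

        try {
            $collected += Get-WinEvent -ComputerName $comp -FilterHashtable $filter -ErrorAction Stop
        }
        catch {
            # Get-WinEvent reports an empty result as an error; that is not a failure of the host.
            if ($_.Exception.Message -like 'No events were found*') { continue }
            Write-Warning "Skipping $comp\$log : $($_.Exception.Message)"
        }
    }
}

$collected |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, MachineName, LogName, LevelDisplayName, ProviderName, Id,
        @{ Name = 'Message'; Expression = { $_.Message -replace '\r?\n', ' ' } } |
    Export-Csv -Path $exportFile -NoTypeInformation -Encoding UTF8

Write-Host "Exported $($collected.Count) events to $exportFile"
```

Schedule it the same way as the original (PowerShell.exe -ExecutionPolicy Bypass -File the-script.ps1 -ServerNames dc01,dc02 -EventAge 2) and point the Custom Log data source at a wildcard path such as C:\TEMP\exportlog*.csv so each timestamped file is picked up. Because the CSV is what crosses from the disconnected side to the connected forwarder, keep the folder write-restricted to the task account: anything that can write into it can inject records into the workspace.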
Thoughts? Comments? Have a better way to do it? Let me know.
OR — why not work out your own solution and participate in our 1st-ever Azure Sentinel Hackathon?
THERE ARE PRIZES!