This topic is not brand new, there exists plenty of solutions to forward Windows event logs to Logstash (OSSEC, Snare or NXlog amongst many others). They perform a decent job to collect events on running systems but they need to deploy extra piece of software on the target operating systems. For a specific case, I was looking for a solution to quickly transfer event logs from a live system without having to install extra software.

The latest versions of the Microsoft Windows come with Powershell installed by default. Powershell is, as defined by Wikipedia, a task automation and configuration management framework. PowerShell 3 introduced nice cmdlets to convert data from/to JSON which is a format natively supported by Logstash. The goal is to have a standalone Powershell script executed from a share or a read-only USB-stick that will process Windows event logs and send them to a remote preconfigured Logstash server on a specific TCP port.

The first step is to prepare our Logstash environment to receive new events. Let’s create a new input and store received events to a dedicated index (it will be easier to investigate the collected data):

input {
    tcp {
        port => 5001
        type => 'eventlog'
        code => json {
            charset => 'UTF-8'
        }
    }
}

filer {
    if [type == 'eventlog' {
        grok {
            match => [ 'TimeCreated', "Date(%{NUMBER:timestamp})" ]
        }
        date {
            match => [ 'timestamp', 'UNIX_MX' 
        }
    }
output {
    if [type == 'eventlog' {
        elasticsearch {
            host => 'localhost'
            port => 9300
            node_name => 'forensics'
            cluster => 'forensics-cluster'
            index => 'logstash-evenlog-%{+YYYY.MM.dd}'
       }
    }
}

The Powershell script collects event logs via the cmdled Get-WinEvent and convert them in JSON format with ConvertTo-Json. The fact that Logstash expects one event per line, data received by Get-WinEvent are converted to an array and processed in a loop. Before sending the event via a TCP session, ‘r’ and ‘n’ are removed. Edit the script, change the destination IP/port and just execute the script to send a copy of all the event logs to your Logstash (take care, it could overload your server). A few minutes later (depending on the amount of data to index), you’ll be able to investigate the events from your favourite Kibana session:

Some remarks:

• The script must be run by an administrator to access all eventlogs (especially “security”).
• It is possible to automate the export of event logs via an automated task and by applying a filter to get-WinEvent. In the following example, events for the last hour are processed:
  $start = (get-date).addhours(-1)
  $data = get-winevent -FilterHashtable @{logname=”*”;starttime=$start}

The script is available in my github.com repository.