Sending Windows Event Logs to Logstash

This topic is not brand new: there are plenty of solutions to forward Windows event logs to Logstash (OSSEC, Snare or NXlog, amongst many others). They do a decent job of collecting events on running systems, but they require deploying an extra piece of software on the target operating system. For a specific case, I was looking for a solution to quickly transfer event logs from a live system without having to install extra software.

The latest versions of Microsoft Windows come with PowerShell installed by default. PowerShell is, as defined by Wikipedia, a task automation and configuration management framework. PowerShell 3 introduced convenient cmdlets to convert data from/to JSON, a format natively supported by Logstash. The goal is to have a standalone PowerShell script, executed from a share or a read-only USB stick, that processes the Windows event logs and sends them to a remote, preconfigured Logstash server on a specific TCP port.

The first step is to prepare our Logstash environment to receive the new events. Let’s create a new input and store the received events in a dedicated index (it will be easier to investigate the collected data):

input {
    tcp {
        port => 5001
        type => 'eventlog'
        # one JSON document per line, as produced by the PowerShell script
        codec => json {
            charset => 'UTF-8'
        }
    }
}

filter {
    if [type] == 'eventlog' {
        # ConvertTo-Json serializes DateTime values as "\/Date(<ms since epoch>)\/"
        grok {
            match => [ 'TimeCreated', "Date(%{NUMBER:timestamp})" ]
        }
        date {
            match => [ 'timestamp', 'UNIX_MS' ]
        }
    }
}

output {
    if [type] == 'eventlog' {
        elasticsearch {
            host => 'localhost'
            port => 9300
            node_name => 'forensics'
            cluster => 'forensics-cluster'
            index => 'logstash-eventlog-%{+YYYY.MM.dd}'
        }
    }
}

The PowerShell script collects event logs via the Get-WinEvent cmdlet and converts them to JSON with ConvertTo-Json. Because Logstash expects one event per line, the data returned by Get-WinEvent is converted to an array and processed in a loop. Before sending each event over the TCP session, carriage returns (\r) and line feeds (\n) are removed so that the JSON document fits on a single line. Edit the script, change the destination IP/port and simply execute it to send a copy of all the event logs to your Logstash instance (take care, it could overload your server). A few minutes later (depending on the amount of data to index), you’ll be able to investigate the events from your favourite Kibana session:

[Screenshot: Events in Logstash, as displayed in Kibana]

Some remarks:

  • The script must be run as an administrator to access all event logs (especially the “Security” log).
  • It is possible to automate the export of event logs via a scheduled task, combined with a filter applied to Get-WinEvent. In the following example, only the events of the last hour are processed:
    $start = (Get-Date).AddHours(-1)
    $data = Get-WinEvent -FilterHashtable @{LogName="*"; StartTime=$start}
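
To tie the pieces together, here is an added example of the collection loop described above, combined with the "last hour" filter from the remark: it is not the author's script from the repository, and the Logstash address (192.0.2.10), the field selection and the hypothetical variable names are assumptions. It relies on the behaviour of ConvertTo-Json in Windows PowerShell 3 to 5, where a DateTime is serialized as "\/Date(<milliseconds>)\/", which is what the grok pattern in the Logstash configuration above expects; PowerShell 7 emits ISO 8601 timestamps instead, so the grok and date filters would need to be adapted there.

```powershell
# Added example (not the original script): forward the last hour of Windows event logs
# to a Logstash tcp input (json codec), one JSON document per line.
# Must be run from an elevated PowerShell session to read the Security log.

$LogstashHost = "192.0.2.10"   # assumption: replace with your Logstash server
$LogstashPort = 5001           # matches the tcp input in the configuration above

# Filter applied to Get-WinEvent: only events created during the last hour.
# -ErrorAction SilentlyContinue skips logs that are empty or not readable.
$start  = (Get-Date).AddHours(-1)
$events = @(Get-WinEvent -FilterHashtable @{LogName="*"; StartTime=$start} -ErrorAction SilentlyContinue)

# UTF-8 without BOM: a BOM on the first line would break JSON parsing on the Logstash side.
$utf8NoBom = New-Object System.Text.UTF8Encoding($false)

$client = New-Object System.Net.Sockets.TcpClient($LogstashHost, $LogstashPort)
$stream = $client.GetStream()
$writer = New-Object System.IO.StreamWriter($stream, $utf8NoBom)
$writer.NewLine   = "`n"       # Logstash splits on LF; avoid a trailing CR after each document
$writer.AutoFlush = $true

$sent = 0
try {
    foreach ($evt in $events) {
        # Keep a stable, flat set of fields; the raw EventLogRecord has many nested members.
        $doc = [ordered]@{
            host         = $env:COMPUTERNAME
            LogName      = $evt.LogName
            ProviderName = $evt.ProviderName
            Id           = $evt.Id
            Level        = $evt.LevelDisplayName
            TimeCreated  = $evt.TimeCreated      # serialized as "\/Date(ms)\/" by Windows PowerShell
            RecordId     = $evt.RecordId
            Message      = $evt.Message
        }

        # -Compress yields a single line; newlines inside the Message are escaped as \n.
        # The -replace mirrors the post's advice and is a safety net if -Compress is removed.
        $json = ($doc | ConvertTo-Json -Compress -Depth 2) -replace "`r", "" -replace "`n", " "

        $writer.WriteLine($json)
        $sent++
    }
}
finally {
    $writer.Close()
    $client.Close()
}

Write-Host ("Sent {0} events from {1} to {2}:{3}" -f $sent, $env:COMPUTERNAME, $LogstashHost, $LogstashPort)
```

When scheduling this as a task, keep the time window aligned with the task interval (an hourly task with a one-hour window) so that events are neither missed nor duplicated in the index, and run it with an account that is allowed to read the Security log.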

The script is available in my github.com repository.
