This topic is not brand new: there exist plenty of solutions to forward Windows event logs to Logstash (OSSEC, Snare or NXLog, amongst many others). They do a decent job of collecting events on running systems, but they require an extra piece of software to be deployed on the target operating systems. For a specific case, I was looking for a solution to quickly transfer event logs from a live system without having to install extra software.
The latest versions of Microsoft Windows come with PowerShell installed by default. PowerShell is, as Wikipedia defines it, a task automation and configuration management framework. PowerShell 3 introduced handy cmdlets to convert data to and from JSON, a format natively supported by Logstash. The goal is a standalone PowerShell script, executed from a share or a read-only USB stick, that processes the Windows event logs and sends them to a preconfigured remote Logstash server on a specific TCP port.
The first step is to prepare our Logstash environment to receive the new events. Let's create a new input and store the received events in a dedicated index (it will be easier to investigate the collected data):
input {
  tcp {
    port => 5001
    type => 'eventlog'
    codec => json { charset => 'UTF-8' }
  }
}
filter {
  if [type] == 'eventlog' {
    # Windows PowerShell serialises a DateTime as "\/Date(<ms since epoch>)\/";
    # extract the number and use it as the event timestamp
    grok { match => [ 'TimeCreated', "Date\(%{NUMBER:timestamp}\)" ] }
    date { match => [ 'timestamp', 'UNIX_MS' ] }
  }
}
output {
  if [type] == 'eventlog' {
    elasticsearch {
      host => 'localhost'
      port => 9300
      node_name => 'forensics'
      cluster => 'forensics-cluster'
      index => 'logstash-eventlog-%{+YYYY.MM.dd}'
    }
  }
}
The PowerShell script collects event logs via the cmdlet Get-WinEvent and converts them to JSON with ConvertTo-Json. Because Logstash expects one event per line, the data returned by Get-WinEvent is converted to an array and processed in a loop. Before each event is sent over the TCP session, carriage return and line feed characters (\r and \n) are removed. Edit the script to set the destination IP address and port, then run it to send a copy of all the event logs to your Logstash server (take care: this could overload your server). A few minutes later (depending on the amount of data to index), you'll be able to investigate the events from your favourite Kibana session:
Some remarks:
- The script must be run as an administrator to access all event logs (especially "Security").
- It is possible to automate the export of event logs with a scheduled task and by applying a filter to Get-WinEvent. In the following example, only the events of the last hour are processed:
$start = (Get-Date).AddHours(-1)
$data = Get-WinEvent -FilterHashtable @{LogName = "*"; StartTime = $start}
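As an added example (not the author's GitHub script), here is a stand-alone forwarder that does what the two passages above describe: it collects the last hour of events with a Get-WinEvent filter, serialises each one with ConvertTo-Json, strips line breaks and writes one event per line to the Logstash TCP input configured earlier. The destination address 192.0.2.10, the one-hour window and the chosen field list are assumptions; port 5001 comes from the configuration above.

```powershell
# Added example, not the author's script: forward recent Windows event logs to the
# Logstash tcp input above as one compact JSON object per line.
param(
    [string]$LogstashHost = "192.0.2.10",  # assumption: your Logstash server
    [int]$LogstashPort    = 5001,          # the tcp { port => 5001 } input above
    [int]$Hours           = 1              # time window, as in the Get-WinEvent filter above
)

# Requires an elevated shell to read the Security log. @() forces an array so a
# single event (or none) still loops correctly.
$start  = (Get-Date).AddHours(-$Hours)
$events = @(Get-WinEvent -FilterHashtable @{LogName = "*"; StartTime = $start} -ErrorAction SilentlyContinue)

# UTF8Encoding($false) = no byte-order mark; a BOM before the first '{' would
# break the json codec on the Logstash side.
$client = New-Object System.Net.Sockets.TcpClient($LogstashHost, $LogstashPort)
$writer = New-Object System.IO.StreamWriter($client.GetStream(), (New-Object System.Text.UTF8Encoding($false)))
$writer.AutoFlush = $true

foreach ($evt in $events) {
    # A flat, ordered subset of the EventLogRecord. Windows PowerShell serialises the
    # DateTime as "\/Date(<ms since epoch>)\/", which the grok + UNIX_MS date
    # filter in the Logstash config turns into @timestamp.
    $record = [ordered]@{
        TimeCreated      = $evt.TimeCreated
        Id               = $evt.Id
        LogName          = $evt.LogName
        ProviderName     = $evt.ProviderName
        LevelDisplayName = $evt.LevelDisplayName
        MachineName      = $evt.MachineName
        Message          = $evt.Message
    }
    # -Compress drops pretty-printing; newlines inside strings are already
    # JSON-escaped. Stripping any leftover CR/LF guarantees one event per line.
    $json = ($record | ConvertTo-Json -Compress) -replace "[`r`n]", ""
    $writer.WriteLine($json)
}

$writer.Dispose()
$client.Close()
Write-Host ("Sent {0} event(s) to {1}:{2}" -f $events.Count, $LogstashHost, $LogstashPort)
```

Run it from an elevated PowerShell 3 or later session; on PowerShell 7 the DateTime is emitted in ISO 8601 form instead, so the grok pattern in the filter would need adjusting.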
The script is available in my github.com repository.