Exporting Events from Disconnected Systems to Ingest into Azure Sentinel

I had the occasion recently to work with a customer that had domain controllers that were disconnected from the Internet, but still wanted to ingest the server event logs into Azure Sentinel.

Sifting through research I found there’s a myriad of ways to do it (including standing up a Log Analytics gateway) but one of the requirements was to accomplish it quickly and easily. So, I immediately dusted off my PowerShell chops.

The simple PowerShell script contained below is used to export the event logs (Application, System, and/or Security) from a disconnected server to a folder that resides on a server/workstation that is connected. The Log Analytics agent is installed on the connected system and a Custom Log data source is configured in the Log Analytics workspace for Azure Sentinel. This procedure essentially turns a connected system into a Windows-based forwarder for disconnected systems.

PowerShell script

I’ve documented the PowerShell script pretty well. Note that I can’t take full credit for all the PowerShell components. Much of it was cobbled together from snippets I already had laying around in a scripting folder on OneDrive that I’ve been collecting for years.

Take note that you can:

  1. Schedule it to run periodically.
  2. Modify the number of days to retrieve events.
  3. Enter any number of hostnames (or just 1).
  4. Modify it to only retrieve the logs you want (it currently retrieves Application, System, and Security).
  5. Alter the types of events you want to export. If you want ALL events, just comment-out the TypesofEvents variable line up top and then also the -EntryType $TypesofEvents in the foreach loop.
  6. Change the folder to write the export to.
#Schedule it using this: PowerShell.exe -ExecutionPolicy ByPass -File eventexport.ps1

Set-Variable -Name EventAge -Value 1     #Sets the number of days that will be exported
Set-Variable -Name ServerNames -Value @("Server1", "Server2", "Server3", "Server4")   #Replace with your own Server name or names
Set-Variable -Name Logs -Value @("Application", "System", "Security")  # Checking app, system, and security logs - only use what you want/need
Set-Variable -Name TypesofEvents -Value @("Error", "Warning")  # Loading only Errors and Warnings
Set-Variable -Name ExportFolder -Value "C:\TEMP\"


$exportlog_c = @()   #consolidated error log
$now=get-date
$startdate=$now.adddays(-$EventAge)
$ExportFile=$ExportFolder + "exportlog" + $now.ToString("yyyy-MM-dd---hh-mm-ss") + ".csv"  

foreach($comp in $ServerNames)
{
 foreach($log in $Logs)
 {
  Write-Host Processing $comp\$log
 $exportlog = get-eventlog -ComputerName $comp -log $log -After $startdate -EntryType $TypesofEvents
 $exportlog_c += $exportlog  #consolidating
  }
}
$explortlog_sorted = $explortlog_c | Sort-Object TimeGenerated    
Write-Host Exporting to $ExportFile
$explortlog_sorted|Select EntryType, TimeGenerated, Source, EventID, MachineName | Export-CSV $ExportFile -NoTypeInfo 
Write-Host Done!

Thoughts? Comments? Have a better way to do it? Let me know.

OR — why not work out your own solution and participate in our 1st-ever Azure Sentinel Hackathon?

THERE ARE PRIZES!

Authors