Running PowerShell script on a schedule to retrieve and format Windows Event logs and send to logstash output


#1 MCon30318

I have a PowerShell script that is retrieving events from Windows Event logs that are written by a certain application. It then parses the exception info from the Event_Data portion into separate fields and combines them into JSON (the exception info is written in one big block of text, but each line has fields that we want to separate out into distinct fields so that the data is easier to filter in Kibana). I have an input im_exec module in nxlog.conf that runs that script and a route to send that input to an om_tcp output for our logstash instance. This works fine when you restart the service; however, I'm having a problem getting this to pick up events after the initial restart. I've tried adding a schedule both to the input module and adding an xm_exec module to restart the input module on a scheduled basis. Anyone have any ideas on how to get this script to run repeatedly so that I can pick up and format new events? I've looked through the schedule documentation and tried some of the suggestions on other discussions that look a bit similar, but none seem to have worked so far.

 

This is what I have in the conf file currently:

 

   define ROOT C:\Program Files (x86)\nxlog

   Moduledir %ROOT%\modules
   CacheDir  %ROOT%\data
   Pidfile   %ROOT%\data\nxlog.pid
   SpoolDir  %ROOT%\data
   LogFile   %ROOT%\data\nxlog.log
   LogLevel  INFO

   <Extension json>
       Module xm_json
   </Extension>

   define LogFile %ROOT%\data\nxlog.log

   <Input input_logs_powershell>
       Module  im_exec
       Restart true
       Command "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
       Arg     "-ExecutionPolicy"
       Arg     "Bypass"
       Arg     "-NoProfile"
       # This specifies the path to the PowerShell script.
       Arg     "-File"
       Arg     "D:\Temp\events_parser.ps1"
       <Exec>
           # Parse JSON
           parse_json();
       </Exec>
   </Input>

   <Output logs_to_Kibana>
       Module om_tcp
       Host   logstash_hostname
       Port   6710
       Exec   to_json();
   </Output>

   <Route input_logs_powershell>
       Path input_logs_powershell => logs_to_Kibana
   </Route>
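As an added example (not the poster's script or NXLog's code), here is one way to structure the kind of parser described above as a long-running process: it polls Get-WinEvent with a time watermark, splits the "Key: Value" lines of each event message into distinct fields, and writes one compact JSON object per line to stdout for im_exec to read. The log name, the provider name "MyApp" and the "Key: Value" layout of the exception text are assumptions.

```powershell
# Added example, not the poster's script. Assumptions: the application logs to the
# "Application" log under provider "MyApp" (placeholder), and each exception line in
# the message looks like "Key: Value" (e.g. "ExceptionType: System.ArgumentException").
param(
    [string]$LogName      = 'Application',
    [string]$ProviderName = 'MyApp',   # placeholder provider name
    [int]$PollSeconds     = 10
)

# Watermark: only events newer than this are read on each pass, so nothing is re-sent.
$lastSeen = (Get-Date).AddMinutes(-5)

function ConvertTo-EventRecord {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $record = [ordered]@{
        EventTime = $Event.TimeCreated.ToUniversalTime().ToString('o')
        EventID   = $Event.Id
        Level     = $Event.LevelDisplayName
        Provider  = $Event.ProviderName
    }
    # Split the exception block into separate fields; lines that do not have the
    # "Key: Value" shape (e.g. stack frames) are kept under RawText so nothing is lost.
    $raw = New-Object System.Collections.Generic.List[string]
    foreach ($line in ("$($Event.Message)" -split "`r?`n")) {
        if ($line -match '^\s*([A-Za-z][\w.\- ]*?)\s*:\s*(.+?)\s*$') {
            $key = ($Matches[1] -replace '[^\w]', '')   # make the key a safe field name
            if (-not $record.Contains($key)) { $record[$key] = $Matches[2] }
        } elseif ($line.Trim()) { $raw.Add($line.Trim()) }
    }
    if ($raw.Count) { $record['RawText'] = ($raw -join ' | ') }
    return $record
}

# Long-running loop: im_exec reads stdout for as long as the process lives, so the
# script keeps polling instead of exiting after a single pass.
while ($true) {
    $filter = @{ LogName = $LogName; ProviderName = $ProviderName; StartTime = $lastSeen }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
              Sort-Object TimeCreated
    foreach ($e in $events) {
        if ($e.TimeCreated -le $lastSeen) { continue }   # StartTime is inclusive
        $lastSeen = $e.TimeCreated
        # One JSON object per line, which the Input module's parse_json() consumes.
        [Console]::Out.WriteLine(((ConvertTo-EventRecord $e) | ConvertTo-Json -Compress))
    }
    Start-Sleep -Seconds $PollSeconds
}
```

Because the process never exits on its own, the watermark survives between polls; if the script is ever restarted, the five-minute lookback on start may re-emit recent events, so deduplicate downstream or persist the watermark to a file if that matters.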