April 21, 2023 strategy

Our customers asked - Execution of powershell scripts inside NXLog Exec modules

By Collins Maina

ALL SIEM STRATEGY SECURITY ANNOUNCEMENT DEPLOYMENT COMPLIANCE COMPARISON RSS

PowerShell scripts can be used with NXLog for generating, processing, and forwarding logs, as well as for generating configuration content. In this article, we will take a look at how to execute PowerShell directly from NXLog.

You can run a PowerShell script in multiple NXLog instances without using any PowerShell script file, and is achievable through having the script code directly in NXLog’s exec modules. This is ideal because if you need to make any change to the script, it’s easier to modify just the NXLog module rather than change the script on every computer used.

For the sake of demonstration, this is the script we want to include in the NXLog config:

powershell-script.ps1

import-module activedirectory ;get-aduser -filter * -Properties * | Select-Object -Property @{Name='ACCOUNTEXPIRATIONDATE';Expression={$.ACCOUNTEXPIRATIONDATE.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss")}}, ACCOUNTEXPIRES , @{Name='ACCOUNTLOCKOUTTIME';Expression={$.ACCOUNTLOCKOUTTIME.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss")}} , BADLOGONCOUNT, CANNOTCHANGEPASSWORD, CANONICALNAME, CERTIFICATES, CITY,CN, COMPANY, COUNTRY,@{Name='Created';Expression={$.Created.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss")}},DEPARTMENT, DESCRIPTION, DISPLAYNAME, DISTINGUISHEDNAME, DIVISION,EMAILADDRESS, EMPLOYEEID, EMPLOYEENUMBER, ENABLED, GIVENNAME, INITIALS,ISDELETED, @{Name='LASTBADPASSWORDATTEMPT';Expression={$.LASTBADPASSWORDATTEMPT.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss")}},@{Name='LASTLOGONDATE';Expression={$.LASTLOGONDATE.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss")}}, LOCKEDOUT, MANAGER, MEMBEROF, @{Name='MODIFIED';Expression={$.MODIFIED.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss")}}, NAME, OBJECTCATEGORY, OBJECTCLASS, OBJECTGUID, OBJECTSID, OFFICE, ORGANIZATION, OTHERNAME, PASSWORDEXPIRED, @{Name='PASSWORDLASTSET';Expression={$.PASSWORDLASTSET.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss")}}, PASSWORDNEVEREXPIRES, PASSWORDNOTREQUIRED, PWDLASTSET, SAMACCOUNTNAME, SAMACCOUNTTYPE, SID, STATE, STREETADDRESS, SURNAME, TITLE, @{Name='WHENCHANGED';Expression={$.WHENCHANGED.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss")}},@{Name='WHENCREATED';Expression={$_.WHENCREATED.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss")}}  | export-csv -path 'C:\logs\results.csv'

This script collects data from Active Directory and parses it in a specific way. It will generate a file with that data, and NXLog must read that file once a day and then send it to a particular destination. The script is run just once a day.

Using im_exec

The im_exec module will run once and won’t be restarted if it exits. To run this module daily at a specific time, you must add an xm_exec module that restarts your im_exec module. Also, because the file created by the PowerShell script will have the same name, you need to delete the file before running the script to ensure NXLog reads the new file correctly.

The configuration should look like this:

nxlog.conf

<Extension exec_run_powershell_script>
    Module     xm_exec
    <Schedule>
        When    0 1 * * *
        Exec    exec("C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" , 'Remove-Item -Path \""C:\Program Files\nxlog\RopesGray_adusers.csv\""');
        Exec    in_powershell->module_restart();
    </Schedule>
</Extension>

<Input in_powershell>
    Module     im_exec
    Restart    false
    Command    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    Arg        import-module activedirectory ;get-aduser -filter * -Properties * | Select-Object -Property @{Name='ACCOUNTEXPIRATIONDATE';Expression={$.ACCOUNTEXPIRATIONDATE.ToUniversalTime().ToString(\""yyyy-MM-ddTHH:mm:ss\"")}}, ACCOUNTEXPIRES , @{Name='ACCOUNTLOCKOUTTIME';Expression={$.ACCOUNTLOCKOUTTIME.ToUniversalTime().ToString(\""yyyy-MM-ddTHH:mm:ss\"")}} , BADLOGONCOUNT, CANNOTCHANGEPASSWORD, CANONICALNAME, CERTIFICATES, CITY,CN, COMPANY, COUNTRY,@{Name='Created';Expression={$.Created.ToUniversalTime().ToString(\""yyyy-MM-ddTHH:mm:ss\"")}},DEPARTMENT, DESCRIPTION, DISPLAYNAME, DISTINGUISHEDNAME, DIVISION,EMAILADDRESS, EMPLOYEEID, EMPLOYEENUMBER, ENABLED, GIVENNAME, INITIALS,ISDELETED, @{Name='LASTBADPASSWORDATTEMPT';Expression={$.LASTBADPASSWORDATTEMPT.ToUniversalTime().ToString(\""yyyy-MM-ddTHH:mm:ss\"")}},@{Name='LASTLOGONDATE';Expression={$.LASTLOGONDATE.ToUniversalTime().ToString(\""yyyy-MM-ddTHH:mm:ss\"")}}, LOCKEDOUT, MANAGER, MEMBEROF, @{Name='MODIFIED';Expression={$.MODIFIED.ToUniversalTime().ToString(\""yyyy-MM-ddTHH:mm:ss\"")}}, NAME, OBJECTCATEGORY, OBJECTCLASS, OBJECTGUID, OBJECTSID, OFFICE, ORGANIZATION, OTHERNAME, PASSWORDEXPIRED, @{Name='PASSWORDLASTSET';Expression={$.PASSWORDLASTSET.ToUniversalTime().ToString(\""yyyy-MM-ddTHH:mm:ss\"")}}, PASSWORDNEVEREXPIRES, PASSWORDNOTREQUIRED, PWDLASTSET, SAMACCOUNTNAME, SAMACCOUNTTYPE, SID, STATE, STREETADDRESS, SURNAME, TITLE, @{Name='WHENCHANGED';Expression={$.WHENCHANGED.ToUniversalTime().ToString(\""yyyy-MM-ddTHH:mm:ss\"")}},@{Name='WHENCREATED';Expression={$_.WHENCREATED.ToUniversalTime().ToString(\""yyyy-MM-ddTHH:mm:ss\"")}}  | export-csv -path 'C:\Program Files\nxlog\RopesGray_adusers.csv'
</Input>

The first module (exec_run_powershell_script) will delete the file and restarts the im_exec module to allow it to be executed again. Also, the timing for this module is defined as a cron job to allow you to specify the time you want it to run (in this case, every day at 1:00 AM).

The second module (in_powershell) has two sections:

Command To indicate you will run powershell.exe
Arg Contains the whole script as a single line. It doesn’t matter if the command has spaces, pipes, single quotes, or anything else. You just need to be careful to escape the double quotes correctly.

Using xm_exec

When using xm_exec, you don’t need any extra module because the execution time is defined inside the very same exec. Additionally, before the PowerShell script, there’s a line to delete the file first. In this scenario, you need to use the exec command instead of exec_async to ensure the file is deleted before the PowerShell script runs.

The configuration should look like this:

nxlog.conf

<Extension exec_powershell>
    Module    xm_exec
    <Schedule>
        When    0 1 * * *
        <Exec>
            exec("C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" , 'Remove-Item -Path \""C:\Program Files\nxlog\customer.csv\""');
            exec("C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" , 'import-module activedirectory ;get-aduser -filter * -Properties * | Select-Object -Property @{Name=\""ACCOUNTEXPIRATIONDATE\"";Expression={$.ACCOUNTEXPIRATIONDATE.ToUniversalTime().ToString(\""yyyy-MM-ddTHH:mm:ss\"")}}, ACCOUNTEXPIRES , @{Name=\""ACCOUNTLOCKOUTTIME\"";Expression={$.ACCOUNTLOCKOUTTIME.ToUniversalTime().ToString(\""yyyy-MM-ddTHH:mm:ss\"")}} , BADLOGONCOUNT, CANNOTCHANGEPASSWORD, CANONICALNAME, CERTIFICATES, CITY,CN, COMPANY, COUNTRY,@{Name=\""Created\"";Expression={$.Created.ToUniversalTime().ToString(\""yyyy-MM-ddTHH:mm:ss\"")}},DEPARTMENT, DESCRIPTION, DISPLAYNAME, DISTINGUISHEDNAME, DIVISION,EMAILADDRESS, EMPLOYEEID, EMPLOYEENUMBER, ENABLED, GIVENNAME, INITIALS,ISDELETED, @{Name=\""LASTBADPASSWORDATTEMPT\"";Expression={$.LASTBADPASSWORDATTEMPT.ToUniversalTime().ToString(\""yyyy-MM-ddTHH:mm:ss\"")}},@{Name=\""LASTLOGONDATE\"";Expression={$.LASTLOGONDATE.ToUniversalTime().ToString(\""yyyy-MM-ddTHH:mm:ss\"")}}, LOCKEDOUT, MANAGER, MEMBEROF, @{Name=\""MODIFIED\"";Expression={$.MODIFIED.ToUniversalTime().ToString(\""yyyy-MM-ddTHH:mm:ss\"")}}, NAME, OBJECTCATEGORY, OBJECTCLASS, OBJECTGUID, OBJECTSID, OFFICE, ORGANIZATION, OTHERNAME, PASSWORDEXPIRED, @{Name=\""PASSWORDLASTSET\"";Expression={$.PASSWORDLASTSET.ToUniversalTime().ToString(\""yyyy-MM-ddTHH:mm:ss\"")}}, PASSWORDNEVEREXPIRES, PASSWORDNOTREQUIRED, PWDLASTSET, SAMACCOUNTNAME, SAMACCOUNTTYPE, SID, STATE, STREETADDRESS, SURNAME, TITLE, @{Name=\""WHENCHANGED\"";Expression={$.WHENCHANGED.ToUniversalTime().ToString(\""yyyy-MM-ddTHH:mm:ss\"")}},@{Name=\""WHENCREATED\"";Expression={$_.WHENCREATED.ToUniversalTime().ToString(\""yyyy-MM-ddTHH:mm:ss\"")}}  | export-csv -path \""C:\Program Files\nxlog\RopesGray_adusers.csv\""');
        </Exec>
    </Schedule>
</Extension>

Note	The script is enclosed into single quotes and only the double quotes are escaped.

For more information on using PowerShell scripts and Logging PowerShell activity with NXLog, see the Windows PowerShell section in the NXLog User Guide.

GET STARTED TODAY:

CONTACT US Our experts are happy to help REQUEST A FREE TRIAL Give NXLog Enterprise Edition a try GET PRICING Request a quote

NXLog Ltd. develops multi-platform log collection tools that support many different log sources, formats, transports, and integrations. The tools help administrators collect, parse, and forward logs so they can more easily respond to security issues, investigate operational problems, and analyze event data. NXLog distributes the free and open source NXLog Community Edition and offers additional features and support with the NXLog Enterprise Edition.

This document is provided for informational purposes only and is subject to change without notice. Trademarks are the properties of their respective owners.