Creating the PowerShell Script and Scheduled Task on the Active Directory Server
1. On each Microsoft Windows Active Directory server, create and configure a PowerShell script that collects user and computer objects into an output file. NXLog reads that file and sends the data to Chronicle.
2. Create the PowerShell script shown below. Change the value of $outputFilePath to the location where the output file should be written; this is the file NXLog will read. Each object must be written as one compact JSON object per line, because NXLog forwards the file line by line.
========================================
# Import the Active Directory module (the AD DS tools are installed on a domain controller)
Import-Module ActiveDirectory

# Define the output file path (change this to suit your environment)
$outputFilePath = "C:\AD\output.json"

# Attributes that must never be written to the output file: password hashes, LAPS passwords,
# Windows Hello / key credentials and certificates. The list is applied to users as well as
# computers, since user objects carry userCertificate and msDS-KeyCredentialLink too.
$excludedAttributes = @(
    'ms-Mcs-AdmPwd', 'msDS-KeyCredentialLink', 'unicodePwd', 'userPassword',
    'lmPwdHistory', 'ntPwdHistory', 'supplementalCredentials', 'ms-TS-GatewayUserPassword',
    'cACertificate', 'userCertificate', 'userSMIMECertificate'
)

# Remove the old file if it exists, so each run produces a fresh snapshot
if (Test-Path $outputFilePath) {
    Remove-Item $outputFilePath
}

# Get user objects from Active Directory and write each one as a single JSON line
Get-ADUser -Filter * -Properties * |
    Select-Object -Property * -ExcludeProperty $excludedAttributes |
    ForEach-Object {
        $_ | ConvertTo-Json -Compress | Out-File -Encoding UTF8 -Append -FilePath $outputFilePath
    }

# Get computer objects from Active Directory and write each one as a single JSON line
Get-ADComputer -Filter * -Properties * |
    Select-Object -Property * -ExcludeProperty $excludedAttributes |
    ForEach-Object {
        $_ | ConvertTo-Json -Compress | Out-File -Encoding UTF8 -Append -FilePath $outputFilePath
    }

# Output a confirmation message
Write-Host "New output file created: $outputFilePath"
========================================
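Before pointing NXLog at the file, it is worth checking that every line is a complete JSON object and that none of the excluded attributes slipped through. The script below is an added example for this page, not part of the original procedure; it assumes the collector script above has already written C:\AD\output.json and reuses the same attribute denylist.

```powershell
# Added example (not from the original page): sanity-check the export before NXLog reads it.
# Assumes the collector script wrote C:\AD\output.json.
$outputFilePath = "C:\AD\output.json"

# Same denylist as the collector script: anything in here must not appear with a value.
$sensitiveAttributes = @(
    'ms-Mcs-AdmPwd', 'msDS-KeyCredentialLink', 'unicodePwd', 'userPassword',
    'lmPwdHistory', 'ntPwdHistory', 'supplementalCredentials', 'ms-TS-GatewayUserPassword',
    'cACertificate', 'userCertificate', 'userSMIMECertificate'
)

function Test-ADContextOutput {
    param([string]$Path, [string[]]$Denylist)

    $lineNumber = 0
    $counts     = @{}
    $problems   = [System.Collections.Generic.List[string]]::new()

    # ReadLines streams the file, so this also works for large directories.
    foreach ($line in [System.IO.File]::ReadLines($Path)) {
        $lineNumber++
        if ([string]::IsNullOrWhiteSpace($line)) { continue }

        # Each line must be one complete JSON object, because NXLog forwards the file line by line.
        try {
            $obj = $line | ConvertFrom-Json
        } catch {
            $problems.Add("Line ${lineNumber}: not valid JSON")
            continue
        }

        # Tally by objectClass so the totals can be compared with Get-ADUser / Get-ADComputer counts.
        $class = if ($obj.ObjectClass) { $obj.ObjectClass } else { 'unknown' }
        $counts[$class] = 1 + [int]$counts[$class]

        # Flag any denylisted attribute that was serialized with a non-null value.
        foreach ($name in $obj.PSObject.Properties.Name) {
            if ($Denylist -contains $name -and $null -ne $obj.$name) {
                $problems.Add("Line ${lineNumber} ($($obj.DistinguishedName)): contains $name")
            }
        }
    }

    [pscustomobject]@{
        Lines    = $lineNumber
        Counts   = $counts
        Problems = $problems
    }
}

$result = Test-ADContextOutput -Path $outputFilePath -Denylist $sensitiveAttributes
"Lines read: $($result.Lines)"
$result.Counts.GetEnumerator() | Sort-Object Name | ForEach-Object { "  $($_.Name): $($_.Value)" }
if ($result.Problems.Count -gt 0) {
    $result.Problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
"Output file looks good"
```

Run it once by hand after the first export, and again after changing the attribute list. The per-class counts should match what `(Get-ADUser -Filter *).Count` and `(Get-ADComputer -Filter *).Count` report on the same DC; a mismatch usually means the task account lacks read access to part of the directory. Since the file holds a full copy of the directory's user and computer attributes, restrict NTFS permissions on C:\AD to the task account, the NXLog service account and administrators.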
Run the PowerShell Script Using a Scheduled Task
Create a recurring task that runs the script to fetch and write data to the output file:
- Open the Task Scheduler application.
- Click "Create Task" in the right panel.
- Enter a Name and Description for the task.
- Under "Security options", choose the account the task runs as. It needs read access to the directory and write access to the output folder (C:\AD in the script); Domain Admin membership is not required. Select "Run whether user is logged on or not" and "Do not store password".
- Select the "Run with highest privileges" checkbox so the script runs with an elevated token rather than the filtered one UAC would otherwise give it.
- In the "Triggers" tab, define how often the task repeats (for example, once a day).
- In the "Actions" tab, click "New..." to create a new action for the task, and in the dropdown menu select "Start a program" as the action type.
- In the "Program/script" field, browse to the PowerShell executable (powershell.exe). It is normally found in C:\Windows\System32\WindowsPowerShell\v1.0.
- In the "Add arguments (optional)" field, enter -NoProfile -ExecutionPolicy Bypass -File "C:\AD\AD.ps1" (adjust the path to your script). Using -File rather than the bare path runs the file as a script, and the execution-policy switch applies only to this process, so a Restricted machine policy does not make the task fail silently.
Click OK to save the task. It then appears in the Task Scheduler Library.
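The same task can be registered from PowerShell with the ScheduledTasks module, which is easier to reproduce across several domain controllers than clicking through the GUI. The block below is an added example for this page, not part of the original procedure. It assumes the collector script is saved as C:\AD\AD.ps1 and that a dedicated account, shown here as the hypothetical CORP\svc-adexport, has read access to the directory and write access to C:\AD; run it from an elevated PowerShell on the DC.

```powershell
# Added example, not from the original page: create the recurring task with the ScheduledTasks
# module instead of the Task Scheduler GUI, run it once, and check the result.
# Assumptions: the collector script is C:\AD\AD.ps1; CORP\svc-adexport is a hypothetical
# service account that can read the directory and write to C:\AD.
$scriptPath = 'C:\AD\AD.ps1'
$taskName   = 'AD Context Export'
$runAs      = 'CORP\svc-adexport'   # hypothetical account; replace with your own

# Action: the PowerShell executable from the page, with explicit switches.
# -File runs the script as a script (a bare path is treated as a command string),
# -ExecutionPolicy Bypass applies only to this process, and -NoProfile / -NonInteractive
# keep profile scripts and prompts from interfering with an unattended run.
$action = New-ScheduledTaskAction `
    -Execute "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -Argument ('-NoProfile -NonInteractive -ExecutionPolicy Bypass -File "{0}"' -f $scriptPath)

# Trigger: once a day at 01:00 (adjust to how fresh the context data needs to be).
$trigger = New-ScheduledTaskTrigger -Daily -At '01:00'

# Principal: LogonType S4U is what the GUI calls "Run whether user is logged on or not"
# combined with "Do not store password"; RunLevel Highest is the "Run with highest privileges" box.
$principal = New-ScheduledTaskPrincipal -UserId $runAs -LogonType S4U -RunLevel Highest

# Settings: cap the run time so a hung export cannot overlap the next one, ignore a new start
# while one is already running, and catch up if the scheduled time was missed (e.g. after a reboot).
$settings = New-ScheduledTaskSettingsSet `
    -ExecutionTimeLimit (New-TimeSpan -Hours 2) `
    -MultipleInstances IgnoreNew `
    -StartWhenAvailable

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings `
    -Description 'Exports AD user and computer objects to C:\AD\output.json for NXLog' | Out-Null

# Run it once now and check the exit code: 0 means the last run succeeded.
Start-ScheduledTask -TaskName $taskName
do { Start-Sleep -Seconds 5 } while ((Get-ScheduledTask -TaskName $taskName).State -eq 'Running')
$info = Get-ScheduledTaskInfo -TaskName $taskName
"Last run: $($info.LastRunTime), result: $($info.LastTaskResult)"
if ($info.LastTaskResult -ne 0) {
    Write-Warning "Task did not succeed; check the account's rights on the directory and on C:\AD"
}
```

If the run succeeds but output.json is empty or missing, the usual cause is the S4U logon: it carries no network credentials, so the chosen account must be able to reach the local directory service without them. In that case switch the principal to a stored password (or a group managed service account) and re-register the task.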
NXLog Agent on the Windows Active Directory Server
Install the NXLog agent (NXLog Community Edition) on the Microsoft Windows Active Directory server.
Then paste the configuration below into nxlog.conf (in the conf directory of the NXLog installation, %ROOT%\conf), replacing "Forwarder IP" with the address of the Chronicle forwarder:
========================================
Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files\nxlog
define ADCONTEXT_OUTPUT_DESTINATION_ADDRESS Forwarder IP
define ADCONTEXT_OUTPUT_DESTINATION_PORT 11736

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension json>
    Module xm_json
</Extension>

<Input in_adcontext>
    Module            im_file
    File              "C:\AD\output.json"
    DirCheckInterval  3600
    PollInterval      3600
</Input>

<Output out_chronicle_adcontext>
    Module  om_tcp
    Host    %ADCONTEXT_OUTPUT_DESTINATION_ADDRESS%
    Port    %ADCONTEXT_OUTPUT_DESTINATION_PORT%
</Output>

<Route ad_context_to_chronicle>
    Path  in_adcontext => out_chronicle_adcontext
</Route>
========================================
Notes on this configuration:
- The File path must match $outputFilePath in the collection script.
- om_tcp sends the JSON lines unencrypted. The file contains the directory's user and computer attributes, so keep the DC-to-forwarder hop on a trusted network segment, or use NXLog's om_ssl module if the receiving side is set up for TLS.
- The script deletes and recreates the file on every run rather than appending to it. After the task has run at least twice, compare the line count of output.json with the number of records that reached Chronicle to confirm nothing was skipped; %ROOT%\data\nxlog.log shows any read or connection errors on the NXLog side.
Add the collector below to the collectors list in the forwarder configuration file (indentation is significant in YAML):
========================================
- syslog:
    common:
      enabled: true
      data_type: WINDOWS_AD
      data_hint:
      batch_n_seconds: 10
      batch_n_bytes: 1048576
    tcp_address: 0.0.0.0:11736
    udp_address: 0.0.0.0:11736
========================================
NXLog uses om_tcp, so only tcp_address is required; udp_address is optional. Make sure TCP port 11736 on the forwarder is reachable from each domain controller (host firewall and any network ACLs in between).
Check status in Chronicle:
- Repeat the process for each log type that needs to be onboarded to Chronicle.
- Once the configuration is complete, validate that the logs are arriving in Chronicle. Searching with the regular expression .* (or filtering on a specific hostname) lists the log source types currently ingesting into Chronicle; the screenshot below is for reference.