Skip to content

Instantly share code, notes, and snippets.

@tyconsulting

tyconsulting/Publish-EvtToOMS.ps1

Last active December 4, 2016 13:21
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save tyconsulting/72a19595246938ae0fb435a42afa4185 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save tyconsulting/72a19595246938ae0fb435a42afa4185 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
Publish-EvtToOMS.ps1
#requires -Version 2.0 -Modules OMSDataInjection
<#
========================================================================
AUTHOR: Tao Yang
DATE: 02/11/2016
Version: 1.0
Comment:
Azure Automation Runbook that reads Windows Event export (evt) files
and inject events to OMS Log Analytics.
========================================================================
#>
PARAM (
[Parameter(Mandatory = $true)][ValidateScript({
Test-Path $_
})][String]$EvtExportPath,
[Parameter(Mandatory = $true)][Alias('OMSConnection')][String]$OMSConnectionName,
[Parameter(Mandatory = $true)][String]$OMSLogTypeName,
[Parameter(Mandatory = $false)][Int]$BatchLimit = 1000,
[Parameter(Mandatory = $false)][String]$OMSTimeStampFieldName = 'TimeCreated'
)
#Define the excluded fields
$arrSkippedProperties = New-Object -TypeName System.Collections.ArrayList
[Void]$arrSkippedProperties.Add('ContainerLog')
[Void]$arrSkippedProperties.Add('Bookmark')
[Void]$arrSkippedProperties.Add('Properties')
[Void]$arrSkippedProperties.Add('KeywordsDisplayNames')
[Void]$arrSkippedProperties.Add('Keywords')
[Void]$arrSkippedProperties.Add('RecordId')
#Get OMS connection
$OMSConnection = Get-AutomationConnection -Name $OMSConnectionName
#Process Evt file
Write-Output -Message "Processing Event Export file $EvtExportPath"
Write-Output "OMS Log Type: '$OMSLogTypeName'"
Write-Output "OMS Log Timestamp field: '$OMSTimeStampFieldName'"
Write-Output "Batch injection limit: $BatchLimit"
$LogQuery = [System.Diagnostics.Eventing.Reader.EventLogQuery]::new($EvtExportPath,[System.Diagnostics.Eventing.Reader.PathType]::FilePath)
$LogReader = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogReader -ArgumentList ($LogQuery)
$arrEvents = @()
$i = 0
$BatchCount = 1 #the count of number of batches
$BatchSize = 0 #the number of events in the batch
For ($Event = $LogReader.ReadEvent(); $null -ne $Event; $Event = $LogReader.ReadEvent())
{
$i++
If ($BatchSize -le $BatchLimit)
{
#Write-Output -InputObject "Reading event number $i (Batch Number #$BatchCount)"
$properties = @{}
Foreach ($item in (Get-Member -InputObject $Event -MemberType Properties))
{
$PropertyName = $item.Name
If (!$arrSkippedProperties.Contains($PropertyName))
{
$properties.Add($PropertyName, $Event.$PropertyName)
}
}
#Add Event description
$EventDescription = $Event.FormatDescription()
If ($EventDescription.Length -eq 0)
{
#If formatted description is missing, then use the raw XML
$EventDescription = $Event.ToXML()
}
$properties.Add('Description', $EventDescription)
$objEvtExtract = New-Object -TypeName psobject -Property $properties
$arrEvents += $objEvtExtract
$BatchSize ++
}
if ($BatchSize -eq $BatchLimit)
{
#Submit to OMS
Write-Output -InputObject "Injecting $($arrEvents.count) records to OMS"
$OMSInjectResult = New-OMSDataInjection -OMSConnection $OMSConnection -LogType $OMSLogTypeName -UTCTimeStampField $OMSTimeStampFieldName -OMSDataObject $arrEvents -Verbose
If ($OMSInjectResult -eq $true)
{
Write-Output "OMS log injection successful."
} else {
Write-Error "OMS log injection failed."
}
#clear array and reset batch count
$arrEvents = @()
$BatchCount ++
$BatchSize = 0
}
}
Write-Output -InputObject "Done. Total number of log injected: $i"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment