Here is a PowerShell script example that extracts data out of LogInsight into CSV files for multiple search items where /text/CONTAINS is required. You can easily adapt '/text/CONTAINS' in this script to use different matching criteria; just check out the documentation here.
So, to the script.
So that I don't keep being prompted for credentials, I save the account user and password with the PowerShell Get-Credential command:
```powershell
$cred = Get-Credential
$cred | Export-Clixml -Path "D:\LogExtract\Config\LogInsight.xml"
```
Script usage:
```powershell
./Get-LogInsight -Provider 'ActiveDirectory' -LogInsightAddress 'log.vMan.ch' -creds 'LogInsight' -SearchText 'WINSRV2','WINSRV4' -StartDate '2017/05/12 13:00' -EndDate '2017/05/13 13:05' -interval 5
```
-Provider 'ActiveDirectory' for Active Directory users or 'Local' for LogInsight local users
-LogInsightAddress FQDN or IP of the LogInsight server
-creds name of the credentials file to use (without the .xml extension)
-SearchText array of items to search for
-StartDate start date for the query
-EndDate end date for the query
-interval interval in minutes per query; the range is extracted in batches of this size, which helps get around the 20000 row export limit
```powershell
<#
Get Events from LogInsight via the API. Extracting more than 20000 rows can be a pain, so this allows
the calls to be extracted in batches by using X minute intervals as a "work around" for the export limit.

Usage:
./Get-LogInsight -Provider 'ActiveDirectory' -LogInsightAddress 'log.vMan.ch' -creds 'LogInsight' -SearchText '192.168.16.130','192.168.16.131' -StartDate '2017/02/12 13:00' -EndDate '2017/02/13 13:05' -interval 5

Use -Provider 'ActiveDirectory' for active directory credentials or -Provider 'Local' for LogInsight users
#>
param (
    [String]$LogInsightAddress = 'log.vman.ch',
    [String]$creds = 'LogInsight',
    [String]$Provider = 'ActiveDirectory',
    [Array]$SearchText = @('WINSRV2','WINSRV4'),
    [DateTime]$StartDate = '2017/02/12 14:10',
    [DateTime]$EndDate = '2017/02/12 20:20',
    [Int]$interval = 5
)

$ScriptPath = (Get-Item -Path ".\" -Verbose).FullName

# Load the credential saved earlier with Export-Clixml (DPAPI protected: only the same user on the same machine can read it back)
if($creds -gt ""){
    $cred = Import-Clixml -Path "$ScriptPath\config\$creds.xml"
    $User = $cred.GetNetworkCredential().Username
    $Password = $cred.GetNetworkCredential().Password
} else {
    echo "Credentials not specified, bye bye!"
    Exit
}

#Take all certs. This turns off TLS certificate validation for the whole PowerShell session,
# so the LogInsight certificate is never checked; drop it once the appliance has a trusted certificate.
add-type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        return true;
    }
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

#Start Script
$lookupintervalMS = ($interval * 60 * 1000)
$ContentType = "application/json"

$header = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$header.Add("Accept", 'application/json')
$header.Add("Content-Type", 'application/json')
$header.Add("User-Agent", 'vManCHExtractor/1.0')

# Authenticate and keep the returned session id as a bearer token for the queries
$Authurl = 'https://'+$LogInsightAddress+'/api/v1/sessions'
$AuthBody = @"
{
  "username": "$User",
  "password": "$Password",
  "provider": "$Provider"
}
"@

$Auth = Invoke-RestMethod -Method POST -uri $Authurl -ContentType $ContentType -Headers $header -Body $Authbody
$header.Add('Authorization',"Bearer $($auth.sessionId)")

# LogInsight timestamps are epoch milliseconds in UTC
[int64]$StartDateEpoc = Get-Date -Date $StartDate.ToUniversalTime() -UFormat %s
$StartDateEpoc = $StartDateEpoc*1000

$StartDateFile = $StartDate.tostring("yyyyMMdd-HHmmss")
$EndDateFile = $EndDate.tostring("yyyyMMdd-HHmmss")

ForEach ($Lookup in $SearchText){
    [int64]$EndDateEpoc = Get-Date -Date $EndDate.ToUniversalTime() -UFormat %s
    $LookupDateEndEpoc = $EndDateEpoc*1000
    $LookupDateStartEpoc = ($LookupDateEndEpoc - $lookupintervalMS)

    # Walk backwards from EndDate to StartDate one interval at a time.
    # -gt rather than -ne so the loop also ends when the range is not a whole multiple of the interval.
    While ($LookupDateEndEpoc -gt $StartDateEpoc) {
        if ($LookupDateStartEpoc -lt $StartDateEpoc) { $LookupDateStartEpoc = $StartDateEpoc }
        $QueryURL = 'https://'+$LogInsightAddress+'/api/v1/events/timestamp/>='+$LookupDateStartEpoc+'/timestamp/<='+$LookupDateEndEpoc + '/text/CONTAINS '+$Lookup +'?limit=20000&timeout=300000'
        $LogInsightResults = Invoke-RestMethod -Method GET -uri $QueryURL -ContentType $ContentType -Headers $header
        Write-host "Log Collection incremented by $interval min for $Lookup, waiting for LookupEnd $LookupDateEndEpoc to hit StartTime $StartDateEpoc"
        $LookupDateStartEpoc = ($LookupDateStartEpoc - $lookupintervalMS)
        $LookupDateEndEpoc = ($LookupDateEndEpoc - $lookupintervalMS)
        $LogInsightResults.events.text | Out-file -FilePath "$ScriptPath\Results\$Lookup-$StartDateFile-$EndDateFile.log" -Append
    }
}

# Clear the session variables (including the plain-text password) when done
Remove-Variable * -Force -ErrorAction SilentlyContinue
```
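One thing the script above does not check is whether a single interval itself returns the full 20000 rows, in which case LogInsight silently drops the rest. The following is an added example, not code from the original post: a version of the batching loop that halves the window when a batch comes back at the cap. Get-LogInsightBatched, the -Fetch scriptblock (called with the query URL so the loop can be tried offline) and the stub results are assumptions; the URL format, millisecond epochs and the limit=20000 cap are from the script above.

```powershell
function Get-LogInsightBatched {
    param(
        [Parameter(Mandatory)][string]$LogInsightAddress,
        [Parameter(Mandatory)][string]$SearchText,
        [Parameter(Mandatory)][datetime]$StartDate,
        [Parameter(Mandatory)][datetime]$EndDate,
        [int]$IntervalMinutes = 5,
        [int]$Limit = 20000,
        [int]$MinWindowSeconds = 30,
        [Parameter(Mandatory)][scriptblock]$Fetch   # assumed: takes the query URL, returns event text lines
    )
    $epoch   = [datetime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    $startMs = [int64](($StartDate.ToUniversalTime() - $epoch).TotalMilliseconds)
    $endMs   = [int64](($EndDate.ToUniversalTime() - $epoch).TotalMilliseconds)
    $stepMs  = [int64]$IntervalMinutes * 60000
    $minMs   = [int64]$MinWindowSeconds * 1000
    $term    = [uri]::EscapeDataString($SearchText)   # the original sends the space after CONTAINS unescaped
    $results = [System.Collections.Generic.List[string]]::new()
    $windowEnd = $endMs
    while ($windowEnd -gt $startMs) {
        $windowStart = [Math]::Max($startMs, $windowEnd - $stepMs)
        $url = "https://$LogInsightAddress/api/v1/events/timestamp/>=$windowStart" +
               "/timestamp/<=$windowEnd/text/CONTAINS%20$($term)?limit=$($Limit)&timeout=300000"
        $batch = @(& $Fetch $url)
        if ($batch.Count -ge $Limit) {
            # A full page means rows were probably dropped: halve the window and query it again
            if (($windowEnd - $windowStart) -gt $minMs) { $stepMs = [Math]::Max($minMs, [int64]($stepMs / 2)); continue }
            Write-Warning "Window $windowStart-$windowEnd still returns $Limit rows at the minimum size; data may be missing"
        }
        $results.AddRange([string[]]$batch)
        $windowEnd = $windowStart   # as in the original >=/<= query, an event on the exact boundary ms can repeat
    }
    return $results
}

# Constructed stand-in for Invoke-RestMethod: any window wider than 2 minutes "overflows" the cap.
# For a live run pass { param($u) (Invoke-RestMethod -Method GET -Uri $u -Headers $header).events.text }
$fakeFetch = {
    param($url)
    if ($url -notmatch 'timestamp/>=(\d+)/timestamp/<=(\d+)') { return @() }
    if (([int64]$Matches[2] - [int64]$Matches[1]) -gt 120000) { return @('event') * 20000 }
    return @('event a', 'event b')
}
$lines = Get-LogInsightBatched -LogInsightAddress 'log.vMan.ch' -SearchText 'WINSRV2' `
    -StartDate '2017/05/12 13:00' -EndDate '2017/05/12 13:20' -Fetch $fakeFetch
"$($lines.Count) lines collected"   # against the stub the window shrinks 5 min -> 2.5 min -> 75 s
```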
Hope this helps someone 🙂
vMan