
QuickTip: Sending custom data from scripts to Log Analytics Workspace

In Azure, Log Analytics workspaces, Azure Sentinel, Azure Monitor, Power BI and other cloud services provide unique capabilities for logging, monitoring and reporting. In this quick tip I am going to share a PowerShell script that sends custom data into a Log Analytics workspace. Once the data is there you can build Sentinel analytics alerts, incidents or Power BI reports on top of it; the possibilities are virtually unlimited once you have the data in Log Analytics.


Function Build-Signature {
# Builds the "SharedKey" Authorization header for the HTTP Data Collector API:
# an HMAC-SHA256 over the canonical request string, keyed with the workspace shared key.
[CmdletBinding()]
Param (
  [Parameter(Mandatory = $true)]
  $customerId,
  [Parameter(Mandatory = $true)]
  $sharedKey,
  [Parameter(Mandatory = $true)]
  $date,
  [Parameter(Mandatory = $true)]
  $contentLength,
  [Parameter(Mandatory = $true)]
  $method,
  [Parameter(Mandatory = $true)]
  $contentType,
  [Parameter(Mandatory = $true)]
  $resource
)
  $xHeaders = "x-ms-date:" + $date
  # Canonical string: method, content length, content type, x-ms-date header and resource path, newline separated
  $stringToHash = $method + "`n" + $contentLength + "`n" + $contentType + "`n" + $xHeaders + "`n" + $resource
  $bytesToHash = [Text.Encoding]::UTF8.GetBytes($stringToHash)
  # The shared key is delivered base64 encoded; the raw bytes are the HMAC key
  $keyBytes = [Convert]::FromBase64String($sharedKey)
  $sha256 = New-Object System.Security.Cryptography.HMACSHA256
  $sha256.Key = $keyBytes
  $calculatedHash = $sha256.ComputeHash($bytesToHash)
  $encodedHash = [Convert]::ToBase64String($calculatedHash)
  $authorization = 'SharedKey {0}:{1}' -f $customerId,$encodedHash
  return $authorization
}

Function New-CustomOMSEvent {
# Sends one custom record (a hashtable) to the given custom table of a Log Analytics workspace.
[CmdletBinding()]
Param (
  [Parameter(Mandatory = $true)]
  [string] $ResourceGroupName,
  [Parameter(Mandatory = $true)]
  [string] $workspaceName,
  [Parameter(Mandatory = $true)]
  [HashTable]$logevent,
  [Parameter(Mandatory = $true)]
  [string] $CustomTable
)
  # Look up the workspace by resource group and name (Az.OperationalInsights module)
  $workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroupName -Name $workspaceName
  $rfc1123date = [DateTime]::UtcNow.ToString("r")
  # Index assignment instead of .Add() so the same hashtable can be sent more than once without a duplicate-key error
  $logevent["DateValue"] = $rfc1123date
  $json = $logevent | ConvertTo-Json
  $customerId = $workspace.CustomerId.Guid
  # The primary shared key is a secret; it is fetched through Az here rather than hard-coded
  $sharedKey = (Get-AzOperationalInsightsWorkspaceSharedKeys -ResourceGroupName $workspace.ResourceGroupName -Name $workspace.Name).PrimarySharedKey
  $body = [System.Text.Encoding]::UTF8.GetBytes($json)
  $resource = "/api/logs"
  $contentLength = $body.Length
  $signature = Build-Signature -customerId $customerId -sharedKey $sharedKey -date $rfc1123date -contentLength $contentLength -method "POST" -contentType "application/json" -resource $resource
  $uri = "https://" + $customerId + ".ods.opinsights.azure.com" + $resource + "?api-version=2016-04-01"
  # Log-Type is the custom table name; the service appends the _CL suffix
  $headers = @{
    "Authorization" = $signature;
    "Log-Type" = $CustomTable;
    "x-ms-date" = $rfc1123date;
  }

  $response = Invoke-WebRequest -Uri $uri -Method "POST" -ContentType "application/json" -Headers $headers -Body $body -UseBasicParsing
  # 200 OK means the record was accepted for ingestion
  return $response.StatusCode
}

$customData = @{
    Message = "Test Message"
    System = "Mycomputername"
}

New-CustomOMSEvent -ResourceGroupName lessergeektestrg -workspaceName LessergeekTestLogAnalyticsworkspace -LogEvent $customData -CustomTable "CustomDataFromPowershell"

In the above code I have created two functions. “Build-Signature” creates the authentication signature used in the web request. “New-CustomOMSEvent” sends the actual custom data into the Log Analytics workspace. In the example script I am sending custom data into a table called “CustomDataFromPowershell”, which will appear as “CustomDataFromPowershell_CL”, containing the fields “Message” and “System”; you can add any fields you wish to the hash table passed as the LogEvent parameter. With a few minor changes to the script you can send an array of hash tables if you wish to store multiple events at the same time. Please note that I have used Az module PowerShell commands to fetch the Log Analytics workspace object containing the unique customer ID of the workspace and the primary key used to authenticate the web request. This can be replaced with hard-coded values, secure variables in DevOps pipelines, or REST API calls to fetch the workspace details if you are using any other programming language that can make web requests/REST API calls to send the data.
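The batch variant described above, written out as an added example (it is not part of the original post): an array of hashtables is serialized as a JSON array and sent in one request, and the workspace ID and shared key come from environment variables instead of the Az module, so the same function works from a pipeline secret variable or a plain Windows host. The environment variable names LAW_WORKSPACE_ID and LAW_SHARED_KEY, the function names, and the sample events are assumptions; the headers, signing string and endpoint are the ones the script above already uses, plus the API's optional time-generated-field header.

```powershell
# Added example, not the original post's code. Batch sender for the Log Analytics
# HTTP Data Collector API without an Az module dependency. The environment variable
# names LAW_WORKSPACE_ID / LAW_SHARED_KEY are assumed (e.g. secret pipeline variables).

function Get-DataCollectorSignature {
    param(
        [Parameter(Mandatory)] [string] $WorkspaceId,
        [Parameter(Mandatory)] [string] $SharedKey,
        [Parameter(Mandatory)] [string] $Rfc1123Date,
        [Parameter(Mandatory)] [int]    $ContentLength,
        [string] $Method      = 'POST',
        [string] $ContentType = 'application/json',
        [string] $Resource    = '/api/logs'
    )
    # Canonical string: method, length, content type, x-ms-date header, resource path
    $stringToSign = "$Method`n$ContentLength`n$ContentType`nx-ms-date:$Rfc1123Date`n$Resource"
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [Convert]::FromBase64String($SharedKey)
    try {
        $hash = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($stringToSign))
    } finally {
        $hmac.Dispose()
    }
    return 'SharedKey {0}:{1}' -f $WorkspaceId, [Convert]::ToBase64String($hash)
}

function Send-LogAnalyticsBatch {
    param(
        [Parameter(Mandatory)] [hashtable[]] $Events,
        [Parameter(Mandatory)] [string] $LogType,
        [string] $WorkspaceId = $env:LAW_WORKSPACE_ID,
        [string] $SharedKey   = $env:LAW_SHARED_KEY,
        # Optional: name of a record field holding an ISO 8601 timestamp to use as TimeGenerated
        [string] $TimeGeneratedField
    )
    if (-not $WorkspaceId -or -not $SharedKey) {
        throw 'Workspace ID and shared key are required (LAW_WORKSPACE_ID / LAW_SHARED_KEY).'
    }
    # Log-Type may only contain letters, digits and underscores; the service appends _CL
    if ($LogType -notmatch '^[A-Za-z0-9_]+$') {
        throw "Invalid Log-Type '$LogType'"
    }

    # -InputObject keeps a one-element array as a JSON array instead of unrolling it
    $json = ConvertTo-Json -InputObject @($Events) -Depth 5 -Compress
    $body = [Text.Encoding]::UTF8.GetBytes($json)
    $date = [DateTime]::UtcNow.ToString('r')
    $sig  = Get-DataCollectorSignature -WorkspaceId $WorkspaceId -SharedKey $SharedKey `
                                       -Rfc1123Date $date -ContentLength $body.Length

    $headers = @{
        'Authorization' = $sig
        'Log-Type'      = $LogType
        'x-ms-date'     = $date
    }
    if ($TimeGeneratedField) { $headers['time-generated-field'] = $TimeGeneratedField }

    $uri = "https://$WorkspaceId.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    $response = Invoke-WebRequest -Uri $uri -Method Post -ContentType 'application/json' `
                                  -Headers $headers -Body $body -UseBasicParsing
    # 200 OK means the batch was accepted; records become queryable after a few minutes
    return $response.StatusCode
}

# Constructed sample events: two records sent in a single request
$batch = @(
    @{ Message = 'Service started'; System = 'host01'; EventTime = [DateTime]::UtcNow.ToString('o') },
    @{ Message = 'Service stopped'; System = 'host02'; EventTime = [DateTime]::UtcNow.ToString('o') }
)
Send-LogAnalyticsBatch -Events $batch -LogType 'CustomDataFromPowershell' -TimeGeneratedField 'EventTime'
```

Two details worth noting: piping a single-element array into ConvertTo-Json unrolls it into a bare object, which is why -InputObject is used, and the signature covers the exact body length, so the body must be serialized once and the same bytes sent.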

When you run the above code you will see that a custom table and custom fields are added to the Log Analytics workspace.

You can also set the default retention for this data using the newly added feature, which is still in preview.

To see the collected data in the Log Analytics workspace you can expand the “Custom Logs” section under Logs.

A Kusto query can then be run to fetch the actual data sent to the custom table.
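As an added example (not from the original post), the same data read back from PowerShell with the Az module, which is also a quick way to confirm that ingestion worked before wiring up an analytics rule. Custom string fields receive an _s suffix, so the “Message” and “System” fields from the script above become Message_s and System_s in the CustomDataFromPowershell_CL table; the function name and the 24-hour default window are assumptions.

```powershell
# Added example, not the original post's code. Queries the custom table back
# with Invoke-AzOperationalInsightsQuery (Az.OperationalInsights, requires Connect-AzAccount).
function Get-CustomLogRecords {
    param(
        [Parameter(Mandatory)] [string] $WorkspaceId,   # the workspace customer ID (GUID)
        [string] $Table = 'CustomDataFromPowershell_CL',
        [int]    $Hours = 24
    )
    # Custom string fields carry the _s suffix; TimeGenerated is set by the service
    # (or from the time-generated-field header if one was supplied at ingestion time)
    $kql = @"
$Table
| where TimeGenerated > ago(${Hours}h)
| project TimeGenerated, System_s, Message_s
| order by TimeGenerated desc
"@
    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql
    return $result.Results
}

# Usage: list the records ingested in the last 24 hours
# Get-CustomLogRecords -WorkspaceId '<workspace customer id>' | Format-Table
```

The same KQL text can be pasted into the Logs blade or into a Sentinel analytics rule; only the table name and the suffixed field names need to match what the ingestion script sent.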

One additional benefit of using a Log Analytics workspace for storing custom data is that it allows you to set up a custom retention period for the data, after which the data is automatically cleaned up. I am not saying that this cannot be done in any other cloud resource.