For specific use cases (e.g. to collect the state of your secure boot certificate updates) it might be required to run a script on your hosts and collect the data centrally. The best way to achieve this is to use Azure Log Analytics.
Here is how you can achieve this:
1. Setup the Azure Log Analytics Workspace in Azure
1.1 Search in the Azure Portal for "Azure Log Analytics Workspace" and add a new one.
Hint: Formerly Microsoft was showing this data in the portal but they removed it. Its still supported but not the preferred method anymore. Any other methods does not allow the PowerShell based upload. Instead you need the AMA client to gather data. Which does not work for a PowerShell script based solutions were you want to gather your own custom generated data.
2. Gather the required data (WorkspaceID and Preshared Key) for your script
2.1 connect with Powershell to your Subscription
2.2 Ensure Azure modules are loaded (Import-Module Az) or you use the Azure Cloud shell (easiest method)
2.3 Retrieve the Workspace ID (replace RessourceGroup name and Workspace name!)
(Get-AzOperationalInsightsWorkspace -ResourceGroupName rg-xxx -Name "law-xxx-test").CustomerID
Shown ID is your Workspace ID (note/copy it we need it later again!)
2.4 Retrieve the Workspace Keys for uploading
Get-AzOperationalInsightsWorkspaceSharedKeys -ResourceGroupName rg-xxx -Name "law-xxx-test"
Shown SharedKeys are required for the script as well. Please note / copy them and keep the data in a save place!
3. Powershell Code to send some data
For demonstration purposes we gather hostnamen and IP addresses. So you can simply modify the relevant part. This thing will generate your first data.
If there is no log created with this name (here MyHostLog) then it will be generated automatically for you when you send the first data.
Keep in mind you need to modify the former captured WorkspaceID and Workspace Key (I would recommend you use the primary key).
# Function to log Host Name and IP Address to custom log in Azure Log Analytics!
# Simply use start-transcript at the beginning your script and
# stop-transcript as last line in your script for easy logging.
# This will catch up all the write-host and other output as well!
Write-Host "Log Host Name and IP Address to custom log"
$apiVersion = "2016-04-01"
# IMPORTANT! Adjust the code with your own data gathered in step 2!
$workspaceId = "11111111-2222-3333-4444-555555555555"
$workspaceKey = "wJxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx0ww=="
# Name of your log in your Azure Log Analytics Workspace
$logType = "MyHostLog"
# Generation of some sample custom log data. Change this for your purpose
$hostname = $env:COMPUTERNAME
$ipAddress = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.InterfaceAlias -match "Ethernet*" }).IPAddress
$timestamp = Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ"
# Creation of the log entry. Its good to have a timestamp and may be a host reference if you want! And add here whatever you want!
$logEntry = @(
@{
TimeGenerated = $timestamp
Hostname = $hostname
IPAddress = $ipAddress
}
)
# Generate log entry body and header to send. It will be encrypted and signed with your shared Workspace key from above.
$body = $logEntry | ConvertTo-Json -Depth 3
# Ensure the date is in RFC1123 format
$date = [DateTime]::UtcNow.ToString("r")
# Construct the string to sign
$stringToHash = "POST`n$($body.Length)`napplication/json`nx-ms-date:$date`n/api/logs"
$hmacsha256 = New-Object System.Security.Cryptography.HMACSHA256
$hmacsha256.Key = [Convert]::FromBase64String($workspaceKey)
$hash = $hmacsha256.ComputeHash([Text.Encoding]::UTF8.GetBytes($stringToHash))
$signature = [Convert]::ToBase64String($hash)
$authkey = $workspaceId + ":" + $signature
$authorization = "SharedKey $authkey"
$headers = @{
"Content-Type" = "application/json"
"Authorization" = $authorization
"Log-Type" = $logType
"x-ms-date" = $date
}
# Lets look into the header we have created (this is just for reference in your local logs if you want!)
Write-Host "Header:"
$headers
Write-Host "=================================================="
# Lets look into the body we have created (this is just for reference in your local logs if you want!)
Write-Host "Body:"
$body
# Now lets send the data to the workspace (may be you want to adjust the catch block & finally text)
try {
$response = Invoke-RestMethod -Method Post -Uri "https://$workspaceId.ods.opinsights.azure.com/api/logs?api-version=$apiVersion" -Headers $headers -Body $body
# Output the response (so it got catched in start-transcript log, no response is fine as well!)
Write-Host "Response: $response"
}
catch {
Write-Error "Failed to send the IpReport: $_"
}
finally {
Write-Host "Processing done for IP reporting!"
}
}
# Now call the function
Send-Ip
Thats it! Simply ajdust the sample code as you want.
You find in Azure Log Analytics workspace table "MyHostLog_CL" your first new entry:
