How to run PowerShell Scripts with Elastic?

Hello,

I was wondering if it is possible to automate a PowerShell script with Elastic.

Perhaps a trigger can set off the script to run?
I read that webhooks might be an option, but are there better methods?

It's possible in Logstash by using the exec plugin. ES and Kibana don't support it, AFAIK.

1 Like

Hey @Rios, based on that documentation it seems like you can only run a command? Would the command be to run

.\run_script.ps1

Also, I don't want to run this all the time. I was thinking, is there a way to trigger the command?

You need to pass the full path of your script.

Also, keep in mind that this will execute the script and pass the result into the logstash pipeline and it will be processed by other filters and sent to the configured output.

You cannot trigger this; you need to configure the plugin to run on a pre-determined interval or on a schedule.

What you can do is have a conditional in your configuration that will run the script based on the value of a field on some event being processed by the same pipeline.

What do you want to achieve with this? It is not clear what your use case is.

@leandrojmp

Thanks for the information!

The goal is to use the data being ingested into Elastic to trigger a PowerShell script to run.

Could I trigger the alert by data being processed by the same pipeline running the script?
If so, that could work, as the data for my use case in particular is being ingested through Logstash.

Leandro provided you with info on how to use the plugin.

A few more options for how to use it:

  1. Logstash. If you already have a PS script which collects data and outputs it as JSON, CSV, etc., LS is useful, especially if you need to filter the data; you can use LS as a scheduler/cron: every minute, hour, day... This approach is ideal in case the script already generates data in the mentioned formats and you just need to import it, with(out) minor data changes.

  2. PS script. You can write your own PS script, collect data from somewhere and directly insert the data into ES by using Invoke-WebRequest, writing the data as JSON. In that case, use Windows Task Scheduler to trigger it, or you can run the PS script manually. Totally versatile: you can integrate absolutely everything with ES, especially MS products.

  3. ES cmdlets. There is the Elastic.Console module, which provides cmdlets for PS -> ES requests.

1 Like

Hey @Rios, this is great information, but I am not ingesting data from a PS script; I am trying to trigger a script using Elastic's data. The issue is that this isn't a continuous script that needs to be run. The script should only be run if an event occurs.

@Rios @leandrojmp

After digging in the Elastic GitHub, this is what I am talking about:
Shell script and powershell connector for watcher alerts · Issue #105381 · elastic/kibana (github.com)

1 Like

None of the tools in the stack currently support doing this, but it is quite easy to do that outside Elastic or Logstash: you just need to query Elasticsearch and then run your script.

I have a couple of Python scripts that do exactly this: query a specific index for a specific event and, if it is found, trigger other actions.

You also have third-party tools, like ElastAlert2, which make it even easier: Alerts — ElastAlert 2 0.0.1 documentation

2 Likes

Thanks for the help! @leandrojmp @Rios

1 Like