Windows Powershell logs
How to collect Windows PowerShell logs, which are under Event Viewer, using the existing WinRM method? We have NetWitness 11.1 running in our infra.
These are for Task Scheduler, but you should be able to do the same for PowerShell.
To collect Application and Services Logs using Windows Eventing over WinRM:
- Use the guide provided on SCOL to configure collection over WinRM
- Find the full path shown in Event Viewer for the log. The example below is for the Microsoft-Windows-TaskScheduler/Operational log
- Select to edit your configured Windows Event Source
- Enter the full path within the Channel section of the Event Category Source dialog
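To find the exact channel names to type into the Channel field and to confirm those channels are enabled, populated, and reachable over WinRM, the following PowerShell is an added example, not part of this thread or of NetWitness; the target host name is a placeholder.

```powershell
# Added example: enumerate PowerShell event channels and verify they are
# enabled and populated before entering them in the NetWitness Channel field.
# Assumed to run on the Windows host whose logs will be collected.

# 1. List every channel whose name contains "PowerShell" with its full path.
#    LogName is the value that goes in the Channel field, e.g.
#    "Microsoft-Windows-PowerShell/Operational" or "Windows PowerShell".
Get-WinEvent -ListLog "*PowerShell*" -ErrorAction SilentlyContinue |
    Select-Object LogName, IsEnabled, RecordCount, LogMode, LogFilePath |
    Format-Table -AutoSize

# 2. Confirm the channel that carries module logging (event ID 4103) and
#    script block logging (event ID 4104) actually contains events; an empty
#    result usually means the matching Group Policy setting is not enabled.
$channel = "Microsoft-Windows-PowerShell/Operational"
$recent = Get-WinEvent -FilterHashtable @{ LogName = $channel; Id = 4103, 4104 } `
                       -MaxEvents 5 -ErrorAction SilentlyContinue
if ($recent) {
    $recent | Select-Object TimeCreated, Id, ProviderName | Format-Table -AutoSize
} else {
    Write-Warning "No 4103/4104 events in $channel; check Module/Script Block Logging policy."
}

# 3. Check that WinRM is running and has a listener, since WinRM is the
#    transport the NetWitness Windows Event Source uses to read the channel.
Get-Service WinRM | Select-Object Name, Status
Get-ChildItem WSMan:\localhost\Listener | Select-Object Name, Keys

# 4. Read a few events from a remote host over WinRM, the same transport the
#    collector uses. "COLLECTOR-TEST-HOST" is a placeholder; the account used
#    must be allowed to read event logs there (e.g. member of Event Log Readers).
$target = "COLLECTOR-TEST-HOST"
if (Test-WSMan -ComputerName $target -ErrorAction SilentlyContinue) {
    Invoke-Command -ComputerName $target -ArgumentList $channel -ScriptBlock {
        param($c)
        Get-WinEvent -LogName $c -MaxEvents 3 -ErrorAction SilentlyContinue |
            Select-Object MachineName, TimeCreated, Id
    }
}
```

If step 1 shows the channel as disabled or step 2 returns nothing, enable PowerShell logging by policy first; NetWitness can only collect what the host has already written to the channel.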
Within RSA NetWitness Endpoint, configuration of the endpoint agent is very similar to the Windows Event Source Configuration for a Log Decoder. See the Endpoint Insights Agent Installation Guide for Version 11.2 > Generating an Agent Packager with Windows Log Collection > Channel Filters. You'll find the steps for PowerShell collection on pages 13-14.
Thank you Joshua. This was helpful and we are seeing PowerShell logs now. Now we will explore what events to include inside Windows PowerShell logging.
Thank you Angela. We are currently running NetWitness 11.1, and RSA CS was asking if we have an NW Endpoint Server in our infra, which we do not have, and it is something I am exploring as well for this endpoint agent.