This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Windows Powershell logs

HemanathSeethar
Beginner
Beginner

‎2018-09-24 05:16 AM

How to collect windows Powershell logs which are under event viewer using existing Winrm method, We have Netwitness 11.1 running in our infra

Labels:
5 REPLIES 5

AngelaStranahan
Employee
Employee

‎2018-09-24 10:03 AM

These are for TaskScheduler, but you should be able to do the same for Powershell.

To collect Application and Services Logs using Windows Eventing over WinRM:

  1. Use the guide provided on SCOL to configure collection over WinRM
  2. Find the full path found in the Event viewer for the log.  The example below is for the Microsoft-Windows-TaskScheduler/Operational log

     event_viewer.png

  3. Select to edit your configured Windows Event Source
    event_source_config.png

  4. Enter the full path within the Channel section of the Event Category Source dialog

    event_source_edit.png

JoshRandall
Valued Contributor Valued Contributor
Valued Contributor

‎2018-09-24 06:53 PM

Hemanath Seetharaman

You'll want to add "Windows PowerShell"

pastedImage_2.png

 

...to the Windows event collection Channel in your Log Collector (Local and/or Remote, depending on your environment), e.g.:

pastedImage_1.png


Mr. Mongo

AngelaStranahan
Employee
Employee

‎2018-09-25 01:46 PM

Within RSA NetWitness Endpoint, configuration of the endpoint agent is very similar to the Windows Event Source Configuration for a Log Decoder. See the Endpoint Insights Agent Installation Guide for Version 11.2 > Generating an Agent Packager with Windows Log Collection > Channel Filters. You'll find the steps for PowerShell collection on pages 13 -14.

HemanathSeethar
Beginner
Beginner
In response to JoshRandall

‎2018-09-26 05:23 AM

Thank You Joshua.. This was helpful and we are seeing powershell logs now.. Now we will explore what events to include inside Windows powershell logging..

0 Likes

HemanathSeethar
Beginner
Beginner

‎2018-09-26 05:26 AM

Thankyou Angela.. we are currently running netwitness 11.1 and RSA CS was asking if we have NW Endpoint Server in our infra which we do not have and something I am exploring as well for this endpoint agent.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.