NetWitness Community

DELVALERIO · ‎2017-03-07

Is anyone processing Windows Powershell Logs with Netwitness? I am curious what parser is used or did you write a custom parser?

EricPartington · ‎2017-03-07

Powershell logs can be parsed by the default windows log parsers. If you download the parser from RSA live and rename the envision file to .zip and extract you can take a look at the parser and see what Powershell messages are extracted and where.

The one part that I have not been able to test is the script block logging and what can be seen from that.

these are the Powershell logs that I have recently parsed in my environment

40962, 40961, 53504, 4100

DELVALERIO · ‎2017-03-14

Thanks Eric. How did you get the powershell logs into your environment? We are currently ingesting the Win Security Event logs, but cant figure out how to also grab the powershell logs, without grabbing All the logs. We are collecting from about 16,000 servers and dont want all the other logs.

EricPartington · ‎2017-03-14

In my test lab I am finding that using Windows Event collection is the best method to gather logs from server and endpoints based on collections and then capture those with WMI from one central computer. That way you can define the event logs specifically (as well as filters) to get exactly what you want.

That is how I am grabbing the powershell logs into NWLogs.

Windows client (powershell logs) -> WMI to WEF server -> ForwardedEvents log -> WMI -> NWLogCollector

NetWitness Community

Windows Powershell logs