This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
david_auquiere
Cadet 1st Class
Cadet 1st Class
‎2019-05-15 14:18
1688 views

Agent Manager - logs from powershell

Hello,

I would like to receive windows logs in my SIEM when powershell commands are run...I activate logs on servers and they are stored in "Applications and Services Logs->Microsoft->Windows->Powershell->Operational" (see Event Viewer Windows Server 2012R2)

Is it possible to do that?

Thanks for your input

David
0 Likes
Reply
Report Inappropriate Content
6 Replies
ScorpionSting
Absent Member.
Absent Member.
‎2019-05-16 00:41

david_auquiere;2499786 wrote:
Hello,

I would like to receive windows logs in my SIEM when powershell commands are run...I activate logs on servers and they are stored in "Applications and Services Logs->Microsoft->Windows->Powershell->Operational" (see Event Viewer Windows Server 2012R2)

Is it possible to do that?

Thanks for your input

David


How are you collecting Windows Logs at the moment (if at all)? SAM, WECS, SmartConnector ?

With WECS, you can configure the event source's Connection Mode's EventLogQuery (but it's very easy to completely break this if you get it wrong)...

Visit my Website for links to Cool Solution articles.
0 Likes
Reply
Report Inappropriate Content
david_auquiere
Cadet 1st Class
Cadet 1st Class
‎2019-05-16 08:50

We use SAM. And I don't see how to configure supplier in Agent Manager to get logs stored in the windows server in "Applications and Services Logs->Microsoft->Windows->Powershell->Operational" (server 2012R2)

Thanks,

david
0 Likes
Reply
Report Inappropriate Content
ScorpionSting
Absent Member.
Absent Member.
‎2019-05-16 23:44

david_auquiere;2499819 wrote:
We use SAM. And I don't see how to configure supplier in Agent Manager to get logs stored in the windows server in "Applications and Services Logs->Microsoft->Windows->Powershell->Operational" (server 2012R2)

Thanks,

david


I haven't actually used SAM before...places I've worked have had paranoid Windows guys that wouldn't allow "other" software on DC's...but the name of the event log to try and capture is "Microsoft-Windows-PowerShell/Operational"... It looks like you might be after Step 15 of Section 3's Adding an Agent Manager Event Source Server

Visit my Website for links to Cool Solution articles.
0 Likes
Reply
Report Inappropriate Content
rochfo
Commodore
Commodore
‎2019-05-18 18:14

ScorpionSting;2499897 wrote:
I haven't actually used SAM before...places I've worked have had paranoid Windows guys that wouldn't allow "other" software on DC's...but the name of the event log to try and capture is "Microsoft-Windows-PowerShell/Operational"... It looks like you might be after Step 15 of Section 3's Adding an Agent Manager Event Source Server


We use SAM extensively and this is a limitation of the software. There are no providers in SAM that allow you to collect any logs outside of the standard windows event logs. The Arcsight Windows connector might help you here but you will need to setup a Windows Event Forwarding subscription to push/pull events from your sources and then setup an Arcsight Smartconnector to collect the Forwarded Events log on your WEF collector server. We do this for sysmon events using a sysmon flex connector for Arcsight and forward them using CEF1.0 to the Sentinel Collector. They don't fully parse, some command line stuff is missing, but it gets most events.

It would be much easier if SAM allowed this, I'm hoping it is planned, most SIEMs allow you to collect any of these logs.
0 Likes
Reply
Report Inappropriate Content
david_auquiere
Cadet 1st Class
Cadet 1st Class
‎2019-05-22 13:17

Thank you all for your clear answer...I add it in the idea list...perhaps, it could change...
0 Likes
Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.