david_auquiere

Agent Manager - logs from powershell

Hello,

I would like to receive Windows logs in my SIEM when PowerShell commands are run. I activated the logging on the servers and the events are stored in "Applications and Services Logs -> Microsoft -> Windows -> PowerShell -> Operational" (see Event Viewer on Windows Server 2012 R2).

Is it possible to do that?

Thanks for your input

David
ScorpionSting

Re: Agent Manager - logs from powershell

david_auquiere;2499786 wrote:
Hello,

I would like to receive Windows logs in my SIEM when PowerShell commands are run. I activated the logging on the servers and the events are stored in "Applications and Services Logs -> Microsoft -> Windows -> PowerShell -> Operational" (see Event Viewer on Windows Server 2012 R2).

Is it possible to do that?

Thanks for your input

David

How are you collecting Windows logs at the moment (if at all)? SAM, WECS, SmartConnector?

With WECS, you can configure the event source's Connection Mode's EventLogQuery (but it's very easy to completely break this if you get it wrong).

david_auquiere

Re: Agent Manager - logs from powershell

We use SAM. And I don't see how to configure a supplier in Agent Manager to get the logs stored on the Windows server in "Applications and Services Logs -> Microsoft -> Windows -> PowerShell -> Operational" (Server 2012 R2).

Thanks,

david
ScorpionSting

Re: Agent Manager - logs from powershell

david_auquiere;2499819 wrote:
We use SAM. And I don't see how to configure a supplier in Agent Manager to get the logs stored on the Windows server in "Applications and Services Logs -> Microsoft -> Windows -> PowerShell -> Operational" (Server 2012 R2).

Thanks,

david

I haven't actually used SAM before (places I've worked have had paranoid Windows guys that wouldn't allow "other" software on DCs), but the name of the event log to try and capture is "Microsoft-Windows-PowerShell/Operational". It looks like you might be after Step 15 of Section 3's "Adding an Agent Manager Event Source Server".

rochfo

Re: Agent Manager - logs from powershell

ScorpionSting;2499897 wrote:
I haven't actually used SAM before (places I've worked have had paranoid Windows guys that wouldn't allow "other" software on DCs), but the name of the event log to try and capture is "Microsoft-Windows-PowerShell/Operational". It looks like you might be after Step 15 of Section 3's "Adding an Agent Manager Event Source Server".

We use SAM extensively and this is a limitation of the software. There are no providers in SAM that allow you to collect any logs outside of the standard Windows event logs. The ArcSight Windows connector might help you here, but you will need to set up a Windows Event Forwarding subscription to push/pull events from your sources and then set up an ArcSight SmartConnector to collect the Forwarded Events log on your WEF collector server. We do this for Sysmon events using a Sysmon flex connector for ArcSight and forward them using CEF 1.0 to the Sentinel Collector. They don't fully parse (some command line stuff is missing), but it gets most events.

It would be much easier if SAM allowed this. I'm hoping it is planned; most SIEMs allow you to collect any of these logs.
david_auquiere
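As an added example (not from any poster in this thread, and not Sentinel, SAM or ArcSight code), the PowerShell below checks on a source host that the channel ScorpionSting named is actually enabled, dry-runs the event query locally, and writes out the source-initiated WEF subscription XML that rochfo's route needs; the event IDs 4103/4104 (module and script block logging), the output path and the SDDL are assumptions.

```powershell
# Added example: verify the PowerShell Operational channel, test the XPath
# query against it, and produce the WEF subscription XML for the collector.
# Channel name is from the thread; event IDs, path and SDDL are assumptions.

$Channel = 'Microsoft-Windows-PowerShell/Operational'

# 1. Is the channel present and enabled? A disabled channel forwards nothing,
#    so this is the first thing to check when the SIEM stays empty.
$log = Get-WinEvent -ListLog $Channel -ErrorAction Stop
'{0}: enabled={1} records={2}' -f $log.LogName, $log.IsEnabled, $log.RecordCount

# 2. One query text, reused both for the local dry run and the subscription.
$Query = @"
<QueryList>
  <Query Id="0" Path="$Channel">
    <Select Path="$Channel">*[System[(EventID=4103 or EventID=4104)]]</Select>
  </Query>
</QueryList>
"@

# 3. Dry run: show what this query would hand to the SIEM right now
#    (first line of each message only, to keep the listing readable).
Get-WinEvent -FilterXml $Query -MaxEvents 10 -ErrorAction SilentlyContinue |
    ForEach-Object {
        '{0} id={1} {2}' -f $_.TimeCreated, $_.Id, ($_.Message -split "`n")[0]
    }

# 4. Source-initiated subscription that lands the events in the collector's
#    ForwardedEvents log, which the SmartConnector then reads. The SDDL
#    (assumed) grants Domain Computers; adjust it to your source group.
$Subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>PowerShell-Operational</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Enabled>true</Enabled>
  <Query><![CDATA[
$Query
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
"@
$Subscription | Set-Content -Path 'C:\wef\powershell-operational.xml' -Encoding UTF8
# Register it on the collector:  wecutil cs C:\wef\powershell-operational.xml
```

Run steps 1 to 3 on a source server and step 4 on the WEF collector; if step 3 returns nothing even though IsEnabled is true, the log is enabled but no script block or module logging policy is producing events yet.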

Re: Agent Manager - logs from powershell

Thank you all for your clear answers. I added it to the idea list; perhaps it could change.