topic Re: How to pull in Windows Event logs from the Windows PowerShell path in Getting Data In

How to pull in Windows Event logs from the Windows PowerShell path

TheBravoSierra — Wed, 09 Feb 2022 19:46:42 GMT

Hi,

I'm trying to pull in Windows Event logs from the Windows PowerShell path. This path includes 800s, which I've seen in event viewer so I know they're generated and stored here. I just can't seem to pull anything and I don't see much help on the internet to pulling this path.

This is my inputs.conf:

[WinEventLog://Windows PowerShell/]
disabled=0

Note: This is different from the other PowerShell path where I get my 4103 and 4104 codes:

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled=0

Any helps is appreciated. Thanks.

Re: Read logs from PowerShell

PickleRick — Wed, 09 Feb 2022 18:07:28 GMT

You have to get a proper path from the Event Log properties.

You seem to have a right one in the second case (Microsoft-Windows-PowerShell/Operational).

But the first one doesn't seem right. Check the properties of this log in Event Viewer and see its Full Name

Re: How to pull in Windows Event logs from the Windows PowerShell path

TheBravoSierra — Wed, 09 Feb 2022 20:49:26 GMT

My inputs.conf was incorrect. I had a / at the end of PowerShell. Removed the / and now it is ingesting properly.