https://community.splunk.com/t5/Getting-Data-In/Not-getting-EventCodes-4103-and-4104-even-though-logging-is/m-p/537353#M90063 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/227795">@weetabixsplunk</a>&nbsp;!</P><P>&nbsp;</P><P>Have a look here, and let me know if this helps : <A href="https://docs.splunk.com/Documentation/UBA/5.0.4/GetDataIn/AddPowerShell" target="_blank">https://docs.splunk.com/Documentation/UBA/5.0.4/GetDataIn/AddPowerShell</A></P><P>&nbsp;</P><P>Cheers,</P><P>David</P> Wed, 27 Jan 2021 06:36:49 GMT DavidHourani 2021-01-27T06:36:49Z https://community.splunk.com/t5/Getting-Data-In/Not-getting-EventCodes-4103-and-4104-even-though-logging-is/m-p/533376#M89592 <P>I'm trying to get better visibility of our PowerShell activity in one of my boxes (cola182) so I enabled process Auditing (EventCode 4688) - Which is working perfectly fine.</P><P>However, when I attempted to enable Module Logging (4103)&nbsp; and Script Block Logging (4104) it doesn't seem like I am receiving these logs.</P><P>I went to Policy Editor &gt; Computer Configuration &gt; Windows Components &gt; Powershell logging and made sure that the following were enabled (literally the 3 of them are showing as enabled):<BR /><BR />Turn on Module Logging</P><P>Turn on PowerShell Script Block Logging</P><P>Turn on PowerShell transcription.</P><P>I ran a crappy little test.ps1 script in cola182 in hopes that this activity would be reflected in my splunk logs:<BR /><BR />$alert = { "I like chicken salad sandwiches" }<BR />&amp; $alert<BR />&amp; $alert<BR /><BR /></P><P>When I check splunk, I am able to see this activity,&nbsp; but it doesn't come up under 4103</P><P>&nbsp;</P><P><SPAN class="t">LogName=Windows</SPAN> <SPAN class="t">PowerShell</SPAN><BR /><SPAN class="t">SourceName=PowerShell</SPAN><BR /><SPAN class="t">EventCode=800</SPAN><BR /><SPAN class="t">EventType=4</SPAN> <SPAN class="t">Type=Information</SPAN><BR /><SPAN class="t">ComputerName=Cola182</SPAN>&nbsp;<BR /><SPAN class="t">TaskCategory=Pipeline</SPAN> <SPAN class="t">Execution</SPAN> <SPAN class="t h">Details</SPAN><BR /><SPAN class="t">OpCode=Info</SPAN><BR /><SPAN class="t">RecordNumber=6578</SPAN><BR /><SPAN class="t">Keywords=Classic</SPAN> <SPAN class="t">Message=Pipeline</SPAN> <SPAN class="t">execution</SPAN> <SPAN class="t">details</SPAN> <SPAN class="t">for</SPAN> <SPAN class="t">command</SPAN> <SPAN class="t">line:</SPAN> <SPAN class="t">.</SPAN></P><P><SPAN class="t"><SPAN class="t h">ParameterBinding</SPAN><SPAN>(</SPAN>Out-Default<SPAN>)</SPAN>: name=<SPAN>"</SPAN>InputObject<SPAN>"; </SPAN>value=<SPAN>"I like chicken salad sandwiches</SPAN><SPAN>"</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class="t"><SPAN>As simple as my initial script is, technically it's a script block. Howcome I'm not able to see this activity? What am I missing?</SPAN></SPAN></P><P><SPAN class="t"><SPAN>Thanks!</SPAN></SPAN></P><P>&nbsp;</P> Wed, 16 Dec 2020 22:07:12 GMT https://community.splunk.com/t5/Getting-Data-In/Not-getting-EventCodes-4103-and-4104-even-though-logging-is/m-p/533376#M89592 weetabixsplunk 2020-12-16T22:07:12Z https://community.splunk.com/t5/Getting-Data-In/Not-getting-EventCodes-4103-and-4104-even-though-logging-is/m-p/537353#M90063 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/227795">@weetabixsplunk</a>&nbsp;!</P><P>&nbsp;</P><P>Have a look here, and let me know if this helps : <A href="https://docs.splunk.com/Documentation/UBA/5.0.4/GetDataIn/AddPowerShell" target="_blank">https://docs.splunk.com/Documentation/UBA/5.0.4/GetDataIn/AddPowerShell</A></P><P>&nbsp;</P><P>Cheers,</P><P>David</P> Wed, 27 Jan 2021 06:36:49 GMT https://community.splunk.com/t5/Getting-Data-In/Not-getting-EventCodes-4103-and-4104-even-though-logging-is/m-p/537353#M90063 DavidHourani 2021-01-27T06:36:49Z