Windows Powershell Transcription: Parsing events

henryyam
Explorer

How are people parsing the PowerShell transcription files that contain a large number of command executions?

For those not familiar, PowerShell Transcription will create a log file once a user starts their PowerShell transaction.
It will log the user's name at the top of the file and will not close the file until the command is closed.

In some cases we have an MMC running open all week, and this can produce hundreds of commands within the PowerShell transaction file.
Unfortunately, it only logs the user name of whoever initially executed the command, at the start when the process launches. The subsequent entries just show the command and output.

How do you associate the user's name with each of these commands if you want to keep them as separate events?
Or are you just bundling all of those commands into one event?

Or has someone found a way to associate the username to each command?

Windows PowerShell transcript start

Start time: 20190216091018
Username: XYZ
RunAs User: ABC
Configuration Name: 
Machine: HOSTNAME 
Host Application: C:\WINDOWS\system32\mmc.exe 
Process ID: 1111
PSVersion: 5.1.111
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.590
BuildVersion: 10.0.17134
CLRVersion: 4.0.30319
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.

Command start time: 20190216091032

PS>CommandInvocation(Get-ConfigInstalledDBVersion): "Get-ConfigInstalledDBVersion"
>> ParameterBinding(Get-ConfigInstalledDBVersion): name="AdminAddress"; value="xyz.com:80"
>> ParameterBinding(Get-ConfigInstalledDBVersion): name="Upgrade"; value="True"

Command start time: 20190216091031

PS>CommandInvocation(Get-ConfigInstalledDBVersion): "Get-ConfigInstalledDBVersion"
>> ParameterBinding(Get-ConfigInstalledDBVersion): name="AdminAddress"; value="xyz.com:80"
>> ParameterBinding(Get-ConfigInstalledDBVersion): name="Upgrade"; value="True"

Command start time: 20190216091032

PS>CommandInvocation(Get-ConfigInstalledDBVersion): "Get-ConfigInstalledDBVersion"
>> ParameterBinding(Get-ConfigInstalledDBVersion): name="AdminAddress"; value="xyz.com:80"
>> ParameterBinding(Get-ConfigInstalledDBVersion): name="Upgrade"; value="True"

Command start time: 20190216091034

PS>CommandInvocation(Get-ConfigInstalledDBVersion): "Get-ConfigInstalledDBVersion"
>> ParameterBinding(Get-ConfigInstalledDBVersion): name="AdminAddress"; value="xyz.com:80"
>> ParameterBinding(Get-ConfigInstalledDBVersion): name="Upgrade"; value="True"

Command start time: 20190216091037

PS>CommandInvocation(Get-ConfigInstalledDBVersion): "Get-ConfigInstalledDBVersion"
>> ParameterBinding(Get-ConfigInstalledDBVersion): name="AdminAddress"; value="xyz.com:80"
>> ParameterBinding(Get-ConfigInstalledDBVersion): name="Upgrade"; value="True"
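One way to get per-command events that each carry the session's user, as an added example that is not part of the original post and not a Splunk feature: a small state-machine parser that reads the transcript header once, then splits on every "Command start time:" block and stamps each resulting event with the header's Username, RunAs User, Machine, Host Application and Process ID. The sample transcript is constructed from the excerpt in the post (the asterisk separator lines that PowerShell writes around the header and each command block are included, since they are stripped from the excerpt above); the field names of the output events are my own choice.

```python
import re
import json
from datetime import datetime

# Constructed sample modelled on the transcript excerpt in the post above.
# Asterisk lines are the separators PowerShell writes around each block.
SAMPLE_TRANSCRIPT = """\
**********************
Windows PowerShell transcript start
Start time: 20190216091018
Username: CORP\\xyz
RunAs User: CORP\\abc
Configuration Name: 
Machine: HOSTNAME
Host Application: C:\\WINDOWS\\system32\\mmc.exe
Process ID: 1111
PSVersion: 5.1.17134.590
PSEdition: Desktop
**********************
**********************
Command start time: 20190216091032
**********************
PS>CommandInvocation(Get-ConfigInstalledDBVersion): "Get-ConfigInstalledDBVersion"
>> ParameterBinding(Get-ConfigInstalledDBVersion): name="AdminAddress"; value="xyz.com:80"
>> ParameterBinding(Get-ConfigInstalledDBVersion): name="Upgrade"; value="True"
**********************
Command start time: 20190216091034
**********************
PS>CommandInvocation(Get-Process): "Get-Process"
>> ParameterBinding(Get-Process): name="Name"; value="lsass"
Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
   1234      45    12345      23456       1.23    700   0 lsass
**********************
Windows PowerShell transcript end
End time: 20190216091500
**********************
"""

# Header fields worth copying onto every command event.
HEADER_KEYS = ("Start time", "Username", "RunAs User", "Machine",
               "Host Application", "Process ID", "Configuration Name")

CMD_START = re.compile(r"^Command start time: (\d{14})$")
# Non-console hosts (e.g. mmc.exe) log commands in the CommandInvocation form.
INVOCATION = re.compile(r'^(?:PS>|>> )CommandInvocation\(([^)]*)\): "(.*)"$')
BINDING = re.compile(r'^>> ParameterBinding\(([^)]*)\): name="([^"]*)"; value="(.*)"$')
# Console transcripts record the prompt plus the typed command instead.
PROMPT = re.compile(r"^PS [^>]*>(.*)$")


def _iso(stamp):
    """Convert the transcript's yyyyMMddHHmmss stamp to ISO 8601."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").isoformat()


def parse_transcript(text):
    """Return one event dict per command, each carrying the session header."""
    events, session, current = [], {}, None

    def flush():
        nonlocal current
        if current is not None:
            events.append(current)
            current = None

    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not line.strip() or set(line.strip()) == {"*"}:
            continue  # blank line or separator row
        if line == "Windows PowerShell transcript start":
            flush(); session = {}
            continue
        if line == "Windows PowerShell transcript end":
            flush()
            continue
        m = CMD_START.match(line)
        if m:
            flush()  # previous command is complete once the next one starts
            current = {
                "command_start": _iso(m.group(1)),
                "session_start": _iso(session["Start time"]) if "Start time" in session else None,
                "username": session.get("Username"),
                "runas_user": session.get("RunAs User"),
                "machine": session.get("Machine"),
                "host_application": session.get("Host Application"),
                "process_id": session.get("Process ID"),
                "command": None, "command_text": None, "parameters": {}, "output": [],
            }
            continue
        if current is None:  # still inside the header block
            key, sep, value = line.partition(":")
            if sep and key.strip() in HEADER_KEYS:
                session[key.strip()] = value.strip()
            continue
        m = INVOCATION.match(line)
        if m:
            if current["command"] is None:
                current["command"], current["command_text"] = m.group(1), m.group(2)
            continue
        m = BINDING.match(line)
        if m:
            current["parameters"][m.group(2)] = m.group(3)
            continue
        m = PROMPT.match(line)
        if m and current["command"] is None:
            current["command_text"] = m.group(1).strip()
            current["command"] = current["command_text"].split(" ", 1)[0]
            continue
        current["output"].append(line)  # anything else is command output
    flush()  # file still open mid-session: keep the trailing command too
    return events


if __name__ == "__main__":
    for event in parse_transcript(SAMPLE_TRANSCRIPT):
        print(json.dumps(event))
```

Each printed line is one JSON event with the user already attached, so it can be indexed as a separate event rather than as one event per file. The final flush matters for the MMC case in the post: while the console is still open the file has no "transcript end" marker, and the last command must not be dropped. Note that Username and RunAs User can differ (the header in the post shows XYZ and ABC), so both are kept on every event.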