Getting Data In

Not getting EventCodes 4103 and 4104 even though logging is enabled (PowerShell).

weetabixsplunk
Explorer

I'm trying to get better visibility of our PowerShell activity in one of my boxes (cola182), so I enabled process auditing (EventCode 4688), which is working perfectly fine.

However, when I attempted to enable Module Logging (4103) and Script Block Logging (4104), it doesn't seem like I am receiving these logs.

I went to Policy Editor > Computer Configuration > Windows Components > PowerShell logging and made sure that the following were enabled (literally all 3 of them are showing as enabled):

Turn on Module Logging

Turn on PowerShell Script Block Logging

Turn on PowerShell transcription.

I ran a crappy little test.ps1 script in cola182 in hopes that this activity would be reflected in my splunk logs:

$alert = { "I like chicken salad sandwiches" }
& $alert
& $alert

When I check Splunk, I am able to see this activity, but it doesn't come up under 4103:

LogName=Windows PowerShell
SourceName=PowerShell
EventCode=800
EventType=4 Type=Information
ComputerName=Cola182 
TaskCategory=Pipeline Execution Details
OpCode=Info
RecordNumber=6578
Keywords=Classic Message=Pipeline execution details for command line: .

ParameterBinding(Out-Default): name="InputObject"; value="I like chicken salad sandwiches"

As simple as my initial script is, technically it's a script block. How come I'm not able to see this activity? What am I missing?

Thanks!

0 Karma
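A way to narrow this down on the host itself before looking at Splunk, added here as an example and not a reply from the thread: the three Group Policy toggles named in the question are stored as registry values under HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell, and the 4103/4104 events they produce are written to the Microsoft-Windows-PowerShell/Operational channel, not to the classic "Windows PowerShell" log that carries the EventCode 800 "Pipeline execution details" record shown above. The script below reads those policy values, runs a script block carrying a unique marker, and then searches the Operational channel for a 4103 or 4104 event containing that marker. It assumes it is run elevated on the host in question (cola182 is only the poster's hostname) and that PowerShell 5.0 or later is installed, which 4104 requires; the marker text and the function name Get-PolicyValue are constructed for this example.

```powershell
# Added example (not from the original thread): confirm locally that the
# PowerShell logging policy is applied and that 4103/4104 events are being
# written before investigating the Splunk side.
# Assumptions: elevated session on the host under test; PowerShell 5.0+.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Hypothetical helper: read one DWORD from a policy subkey, or $null if absent.
function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    $path = Join-Path $policyRoot $SubKey
    if (Test-Path $path) {
        (Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
}

"PowerShell version: $($PSVersionTable.PSVersion)  (4104 requires 5.0 or later)"

# The three GPO toggles from the question map to these registry values.
$checks = [ordered]@{
    'Module Logging (4103)'       = Get-PolicyValue 'ModuleLogging'      'EnableModuleLogging'
    'Script Block Logging (4104)' = Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging'
    'Transcription'               = Get-PolicyValue 'Transcription'      'EnableTranscripting'
}
foreach ($k in $checks.Keys) {
    $state = if ($checks[$k] -eq 1) { 'enabled' } else { 'NOT set' }
    '{0,-28} {1}' -f $k, $state
}

# Module logging only emits 4103 for modules listed under ModuleNames;
# a value named '*' covers every module.
$moduleNames = Join-Path $policyRoot 'ModuleLogging\ModuleNames'
if (Test-Path $moduleNames) {
    'ModuleNames: ' + ((Get-Item $moduleNames).GetValueNames() -join ', ')
} else {
    'ModuleNames subkey missing: 4103 will not fire for any module'
}

# Build a script block whose source text contains a unique marker (constructed
# value). [scriptblock]::Create is used so the marker is baked into the text
# that 4104 records, rather than appearing only as a variable name.
$marker = 'logging-check-' + [guid]::NewGuid().ToString('N').Substring(0, 8)
$alert  = [scriptblock]::Create("'I like chicken salad sandwiches $marker'")
& $alert | Out-Null

Start-Sleep -Seconds 2

# 4103/4104 live in the Operational channel, not in 'Windows PowerShell'.
$events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'
        Id      = 4103, 4104
    } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$marker*" }

if ($events) {
    $events |
        Select-Object TimeCreated, Id,
            @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(80, $_.Message.Length)) } } |
        Format-Table -AutoSize
} else {
    "No 4103/4104 event containing '$marker' was found. Re-check the policy values " +
    "above and the PowerShell version; if they look right, the events are being " +
    "written but not collected."
}
```

If the events do show up here, the gap is on the collection side: the universal forwarder needs its own inputs.conf stanza for this channel, `[WinEventLog://Microsoft-Windows-PowerShell/Operational]` with `disabled = 0`, because `[WinEventLog://Windows PowerShell]` only delivers the classic log where event 800 lives.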

DavidHourani
Super Champion

Hi @weetabixsplunk !


Have a look here, and let me know if this helps : https://docs.splunk.com/Documentation/UBA/5.0.4/GetDataIn/AddPowerShell


Cheers,

David

0 Karma