Getting Data In

Not getting EventCodes 4103 and 4104 even though logging is enabled (powershell).

weetabixsplunk
Explorer

I'm trying to get better visibility of our PowerShell activity in one of my boxes (cola182) so I enabled process Auditing (EventCode 4688) - Which is working perfectly fine.

However, when I attempted to enable Module Logging (4103)  and Script Block Logging (4104) it doesn't seem like I am receiving these logs.

I went to Policy Editor > Computer Configuration > Windows Components > Powershell logging and made sure that the following were enabled (literally the 3 of them are showing as enabled):

Turn on Module Logging

Turn on PowerShell Script Block Logging

Turn on PowerShell transcription.

I ran a crappy little test.ps1 script in cola182 in hopes that this activity would be reflected in my splunk logs:

$alert = { "I like chicken salad sandwiches" }
& $alert
& $alert

When I check splunk, I am able to see this activity,  but it doesn't come up under 4103

 

LogName=Windows PowerShell
SourceName=PowerShell
EventCode=800
EventType=4 Type=Information
ComputerName=Cola182 
TaskCategory=Pipeline Execution Details
OpCode=Info
RecordNumber=6578
Keywords=Classic Message=Pipeline execution details for command line: .

ParameterBinding(Out-Default): name="InputObject"; value="I like chicken salad sandwiches"

 

As simple as my initial script is, technically it's a script block. Howcome I'm not able to see this activity? What am I missing?

Thanks!

 

Labels (1)
0 Karma

DavidHourani
Super Champion

Hi @weetabixsplunk !

 

Have a look here, and let me know if this helps : https://docs.splunk.com/Documentation/UBA/5.0.4/GetDataIn/AddPowerShell

 

Cheers,

David

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!