Support
 
Phone Get Quote
 
Support
 
US: +1 888 720 9500
US: +1 888 791 1189
Intl: +1 925 924 9500
Aus: +1 800 631 268
UK: 0800 028 6590
CN: +86 400 660 8680

Direct Inward Dialing: +1 408 916 9892

 

PowerShell logging and auditing

ADAudit Plus simplifies the process of tracking PowerShell activity by transforming the raw and noisy PowerShell log data into real-time reports and alerts. This enables you to stay on top of PowerShell activity with ease.

Highlights of PowerShell auditing with ADAudit Plus

Code monitoring

Audit PowerShell commands and the contents of scripts that are executed in your Windows Server environment.

Process tracking

Know who executed a PowerShell process, when, and from where in your environment.

Audit-ready compliance reports

Automate the generation and delivery of PowerShell auditing reports to meet compliance needs.

Instant security alerts

Get notified in real time via email and SMS about critical activities, such as the execution of a particular script.

PowerShell logging and auditing with native tools

Windows PowerShell is widely used to manage critical Windows Server resources, such as users, groups, GPOs, and files. So, tracking PowerShell activity is imperative. PowerShell activity occurring in your environment can be tracked by following the three steps outlined below.

  •  
    Step 1: Enable logging of PowerShell activity

    PowerShell supports three types of logging: module logging, script block logging, and transcription.

    • Module logging lets you specify the modules that you want to log.
    • Script block logging records the full contents of code; it also provides information on the user who ran the PowerShell commands.
    • Transcription records the commands that are run along with their results; however, it does not record the contents of executed scripts or the output written to other destinations such as a file system.
    • To enable module logging via Group Policy, navigate to Computer Configuration → Policies → Administrative Templates → Windows Components → Windows PowerShell → Turn on Module Logging. To log all modules, navigate to Turn on Module Logging → Options → Show and enter * in the Module Names window.
    • To enable script block logging via Group Policy, navigate to Computer Configuration → Policies → Administrative Templates → Windows Components → Windows PowerShell → Turn on PowerShell Script Block Logging.
    • To enable transcription via Group Policy, navigate to Computer Configuration → Policies → Administrative Templates → Windows Components → Windows PowerShell → Turn on PowerShell Transcription. To record a timestamp for each command executed, navigate to Turn on PowerShell Transcription and check the Include invocation headers box.

    Tip: It is recommended that, at a minimum, script block logging should be enabled to track code executed in PowerShell.

  •  
    Step 2: Configure suitable PowerShell log size

    To configure PowerShell log size via Group Policy, navigate to Computer Configuration → Preferences → Windows Settings. Right-click Registry, then select New → Registry Item. In the New Registry Properties window:

    • In Action field, select Update from the drop-down.
    • In the Hive field, select HKEY_LOCAL_MACHINE from the drop-down.
    • In the Key Path field, enter SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-PowerShell\Operational.
    • In the Value name field, uncheck the box beside Default and type in MaxSize.
    • In the Value type field, select REG_DWORD from the drop-down.
    • In the Value data field, type in a suitable value.
    • In the Base field, select Decimal.
    • Click Apply.

    Tip: The size of the PowerShell event log should be set to at least 150MB to ensure that data is preserved for a reasonable period of time.

  •  
    Step 3: Continuously track PowerShell events

    PowerShell logs can be found in the Event Viewer under
    Application and Service Logs → Microsoft → Windows → PowerShell → Operational.

    • Module logging events are written to event ID 4103.
    • Script block logging events are written to event ID 4104.
    • Transcription logs are not written to any event ID; instead, they are stored as flat text files whose default location is C:\Users\%USERNAME%\Documents.

    Tip: Considering the huge volume of PowerShell events that get generated, keeping track of PowerShell activity using native tools can be a labor-intensive process. A third-party solution like ADAudit Plus can help you overcome this problem.

Stay on top of PowerShell activity with just a few clicks

  • 1
     

    Get notified in real time via email and SMS about critical activities, such as the execution of a particular script.

    2
     

    Automate response actions, such as shutting down a device

    Configure instant security alerts

    Configure instant security alerts
    Get notified in real time via email and SMS about critical activities, such as the execution of a particular script.
    Automate response actions, such as shutting down a device

  • 1
     

    Maintain a comprehensive audit trail of who did what, when, and from where.

    2
     

    Automate the generation and delivery of reports to meet compliance needs.

    Audit-ready compliance reports

    Audit-ready compliance reports
    Automate the generation and delivery of reports to meet compliance needs.
    Automate the generation and delivery of reports to meet compliance needs.

Get full visibility into PowerShell activity
using ADAudit Plus.

Get your free trial

Keep your Active Directory, file servers, Windows servers, and workstations secure and compliant with ADAudit Plus

Audit AD changes

Receive real-time notifications on changes occurring across both on-premises and Azure Active Directory.

 
Track user logons

Gain complete visibility into user logon activity, spanning from logon failures to logon history.

 
Troubleshoot account lockouts

Detect lockouts instantly and know their root cause by tracking down the source of authentication failures.

 
Monitor privileged users

Get a consolidated audit trail of administrator and other privileged user activities.

 
Track file access

Audit access to Windows, NetApp, EMC, and Synology files and folders.

 
Audit Windows member servers

Monitor local logon/logoff activities; changes to local users, groups, user rights; and more.

 
Detect insider threats

Leverage user behavior analytics (UBA) to detect anomalies based on activity patterns.

 
Demonstrate compliance

Automate generation of detailed reports and demonstrate compliance with SOX, GDPR, and other mandates.