PowerShell History Logs
Agent
On the Windows system, navigate to
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf
Add the following code:
[monitor://C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt]
sourcetype = powershell_history
index = powershellHistory
[monitor://C:\Users\*\AppData\Roaming\Microsoft\PowerShell\PSReadLine\History]
sourcetype = powershell_history_json
index = powershellHistory
monitor - this line will monitor the PowerShell history files of all users
sourcetype - can be anything
index - you will make an index in Splunk, and this value needs to be the same as that index's name; in my case I named the index powershellHistory
Adding an index to Splunk
Hit Settings in the top right corner, then click on Indexes
Hit the button

Name the index powershellHistory in this case, and change the app to "Search & Reporting"

Save
Restart agent
On the PC that has the forwarder, go into Services, find the Splunk forwarder service and hit Restart
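A check that the stanza is in place and that the history files are readable, followed by the restart from PowerShell. This is an added example, not part of the original page; it assumes the install path shown above and that the service is named SplunkForwarder (confirm with Get-Service *splunk*).

```powershell
# Added example (not from the original page). Run in an elevated PowerShell
# session on the host that runs the forwarder.
$ufHome  = 'C:\Program Files\SplunkUniversalForwarder'   # install path used on this page
$inputs  = Join-Path $ufHome 'etc\apps\SplunkUniversalForwarder\local\inputs.conf'
$pattern = 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
$service = 'SplunkForwarder'   # assumed service name; confirm with: Get-Service *splunk*

# 1. Confirm the monitor stanza from this page is present in inputs.conf.
$stanza = "[monitor://$pattern]"
if (-not (Select-String -LiteralPath $inputs -SimpleMatch -Pattern $stanza -Quiet)) {
    Write-Warning "Monitor stanza not found in $inputs"
}

# 2. Resolve the same wildcard locally: one history file per user profile.
#    Paths this session cannot read are collected in $denied instead of being hidden.
$files = Get-ChildItem -Path $pattern -Force -ErrorAction SilentlyContinue -ErrorVariable denied
$files | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
foreach ($e in $denied) { Write-Warning "Could not read: $($e.TargetObject)" }
if (-not $files) { Write-Warning 'No ConsoleHost_history.txt files matched the pattern.' }

# 3. The forwarder reads the files as its service account, so that account
#    needs read access to every profile listed above.
$svc = Get-CimInstance Win32_Service -Filter "Name='$service'"
if (-not $svc) { throw "Service '$service' not found" }
"Service runs as: $($svc.StartName)"

# 4. Restart so the new inputs.conf is loaded, then confirm the service came back.
Restart-Service -Name $service
(Get-Service -Name $service).Status
```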
Finding data in Splunk
In the Splunk search, type in
index="powershellhistory"