Powershell History Logs

PreviousWindows Defender event-viewer and logs NextLog Locations

Last updated 8 days ago

Agent

Navigate to in windows system

C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf

Add the following code

[monitor://C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt]
sourcetype = powershell_history
index = powershellHistory

[monitor://C:\Users\*\AppData\Roaming\Microsoft\PowerShell\PSReadLine\History]
sourcetype = powershell_history_json
index = powershellHistory

monitor - this line will monitor all power-shell histories on all users
sourcetype - can be anything
index - you will make a index in Splunk and this needs to be the same as that in my case i named the index powershellHistory

Adding a index to Splunk

Hit settings in the top right corner > then click on indexes
Hit the button
Name the index powershellHistory in this case, also change the app to "Search & Reporting"

save

Restart agent

on the PC that has the forwarder go into services and find splunk forwarder service and hit restart

Finding data in splunk

in the search of splunk type in

index="poweshellhistory"