Auditing PowerShell with Operations Management Suite


It has been a long time since I last blogged about my new love, Operations Management Suite. This blog post will show you how easily you can audit all PowerShell commands executed in your environment with Log Analytics in Operations Management Suite.

I love PowerShell, and I think the GUI should be only for discoverability; we (IT Pros) should work only with PowerShell, even if it is hard in the beginning. One of the advantages of using PowerShell is that it gives you universal auditing, no matter whether you use Microsoft products or third-party ones. We can easily create a group policy that will log every PowerShell cmdlet that is executed. I just need to open the Group Policy Management Console in my AD, create a new policy and, under Computer Configuration –> Policies –> Administrative Templates –> Windows Components –> Windows PowerShell, configure Turn on Module Logging like this:

[screenshot: Turn on Module Logging policy setting]

You can enable logging per module. In my case I am including all PowerShell modules.

When you configure such a policy for all your servers, including domain controllers, all PowerShell commands will be logged.

If you have servers that are not in the domain, you can easily use other technologies, such as DSC, to configure those logs.

After that you can open the Operations Management Suite portal. Go to the Settings tile –> Logs tab and add the Microsoft-Windows-PowerShell/Operational log:

[screenshot: adding the Microsoft-Windows-PowerShell/Operational log under Settings –> Logs]

After that, just wait until the logs are sent to MSOMS.

Finding out who used a command like Restart-Computer is as simple as executing the following query:

[screenshot: Log Analytics query for Restart-Computer in the PowerShell Operational log]
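As an added example (not code from the original post), here is the same check done locally with PowerShell: one function verifies that the Module Logging policy actually landed in a server's registry, and the other asks the Operational log the post's question (who ran Restart-Computer) using event ID 4103. The registry path, value names and the 4103 message layout are assumptions from my own environment, not something the post states.

```powershell
# Added example, not from the original post.
# Assumption: the "Turn on Module Logging" policy writes EnableModuleLogging under this key
# and lists modules under ModuleNames ("*" = all modules, as configured in the post).
function Test-ModuleLoggingEnabled {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
    $enabled = $false
    $modules = @()
    if (Test-Path $key) {
        $enabled = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).EnableModuleLogging -eq 1
        $names = Get-ItemProperty -Path (Join-Path $key 'ModuleNames') -ErrorAction SilentlyContinue
        if ($names) {
            # Skip the PS* metadata properties Get-ItemProperty adds to its output object
            $modules = @($names.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object Name)
        }
    }
    [pscustomobject]@{ Enabled = $enabled; Modules = $modules }
}

# Assumption: event 4103 (module logging) carries a "Context:" block whose lines include
# "Command Name = <cmdlet>", "User = <DOMAIN\user>" and "Host Application = <process>".
function Get-CmdletInvocation {
    param(
        [Parameter(Mandatory)][string]$CommandName,      # e.g. Restart-Computer
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103; StartTime = $Since }
    $pattern = "(?m)^\s*Command Name = $([regex]::Escape($CommandName))\s*$"
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        ForEach-Object {
            $user = if ($_.Message -match '(?m)^\s*User = (.+?)\s*$') { $Matches[1] } else { $null }
            $app  = if ($_.Message -match '(?m)^\s*Host Application = (.+?)\s*$') { $Matches[1] } else { $null }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Computer = $_.MachineName
                User     = $user
                HostApp  = $app
            }
        }
}

Test-ModuleLoggingEnabled
Get-CmdletInvocation -CommandName Restart-Computer | Format-Table -AutoSize
```

If Test-ModuleLoggingEnabled reports Enabled = False on a server, no 4103 events will ever reach OMS from it, so run it before trusting an empty query result.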

For me this is a very powerful scenario that you can use in your environment. Imagine even more scenarios once we have the option of adding custom fields, which was announced as coming at Ignite.
