It has been a long time since I haven’t blogged about my new love Operations Management Suite . This blog post will show you how easily you can audit all PowerShell commands that executed in your environment with Log Analytics in Operations Management Suite.
I love PowerShell and I think GUI should be only for discoverability and we (IT Pros) should work only with PowerShell even if it is hard in the beginning. One of the advantage of using PowerShell it has universal auditing no matter you use Microsoft products or third party one. We can easily create a group policy that will log every PowerShell cmdlet that is executed. I just need to open Group Policy Management Console in my AD, create new policy and under Computer Configuration –> Policies –> Administrative Templates –> Windows Components –> Windows PowerShell configure Turn on Module Logging like this:
You can enable logging per module. In my case I am including all PowerShell modules.
When you configure such policy for all your servers including domain controllers all PowerShell commands will be logged.
If you have servers that are not in dome you can easily use other technologies to configure those logs like DSC.
After that your can open the Operations Management Suite portal. Go to Settings Tile –> Logs tab and add Microsoft-Windows-PowerShell/Operational log :
After that just wait until logs are being sent to MSOMS.
Finding who used command like Restart-Computer is simple as executing the following query:
For me this is very powerful scenario that you can use in your environment. Imagine even more scenarios when we have the option of adding custom fields which was announced as coming at Ignite.