Logging for PowerShell 7 on Linux is configurable, but it works differently than it does on Windows. In this article, we explore those differences, how to configure PowerShell 7 logging so that it works effectively, and how to read the resulting logs.
Installing PowerShell 7 on Linux
Getting started with PowerShell 7 on Linux is easy. There are a number of install guides, but as a quick start, we will assume that the Linux system in use is Ubuntu 18.04. To install PowerShell onto this system you would do the following:

```bash
# Download the Microsoft repository GPG keys
wget -q https://packages.microsoft.com/config/ubuntu/18.04/packages-microsoft-prod.deb
# Register the Microsoft repository GPG keys
sudo dpkg -i packages-microsoft-prod.deb
# Update the list of products
sudo apt-get update
# Install PowerShell
sudo apt-get install -y powershell-preview
```
Now that PowerShell 7 is installed, we can test that it is functional. To do this, simply start the shell with the command `pwsh-preview`. If you are dropped into the PowerShell shell, you will be good to go!
What Gets Logged
By default, PowerShell enables informational logging to the Operational channel, which on Linux goes to syslog. Usually this covers events such as the starting and stopping of the PowerShell engine and the starting and stopping of providers, plus some limited detail about PowerShell commands. The other configurable logging options are listed below.
- ScriptBlockLogging
- ModuleLogging
- ProtectedEventLogging
- Transcription
We recommend enabling ScriptBlock logging. It is very useful for finding out whether malicious commands are being run and, more generally, for understanding exactly which commands are being run on your system.
powershell.config.json
On non-Windows systems, the configuration for PowerShell 7 is controlled by the file `powershell.config.json`. This file is read by the shell and enables configuration such as the `ExecutionPolicy` and `PowerShellPolicies` such as logging.
The file must be located in the `$PSHome` folder. For example, on Ubuntu 18.04, this file would be located in `/opt/microsoft/powershell/7-preview`. If the file does not exist, create it there now. Most likely this file will need to be owned by the `root` user, depending on how PowerShell is installed.
Logging Configuration
A simple logging configuration is below. There are other options available for configuration, such as `ExecutionPolicy`. Many times `ExecutionPolicy` is set to `RemoteSigned`, but if you have control over certificates, then `AllSigned` is more secure. Additionally, we have turned on `ScriptBlockLogging`.
```json
{
  "Microsoft.PowerShell:ExecutionPolicy": "RemoteSigned",
  "PowerShellPolicies": {
    "ScriptExecution": {
      "ExecutionPolicy": "RemoteSigned",
      "EnableScripts": true
    },
    "ScriptBlockLogging": {
      "EnableScriptBlockInvocationLogging": true,
      "EnableScriptBlockLogging": true
    },
    "ModuleLogging": {
      "EnableModuleLogging": false,
      "ModuleNames": [
        "PSReadline",
        "PowerShellGet"
      ]
    },
    "ProtectedEventLogging": {
      "EnableProtectedEventLogging": false
    },
    "Transcription": {
      "EnableTranscripting": false,
      "EnableInvocationHeader": false
    },
    "ConsoleSessionConfiguration": {
      "EnableConsoleSessionConfiguration": false
    }
  },
  "LogLevel": "verbose"
}
```
Restart the PowerShell shell, usually by exiting and re-entering it; if the JSON is valid, the shell will start up as normal. Below are the options for `LogChannels` and `LogLevel`.
LogChannels
- Operational (default)
- Analytic
LogLevel
- Always
- Critical
- Error
- Warning
- Informational (default)
- Verbose
- Debug
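Because an invalid or weakened configuration file fails quietly, it helps to check a candidate `powershell.config.json` before restarting the shell. The following is an added example, not code from the article or from the PowerShell project: it parses the file and reports settings that weaken logging or that the shell would not recognise. The allowed `LogLevel` and `LogChannels` names come from the lists above; the set of `ExecutionPolicy` values and the comma-separated string form of `LogChannels` are assumptions based on PowerShell's documented behaviour, and both sample configurations are constructed (the first reproduces the article's settings).

```python
import json

# Allowed values for LogLevel and LogChannels (from the lists in the article), compared
# case-insensitively because the article's sample uses "verbose".
VALID_LOG_LEVELS = {"always", "critical", "error", "warning", "informational", "verbose", "debug"}
VALID_LOG_CHANNELS = {"operational", "analytic"}
# ExecutionPolicy values PowerShell accepts (assumption based on the ExecutionPolicy enum);
# Unrestricted and Bypass run scripts without any signature check.
VALID_POLICIES = {"restricted", "allsigned", "remotesigned", "unrestricted", "bypass", "default", "undefined"}
WEAK_POLICIES = {"unrestricted", "bypass"}


def audit_config(text):
    """Return a list of findings for a powershell.config.json body; an empty list means nothing to report."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        # A malformed file is the usual reason a fresh configuration appears to do nothing.
        return ["invalid JSON: %s (line %d)" % (exc.msg, exc.lineno)]

    findings = []
    policies = cfg.get("PowerShellPolicies", {})

    sbl = policies.get("ScriptBlockLogging", {})
    if not sbl.get("EnableScriptBlockLogging", False):
        findings.append("ScriptBlockLogging is disabled; script text will not reach syslog")
    elif not sbl.get("EnableScriptBlockInvocationLogging", False):
        findings.append("ScriptBlock invocation logging is disabled; start/stop events for each block are missing")

    # The top-level key and the ScriptExecution policy are separate settings and can disagree.
    candidates = (
        ("Microsoft.PowerShell:ExecutionPolicy", cfg.get("Microsoft.PowerShell:ExecutionPolicy")),
        ("PowerShellPolicies.ScriptExecution.ExecutionPolicy",
         policies.get("ScriptExecution", {}).get("ExecutionPolicy")),
    )
    for label, value in candidates:
        if value is None:
            continue
        if value.lower() not in VALID_POLICIES:
            findings.append("%s has unrecognised value %r" % (label, value))
        elif value.lower() in WEAK_POLICIES:
            findings.append("%s is %s; scripts run without a signature check" % (label, value))

    level = cfg.get("LogLevel")
    if level is not None and level.lower() not in VALID_LOG_LEVELS:
        findings.append("LogLevel %r is not a recognised level" % level)

    channels = cfg.get("LogChannels", [])
    if isinstance(channels, str):  # assumed comma-separated form, e.g. "operational,analytic"
        channels = channels.split(",")
    for channel in channels:
        if channel.strip() and channel.strip().lower() not in VALID_LOG_CHANNELS:
            findings.append("LogChannels entry %r is neither Operational nor Analytic" % channel.strip())
    return findings


# Sample input reproducing the article's settings (constructed here, trimmed to the keys checked).
ARTICLE_CONFIG = """{
  "Microsoft.PowerShell:ExecutionPolicy": "RemoteSigned",
  "PowerShellPolicies": {
    "ScriptExecution": { "ExecutionPolicy": "RemoteSigned", "EnableScripts": true },
    "ScriptBlockLogging": { "EnableScriptBlockInvocationLogging": true, "EnableScriptBlockLogging": true }
  },
  "LogLevel": "verbose"
}"""

# A constructed weakened variant: no script block logging, Bypass policy, and a misspelled level.
WEAK_CONFIG = """{
  "Microsoft.PowerShell:ExecutionPolicy": "Bypass",
  "PowerShellPolicies": {
    "ScriptBlockLogging": { "EnableScriptBlockLogging": false }
  },
  "LogLevel": "trace"
}"""

if __name__ == "__main__":
    for name, body in (("article", ARTICLE_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit_config(body) or ["no findings"])
```

Run it against the real file with `python3 audit.py < /opt/microsoft/powershell/7-preview/powershell.config.json` after adapting the `__main__` block to read stdin; an empty result for the article's configuration is expected, since `RemoteSigned` is accepted and only `AllSigned` would be stricter.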
Reading the Logs
After PowerShell has been running for a while, your logs should start to accumulate entries. These are easy to look at, since by default they are logged to syslog. Simply run `cat /var/log/syslog | grep pwsh-preview` to see the results. This will tell you whether the commands you expect to see are being properly logged, especially ScriptBlocks.
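A grep shows whether entries are arriving, but turning them into something reviewable means splitting each line into its fields and reassembling script blocks that were logged in several parts. The following is an added example, not code from the article: a small parser over constructed syslog lines. The identifier `powershell[PID]` and the `(COMMITID:TID:CID)[EVENTID:TASK.OPCODE.LEVEL]` layout are an assumption taken from PowerShell's about_Logging_Non-Windows documentation, the sample lines and event names are constructed rather than captured from a real host, and the watchlist is only an illustrative starting point.

```python
import re
from collections import Counter

# Syslog line layout PowerShell 7 uses on Linux; this is an assumption taken from the
# about_Logging_Non-Windows documentation rather than from the article:
#   TIMESTAMP HOST powershell[PID]: (COMMITID:TID:CID)[EVENTID:TASK.OPCODE.LEVEL] MESSAGE
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) powershell\[(?P<pid>\d+)\]: "
    r"\((?P<commit>[^:()]+):(?P<tid>\d+):(?P<cid>\d+)\)\s*"
    r"\[(?P<event>[^:\]]+):(?P<task>[^.\]]+)\.(?P<opcode>[^.\]]+)\.(?P<level>[^\]]+)\] "
    r"(?P<msg>.*)$"
)
# Long script blocks are logged in numbered parts ("(1 of 3)", "(2 of 3)", ...).
SCRIPTBLOCK_RE = re.compile(r"Creating Scriptblock text \((?P<part>\d+) of (?P<total>\d+)\): (?P<text>.*)")

# Illustrative starting point only; tune to your environment.
WATCHLIST = ("Invoke-Expression", "-EncodedCommand", "DownloadString")

# Constructed sample lines in the layout above (not captured from a real host).
SAMPLE_LINES = [
    "May 21 16:17:19 ubuntu powershell[11305]: (v7.0.0-preview.3:1:10) "
    "[Perftrack_ConsoleStartupStart:PowershellConsoleStartup.WinStart.Informational] "
    "PowerShell console is starting up",
    "May 21 16:17:25 ubuntu powershell[11305]: (v7.0.0-preview.3:1:10) "
    "[ScriptBlock_Compile_Detail:ExecuteCommand.Create.Verbose] "
    "Creating Scriptblock text (1 of 1): Get-Process | Where-Object CPU -gt 10",
    "May 21 16:18:02 ubuntu powershell[11305]: (v7.0.0-preview.3:1:10) "
    "[ScriptBlock_Compile_Detail:ExecuteCommand.Create.Verbose] "
    "Creating Scriptblock text (1 of 2): $data = Get-Content ./encoded.txt -Raw; ",
    "May 21 16:18:02 ubuntu powershell[11305]: (v7.0.0-preview.3:1:10) "
    "[ScriptBlock_Compile_Detail:ExecuteCommand.Create.Verbose] "
    "Creating Scriptblock text (2 of 2): Invoke-Expression $data",
    "May 21 16:18:30 ubuntu sshd[2001]: Accepted publickey for alice from 192.0.2.10 port 51234",
]


def parse_line(line):
    """Split one syslog line into its fields, or return None if it is not a PowerShell line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    return rec


def event_counts(lines):
    """Count PowerShell events by event id, e.g. to confirm ScriptBlock events are arriving at all."""
    return Counter(rec["event"] for rec in map(parse_line, lines) if rec)


def script_blocks(lines):
    """Return the full text of each logged script block, re-joining multi-part blocks per process."""
    blocks, partial = [], {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != "ScriptBlock_Compile_Detail":
            continue
        m = SCRIPTBLOCK_RE.match(rec["msg"])
        if m is None:
            continue
        parts = partial.setdefault(rec["pid"], [])
        parts.append(m.group("text"))
        if int(m.group("part")) == int(m.group("total")):
            blocks.append("".join(partial.pop(rec["pid"])))
    return blocks


def flagged(lines):
    """Script blocks containing a watchlist term, compared case-insensitively."""
    return [b for b in script_blocks(lines) if any(w.lower() in b.lower() for w in WATCHLIST)]


if __name__ == "__main__":
    print(dict(event_counts(SAMPLE_LINES)))
    for block in flagged(SAMPLE_LINES):
        print("review:", block)
```

Feed it real lines with `script_blocks(open("/var/log/syslog"))`; if `event_counts` shows no `ScriptBlock_Compile_Detail` entries at all, the configuration file has not taken effect and the JSON is the first thing to check.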
Using rsyslog
If your system uses `rsyslog`, a logging manager that many Linux systems use, then you can optionally redirect the logging to its own file instead of the default location of `/var/log/syslog`. This makes the entries easier to read and the files easier to manage.
- Under the `/etc/rsyslog.d` directory, create a new log configuration file whose name is prefixed by a number less than 50, such as `40-powershell.conf`.
- Add the following entry to the file:

```
if ( $msg contains "powershell[" ) then { action( type="omfile" file="/var/log/powershell.log" ) }
```

- Verify that the file is owned by `root`: `chown root:root 40-powershell.conf`.
- Set permissions so that `root` has read/write access and other users have read access: `chmod 644 40-powershell.conf`.
- Restart `rsyslog` by running the command `service rsyslog restart` (if using `systemd`).
After using PowerShell for a while, all new logging will be redirected into the new `/var/log/powershell.log` file. If you see that the configuration is not working, you can pull up the rsyslog log file, which is usually stored in `/var/log/rsyslog.log`. Any errors will show up there and should allow you to troubleshoot the configuration.
Conclusion
Logging with PowerShell is a necessity for monitoring your systems and making sure that no malicious code is being executed. It is also an invaluable help for troubleshooting and debugging. By enabling it on Linux systems, you get the same visibility that Windows already provides. Logging is crucial to any secure system and important to consider when using PowerShell; with the right configuration, PowerShell makes keeping your systems secure easy.