How PowerShell 7 Logging works in Linux

With PowerShell 7 being cross-platform, the question often comes up of how logging works on Linux systems. Most PowerShell administrators are used to working in the Windows world and using the EventLog. Likewise, most Linux system administrators are used to Syslog and log files in general.

Logging within Linux for PowerShell 7 is configurable, but does work differently than it does within Windows. In this article, we explore those differences, how to configure PowerShell 7 logging to work effectively, and how to understand those logs.

Installing PowerShell 7 on Linux

Getting started with PowerShell 7 on Linux is easy. There are a number of install guides, but as a quick start, we will assume that the Linux system in use is Ubuntu 18.04. To install PowerShell onto this system, you would do the following:

# Download the Microsoft repository GPG keys
wget -q https://packages.microsoft.com/config/ubuntu/18.04/packages-microsoft-prod.deb

# Register the Microsoft repository GPG keys
sudo dpkg -i packages-microsoft-prod.deb

# Update the list of products
sudo apt-get update

# Install PowerShell
sudo apt-get install -y powershell-preview

Now that PowerShell 7 is installed we can test that it’s functional. To do this, simply start the shell with the command, pwsh-preview. If you are dropped into the PowerShell shell, you will be good to go!

Note that at the time this article was written, PowerShell 7 had not gone to general availability (GA), so pwsh-preview is necessary to start the shell. After GA, you would start PowerShell 7 with simply pwsh. Additionally, during installation, you will use powershell instead of powershell-preview.

What Gets Logged

By default PowerShell will enable informational logging to the operational channel, defaulting to Syslog. Usually, this is information such as the starting and stopping of the PowerShell engine, and the starting and stopping of providers. There will also be some limited details about PowerShell commands. Below are the other available options for logging that are configurable.

  • ScriptBlockLogging
  • ModuleLogging
  • ProtectedEventLogging
  • Transcription

Enabling ScriptBlock logging is recommended. It is very useful for finding out whether malicious commands are being run and, more generally, for understanding exactly which commands are being run on your system.

powershell.config.json

On non-Windows systems, the configuration for PowerShell 7 is controlled by the file powershell.config.json. This file is read by the shell and enables configurations such as the ExecutionPolicy and PowerShellPolicies such as logging.

The file must be located in the $PSHome folder. For example, on Ubuntu 18.04, this file would be located in /opt/microsoft/powershell/7-preview. If the file does not exist, create the file there now. Most likely this file will need to be owned by the root user, depending on how PowerShell is installed.

After PowerShell 7 goes GA, this location will most likely change to /opt/microsoft/powershell/7.

Logging Configuration

A simple logging configuration is below. There are other options available for configuration, such as ExecutionPolicy. Many times, ExecutionPolicy is set to RemoteSigned, but if you have control over certificates, then AllSigned is more secure. Additionally, we have turned on ScriptBlockLogging.

{
  "Microsoft.PowerShell:ExecutionPolicy": "RemoteSigned",
  "PowerShellPolicies": {
    "ScriptExecution": {
      "ExecutionPolicy": "RemoteSigned",
      "EnableScripts": true
    },
    "ScriptBlockLogging": {
      "EnableScriptBlockInvocationLogging": true,
      "EnableScriptBlockLogging": true
    },
    "ModuleLogging": {
      "EnableModuleLogging": false,
      "ModuleNames": [
        "PSReadline",
        "PowerShellGet"
      ]
    },
    "ProtectedEventLogging": {
      "EnableProtectedEventLogging": false
    },
    "Transcription": {
      "EnableTranscripting": false,
      "EnableInvocationHeader": false
    },
    "ConsoleSessionConfiguration": {
      "EnableConsoleSessionConfiguration": false
    }
  },
  "LogLevel": "verbose"
}

Restart the PowerShell shell, usually by exiting and re-entering it. If the JSON is valid, the shell will start up as normal. Below are the options for LogChannels and LogLevels.

LogChannels

  • Operational (default)
  • Analytic

LogLevel

  • Always
  • Critical
  • Error
  • Warning
  • Informational (default)
  • Verbose
  • Debug
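
The ownership requirement and the ScriptBlockLogging setting for powershell.config.json described above can be checked with a short script. This is an added example, not part of the original article: the function name audit_pwsh_config is hypothetical, it relies on GNU stat, and the policy check is a plain text match rather than a full JSON parse.

```shell
#!/bin/sh
# Added example: audit a powershell.config.json file.
# Usage: audit_pwsh_config /opt/microsoft/powershell/7-preview/powershell.config.json
# Prints one finding per line and returns 0 only when there are none.
audit_pwsh_config() {
    cfg=$1
    owner=${2:-root}        # expected owner; root unless overridden
    findings=0

    if [ ! -f "$cfg" ]; then
        echo "MISSING: $cfg"
        return 1
    fi

    # The file decides whether logging happens at all, so it must not be
    # editable by the accounts whose activity it records.
    actual_owner=$(stat -c '%U' "$cfg")
    if [ "$actual_owner" != "$owner" ]; then
        echo "OWNER: $cfg is owned by $actual_owner, expected $owner"
        findings=$((findings + 1))
    fi

    # Octal mode such as 644: a group or other digit of 2, 3, 6 or 7
    # means that class has the write bit set.
    mode=$(stat -c '%a' "$cfg")
    case "$mode" in
        *[2367][0-7]|*[0-7][2367])
            echo "MODE: $cfg is mode $mode (writable by group or other)"
            findings=$((findings + 1))
            ;;
    esac

    # The quoted key does not match EnableScriptBlockInvocationLogging.
    if ! grep -Eq '"EnableScriptBlockLogging"[[:space:]]*:[[:space:]]*true' "$cfg"; then
        echo "POLICY: EnableScriptBlockLogging is not set to true in $cfg"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}
```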

Reading the Logs

After running PowerShell for a while, your logs should start to accumulate entries. Because these entries are, by default, logged to Syslog, they are easy to view: simply run the command cat /var/log/syslog | grep pwsh-preview to see the results. This will tell you if the commands you are expecting to see are being properly logged, especially ScriptBlocks.

Once PowerShell 7 goes GA, then change the grep pwsh-preview command to grep pwsh.
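
Beyond a plain grep, the PowerShell entries can be reduced to just the script block records. The following is an added example, not from the original article: the function names are hypothetical, the sample lines are constructed, and it assumes the line layout TIMESTAMP HOST TAG[PID]: (COMMITID:TID:CID) [EVENTID:TASK.OPCODE.LEVEL] MESSAGE with script block event names beginning with ScriptBlock_.

```shell
#!/bin/sh
# Added example: pull script block records out of a syslog file.
# Assumed line layout:
#   TIMESTAMP HOST TAG[PID]: (COMMITID:TID:CID) [EVENTID:TASK.OPCODE.LEVEL] MESSAGE

# Constructed sample data (not real log output).
sample_pwsh_syslog() {
    cat <<'EOF'
Jan 14 09:12:01 host01 powershell[2451]: (7.0.0:1:C0) [Perftrack_ConsoleStartupStart:PowershellConsoleStartup.WinStart.Informational] PowerShell console is starting up
Jan 14 09:12:07 host01 powershell[2451]: (7.0.0:9:80) [ScriptBlock_Compile_Detail:ExecuteCommand.Create.Verbose] Creating Scriptblock text (1 of 1):#012Get-ChildItem /etc
Jan 14 09:12:09 host01 CRON[2460]: (root) CMD (run-parts /etc/cron.hourly)
Jan 14 09:12:15 host01 powershell[2451]: (7.0.0:9:80) [ScriptBlock_Invoke_Start_Detail:ExecuteCommand.Start.Verbose] Started invocation of ScriptBlock
EOF
}

# pwsh_scriptblocks LOGFILE [TAG]
# Prints "timestamp host<TAB>pid<TAB>level<TAB>message" per script block record.
# TAG defaults to "powershell"; pass the name your syslog actually shows.
pwsh_scriptblocks() {
    awk -v tag="${2:-powershell}" '
    {
        # index() is used so the tag never has to be regex-escaped.
        start = index($0, " " tag "[")
        if (start == 0) next
        rest = substr($0, start + length(tag) + 2)    # text after "TAG["
        rb = index(rest, "]: ")
        if (rb == 0) next
        pid = substr(rest, 1, rb - 1)
        if (pid !~ /^[0-9]+$/) next

        body = substr(rest, rb + 3)                   # "(ids) [header] message"
        p = index(body, ") [")
        if (substr(body, 1, 1) != "(" || p == 0) next
        hdr = substr(body, p + 3)
        q = index(hdr, "] ")
        if (q == 0) next

        event = substr(hdr, 1, q - 1)                 # EVENTID:TASK.OPCODE.LEVEL
        if (event !~ /^ScriptBlock_/) next
        n = split(event, part, ".")                   # last field is the level
        printf "%s\t%s\t%s\t%s\n", substr($0, 1, start - 1), pid, part[n], substr(hdr, q + 2)
    }' "$1"
}
```

rsyslog escapes embedded newlines as #012 by default, so a multi-line script block arrives as one record and stays on one output line here.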

Using rsyslog

Many Linux systems use rsyslog as their logging system manager. If yours does, you can optionally redirect the PowerShell logging to its own file instead of the default location of /var/log/syslog. This makes the logs easier to read and the files easier to manage.

  1. Under the /etc/rsyslog.d directory, create a new log configuration file whose name is prefixed by a number less than 50, such as 40-powershell.conf.
  2. Add the following entry to the file:
    The format below is the newer rsyslog format that recent versions of the application use. Sometimes an older format is in use, which you can see by referring to the existing PowerShell 7 logging documentation.
    # Match on the syslog tag ("powershell[PID]:"); the tag is not part of $msg
    if ( $syslogtag contains "powershell[" ) then {
      action( type="omfile" file="/var/log/powershell.log" )
    }
  3. Verify that the file is owned by root, chown root:root 40-powershell.conf.
  4. Set permissions for root with read/write and users to read, chmod 644 40-powershell.conf.
  5. Restart rsyslog by running the command service rsyslog restart (if using systemd)

After using PowerShell for a while, all new logging will be redirected into the new /var/log/powershell.log file. If you see that the configuration is not working, you can pull up the rsyslog log file that is usually stored in /var/log/rsyslog.log. Any errors will show up there and should allow you to troubleshoot the configuration.

Conclusion

Logging with PowerShell is a necessity to monitor your systems and make sure that no malicious code is being executed. It can also be an invaluable help for troubleshooting and debugging purposes. By enabling this on Linux systems, you will be able to accomplish the same thing that is already possible on Windows. Logging is crucial to any secure system and important to consider when using PowerShell. PowerShell makes keeping your systems secure easy with the right configuration.