In the last part of my JEA series, I'll cover some of the logging and reporting options available in JEA sessions.

Anil Erduran

Anil Erduran is a principal consultant and subject matter expert for Hitachi Data Systems EMEA, based in London, UK. He is also a dual category Microsoft Most Valuable Professional in Cloud and Datacenter Management and Microsoft Azure. Anil can be found on Twitter @anil_erduran.

Logging with JEA

One benefit of JEA is the ability to record all the actions performed by admins. There are different options to see what admins are doing on remote systems.

One easy way to track everything on JEA sessions is to enable PowerShell Transcriptions to record every single action taken by admins. In PowerShell 5.0, the Start-Transcript cmdlet now supports remote sessions. You can also enable automatic transcription via Group Policy.

Turn on PowerShell Transcription

Enabling this policy means that the Start-Transcript cmdlet will be triggered and capture the inputs and outputs of each command for every PowerShell session on the target server.

For JEA, you need to use the "TranscriptDirectory" field in your session configuration file.

Once you have defined a directory in which to place session transcripts, all actions taken during JEA sessions will be recorded. Below is the transcription of our DNS operator admin. You can even track error messages.

Transcript logs

Another way to record PowerShell actions is to enable Module Logging. The policy shown below helps you enable Module Logging for your environment. You can enable this policy for every PS Module or you can select individual modules.

Enable PowerShell module based logging

Module Logging records all actions in the Event Viewer and provides a bit more information than transcript-level logging. For example, under the PowerShell-Operations view in the Event Viewer, you can search for EventId:4103.

Module logging events
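
The following is an added example, not code from the original article: it sets the TranscriptDirectory field in a JEA session configuration, registers the endpoint, and then reviews both the transcripts and the EventId 4103 module logging events described above. The endpoint name, paths, the CONTOSO\DnsOperators group and the DnsOperator role capability are assumed names; module logging is assumed to be already enabled by policy.

```powershell
#Requires -RunAsAdministrator
# Assumed names (not from the article): endpoint, group, role capability, paths.
$endpoint      = 'DnsOperators'
$transcriptDir = 'C:\ProgramData\JEA\Transcripts'
$pssc          = 'C:\ProgramData\JEA\DnsOperators.pssc'

# Create the transcript folder before registering the endpoint.
# Restrict its ACL so connecting users cannot modify or delete transcripts.
New-Item -Path $transcriptDir -ItemType Directory -Force | Out-Null

# Session configuration file with the TranscriptDirectory field set.
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcriptDir `
    -RoleDefinitions @{
        'CONTOSO\DnsOperators' = @{ RoleCapabilities = 'DnsOperator' }
    }

# Validate keys and values before registering; stop on an invalid file.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Invalid session configuration file: $pssc"
}

# -Force suppresses prompts and restarts WinRM, which drops open sessions.
Register-PSSessionConfiguration -Name $endpoint -Path $pssc -Force

# Review 1: the most recent transcripts written by JEA sessions.
Get-ChildItem -Path $transcriptDir -File |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 5 Name, LastWriteTime, Length

# Review 2: module logging events (EventId 4103) from the last 24 hours.
$filter = @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4103
    StartTime = (Get-Date).AddDays(-1)
}
# SilentlyContinue: Get-WinEvent raises an error when no events match.
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ Name = 'UserSid';   Expression = { $_.UserId } },
        @{ Name = 'FirstLine'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap
```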

Reporting in JEA

After a while, you might have a bunch of JEA endpoints configured in your environment for different purposes. For basic reporting, you can use the Get-PSSessionConfiguration cmdlet. This cmdlet lists all custom and default session configurations on your local machine.

Getting existing PSSessionConfigurations

If you want to have a bit more detail regarding role capabilities, such as available cmdlets, versions, and sources, you can use the Get-PSSessionCapability command for a particular user.

Getting role capability details

You can also enable, disable, register, or unregister existing PSSession configurations.

In addition, Test-PSSessionConfigurationFile is a good way to verify if a session configuration file contains valid keys and values. Here is the full list of the available commands.

All available PSSession commands
