Quote Originally Posted by ScorpionSting
I haven't actually used SAM before... places I've worked have had paranoid Windows guys that wouldn't allow "other" software on DCs... but the name of the event log to try and capture is "Microsoft-Windows-PowerShell/Operational". It looks like you might be after Step 15 of Section 3's "Adding an Agent Manager Event Source Server".
We use SAM extensively, and this is a limitation of the software. There are no providers in SAM that allow you to collect any logs outside of the standard Windows event logs. The ArcSight Windows connector might help you here, but you will need to set up a Windows Event Forwarding subscription to push/pull events from your sources and then set up an ArcSight SmartConnector to collect the Forwarded Events log on your WEF collector server. We do this for Sysmon events using a Sysmon flex connector for ArcSight and forward them using CEF 1.0 to the Sentinel Collector. They don't fully parse (some command line stuff is missing), but it gets most events.

It would be much easier if SAM allowed this. I'm hoping it is planned; most SIEMs allow you to collect any of these logs.
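As an added example (not from either poster), this is a Windows Event Forwarding source-initiated subscription that pulls the PowerShell Operational log named in the quoted post, plus the Sysmon Operational log, into the collector's ForwardedEvents log, which is where a SmartConnector would then read from. The subscription name, the event ID filter (4103/4104 are the PowerShell module and script block logging events) and the Domain Computers SDDL are my choices, not anything from the thread; import it on the collector with `wecutil cs <file>.xml`.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Source-initiated WEF subscription: clients push to the collector. -->
<Subscription xmlns="http://schemas.microsoft.com/2004/02/events/subscription">
  <SubscriptionId>PowerShell-and-Sysmon-to-SIEM</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forward PowerShell Operational and Sysmon events for SIEM collection (example subscription)</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <!-- Flush to the collector every 5 events or 30 seconds, whichever comes first. -->
      <MaxItems>5</MaxItems>
      <MaxLatencyTime>30000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <!-- Hourly heartbeat so a silent source shows up as inactive, not healthy. -->
      <Heartbeat Interval="3600000"/>
    </PushSettings>
  </Delivery>
  <Query>
    <![CDATA[
      <QueryList>
        <!-- Module logging (4103) and script block logging (4104); drop the filter for everything. -->
        <Query Id="0" Path="Microsoft-Windows-PowerShell/Operational">
          <Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(EventID=4103 or EventID=4104)]]</Select>
        </Query>
        <!-- All Sysmon events; the connector-side parser decides what to keep. -->
        <Query Id="1" Path="Microsoft-Windows-Sysmon/Operational">
          <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <!-- Only new events; set to true once to backfill when first rolling out. -->
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <!-- RenderedText keeps the message text so the connector does not need the source's message DLLs. -->
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <!-- Destination log on the collector; point the ArcSight Windows connector at this log. -->
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL granting the Domain Computers group (DC) permission to forward (assumed default). -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
```

Forwarding clients still need WinRM enabled and the collector's address set under the EventForwarding SubscriptionManager policy; once events land in ForwardedEvents, check `wecutil gr <SubscriptionId>` for sources that are not reporting.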