MicrosoftDocs · michaeltlombardi · Jan 3, 2024 · Jan 3, 2024
@@ -1,7 +1,7 @@
 ---
 description: PowerShell logs internal operations from the engine, providers, and cmdlets.
 Locale: en-US
-ms.date: 07/25/2023
+ms.date: 01/03/2024
 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_logging?view=powershell-5.1&WT.mc_id=ps-gethelp
 schema: 2.0.0
 title: about Logging
@@ -19,11 +19,17 @@ PowerShell logs details about PowerShell operations, such as starting and
 stopping the engine and providers, and executing PowerShell commands.
 
 > [!NOTE]
-> Windows PowerShell versions 3.0, 4.0, 5.0, and 5.1 include **EventLog**
-> cmdlets for the Windows event logs. In those versions, to display the list of
-> **EventLog** cmdlets type: `Get-Command -Noun EventLog`. For more
-> information, see the cmdlet documentation and
-> [about_EventLogs](about_Eventlogs.md) for your version of Windows PowerShell.
+
+> Windows PowerShell 5.1 (and older) include **EventLog** cmdlets for the
+> Windows event logs. In those versions, to display the list of **EventLog**
+> cmdlets type: `Get-Command -Noun EventLog`. For more information, see the
+> cmdlet documentation and [about_EventLogs][02] for your
+> version of Windows PowerShell.
+
+For information about logging in PowerShell 7, see the following articles:
+
+- [about_Logging_Windows][04]
+- [about_Logging_Non-Windows][03]
 
 ## Viewing the PowerShell event log entries on Windows
 
@@ -51,8 +57,8 @@ script blocks that it processes. Once enabled, any new PowerShell session logs
 this information.
 
 > [!NOTE]
-> It's recommended to enable Protected Event Logging, as described below, when
-> using Script Block Logging for anything other than diagnostics purposes.
+> To ensure that sensitive data is protected, enable Protected Event Logging
+> when using Script Block Logging for anything other than diagnostics purposes.
 
 Script Block Logging can be enabled via Group Policy or a registry setting.
 
@@ -101,12 +107,12 @@ content and decrypt content are kept separate.
 The public key can be shared widely and isn't sensitive data. Any content
 encrypted with this public key can only be decrypted by the private key. For
 more information about Public Key Cryptography, see
-[Wikipedia - Public Key Cryptography][04].
+[Wikipedia - Public Key Cryptography][06].
 
 To enable a Protected Event Logging policy, deploy a public key to all machines
 that have event log data to protect. The corresponding private key is used to
 post-process the event logs at a more secure location such as a central event
-log collector, or [SIEM][05] aggregator. You can set up SIEM in Azure. For more
+log collector, or [SIEM][07] aggregator. You can set up SIEM in Azure. For more
 information, see [Generic SIEM integration][01].
 
 ### Enabling Protected Event Logging via Group Policy
@@ -147,11 +153,14 @@ Get-WinEvent Microsoft-Windows-PowerShell/Operational |
 
 ## See also
 
-- [PowerShell the Blue Team][03]
+- [PowerShell the Blue Team][05]
 - [Generic SIEM integration][01]
 
 <!-- link references -->
 [01]: /cloud-app-security/siem
-[03]: https://devblogs.microsoft.com/powershell/powershell-the-blue-team/
-[04]: https://en.wikipedia.org/wiki/Public-key_cryptography
-[05]: https://wikipedia.org/wiki/Security_information_and_event_management
+[02]: about_Eventlogs.md
+[03]: about_Logging_Non-Windows.md
+[04]: about_Logging_Windows.md
+[05]: https://devblogs.microsoft.com/powershell/powershell-the-blue-team/
+[06]: https://wikipedia.org/wiki/Public-key_cryptography
+[07]: https://wikipedia.org/wiki/Security_information_and_event_management
@@ -1,7 +1,7 @@
 ---
 description: Explains how to use the `powershell.exe` command-line interface. Displays the command-line parameters and describes the syntax.
 Locale: en-US
-ms.date: 08/30/2023
+ms.date: 01/03/2024
 no-no-loc: [-Command, -ConfigurationName , -EncodedCommand, -ExecutionPolicy, -File, -Help, -InputFormat, -Mta, -NoExit, -NoLogo, -NonInteractive, -NoProfile, -OutputFormat, -PSConsoleFile, -Sta, -Version, -WindowStyle]
 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1&WT.mc_id=ps-gethelp
 schema: 2.0.0
@@ -13,6 +13,11 @@ title: about PowerShell exe
 Explains how to use the `powershell.exe` command-line interface. Displays the
 command-line parameters and describes the syntax.
 
+## Long description
+
+For information about the command-line options for PowerShell 7, see
+[about_Pwsh][01].
+
 ## SYNTAX
 
 ```
@@ -69,7 +74,7 @@ the contents of the script block back out to you.
 A string passed to **Command** is still executed as PowerShell code, so the
 script block curly braces are often not required in the first place when
 running from `cmd.exe`. To execute an inline script block defined inside a
-string, the [call operator][04] `&` can be used:
+string, the [call operator][05] `&` can be used:
 
 ```cmd
 powershell.exe -Command "& {Get-WinEvent -LogName security}"
@@ -113,7 +118,7 @@ script that explicitly sets an exit code other than `0` or `1`, that exit code
 is converted to `1` for process exit code. To preserve the specific exit code,
 add `exit $LASTEXITCODE` to your command string or script block.
 
-For more information, see `$LASTEXITCODE` in [about_Automatic_Variables][02].
+For more information, see `$LASTEXITCODE` in [about_Automatic_Variables][03].
 
 Similarly, the value 1 is returned when a script-terminating
 (runspace-terminating) error, such as a `throw` or `-ErrorAction Stop`, occurs
@@ -143,7 +148,7 @@ Sets the default execution policy for the current session and saves it in the
 `$env:PSExecutionPolicyPreference` environment variable. This parameter does
 not change the PowerShell execution policy that's set in the registry. For
 information about PowerShell execution policies, including a list of valid
-values, see [about_Execution_Policies][03].
+values, see [about_Execution_Policies][04].
 
 ### -File - | \<filePath\> \<args\>
 
@@ -202,7 +207,7 @@ When the script file terminates with an `exit` command, the process exit code
 is set to the numeric argument used with the `exit` command. With normal
 termination, the exit code is always `0`.
 
-For more information, see `$LASTEXITCODE` in [about_Automatic_Variables][02].
+For more information, see `$LASTEXITCODE` in [about_Automatic_Variables][03].
 
 ### -InputFormat {Text | XML}
 
@@ -258,7 +263,7 @@ Starts the specified version of PowerShell. Valid values are 2.0 and 3.0. The
 version that you specify must be installed on the system. If Windows PowerShell
 3.0 is installed on the computer, "3.0" is the default version. Otherwise,
 "2.0" is the default version. For more information, see
-[Installing PowerShell][01].
+[Installing PowerShell][02].
 
 ### -WindowStyle \<Window style\>
 
@@ -303,7 +308,8 @@ powershell.exe -encodedCommand $encodedCommand
 ```
 
 <!-- link references -->
-[01]: /powershell/scripting/install/installing-windows-powershell
-[02]: about_Automatic_Variables.md#lastexitcode
-[03]: about_Execution_Policies.md
-[04]: about_operators.md#special-operators
+[01]: /powershell/module/microsoft.powershell.core/about/about_pwsh
+[02]: /powershell/scripting/install/installing-windows-powershell
+[03]: about_Automatic_Variables.md#lastexitcode
+[04]: about_Execution_Policies.md
+[05]: about_operators.md#special-operators
@@ -1,7 +1,7 @@
 ---
 description: PowerShell logs internal operations from the engine, providers, and cmdlets.
 Locale: en-US
-ms.date: 12/08/2023
+ms.date: 01/03/2024
 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_logging_non-windows?view=powershell-7.2&WT.mc_id=ps-gethelp
 schema: 2.0.0
 title: about Logging Non-Windows
@@ -18,20 +18,23 @@ PowerShell logs details of PowerShell operations, such as starting and stopping
 the engine and starting and stopping providers. It also logs details about
 PowerShell commands.
 
+For information about logging in Windows PowerShell 5.1, see
+[about_Logging][02].
+
 The location of PowerShell logs is dependent on the target platform.
 
 - On Linux, PowerShell logs to the **systemd journal** that can forward to a
   **syslog** server. For more information, see the `man` pages for your Linux
   distribution.
 - On macOS, Apple's unified logging system is used. For more information, see
-  [Apple's developer documentation on logging][01].
+  [Apple's developer documentation on logging][07].
 
 PowerShell supports configuring two categories of logging:
 
 - Module logging - Record the pipeline execution events for members of
   specified modules. Module logging must be enabled for both the session and
   specific modules. For more information about configuring this logging, see
-  [about_PowerShell_Config][02].
+  [about_PowerShell_Config][05].
 
   If module logging is enabled through configuration, you can enable and
   disable logging for specific modules in a session by setting the value of the
@@ -61,7 +64,7 @@ PowerShell supports configuring two categories of logging:
   > [!NOTE]
   > It's recommended to enable Protected Event Logging, when using Script Block
   > Logging for anything other than diagnostics purposes. For more information,
-  > see [about_PowerShell_Config][03].
+  > see [about_PowerShell_Config][06].
 
 ## Configuring logging on Linux or macOS
 
@@ -315,7 +318,7 @@ PowerShell in the **Console** application.
 1. Generate PowerShell information to log from the instance of PowerShell
    started in the first step.
 
-For more information, see [view log messages in Console on Mac][05].
+For more information, see [view log messages in Console on Mac][08].
 
 ### Viewing PowerShell log data from the command line on macOS
 
@@ -369,25 +372,26 @@ For more information, run `log show --help` to view the help for the `log show`
 command.
 
 You may also want to consider saving the logs to a more secure location such as
-[Security Information and Event Management (SIEM)][06] aggregator. Using
+[Security Information and Event Management (SIEM)][09] aggregator. Using
 Microsoft Defender for Cloud Apps, you can set up SIEM in Azure. For more
-information, see [Generic SIEM integration][07].
+information, see [Generic SIEM integration][01].
 
 ## See also
 
 - For Linux **syslog** and **rsyslog.conf** information, refer to the Linux
   computer's local `man` pages
 - For macOS **logging** information, see
-  [Apple's developer documentation on logging][01]
-- For Windows, see [about_Logging_Windows][08]
-- [Generic SIEM integration][07]
+  [Apple's developer documentation on logging][07]
+- For Windows, see [about_Logging_Windows][03]
+- [Generic SIEM integration][01]
 
 <!-- link references -->
-[01]: https://developer.apple.com/documentation/os/logging
-[02]: about_PowerShell_Config.md#modulelogging
-[03]: about_PowerShell_Config.md#protectedeventlogging
+[01]: /defender-cloud-apps/siem
+[02]: /powershell/module/microsoft.powershell.core/about/about_logging?view=powershell-5.1&preserve-view=true
+[03]: about_Logging_Windows.md
 [04]: about_PowerShell_Config.md#common-configuration-settings
-[05]: https://support.apple.com/guide/console/log-messages-cnsl1012/mac
-[06]: https://wikipedia.org/wiki/Security_information_and_event_management
-[07]: /defender-cloud-apps/siem
-[08]: about_Logging_Windows.md
+[05]: about_PowerShell_Config.md#modulelogging
+[06]: about_PowerShell_Config.md#protectedeventlogging
+[07]: https://developer.apple.com/documentation/os/logging
+[08]: https://support.apple.com/guide/console/log-messages-cnsl1012/mac
+[09]: https://wikipedia.org/wiki/Security_information_and_event_management
@@ -1,7 +1,7 @@
 ---
 description: PowerShell logs internal operations from the engine, providers, and cmdlets to the Windows event log.
 Locale: en-US
-ms.date: 12/08/2023
+ms.date: 01/03/2024
 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.2&WT.mc_id=ps-gethelp
 schema: 2.0.0
 title: about Logging Windows
@@ -18,12 +18,15 @@ the Windows event log.
 PowerShell logs details about PowerShell operations, such as starting and
 stopping the engine and providers, and executing PowerShell commands.
 
+For information about logging in Windows PowerShell 5.1, see
+[about_Logging][02].
+
 PowerShell supports configuring two categories of logging:
 
 - Module logging - Record the pipeline execution events for members of
   specified modules. Module logging must be enabled for both the session and
   specific modules. For more information about configuring this logging, see
-  [about_PowerShell_Config][01].
+  [about_PowerShell_Config][05].
 
   If module logging is enabled through configuration, you can enable and
   disable logging for specific modules in a session by setting the value of the
@@ -49,7 +52,7 @@ PowerShell supports configuring two categories of logging:
   When you enable Script Block Logging, PowerShell records the content of all
   script blocks that it processes. Once enabled, any new PowerShell session
   logs this information. For more information, see
-  [Enabling Script Block Logging](#enabling-script-block-logging).
+  [Enabling Script Block Logging][03].
 
 ## Registering the PowerShell event provider on Windows
 
@@ -137,7 +140,7 @@ function Enable-PSScriptBlockLogging {
 
 You can set the `ScriptBlockLogging` option in the `powershell.config.json`
 file that controls how PowerShell behaves. For more information, see
-[about_PowerSHell_Config][02].
+[about_PowerSHell_Config][06].
 
 ## Protected Event Logging
 
@@ -159,13 +162,13 @@ content and decrypt content are kept separate.
 The public key can be shared widely and isn't sensitive data. Any content
 encrypted with this public key can only be decrypted by the private key. For
 more information about Public Key Cryptography, see
-[Wikipedia - Public Key Cryptography][03].
+[Wikipedia - Public Key Cryptography][08].
 
 To enable a Protected Event Logging policy, deploy a public key to all machines
 that have event log data to protect. The corresponding private key is used to
 post-process the event logs at a more secure location such as a central event
-log collector, or [SIEM][04] aggregator. You can set up SIEM in Azure. For more
-information, see [Generic SIEM integration][05].
+log collector, or [SIEM][09] aggregator. You can set up SIEM in Azure. For more
+information, see [Generic SIEM integration][01].
 
 ### Enabling Protected Event Logging via Group Policy
 
@@ -205,15 +208,17 @@ Get-WinEvent Microsoft-Windows-PowerShell/Operational |
 
 ## See also
 
-- [about_Logging_Non-Windows][06]
+- [about_Logging_Non-Windows][04]
 - [PowerShell the Blue Team][07]
-- [Generic SIEM integration][05]
+- [Generic SIEM integration][01]
 
 <!-- link references -->
-[01]: about_PowerShell_Config.md#modulelogging
-[02]: about_PowerShell_Config.md#scriptblocklogging
-[03]: https://en.wikipedia.org/wiki/Public-key_cryptography
-[04]: https://wikipedia.org/wiki/Security_information_and_event_management
-[05]: /cloud-app-security/siem
-[06]: about_Logging_Non-Windows.md
+[01]: /cloud-app-security/siem
+[02]: /powershell/module/microsoft.powershell.core/about/about_logging?view=powershell-5.1&preserve-view=true
+[03]: #enabling-script-block-logging
+[04]: about_Logging_Non-Windows.md
+[05]: about_PowerShell_Config.md#modulelogging
+[06]: about_PowerShell_Config.md#scriptblocklogging
 [07]: https://devblogs.microsoft.com/powershell/powershell-the-blue-team/
+[08]: https://en.wikipedia.org/wiki/Public-key_cryptography
+[09]: https://wikipedia.org/wiki/Security_information_and_event_management