Need help to fetch event viewer security Account Name,Logondate,Log off date,Source Network address,

All replies

• 

  

  0

  Sign in to vote

  You can only get that from the registry.

  Please carefully review the following links to set your expectation for posting in  technical forums.

  This Forum is for Scripting Questions Rather than script requests

  • Script Gallery.
  • Forum for Script requests
    1. Microsoft Virtual Academy - Getting Started with Microsoft PowerShell
    2. PowerShell Documentation
    3. PowerShell Style Guidelines
  • How to ask questions in a technical forum
  • Rubber duck problem solving
  • How to write a bad forum post
  • Help Vampires: A Spotter's Guide
  • This forum is for scripting questions rather than script requests

  ---

  \_(ツ)_/

  Tuesday, January 15, 2019 12:47 AM
• 

  

  0

  Sign in to vote

  I could not get any help above group. Still waiting for Powershell script.

  Friday, January 18, 2019 7:41 PM
• 

  

  0

  Sign in to vote

  I could not get any help above group. Still waiting for Powershell script.

  We do not provide script  on request.  Please read the links I posted.

  Script requests should be posted in this forum: Forum for Script requests

  ---

  \_(ツ)_/

  Friday, January 18, 2019 7:48 PM
• 

  

  0

  Sign in to vote

  This is very similar, perhaps you could adjust it as necessary.

  • https://gallery.technet.microsoft.com/scriptcenter/Remote-Desktop-Connection-3fe225cd

  ---

  
  

  Mike Crowley

  My Blog | MikeCrowley.US

  Baseline Technologies | Baseline.Consulting

  “ Being ignorant is not so much a shame, as being unwilling to learn ”

  -Ben Franklin

  Monday, January 21, 2019 7:08 PM
• 

  

  0

  Sign in to vote

  Here is a more complete and more useful way to retrieve these events.  It can allow you to match logon and logoff events by "SessionID".

  function Get-TSUserEvents{
      [CmdletBinding()]
      Param(
          [string[]]$ComputerName = $env:COMPUTERNAME,
          [datetime]$StartTime = [datetime]::Today 
      )
      
      Begin{
          $actions = @{
              '21' = 'logon'
              '22' = 'Shell start'
              '23' = 'Logoff'
              '24' = 'Disconnected'
              '25' = 'Reconnected'
          }
          $LogFilter = @{
              LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
              ID      = 21, 22, 23, 24, 25
              StartTime = $StartTime
          }
          
      }
      
      Process{
          foreach ($server in $ComputerName) {
              Get-WinEvent -FilterHashtable $LogFilter -ComputerName $Server |
                  ForEach-Object { 
                      $entry = [xml]$_.ToXml()
                      [pscustomobject]@{
                          ServerName = $server
                          EventID = $entry.Event.System.EventID
                          TimeCreated = $_.TimeCreated
                          SessionID = $entry.Event.UserData.EventXML.SessionID
                          User = $entry.Event.UserData.EventXML.User
                          IPAddress = $entry.Event.UserData.EventXML.Address
                          Action = $actions[$entry.Event.System.EventID]
                      }        
                  } 
  
          }
      }
  }

  To export just do this:

  Get-TSUserEvents | Export-Csv $filename -NoType

  ---

  \_(ツ)_/

  
  

  
  

  • Edited by jrv Monday, January 21, 2019 8:06 PM

  Monday, January 21, 2019 8:04 PM