Closed TheTaylorLee closed 1 year ago
Feature Target Details
Describe the solution you'd like Add events 24 and 25 to the function output
Why is this change needed? So that reconnect and disconnect events are also exported to the log
Code Sample
function Get-RemoteDesktopLogins { [cmdletbinding()] param ( [Parameter(Position = 0, Mandatory = $true)]$OutputPath ) #Common Variables $LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' $Results = @() $Events21 = Get-WinEvent -LogName $LogName | Where-Object { ($_.Id -like '21*') } $Events23 = Get-WinEvent -LogName $LogName | Where-Object { ($_.Id -like '23*') } $Events24 = Get-WinEvent -LogName $LogName | Where-Object { ($_.Id -like '24*') } $Events25 = Get-WinEvent -LogName $LogName | Where-Object { ($_.Id -like '25*') } #Foreach to retrieve event 21 foreach ($Event in $Events21) { $EventXml = [xml]$Event.ToXML() $ResultHash = @{ Time = $Event.TimeCreated.ToString() 'Event ID' = $Event.Id 'Desc' = ($Event.Message -split "`n")[0] 'Username' = $EventXml.Event.UserData.EventXML.User 'Source IP' = $EventXml.Event.UserData.EventXML.Address 'Details' = $Event.Message 'Computer' = $EventXML.Event.System.Computer } $Results += (New-Object PSObject -Property $ResultHash) } #End of Events loop #Output results to file $Results | Export-Csv $Outputpath -Append -NTI #Foreach to retrieve event 23 foreach ($Event in $Events23) { $EventXml = [xml]$Event.ToXML() $ResultHash = @{ Time = $Event.TimeCreated.ToString() 'Event ID' = $Event.Id 'Desc' = ($Event.Message -split "`n")[0] 'Username' = $EventXml.Event.UserData.EventXML.User 'Source IP' = $EventXml.Event.UserData.EventXML.Address 'Details' = $Event.Message 'Computer' = $EventXML.Event.System.Computer } $Results += (New-Object PSObject -Property $ResultHash) } #End of Events loop #Output results to file $Results | Export-Csv $Outputpath -Append -NTI foreach ($Event in $Events24) { $EventXml = [xml]$Event.ToXML() $ResultHash = @{ Time = $Event.TimeCreated.ToString() 'Event ID' = $Event.Id 'Desc' = ($Event.Message -split "`n")[0] 'Username' = $EventXml.Event.UserData.EventXML.User 'Source IP' = $EventXml.Event.UserData.EventXML.Address 'Details' = $Event.Message 'Computer' = $EventXML.Event.System.Computer } $Results += (New-Object PSObject -Property $ResultHash) } #End of Events loop #Output results to file $Results | Export-Csv $Outputpath -Append -NTI foreach ($Event in $Events25) { $EventXml = [xml]$Event.ToXML() $ResultHash = @{ Time = $Event.TimeCreated.ToString() 'Event ID' = $Event.Id 'Desc' = ($Event.Message -split "`n")[0] 'Username' = $EventXml.Event.UserData.EventXML.User 'Source IP' = $EventXml.Event.UserData.EventXML.Address 'Details' = $Event.Message 'Computer' = $EventXML.Event.System.Computer } $Results += (New-Object PSObject -Property $ResultHash) } #End of Events loop #Output results to file $Results | Export-Csv $Outputpath -Append -NTI }
Feature Target Details
Describe the solution you'd like Add events 24 and 25 to the function output
Why is this change needed? So that reconnect and disconnect events are also exported to the log
Code Sample