Oct 26 2020 12:20 PM
I have a script which pulls the following Windows log, "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational", from a few servers.
PS script:
Get-WinEvent -ComputerName $s.Name -logname "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" -MaxEvents 300 | Where-Object {$_.ID -Like '21'}| Select -ExpandProperty Message
I'm getting the following results:
User: ANY\User1
Session ID: 6
Source Network Address: 192.168.1.1
Remote Desktop Services: Session logon succeeded:
User: ANY\User2
Session ID: 7
Source Network Address: 192.168.1.2
Remote Desktop Services: Session logon succeeded:
User: ANY\User3
Session ID: 8
Source Network Address: 192.168.1.3
Remote Desktop Services: Session logon succeeded:
....
I would like to see how I can parse all the results in Columns:
Users      Session ID  SourceNet    RDS
ANY\User1  6           192.168.1.1  Session logon succeeded
ANY\User2  7           192.168.1.2  Session logon succeeded
ANY\User3  8           192.168.1.3  Session logon succeeded
Any help is appreciated.
Thanks.
Oct 28 2020 02:48 AM - edited Oct 28 2020 02:50 AM
Use this
$Fullresult=@()
$allevents=Get-WinEvent -ComputerName $s.Name -logname "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" -MaxEvents 300 | Where-Object {$_.ID -Like '21'}| Select -ExpandProperty Message
foreach ($singleevent in $allevents){
    # Message lines after the split: [0] status text, [2] User, [3] Session ID, [4] Source Network Address
    # Trim() removes the carriage return left behind when splitting on `n only
    $Result=New-Object PSObject
    $Result | Add-Member -NotePropertyName "User" -NotePropertyValue ($singleevent.split("`n")[2].substring(6).Trim())
    $Result | Add-Member -NotePropertyName "SessionID" -NotePropertyValue ($singleevent.split("`n")[3].substring(12).Trim())
    $Result | Add-Member -NotePropertyName "SourceNet" -NotePropertyValue ($singleevent.split("`n")[4].substring(24).Trim())
    $Result | Add-Member -NotePropertyName "RDS" -NotePropertyValue ($singleevent.split("`n")[0].substring(25).Trim())
    $Fullresult+=$Result
}
# Show every collected row as a table
$Fullresult | ft -AutoSize -Wrap
The Message value seems to be a string, and what I did is split the string into an array by using the `n newline and then add them to a PSCustomObject which holds the value.
---------------------------------
If this answers your question, please Click on Best Response and give a like :)
Oct 28 2020 02:55 AM
$Fullresult=@()
$allevents=Get-WinEvent -ComputerName $s.Name -logname "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" -MaxEvents 300 | Where-Object {$_.ID -Like '21'}| Select -ExpandProperty Message
foreach ($singleevent in $allevents){
    # Message lines after the split: [0] status text, [2] User, [3] Session ID, [4] Source Network Address
    # Trim() removes the carriage return left behind when splitting on `n only
    $Result=New-Object PSObject
    $Result | Add-Member -NotePropertyName "User" -NotePropertyValue ($singleevent.split("`n")[2].substring(6).Trim())
    $Result | Add-Member -NotePropertyName "SessionID" -NotePropertyValue ($singleevent.split("`n")[3].substring(12).Trim())
    $Result | Add-Member -NotePropertyName "SourceNet" -NotePropertyValue ($singleevent.split("`n")[4].substring(24).Trim())
    $Result | Add-Member -NotePropertyName "RDS" -NotePropertyValue ($singleevent.split("`n")[0].substring(25).Trim())
    $Fullresult+=$Result
}
# Output the whole collection, not only the last $Result built in the loop
$Fullresult | ft -AutoSize
Use this script. This script will store the result in a new PSObject.
I use the Split method to split and be able to read the lines like this; the `n refers to a new line.
Hope this helps
----------------------------------------------
If this answers your question, please click on Best Response and give Like :)
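An added example, not part of any post in this thread: instead of splitting the Message text by line position, the same fields can be read from the event's XML, which does not depend on line order or line endings. It assumes event ID 21 carries User, SessionID and Address elements under UserData/EventXML (check one event with ToXml() first); the helper name ConvertFrom-RdpLogonXml and the sample XML are constructed for illustration.

```powershell
# Added example (not from the thread). Assumption: event ID 21 stores its fields as
# <User>, <SessionID> and <Address> under Event/UserData/EventXML.
function ConvertFrom-RdpLogonXml {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$EventXml
    )
    process {
        $doc  = [xml]$EventXml
        $data = $doc.Event.UserData.EventXML
        [pscustomobject]@{
            Computer  = $doc.Event.System.Computer
            User      = $data.User
            SessionID = [int]$data.SessionID
            SourceNet = $data.Address
            RDS       = 'Session logon succeeded'   # fixed meaning of event ID 21
        }
    }
}

# Constructed sample events so the parser can be run offline.
$template = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">' +
            '<System><EventID>21</EventID><Computer>{0}</Computer></System>' +
            '<UserData><EventXML xmlns="Event_NS"><User>{1}</User>' +
            '<SessionID>{2}</SessionID><Address>{3}</Address></EventXML></UserData></Event>'
$sample = @(
    ($template -f 'SRV01', 'ANY\User1', 6, '192.168.1.1'),
    ($template -f 'SRV01', 'ANY\User2', 7, '192.168.1.2'),
    ($template -f 'SRV02', 'ANY\User3', 8, 'LOCAL')   # console logon, no remote address
)

# Keep only logons that came from a network address.
$sample | ConvertFrom-RdpLogonXml |
    Where-Object SourceNet -ne 'LOCAL' |
    Format-Table -AutoSize

# Against live servers ($s.Name as in the thread), filter on the server side:
# Get-WinEvent -ComputerName $s.Name -MaxEvents 300 -FilterHashtable @{
#     LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Id = 21
# } | ForEach-Object { $_.ToXml() } | ConvertFrom-RdpLogonXml
```

With -FilterHashtable, -MaxEvents 300 returns up to 300 events with ID 21, whereas the thread's pipeline takes the newest 300 events of any ID and filters afterwards.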