PowerShell

PowerShell -Export RDP Logs to Email

The below is a PowerShell script I wrote to grab a list of servers in a TXT file, filter for Event IDs specific to RDP logons and export to email.

To run this Script, you may need to allow Remote Event Log Management through the local firewall on each server.

You will need to modify the following variables to suit your requirements;

$filename

$filedir

$oldfiledir

$OutputFile

You will also need to create a TXT file listing the servers you wish to run the script against, similar to the below;

server_list

You can also grab the full script here: PowerShell Script

 


#PowerShell Script to find and export RDP specific logs to email
#Created by Scott Ellis
#July 2016

#Please note you will require; a TXT file listing server names to be checked and set in the below variable $serverlist
                            #; modify $filename, $filedir, $oldfiledir, $OutputFile to suit your needs

#Log Name to Search For (RDP Logons in this case)
$LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
$Results = @()

#Set Variable for Date (Get Current date, minus 14 days)
$checkDate = (Get-Date).AddDays(-14).Date

#Sets Variable for Current Date
$WorkingDate = Get-Date

#Sets Variable for File name to be outputted with current date
$filename = "RDP Event Logs - " + $WorkingDate.ToString('dd-MM-yyyy')+'.csv'

#Specifies directory where file will be exported to
$filedir="C:\Reports\RDP"

#If script is scheduled, sets variable for location for previous exports to be moved to
$oldfiledir="C:\Reports\RDP\Aged Reports"

#Sets Output location and file name
$OutputFile = $filedir+'\'+$filename

#Sets variable for TXT file listing servers
$serverlist = "C:\Reports\RDP\SERVER_LIST.txt"

#Checks for existing file, and if found, moves to previous exports location as defined by 'oldfiledir' variable
$existingfile = Test-Path $OutputFile
If ($existingfile -eq $true) {
Move-Item $OutputFile $oldfiledir }

#Gets Text File listing servers from 'serverlist' variable and Gets Windows Events using Log Name, Start Time (defined above) and Specific Event IDs (below)
Get-Content $serverlist | ForEach-Object {
$Events = Get-WinEvent -ComputerName $_ -FilterHashTable @{ LogName = $LogName; StartTime = $checkDate; ID = 21,22,23,24,25 }

#Using Filtered Events above, gets RDP event details including; Username, Server, Time, Event ID and Source IP for each server listed in server list TXT file and adds output to ResultsHash
foreach ($Event in $Events) {
    $EventXml = [xml]$Event.ToXML()

    $ResultHash = @{
        Username    = $EventXml.Event.UserData.EventXML.User
        Server      = $Event.MachineName
        Time        = $Event.TimeCreated.ToString()
        'Event ID'  = $Event.ID
        'Source IP' = $EventXml.Event.UserData.EventXML.Address

    }
    #Creates new variable using PSObject with ResultsHash table as Property
    $Results += (New-Object PSObject -Property $ResultHash)
} }
#Exports Output to CSV file (defined above)
$Results | Select-Object Username,Server,Time,'Source IP','Event ID' | Export-Csv $OutputFile

#Creates Legend Table to be included in body of email to help idenitfy Event IDs

# Create a DataTable
$table = New-Object system.Data.DataTable "Event ID Legend"
$col1 = New-Object system.Data.DataColumn "Event ID",([string])
$col2 = New-Object system.Data.DataColumn "Description",([string])
$table.columns.add($col1)
$table.columns.add($col2)

# Add content to the DataTable
$row = $table.NewRow()
$row."Event ID" = "21"
$row.Description = "RDP Logon"
$table.Rows.Add($row)
$row = $table.NewRow()
$row."Event ID" = "23"
$row.Description = "RDP Logoff"
$table.Rows.Add($row)
$row = $table.NewRow()
$row."Event ID" = "24"
$row.Description = "RDP Session Disconnected"
$table.Rows.Add($row)
$row = $table.NewRow()
$row."Event ID" = "25"
$row.Description = "RDP Session Reconnected"
$table.Rows.Add($row)

# Create an HTML version of the DataTable
$html = "<table><tr><td>Event ID</td><td>Description</td></tr>"
foreach ($row in $table.Rows)
{
    $html += "<tr><td>" + $row[0] + "</td><td>" + $row[1] + "</td></tr>"
}
$html += "</table>"

#Sets Settings for Mail

$smtpserver = "smtp.server.com"
$from = "from.from@microsoft.com"
$to = "to.to@microsoft.com"
$subject = "RDP Logons < 14 Days"
$body = "Hi,<br />The below table is your reference in assinsting to identifying Event IDs and their description.<br /><br />" + $html

#Sends Email with Output attached to sender defined above
Send-MailMessage -smtpserver $smtpserver -from $from -to $to -subject $subject -Attachments $OutputFile  -body $body -bodyashtml

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s