Remote Desktop Server Connection Log Script

This script creates a CSV based on a date that you input that shows the connection logs (logon, logoff, disconnected, reconnected) from the [[Event Logs|event logs]] on the [[Remote Desktop Services (RDS)]] server. ```PowerShell # List of servers to read the log from and the event log to read $ServerName = 'RDS1', 'RDS2', 'RDS3' $EventLogPath = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' # Input day of the log to read and calculate end time $StartDate = Read-Host "What day do you want to review" $EndDate = Get-Date $StartDate $EndDate = $EndDate.AddDays(1).ToString("MM/dd/yyyy") # Calculate log file name based on day reviewed and remove any file with that name in the path $LogName = Get-Date $StartDate -Format 'yyyy-MM-dd' $LogName = 'C:\temp\'+$LogName+'_log.csv' If ([System.IO.File]::Exists($LogName)) {Remove-Item $LogName} # Loop each server ForEach ($Server in $ServerName) { $filter = @{ Logname = $EventLogPath StartTime = Get-Date $StartDate EndTime = Get-Date $EndDate ID = 21, 23 , 24, 25 } # Get event log information and append to log csv file if ((get-winevent -ComputerName $Server -FilterHashtable $filter -ErrorAction SilentlyContinue).count -ne 0) { $events = get-winevent -ComputerName $Server -FilterHashtable $filter | Select-Object TimeCreated, @{Name = 'Server Name'; expression={$Server }}, @{Name = 'User' ; Expression = { $_.Properties.value[0] } }, ID, @{Name = 'Session ID' ; Expression = { $_.Properties.value[1] } }, @{Name = 'Source Network Address:'; Expression = { $_.Properties.value[2] } } | Export-csv -path $LogName -Append $ImportedCSV = Import-CSV $LogName #Translate event codes to English $NewCSV = Foreach ($Entry in $ImportedCsv) { Switch ($Entry.'Id') { 21 {$Entry.'Id' = 'Logon'} 23 {$Entry.'Id' = 'Logoff'} 24 {$Entry.'Id' = 'Disconnected'} 25 {$Entry.'Id' = 'Reconnected'} } $Entry } $NewCSV | Export-CSV $LogName -NoTypeInformation } } #Rename ID column header to Description $dat = get-content $LogName $headers = $dat | select -first 1 $headers = $headers -split "," $headers[3] = "Description" $headers = $headers -join "," $dat[0] = $headers $dat | set-content $LogName ``` # Source [[SOLVED] Need a way to determine when and how long a user connected to RDP server - Microsoft Remote Desktop Services (spiceworks.com)](https://community.spiceworks.com/topic/2315228-need-a-way-to-determine-when-and-how-long-a-user-connected-to-rdp-server)