Messages - Stoic Joker [ switch to compact view ]

Pages: [1] 2 3 4 5 6 ... 1225next
1
Developer's Corner / Re: Have Issue with PowerShell and Formatting/Displaying Data from the Event Logs
« on: January 26, 2024, 12:41 PM »
Which version of PowerShell are you using? The one included in Windows itself or the open-source version?

The open-source version is at version 7.x, Powershell included with Windows isn't.
-Shades (January 25, 2024, 06:16 PM)

Normally I'm a what's in the box/living of the land sort of guy. But I may have to explore the OS version.

The open-source version gets more "love" from everyone, incl. Microsoft, so it may be possible that your script works in the open-source version.
-Shades (January 25, 2024, 06:16 PM)

No... The prevailing Rule-of-Thumb is: I screwed something up.

Typically because I've usually screwed something up ... As I just don't do this often enough to be/get good at it - Hence, I'm not.

I once spent an entire afternoon working on code with ChatGPT. The reason it took so long is that ChatGPT wasn't astute enough to simply inform me, that I was a Freaking Idiot. Because after some additional tangentially related research I realized that what I was asking it to do was flat-out impossible.


I think I might just be gettin old.

2
Developer's Corner / Re: Have Issue with PowerShell and Formatting/Displaying Data from the Event Logs
« on: January 26, 2024, 10:23 AM »
You could also try setting a value regardless of whether there's a match or not:
[Select]
Duration = if ($_ -match '(?smi).*\ssession duration was\s+([^\s]+)\s+.*') { $matches[1] } else { "Unknown Duration" }

P.S. I can't actually test it as I only have a Win10 machine, wish I could suggest something more.
-4wd (January 25, 2024, 05:32 AM)

Yeah, I had a feeling that might be a problem...

But! The duration part solved itself later in the code, when I ran it through a formatting routine that returns blank if the input is not a number:
[Select]
@{Name='Duration  ';Expression={'{0}' -f [timespan]::fromseconds($_.Duration).ToString("d\.hh\:mm\:ss")}}

Then I ran into a variation of the same problem on the next value that your code above worked perfectly on:
[Select]
Target = if ($_.Message -match '(?smi).*to resource\s\"+([^\s]+).INTERNALDOMAINNAME.com\".\s+.*') { $matches[1] }
else {
$_.Message -replace '(?smi).*network resource:\s\"+([^\s]+).LAP.com\".\s+.*','$1'
}

The output report combines two different event types (connect and disconnect) in the same column, that both needed the same (internal resource machine name) info that was worded differently in their source event messages.

So if anybody else needs it, the now working/finished report code looks like so:
[Select]
$Start = (Get-Date).AddDays(-14)

$End = Get-Date ## (Get-Date).Date AutoMagically Makes it Midnight of that Date.

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-TerminalServices-Gateway/Operational';
StartTime=$Start; EndTime=$End; ID=302,303 } | %{

(new-object -Type PSObject -Property @{
TimeStamp = $_.TimeCreated

evId = $_.ID -replace '\s',''

ClientIP = $_.Message -replace '(?smi).*on client computer\s\"+([^\s]+)\",\s+.*','$1'

UserName = $_.Message -replace '(?smi).*The user\s\"+([^\s]+)\",\s+.*','$1'

Duration = $_.Message -replace '(?smi).*\ssession duration was\s+([^\s]+)\s+.*','$1'

Target = if ($_.Message -match '(?smi).*to resource\s\"+([^\s]+).LAP.com\".\s+.*') { $matches[1] }
else {
$_.Message -replace '(?smi).*network resource:\s\"+([^\s]+).INTERNALDOMAINNAME.com\".\s+.*','$1'
}

})

} | sort UserName, TimeStamp -Descending | Select `
 @{Name='Event Date and Time   ';Expression={'{0}' -f $_.TimeStamp}} `
, @{Name='User Location  ';Expression={'{0}' -f $_.ClientIP}} `
, @{Name='Target Machine';Expression={'{0}' -f $_.Target}} `
, @{Name='Username    ';Expression={'{0}' -f $_.UserName}} `
, @{N='User Action Made   ';E={
switch ($_.evId) {
302 {"Connected"}
303 {"Disconnected After:"}
default {'Should be unreachable'}
}}} `
, @{Name='Duration  ';Expression={'{0}' -f [timespan]::fromseconds($_.Duration).ToString("d\.hh\:mm\:ss")}} | Format-Table -AutoSize -Wrap



Thank You!

3
Developer's Corner / Re: Have Issue with PowerShell and Formatting/Displaying Data from the Event Logs
« on: January 24, 2024, 10:15 AM »
Try string interpolation:
Code: PowerShell [Select]
  1. 303 {"303 - User Disconnected From Resource: $($Duration)"}
-4wd (January 24, 2024, 12:04 AM)

I tried that and a few different variations ($_.($Duration, $($_.Duration), and etc.); no luck.
Double quotes come out blank, and single quotes just echo back the code as typed.

The part that's killing me, is I'm not even sure which part is broken; the output string creation, or is the elusive data that I can't get to show-up in it just missing/identified wrong/not supposed to be accessible for there until spring...

Do I need to (somehow) pass the other arrays into the switch statement? Something along the lines of:
Code: PowerShell [Select]
  1. switch ($_.evId.($_.Duration)) {

Or is that even possible/supposed to be needed?

Thank you.


P.S. If it helps/matters - Test code is being run on a Windows Server 2022 machine.


4
Developer's Corner / Have Issue with PowerShell and Formatting/Displaying Data from the Event Logs
« on: January 23, 2024, 10:24 AM »
Greetings,
   I'm trying to create a report using the Windows Event Logs that displays the RD Gateway logon history of users with PowerShell, but I'm stuck at how to get the length (or Duration in the code) of their session to show up in a string inside of a switch statement.


[Select]
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-TerminalServices-Gateway/Operational'; ID=300,302,303 } | %{

(new-object -Type PSObject -Property @{
TimeCreated = $_.TimeCreated

evId = $_.ID -replace '\s',''

ClientIP = $_.Message -replace '(?smi).*on client computer\s\"+([^\s]+)\",\s+.*','$1'

UserName = $_.Message -replace '(?smi).*The user\s\"+([^\s]+)\",\s+.*','$1'

Duration = $_.Message -replace '(?smi).*\ssession duration was\s+([^\s]+)\s+.*','$1'
})

} | sort UserName, TimeCreated -Descending | Select TimeCreated, ClientIP `
, @{N='Username';E={'{0}' -f $_.UserName}} `
, @{N='evID - User Action Made';E={
switch ($_.evId) {
300 {'300 - Requested Resource Access Authorized'}
302 {'302 - Full Resource Machine Connection'}
303 {"303 - User Disconnected From Resource: 'Duration'"}
default {'This should be unreachable...'}
} Format-Table -AutoSize
}}


No matter what I try, nothing will put the number of seconds number that should be stored in the Duration array into that string for output to the screen. And I need to have it displayed conditionally for only the 303 events - Otherwise it doesn't exist and dumps the whole event message text.

Anybody know the right answer that I can't seem to find?

Thanks in Advance

Stoic Joker

5
Living Room / Re: Looking for Raspberry Pi with Pass-Through Power
« on: August 17, 2023, 01:06 PM »
Interesting... But I'm not sure if the monitoring software will run on the alternates as vendor specified Raspberry, which may not matter - I just don't know enough about these things to guess worth a damn.



Pages: [1] 2 3 4 5 6 ... 1225next
Go to full version