
Have Issue with PowerShell and Formatting/Displaying Data from the Event Logs


Stoic Joker:
Greetings,
   I'm trying to create a report using the Windows Event Logs that displays the RD Gateway logon history of users with PowerShell, but I'm stuck at how to get the length (or Duration in the code) of their session to show up in a string inside of a switch statement.

--- Code: PowerShell ---
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-TerminalServices-Gateway/Operational'; ID=300,302,303 } | %{
    # Build one row per event; Duration only matches on 303 (disconnect) messages
    (new-object -Type PSObject -Property @{
        TimeCreated = $_.TimeCreated
        evId        = $_.ID -replace '\s',''
        ClientIP    = $_.Message -replace '(?smi).*on client computer\s\"+([^\s]+)\",\s+.*','$1'
        UserName    = $_.Message -replace '(?smi).*The user\s\"+([^\s]+)\",\s+.*','$1'
        Duration    = $_.Message -replace '(?smi).*\ssession duration was\s+([^\s]+)\s+.*','$1'
    })
} | sort UserName, TimeCreated -Descending | Select TimeCreated, ClientIP `
    , @{N='Username';E={'{0}' -f $_.UserName}} `
    , @{N='evID - User Action Made';E={
        switch ($_.evId) {
            300 {'300 - Requested Resource Access Authorized'}
            302 {'302 - Full Resource Machine Connection'}
            303 {"303 - User Disconnected From Resource: 'Duration'"}
            default {'This should be unreachable...'}
        }
    }} | Format-Table -AutoSize
--- End code ---

No matter what I try, nothing will put the number of seconds that should be stored in the Duration array into that string for output to the screen. And I need to have it displayed conditionally for only the 303 events; otherwise it doesn't exist and dumps the whole event message text.

Anybody know the right answer that I can't seem to find?

Thanks in Advance

Stoic Joker

4wd:
Try string interpolation:

--- Code: PowerShell ---
303 {"303 - User Disconnected From Resource: $($Duration)"}
--- End code ---

Stoic Joker:
--- Quote from: 4wd on January 24, 2024, 12:04 AM ---
Try string interpolation:

--- Code: PowerShell ---
303 {"303 - User Disconnected From Resource: $($Duration)"}
--- End code ---
--- End quote ---

I tried that and a few different variations ($_.($Duration, $($_.Duration), etc.); no luck.
Double quotes come out blank, and single quotes just echo back the code as typed.

The part that's killing me is that I'm not even sure which part is broken: the output string creation, or the elusive data that I can't get to show up in it. Is it just missing, identified wrong, or not supposed to be accessible from there until spring...

Do I need to (somehow) pass the other arrays into the switch statement? Something along the lines of:

--- Code: PowerShell ---
switch ($_.evId.($_.Duration)) {
--- End code ---

Or is that even possible/supposed to be needed?

Thank you.


P.S. If it helps/matters: the test code is being run on a Windows Server 2022 machine.
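The reason `$($_.Duration)` comes out blank is that inside a `switch` block PowerShell rebinds `$_` to the value being tested (here the evId), so `$_.Duration` in the `303` branch reads a property of the string "303" and gets nothing; `$Duration` on its own is not a variable either, it is a property of the row object. Capturing the row in a named variable before the `switch` fixes it. The following is an added example, not the thread's own code: it keeps the same three event IDs and the message wording the original regexes target, splits the work into a parsing function and a formatting function, only populates Duration for 303 events, and feeds a few constructed sample records (not real log output) through the pipeline so it runs without an RD Gateway.

```powershell
# Added example, not the original poster's code. Sample records below are constructed.

function ConvertTo-GatewayRow {
    # Turns one event (Get-WinEvent record or anything with TimeCreated/Id/Message) into a flat row.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $msg = [string]$Event.Message

        # The quoted user and client computer appear in all three message types.
        $user = if ($msg -match 'The user\s+"([^"]+)"')            { $Matches[1] } else { $null }
        $ip   = if ($msg -match 'on client computer\s+"([^"]+)"')  { $Matches[1] } else { $null }

        # "session duration was N seconds" only exists in the 303 (disconnect) message,
        # so leave Duration empty for 300/302 instead of falling back to the whole message.
        $duration = $null
        if ([int]$Event.Id -eq 303 -and $msg -match 'session duration was\s+(\d+)') {
            $duration = [int]$Matches[1]
        }

        [pscustomobject]@{
            TimeCreated = $Event.TimeCreated
            evId        = [int]$Event.Id
            ClientIP    = $ip
            UserName    = $user
            Duration    = $duration
        }
    }
}

function Format-GatewayReport {
    # Sorts the rows and renders the evId column as a human-readable action.
    param([Parameter(Mandatory, ValueFromPipeline)] $Row)
    begin   { $rows = [System.Collections.Generic.List[object]]::new() }
    process { $rows.Add($Row) }
    end {
        $rows | Sort-Object UserName, TimeCreated -Descending |
            Select-Object TimeCreated, ClientIP, UserName, @{
                N = 'evID - User Action Made'
                E = {
                    # Inside 'switch', $_ becomes the value under test, so hold on to the row first.
                    $row = $_
                    switch ($row.evId) {
                        300     { '300 - Requested Resource Access Authorized' }
                        302     { '302 - Full Resource Machine Connection' }
                        303     { "303 - User Disconnected From Resource: $($row.Duration) seconds" }
                        default { "$($row.evId) - Unexpected event ID" }
                    }
                }
            } | Format-Table -AutoSize
    }
}

# Constructed sample records standing in for Get-WinEvent output (wording modelled on the
# fragments the original regexes look for; not copied from a real gateway log).
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-24 08:00:00'; Id = 300
        Message = 'The user "CONTOSO\alice", on client computer "203.0.113.10", met resource authorization policy requirements and was therefore authorized to connect to resource "rds01.contoso.local".' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-24 08:00:05'; Id = 302
        Message = 'The user "CONTOSO\alice", on client computer "203.0.113.10", connected to resource "rds01.contoso.local".' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-24 09:30:00'; Id = 303
        Message = 'The user "CONTOSO\alice", on client computer "203.0.113.10", disconnected from the following network resource: "rds01.contoso.local". The session duration was 5395 seconds.' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-24 10:15:00'; Id = 300
        Message = 'The user "CONTOSO\bob", on client computer "198.51.100.7", met resource authorization policy requirements and was therefore authorized to connect to resource "rds02.contoso.local".' }
)

$sample | ConvertTo-GatewayRow | Format-GatewayReport

# Against the live log on the gateway, the only change is the source of the events:
# Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-TerminalServices-Gateway/Operational'; ID=300,302,303} |
#     ConvertTo-GatewayRow | Format-GatewayReport
```

Keeping the parsing separate from the formatting also means the rows can be exported with `Export-Csv` or checked for long or unexpectedly short sessions before they are ever rendered as a table.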

4wd:
You could also try setting a value regardless of whether there's a match or not:

--- Code: PowerShell ---
# match against the message text, not the event object itself
Duration = if ($_.Message -match '(?smi).*\ssession duration was\s+([^\s]+)\s+.*') { $matches[1] } else { "Unknown Duration" }
--- End code ---

P.S. I can't actually test it as I only have a Win10 machine; wish I could suggest something more.

Shades:
Which version of PowerShell are you using? The one included in Windows itself or the open-source version?

The open-source version is at version 7.x; the PowerShell included with Windows isn't.

You can run both versions next to each other; that is not a problem on any of the Windows computers in my care (which all run Win 10, Win 11, Server 2019 or Server 2022). The open-source version exists because MS wants PowerShell to be adopted on every operating system, so it is possible to run PowerShell scripts on Linux servers. Not WSL, but real Linux servers.

The open-source version gets more "love" from everyone, incl. Microsoft, so it may be possible that your script works in the open-source version.

Currently I am using the open-source version to "play around" with projects that include LLMs to make the computer create all the scripts it needs to accomplish requests I make. I've been using the OpenAI LLMs with that, but also LLMs I run locally. I only mention it because open-source PowerShell works well with this, while the included PowerShell does not.
