

Have Issue with PowerShell and Formatting/Displaying Data from the Event Logs


Stoic Joker:
You could also try setting a value regardless of whether there's a match or not:

--- ---Duration = if ($_ -match '(?smi).*\ssession duration was\s+([^\s]+)\s+.*') { $matches[1] } else { "Unknown Duration" }
P.S. I can't actually test it as I only have a Win10 machine, wish I could suggest something more.
-4wd (January 25, 2024, 05:32 AM)
--- End quote ---

Yeah, I had a feeling that might be a problem...

But! The duration part solved itself later in the code, when I ran it through a formatting routine that returns blank if the input is not a number:

--- ---@{Name='Duration  ';Expression={'{0}' -f [timespan]::fromseconds($_.Duration).ToString("d\.hh\:mm\:ss")}}
Then I ran into a variation of the same problem on the next value, which your code above worked perfectly on:

--- ---
Target = if ($_.Message -match '(?smi).*to resource\s\"+([^\s]+).INTERNALDOMAINNAME.com\".\s+.*') { $matches[1] }
         else { $_.Message -replace '(?smi).*network resource:\s\"+([^\s]+).LAP.com\".\s+.*','$1' }
The output report combines two different event types (connect and disconnect) in the same column, that both needed the same (internal resource machine name) info that was worded differently in their source event messages.

So if anybody else needs it, the now working/finished report code looks like so:

--- ---
$Start = (Get-Date).AddDays(-14)
$End   = Get-Date   ## (Get-Date).Date AutoMagically Makes it Midnight of that Date.

# 302 = user connected to a resource, 303 = user disconnected from a resource
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
    StartTime = $Start
    EndTime   = $End
    ID        = 302, 303
} | %{
    # Each field is cut out of the message text. Note that -replace hands back the
    # whole message when its pattern does not match (Duration on a 302 event);
    # the Duration column below goes blank in that case because the cast fails.
    (new-object -Type PSObject -Property @{
        TimeStamp = $_.TimeCreated
        evId      = $_.ID -replace '\s',''
        ClientIP  = $_.Message -replace '(?smi).*on client computer\s\"+([^\s]+)\",\s+.*','$1'
        UserName  = $_.Message -replace '(?smi).*The user\s\"+([^\s]+)\",\s+.*','$1'
        Duration  = $_.Message -replace '(?smi).*\ssession duration was\s+([^\s]+)\s+.*','$1'
        # 302 and 303 word the resource name differently; try the 302 wording first
        Target    = if ($_.Message -match '(?smi).*to resource\s\"+([^\s]+).LAP.com\".\s+.*') { $matches[1] }
                    else { $_.Message -replace '(?smi).*network resource:\s\"+([^\s]+).INTERNALDOMAINNAME.com\".\s+.*','$1' }
    })
} | sort UserName, TimeStamp -Descending | Select `
      @{Name='Event Date and Time   ';Expression={'{0}' -f $_.TimeStamp}} `
    , @{Name='User Location  ';Expression={'{0}' -f $_.ClientIP}} `
    , @{Name='Target Machine';Expression={'{0}' -f $_.Target}} `
    , @{Name='Username    ';Expression={'{0}' -f $_.UserName}} `
    , @{N='User Action Made   ';E={
        switch ($_.evId) {
            302     {"Connected"}
            303     {"Disconnected After:"}
            default {'Should be unreachable'}
        }}} `
    , @{Name='Duration  ';Expression={'{0}' -f [timespan]::fromseconds($_.Duration).ToString("d\.hh\:mm\:ss")}} `
    | Format-Table -AutoSize -Wrap


Thank You!
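The following is an added example and not the poster's script or 4wd's suggestion. It builds the same report with the approach 4wd described (test with -match, then read the capture only if it matched) so that a field which is absent from one event type, such as the duration on a 302, comes out as $null instead of the whole message text that -replace returns on a non-match, and the duration stays an integer so the [timespan] formatting can never throw. The two sample messages are constructed here to follow the wording the thread's regexes target; the exact text on a real gateway depends on the event's display language and on the provider's message DLL being present on the parsing host, so check the patterns against your own log before relying on the report. The event XML (`$_.ToXml()`) carries the same values as structured fields, but its element names are not shown on this page, so the example stays with the message text as the thread does.

```powershell
# Added example (not the original poster's code). Parses TS Gateway 302/303
# messages with -match and named groups; a non-matching field yields $null.
# Sample messages below are constructed, not captured from a real gateway.

function ConvertFrom-TsgEvent {
    [CmdletBinding()]
    param(
        # Anything with .Id, .TimeCreated and .Message (a real EventLogRecord or a stand-in)
        [Parameter(Mandatory, ValueFromPipeline)] $Event
    )
    process {
        $m = [string]$Event.Message   # a $null Message (message DLL missing) becomes ''

        $user   = if ($m -match 'The user "(?<u>[^"]+)"')           { $Matches.u } else { $null }
        $client = if ($m -match 'on client computer "(?<c>[^"]+)"') { $Matches.c } else { $null }

        # 302 says 'connected to resource "X"', 303 says 'network resource: "X"';
        # one alternation covers both, and the domain suffix is dropped as in the thread.
        $target = if ($m -match '(?:to resource|network resource:) "(?<t>[^"]+)"') {
                      $Matches.t -replace '\..*$', ''
                  } else { $null }

        # Only 303 carries a duration; keep it numeric so formatting cannot fail.
        $seconds = if ($m -match 'session duration was (?<s>\d+) seconds') { [int]$Matches.s } else { $null }

        $action = switch ([int]$Event.Id) {
            302     { 'Connected' }
            303     { 'Disconnected' }
            default { "Unexpected event $($Event.Id)" }
        }

        [pscustomobject]@{
            TimeStamp = $Event.TimeCreated
            EventId   = [int]$Event.Id
            Action    = $action
            UserName  = $user
            ClientIP  = $client
            Target    = $target
            Duration  = if ($null -ne $seconds) { [timespan]::FromSeconds($seconds).ToString('d\.hh\:mm\:ss') } else { '' }
        }
    }
}

# Constructed sample events (not captured from a real gateway) so the parser
# runs offline; the 302 text deliberately carries no duration.
$sampleEvents = @(
    [pscustomobject]@{
        Id = 302; TimeCreated = Get-Date '2024-01-24 09:00:00'
        Message = 'The user "CORP\jdoe", on client computer "203.0.113.5", connected to resource "fs01.corp.example". Connection protocol used: "HTTP".'
    }
    [pscustomobject]@{
        Id = 303; TimeCreated = Get-Date '2024-01-24 17:30:00'
        Message = 'The user "CORP\jdoe", on client computer "203.0.113.5", disconnected from the following network resource: "fs01.corp.example". Before the user disconnected, the client transferred 1024 bytes and received 4096 bytes. The client session duration was 30600 seconds. Connection protocol used: "HTTP".'
    }
)

# Set TSG_LIVE=1 to read the same log and event IDs the thread's script uses.
$events = if ($env:TSG_LIVE) {
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
        StartTime = (Get-Date).AddDays(-14)
        EndTime   = Get-Date
        Id        = 302, 303
    }
} else { $sampleEvents }

$events | ConvertFrom-TsgEvent |
    Sort-Object UserName, TimeStamp -Descending |
    Format-Table TimeStamp, UserName, ClientIP, Target, Action, Duration -AutoSize
```

Run as-is it prints the two constructed rows, the 303 row showing a Duration of 0.08:30:00 and the 302 row an empty one; with TSG_LIVE set it reads the live log on a gateway. The reason for preferring -match over -replace is the failure mode the thread hit: a silent non-match in -replace passes the entire message into the next stage, and here it was only caught because the [timespan] cast happened to fail on it.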

Stoic Joker:
Which version of PowerShell are you using? The one included in Windows itself or the open-source version?

The open-source version is at version 7.x, PowerShell included with Windows isn't.
-Shades (January 25, 2024, 06:16 PM)
--- End quote ---

Normally I'm a what's-in-the-box/living-off-the-land sort of guy. But I may have to explore the OS version.

The open-source version gets more "love" from everyone, incl. Microsoft, so it may be possible that your script works in the open-source version.
-Shades (January 25, 2024, 06:16 PM)
--- End quote ---

No... The prevailing Rule-of-Thumb is: I screwed something up.

Typically because I've usually screwed something up ... As I just don't do this often enough to be/get good at it - Hence, I'm not.

I once spent an entire afternoon working on code with ChatGPT. The reason it took so long is that ChatGPT wasn't astute enough to simply inform me, that I was a Freaking Idiot. Because after some additional tangentially related research I realized that what I was asking it to do was flat-out impossible.


I think I might just be gettin old.
