Channel: Windows PowerShell forum

Parsing Get-WinEvent "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"

I'm trying to get the logon, logoff, connect, disconnect info from the above log.  Here is what I have so far:

 Get-WinEvent -logname "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | where {($_.Id -eq "21" -OR $_.Id -eq "24" -OR $_.Id -eq "25"  -OR $_.Id -eq "23")} | Export-Csv C:\RDS.csv


Then I just wanted these columns and I put them in a diff csv:

Import-Csv C:\RDS.csv | select Message,TimeCreated | Export-Csv -Path c:\FixedRDS.csv -NoTypeInformation

Now I have two columns:

Message    TimeCreated

Message is multi-line, and TimeCreated is just a single line.

There's probably a better way than two diff .csv files to get to this point, but I'm just starting out here.  The objective is to parse out the Message line into multiple columns: I'd like the first column to be Message and the value in the above example to be "Session has been disconnected". I suppose that could just say "disconnected", but either way that value.  The next column would be "User", then I don't need the "Session ID" or "Source Network Address" (though this doesn't even show up on each record). The last column would be "TimeCreated" like this:

The end result of this is to insert into a SQL server table. Maybe there is even a better way of doing all of that in one shot. 

Thanks
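
One way to get Message, User and TimeCreated in a single pipeline, as an added example that is not part of the original post. The function name ConvertTo-SessionRecord is hypothetical, the sample records are constructed, and the code assumes the English "Label: value" message layout the post describes, where the address line is absent on some records.

```powershell
# Added example; ConvertTo-SessionRecord is a hypothetical helper name.
function ConvertTo-SessionRecord {
    [CmdletBinding()]
    param(
        # Any object with Message and TimeCreated, e.g. Get-WinEvent output.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$EventRecord
    )
    process {
        # Break the multi-line Message into trimmed, non-empty lines.
        $lines = @($EventRecord.Message -split '\r?\n' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })

        # First line, e.g. "Remote Desktop Services: Session has been disconnected:"
        $action = "$($lines | Select-Object -First 1)" `
            -replace '^Remote Desktop Services:\s*', '' -replace ':\s*$', ''

        # "User: DOMAIN\name" line; stays $null if the record has none.
        $user = $null
        foreach ($line in $lines) {
            if ($line -match '^User:\s*(.+)$') { $user = $Matches[1]; break }
        }

        [pscustomobject]@{
            Message     = $action
            User        = $user
            TimeCreated = $EventRecord.TimeCreated
        }
    }
}

# Constructed sample records (not real log data); the second has no address line.
$sample = @(
    [pscustomobject]@{
        TimeCreated = [datetime]'2024-01-15T09:30:00'
        Message     = "Remote Desktop Services: Session has been disconnected:`r`n`r`n" +
                      "User: CONTOSO\alice`r`nSession ID: 2`r`nSource Network Address: 192.0.2.10"
    },
    [pscustomobject]@{
        TimeCreated = [datetime]'2024-01-15T17:05:00'
        Message     = "Remote Desktop Services: Session logoff succeeded:`r`n`r`n" +
                      "User: CONTOSO\alice`r`nSession ID: 2"
    }
)
$sample | ConvertTo-SessionRecord | Format-Table -AutoSize

# On a live host, the same function takes events filtered at the source:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Id = 21, 23, 24, 25 } |
#     ConvertTo-SessionRecord | Export-Csv -Path C:\FixedRDS.csv -NoTypeInformation
```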

