Get-xRDS_Logs_LocalSessionManager.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
function Get-xRDS_Logs_LocalSessionManager {

<#
    .DESCRIPTION
    Collects LocalSessionManager Logs from RDS Session Hosts.
  
    .PARAMETER Broker
    -ConnectionBroker - FQDN of RDS ConnectionBroker.
 
    .PARAMETER Broker
    -Computer - FQDN of RDS computer. (No required if you use connection brokers FQDN).
 
    .PARAMETER BeforeDays
    -BeforeDays - By default, logs are collected from current days midnight. If you use this value logs are calculated since before number of days.
 
    .PARAMETER Credential
    -Credential [Optional] - Query RDS Connection Broker resources under provided credentials, the same credentials will be used to query RDS session hosts.
 
    .PARAMETER UI
    -UI [Optional] - Displays records in GridView for output selection.
 
    .PARAMETER WINRMPort
    -WINRMPort [Optional] - WINRM Port to test for host connectivity validation. Default port is 5985.
 
    .EXAMPLE
    # Invokes RDS user's session logoff:
    Get-xRDS_SessionHostList -ConnectionBroker ardscbl01.adatum.labnet
#>



    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$false)][string]$ConnectionBroker,
        [String]$Computer = "localhost",
        [switch]$UI,
        [Int]$BeforeDays = 0,
        [Int]$WinRMPort = 5985,    
        [PSCredential]$Credential
    )      
   
    $ObjectsList=@()

    if($ConnectionBroker) {$Collection = Get-xRDS_CollectionsList -ConnectionBroker $ConnectionBroker -Credential $Credential} 
    else {$Collection = @{ $Computer = "Computer"}}

    Try {  

    #List session host maintenance mode

             foreach ($key in $Collection.Keys) 
                {

                $TempObject=@()
                $connection = $null;

                #Test host WInRM access
                $connection =  Invoke-xRDS_TestPort -hostname $key -port $WinRMPort
                
                if ($connection.open) {
                write-host "Collecting RDS LocalSessionManager logs from $key" -ForegroundColor Cyan

                $ObjectsList += invoke-Command -cn $key -ArgumentList $BeforeDays -ScriptBlock {`
                Get-WinEvent -logname "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | where {($_.Id -eq "21" -OR $_.Id -eq "23" -OR $_.Id -eq "24" -OR $_.Id -eq "25" -OR $_.Id -eq "39" -OR $_.Id -eq "40" -AND $_.timecreated -gt ((Get-date -hour 0 -minute 0 -second 0).adddays(-($args[0]))))} | %{
                (new-object -Type PSObject -Property @{
                EventID = $_.ID
                TimeGenerated = $_.TimeCreated 


                Message = $_.Message -replace '(?smi):(.*?[^\\]):\s+([^\s]+)\s+.*','$1'

                UserName = if ($_.Message -eq ($_.Message -replace '(?smi).*User:\s+([^\s]+)\s+.*','$1')){""} else {$_.Message -replace '(?smi).*User:\s+([^\s]+)\s+.*','$1'}

                ReasonCode = if ($_.ID -eq 40) {if ($_.Message -eq ($_.Message -replace '(?smi).*reason code\s+([^\s]+).*','$1')){""} else {$_.Message -replace '(?smi).*reason code\s+([^\s]+).*','$1'}}
                else {""}

                ClientIP = if ($_.ID -eq 21) {if ($_.Message -eq ($_.Message -replace '(?smi).*Source Network Address:\s+([^\s]+).*','$1')){""} else {$_.Message -replace '(?smi).*Source Network Address:\s+([^\s]+).*','$1'}}
                ElseIf ($_.ID -eq 24) {if ($_.Message -eq ($_.Message -replace '(?smi).*Source Network Address:\s+([^\s]+).*','$1')){""} else {$_.Message -replace '(?smi).*Source Network Address:\s+([^\s]+).*','$1'}}
                ElseIf ($_.ID -eq 25) {if ($_.Message -eq ($_.Message -replace '(?smi).*Source Network Address:\s+([^\s]+).*','$1')){""} else {$_.Message -replace '(?smi).*Source Network Address:\s+([^\s]+).*','$1'}}
                else {""}

                SessionID = if ($_.ID -eq 40) {$_.Message -replace '(?smi)Session\s+([^\s]+)\s+.*','$1'}
                ElseIf ($_.ID -eq 23) {$_.Message -replace '(?smi).*Session ID:\s+([^\s]+).*','$1'}
                else {if ($_.Message -eq ($_.Message -replace '(?smi).*Session ID:\s+([^\s]+)\s+.*','$1')){$_.Message -replace '(?smi)Session\s+([^\s]+)\s+.*','$1'} else {$_.Message -replace '(?smi).*Session ID:\s+([^\s]+)\s+.*','$1'}}

                })
                } | sort TimeGenerated -Descending | Select TimeGenerated,EventID,SessionID,UserName,ClientIP `
                , @{N='Action';E={
                switch ($_.EventID) {
                21 {'LOGON'}
                23 {'LOGOFF'}
                24 {'DISCONNECT'}
                25 {'RECONNECTION'}
                40 {'DISCONNECT'}
                default {$_}
                }
                }},ReasonCode `
                , @{N='Reason';E={
                switch ($_.ReasonCode) {
                1 {'The disconnection was initiated by an administrative tool on the server in another session.'}
                2 {'The disconnection was due to a forced logoff initiated by an administrative tool on the server in another session.'}
                3 {'The idle session limit timer on the server has elapsed.'}
                4 {'The active session limit timer on the server has elapsed.'}
                5 {'Another user connected to the server, forcing the disconnection of the current connection.'}
                6 {'The server ran out of available memory resources.'}
                7 {'The server denied the connection.'}
                9 {'The user cannot connect to the server due to insufficient access privileges.'}
                10 {'The server does not accept saved user credentials and requires that the user enter their credentials for each connection.'}
                11 {'The disconnection was initiated by the user disconnecting his or her session on the server or by an administrative tool on the server.'}
                12 {'The disconnection was initiated by the user logging off his or her session on the server.'}
                default {$_}
                }
                }},Message}

                }
                
                else {write-host "Cannot access WinRM port for $key" -ForegroundColor Red}
                   
                } 

             #Output
             If($UI) {$ObjectsList | Out-GridView -PassThru -Title "RDS LocalSessionManager Log Details"}
             ELSE {$ObjectsList } 

    } Catch {Write-host $_.Exception.message }   

}