Get-xRDS_Logs_RemoteConnectionManager.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
function Get-xRDS_Logs_RemoteConnectionManager {

<#
    .DESCRIPTION
    Collects RemoteConnectionManager Logs from RDS Session Hosts.
  
    .PARAMETER Broker
    -ConnectionBroker - FQDN of RDS ConnectionBroker.
 
    .PARAMETER Broker
    -Computer - FQDN of RDS computer. (No required if you use connection brokers FQDN).
 
    .PARAMETER BeforeDays
    -BeforeDays - By default, logs are collected from current days midnight. If you use this value logs are calculated since before number of days.
 
    .PARAMETER Credential
    -Credential [Optional] - Query RDS Connection Broker resources under provided credentials, the same credentials will be used to query RDS session hosts.
 
    .PARAMETER UI
    -UI [Optional] - Displays records in GridView for output selection.
 
    .PARAMETER WINRMPort
    -WINRMPort [Optional] - WINRM Port to test for host connectivity validation. Default port is 5985.
 
    .EXAMPLE
    # Invokes RDS user's session logoff:
    Get-xRDS_SessionHostList -ConnectionBroker ardscbl01.adatum.labnet
#>



    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$false)][string]$ConnectionBroker,
        [String]$Computer = "localhost",
        [switch]$UI,
        [Int]$BeforeDays = 0,
        [Int]$WinRMPort = 5985,    
        [PSCredential]$Credential
    )      
   
    $ObjectsList=@()

    if($ConnectionBroker) {$Collection = Get-xRDS_CollectionsList -ConnectionBroker $ConnectionBroker -Credential $Credential} 
    else {$Collection = @{ $Computer = "Computer"}}

    Try {  

    #List session host maintenance mode

             foreach ($key in $Collection.Keys) 
                {

                $TempObject=@()
                $connection = $null;

                #Test host WInRM access
                $connection =  Invoke-xRDS_TestPort -hostname $key -port $WinRMPort
                
                if ($connection.open) {
                write-host "Collecting RDS RemoteConnectionManager logs from $key" -ForegroundColor Cyan

                $ObjectsList += invoke-Command -cn $key -ArgumentList $BeforeDays -ScriptBlock {`
                Get-WinEvent -logname "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" | where {($_.Id -eq "1149" -AND $_.timecreated -gt ((Get-date -hour 0 -minute 0 -second 0).adddays(-($args[0]))))} | %{
                (new-object -Type PSObject -Property @{
                EventID = $_.ID
                TimeGenerated = $_.TimeCreated 

                Message = $_.Message -replace '(?smi):(.*?[^\\]):\s+([^\s]+)\s+.*','$1'
                UserName = if ($_.Message -eq ($_.Message -replace '(?smi).*User:\s+([^\s]+)\s+.*','$1')){""} else {$_.Message -replace '(?smi).*User:\s+([^\s]+)\s+.*','$1'}
                ClientIP = if ($_.ID -eq 1149) {if ($_.Message -eq ($_.Message -replace '(?smi).*Source Network Address:\s+([^\s]+).*','$1')){""} else {$_.Message -replace '(?smi).*Source Network Address:\s+([^\s]+).*','$1'}}
                else {""}

                })
                } | sort TimeGenerated -Descending | Select TimeGenerated,EventID `
                , @{N='UserName';E={
                switch ($_.UserName) {
                "Domain:" {''}
                default {$_}
                }
                }},ClientIP,Message
                }

                }
                
                else {write-host "Cannot access WinRM port for $key" -ForegroundColor Red}
                   
                } 

             #Output
             If($UI) {$ObjectsList | Out-GridView -PassThru -Title "RDS RemoteConnectionManager Log Details"}
             ELSE {$ObjectsList } 

    } Catch {Write-host $_.Exception.message }   

}