powershell, windows-server-2019

Auditing Users logging on Remote Desktop, filter out local IP addresses


I have taken a PowerShell script from somewhere online (I forgot from where) and modified it a bit, but I need to filter out local IP address ranges and show only external IPs. Can someone help me modify the script to do just that?

My local IP address range is 192.168.1.0/254

Param(
    [array]$V_V_Array_String_ComputerName = ("BAYVL00-118"),
    [datetime]$L_V_1_String_QueryStartDate = "November 1, 2020"
)
ForEach ($L_V_1_String_ComputerName in $V_V_Array_String_ComputerName){
    # RDS Local Session Manager events: 21 logon, 23 logoff, 24 disconnect, 25 reconnect
    # (22 "shell start" is mapped below but not requested in this filter)
    $L_V_1_String_EventLogFilter = @{
        LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        ID        = 21, 23, 24, 25
        StartTime = (get-date).adddays(-7)
    }
    $L_V_1_String_GetAllEventLog = Get-WinEvent -FilterHashtable $L_V_1_String_EventLogFilter -ComputerName $L_V_1_String_ComputerName
    $L_V_1_String_GetAllEventLog | Foreach {
        # User and source address are in the UserData/EventXML section of the event XML
        $L_V_1_String_EventLog = [xml]$_.ToXml()
        [array]$L_V_1_Array_OutputToFile += New-Object PSObject -Property @{
            TimeCreated = $_.TimeCreated
            User        = $L_V_1_String_EventLog.Event.UserData.EventXML.User
            IPAddress   = $L_V_1_String_EventLog.Event.UserData.EventXML.Address
            EventID     = $L_V_1_String_EventLog.Event.System.EventID
            ServerName  = $L_V_1_String_ComputerName
        }
    }
}
# Translate the numeric event ID into a readable action column
$L_V_1_Array_FilterOutputFile += $L_V_1_Array_OutputToFile | Select TimeCreated, User, ServerName, IPAddress, @{Name='Action';Expression={
    if ($_.EventID -eq '21'){"logon"}
    if ($_.EventID -eq '22'){"Shell start"}
    if ($_.EventID -eq '23'){"logoff"}
    if ($_.EventID -eq '24'){"disconnected"}
    if ($_.EventID -eq '25'){"reconnection"}
    }
}

$L_V_1_Array_CSVFilePath = "A:\U_A\U_W\C_NonFiledFile\U_zzzzzzzz_zzzzzzzz_zzzzzzzz_BayVL00_CCCCCCC_SubparticipationLogOnReport.csv"

$L_V_1_Array_FilterOutputFile | Sort TimeCreated | Export-Csv $L_V_1_Array_CSVFilePath -NoTypeInformation

Solution

  • Assuming your IP Range is 192.168.1.0/24 and not the weird 192.168.1.0/254:

    Param(
        [array]$V_V_Array_String_ComputerName = ("BAYVL00-118"),
        [datetime]$L_V_1_String_QueryStartDate = "November 1, 2020"
    )
    # Initialise the accumulators so a second run in the same session starts empty
    $L_V_1_Array_FilterOutputFile = $null
    [PSCustomObject[]]$L_V_1_Array_OutputToFile = @()
    ForEach ($L_V_1_String_ComputerName in $V_V_Array_String_ComputerName){
        $L_V_1_String_EventLogFilter = @{
            LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
            ID        = 21, 23, 24, 25
            StartTime = (get-date).adddays(-7)
        }
        $L_V_1_String_GetAllEventLog = Get-WinEvent -FilterHashtable $L_V_1_String_EventLogFilter -ComputerName $L_V_1_String_ComputerName
        $L_V_1_String_GetAllEventLog | Foreach {
            $L_V_1_String_EventLog = [xml]$_.ToXml()
            # Skip console sessions (Address = LOCAL) and anything from the 192.168.1.0/24 LAN
            if ($L_V_1_String_EventLog.Event.UserData.EventXML.Address -ne "LOCAL" `
                -and $L_V_1_String_EventLog.Event.UserData.EventXML.Address -notmatch "^192\.168\.1\.")
            {
                [array]$L_V_1_Array_OutputToFile += [PSCustomObject]@{
                    TimeCreated = $_.TimeCreated
                    User        = $L_V_1_String_EventLog.Event.UserData.EventXML.User
                    IPAddress   = $L_V_1_String_EventLog.Event.UserData.EventXML.Address
                    EventID     = $L_V_1_String_EventLog.Event.System.EventID
                    ServerName  = $L_V_1_String_ComputerName
                    # Map the event ID to a readable action while the object is built
                    Action      = switch ($L_V_1_String_EventLog.Event.System.EventID)
                    {
                        21 {
                            "logon"
                            break
                        }
                        22 {
                            "Shell start"
                            break
                        }
                        23 {
                            "logoff"
                            break
                        }
                        24 {
                            "disconnected"
                            break
                        }
                        25 {
                            "reconnection"
                            break
                        }
                        default {
                            break
                        }
                    }
                }
            }
        }
    }
    $L_V_1_Array_FilterOutputFile += $L_V_1_Array_OutputToFile | Select TimeCreated, User, ServerName, IPAddress, Action

    $L_V_1_Array_CSVFilePath = "A:\U_A\U_W\C_NonFiledFile\U_zzzzzzzz_zzzzzzzz_zzzzzzzz_BayVL00_CCCCCCC_SubparticipationLogOnReport.csv"

    $L_V_1_Array_FilterOutputFile | Sort TimeCreated | Export-Csv $L_V_1_Array_CSVFilePath -NoTypeInformation
    

    First, I added initialization for the variables:

    $L_V_1_Array_FilterOutputFile = $null
    [PSCustomObject[]]$L_V_1_Array_OutputToFile = @()
    

    This will avoid problems if the script is run multiple times.

    Second, I use PSCustomObject rather than PSObject, which is a far better way now.

    Third, I changed the 'Action' member directly in the object creation (a switch statement is better here than multiple ifs).

    Fourth, you have defined the Action member for EventID 22 but do not retrieve it (see $L_V_1_String_EventLogFilter). I leave it as is, but if you want EventID 22, you need to add it.

    And finally, I did it quickly, but you can make some improvements to have a more readable and faster script.
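
The answer's `-notmatch "^192\.168\.1\."` is correct for a single /24, but a prefix regex does not generalise to other mask lengths and will not catch a second subnet or a VPN pool. The following is an added example, not code from the question or the answer: it replaces the regex with a CIDR membership test, treats the `LOCAL` pseudo-address of console sessions as internal, and runs the same projection over constructed sample events laid out like the `LocalSessionManager` records that `Get-WinEvent` returns through `ToXml()`. The extra RFC 1918 ranges in `$InternalCidrs`, the function names and all sample users and addresses are assumptions made for the example.

```powershell
# Added example, not code from the question or the answer. It replaces the
# "^192\.168\.1\." prefix regex with a CIDR membership test, treats the "LOCAL"
# pseudo-address of console sessions as internal, and runs the filter over
# constructed sample events shaped like LocalSessionManager records.

# Internal ranges. 192.168.1.0/24 is the LAN named in the question; the other
# RFC 1918 blocks and loopback are an assumption, added so that a VPN pool or a
# second office subnet is not reported as an external source.
$InternalCidrs = @('192.168.1.0/24', '10.0.0.0/8', '172.16.0.0/12', '127.0.0.0/8')

# Pack the four octets of an IPv4 address into a 64-bit integer (always
# positive, so masking below has no sign issues).
function ConvertTo-IPv4Int {
    param([System.Net.IPAddress]$Ip)
    [long]$n = 0
    foreach ($b in $Ip.GetAddressBytes()) { $n = $n * 256 + $b }
    return $n
}

# True when $Address is a literal IPv4 address inside $Cidr (e.g. 10.0.0.0/8).
# Non-IP strings such as "LOCAL" and any IPv6 address return $false here.
function Test-IPv4InCidr {
    param([string]$Address, [string]$Cidr)
    $netStr, $prefix = $Cidr -split '/'
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    # Network mask as an integer with the top $prefix bits set, e.g. /24 -> 0xFFFFFF00
    [long]$mask = 4294967296 - [math]::Pow(2, 32 - [int]$prefix)
    $netInt = ConvertTo-IPv4Int ([System.Net.IPAddress]::Parse($netStr))
    return (((ConvertTo-IPv4Int $ip) -band $mask) -eq ($netInt -band $mask))
}

# Internal = console session, IPv6 loopback/link-local, or any listed CIDR.
function Test-InternalAddress {
    param([string]$Address)
    if ([string]::IsNullOrWhiteSpace($Address) -or $Address -eq 'LOCAL') { return $true }
    if ($Address -match '^(::1|fe80:)') { return $true }
    foreach ($cidr in $InternalCidrs) {
        if (Test-IPv4InCidr -Address $Address -Cidr $cidr) { return $true }
    }
    return $false
}

# Builds event XML in the layout the script parses ($xml.Event.UserData.EventXML).
# Constructed sample data; every field value is invented.
function New-SampleEventXml {
    param([int]$Id, [string]$Time, [string]$User, [string]$Address)
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>$Id</EventID><TimeCreated SystemTime="$Time"/></System>
  <UserData><EventXML xmlns="Event_NS"><User>$User</User><Address>$Address</Address></EventXML></UserData>
</Event>
"@
}

$SampleEvents = @(
    (New-SampleEventXml -Id 21 -Time '2020-11-02T08:15:00Z' -User 'CORP\alice' -Address '192.168.1.50'),
    (New-SampleEventXml -Id 21 -Time '2020-11-02T09:02:00Z' -User 'CORP\bob'   -Address '203.0.113.45'),
    (New-SampleEventXml -Id 24 -Time '2020-11-02T09:30:00Z' -User 'CORP\alice' -Address 'LOCAL'),
    (New-SampleEventXml -Id 25 -Time '2020-11-02T10:11:00Z' -User 'CORP\svc'   -Address '10.20.0.7'),
    (New-SampleEventXml -Id 23 -Time '2020-11-02T11:45:00Z' -User 'CORP\bob'   -Address '203.0.113.45'),
    (New-SampleEventXml -Id 21 -Time '2020-11-03T02:03:00Z' -User 'CORP\carol' -Address '198.51.100.9')
)

# Same projection as the script, emitted only for events from external sources.
function Get-ExternalRdpSessions {
    param([string[]]$EventXml, [string]$ServerName)
    foreach ($raw in $EventXml) {
        $e    = ([xml]$raw).Event
        $addr = $e.UserData.EventXML.Address
        if (Test-InternalAddress $addr) { continue }
        $id = [int]$e.System.EventID
        [PSCustomObject]@{
            TimeCreated = [datetime]$e.System.TimeCreated.SystemTime
            User        = $e.UserData.EventXML.User
            ServerName  = $ServerName
            IPAddress   = $addr
            EventID     = $id
            Action      = switch ($id) { 21 {'logon'} 22 {'Shell start'} 23 {'logoff'}
                                         24 {'disconnected'} 25 {'reconnection'} default {'unknown'} }
        }
    }
}

# With live data, replace $SampleEvents by:
#   Get-WinEvent -FilterHashtable $filter -ComputerName $server | ForEach-Object { $_.ToXml() }
$report = Get-ExternalRdpSessions -EventXml $SampleEvents -ServerName 'BAYVL00-118'
$report | Sort-Object TimeCreated | Format-Table TimeCreated, User, IPAddress, Action -AutoSize
```

The `10.20.0.7` reconnection in the sample is the case the prefix regex alone would let through; with the CIDR list it is classified as internal, while the `203.0.113.45` and `198.51.100.9` sessions are the ones that reach the report. One caveat when reading the result: `Address` is the peer the session host itself saw, so if an RD Gateway, VPN concentrator or NAT device sits in front of the server, external clients appear with that device's inside address and this filter will hide them; in that layout the gateway's own logs are the place to look for the real source.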