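# Script is modified by Debojyoti Banerjee
# Original Source of this script has been taken from " https://p0w3rsh3ll.wordpress.com/2012/03/22/audit-rdp-connections/"
# Extract last day's RDP session details and send mail to the list of users.
#
# Reads the RemoteConnectionManager operational log (IDs 1148/1149/1150
# since yesterday), writes a table of connections to c:/rdp-audit.txt and
# mails that file to the recipient list below. Needs read access to the
# log and write access to C:\, so it is normally run elevated.

# Relax the policy for this process only instead of persisting an
# Unrestricted policy machine-wide on every run; -Force suppresses the
# interactive confirmation so the script still works when run unattended.
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force

$reportPath = "c:/rdp-audit.txt"
$yesterday = (Get-Date) - (New-TimeSpan -Days 1)

# Meaning of each event ID, per
# http://technet.microsoft.com/en-us/library/ee891195%28v=ws.10%29.aspx
$resultById = @{ 1148 = "failed"; 1149 = "succeeded"; 1150 = "merged" }

# -ErrorAction SilentlyContinue: Get-WinEvent raises a non-terminating
# error instead of returning nothing when no event matches the filter,
# which is the normal case on a quiet day. It also hides a missing log,
# so an empty report does not by itself prove there were no connections.
$allRDPevents = Get-WinEvent -FilterHashtable @{
    Logname   = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
    ID        = 1149, 1150, 1148
    StartTime = $yesterday
} -ErrorAction SilentlyContinue

# A generic list avoids re-allocating the array on every += append, and
# List.Add returns nothing, so it does not leak indices into the pipeline.
$RDPevents = New-Object System.Collections.Generic.List[object]

# $rdpEvent rather than $event: $event is an automatic variable reserved
# for PowerShell event handlers.
foreach ($rdpEvent in $allRDPevents) {
    $result = $resultById[$rdpEvent.Id]

    # Properties[2] is the "Source Network Address" field. It is not always
    # an IP address (console sessions are logged as "LOCAL"), so parse it
    # instead of casting, which would throw on the first non-IP value.
    $rawAddress = [string]$rdpEvent.Properties[2].Value
    $parsed = $null
    $SourceNetworkAddress = ""
    if ([System.Net.IPAddress]::TryParse($rawAddress, [ref]$parsed)) {
        $IP = $parsed.IPAddressToString
        # Reverse lookup is best effort: an address without a PTR record
        # makes GetHostEntry throw, and the name returned is whatever the
        # owner of the source address publishes, so treat it as a hint and
        # keep the IP in the report alongside it.
        try {
            $SourceNetworkAddress = ([System.Net.Dns]::GetHostEntry($IP)).HostName
        } catch {
            $SourceNetworkAddress = ""
        }
    } else {
        $IP = $rawAddress
    }

    $RDPevents.Add((New-Object -TypeName PSObject -Property @{
        SourceHost  = $SourceNetworkAddress + "(" + $IP + ")"
        User        = $rdpEvent.Properties[0].Value
        Result      = $result
        TimeCreated = $rdpEvent.TimeCreated
        #--------------The following information may be displayed later--------------
        #ComputerName = $env:computername
        #SourceIP = $IP
        #Domain = $rdpEvent.Properties[1].Value
        #-----------------------------------------------------------------------------
    }))
}

# Write the report. Select-Object fixes the column order; an object built
# from a hashtable would otherwise order its columns arbitrarily.
$RDPevents |
    Select-Object SourceHost, User, TimeCreated, Result |
    Format-Table -Wrap |
    Out-String -Width 150 > $reportPath

$recipients = @(
    "debojyotib@testdomain.com",
    "santojitg@testdomain.com",
    "kausiks@testdomain.com",
    "ashishj@testdomain.com",
    "debasishba@testdomain.com",
    "gvsl-leads@testdomain.com"
)

# The relay address used to be passed positionally; naming it makes the
# binding explicit. The report (user names and source addresses) is sent
# to the relay in the clear with this configuration; add -UseSsl (and
# -Credential) if the relay supports it.
$mail = @{
    From        = "User01 <debojyotib@testdomain.com>"
    To          = $recipients
    Subject     = "RDP Audit log"
    Body        = "The log is attached"
    Attachments = $reportPath
    SmtpServer  = "172.16.28.1"
}
Send-MailMessage @mail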