Get-xRDS_Logs_RemoteConnectionManager.ps1
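function Get-xRDS_Logs_RemoteConnectionManager {
<#
.SYNOPSIS
Collects RemoteConnectionManager event 1149 records from RDS session hosts.

.DESCRIPTION
Reads the "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
log on each target through Invoke-Command, keeps events with Id 1149 that are
newer than the cut-off, and returns TimeGenerated, EventID, UserName, ClientIP
and Message for each one (sorted newest first per host).

Targets are the keys returned by Get-xRDS_CollectionsList when -ConnectionBroker
is given; otherwise the single host named by -Computer is queried.
Hosts whose WinRM port does not answer are skipped with a console message.

.PARAMETER ConnectionBroker
FQDN of the RDS Connection Broker. When set, it is used to look up the hosts to query.

.PARAMETER Computer
FQDN of a single RDS computer. Not required when -ConnectionBroker is used.
Defaults to "localhost".

.PARAMETER BeforeDays
By default, logs are collected from the current day's midnight. A value of N moves
the cut-off N days further back.

.PARAMETER Credential
[Optional] Credentials used to query the Connection Broker and, when supplied,
the session hosts as well.

.PARAMETER UI
[Optional] Displays the records in Out-GridView and returns only the selected rows.

.PARAMETER WinRMPort
[Optional] WinRM port probed to validate host connectivity. Default is 5985
(the WinRM HTTP listener). The port is only probed; it is not passed to Invoke-Command.

.EXAMPLE
# Collect today's RemoteConnectionManager 1149 events from hosts known to the broker:
Get-xRDS_Logs_RemoteConnectionManager -ConnectionBroker ardscbl01.adatum.labnet

.NOTES
NOTE(review): event 1149 is commonly reported to record that a connection reached
the authentication stage rather than that an interactive session was created.
Confirm on your OS build and correlate with Security and LocalSessionManager
logon events before treating a row as a successful logon.
UserName and ClientIP are parsed out of the event message text; treat them as
untrusted strings when exporting them to other tools.
#>
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$false)][string]$ConnectionBroker,
        [String]$Computer = "localhost",
        [switch]$UI,
        [Int]$BeforeDays = 0,
        [Int]$WinRMPort = 5985,
        [PSCredential]$Credential
    )

    $ObjectsList = @()

    # Forward -Credential to the session hosts only when one was supplied, so the
    # no-credential case keeps running as the current user exactly as before.
    $remoteCredential = @{}
    if ($Credential) { $remoteCredential['Credential'] = $Credential }

    if ($ConnectionBroker) {
        $Collection = Get-xRDS_CollectionsList -ConnectionBroker $ConnectionBroker -Credential $Credential
    }
    else {
        # Single-host mode: same shape as the broker result (host name as key).
        $Collection = @{ $Computer = "Computer" }
    }

    Try {
        # Query every target host in turn.
        foreach ($key in $Collection.Keys) {
            # Probe the WinRM port first so an unreachable host is reported instead of
            # stalling. Only the probe uses $WinRMPort; Invoke-Command below is not
            # given -Port, so it uses its default port and transport.
            $connection = Invoke-xRDS_TestPort -hostname $key -port $WinRMPort

            if ($connection.open) {
                Write-Host "Collecting RDS RemoteConnectionManager logs from $key" -ForegroundColor Cyan

                $ObjectsList += Invoke-Command -ComputerName $key -ArgumentList $BeforeDays @remoteCredential -ScriptBlock {
                    # Cut-off: local midnight on the remote host, moved back by BeforeDays.
                    $since = (Get-Date).Date.AddDays(-($args[0]))

                    # NOTE(review): the whole log is read and filtered afterwards;
                    # Get-WinEvent -FilterHashtable would filter at the source on large logs.
                    Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" |
                        Where-Object { ($_.Id -eq 1149) -and ($_.TimeCreated -gt $since) } |
                        ForEach-Object {
                            # Each -replace returns the input unchanged when the pattern does
                            # not match; that case is mapped to an empty string.
                            New-Object -TypeName PSObject -Property @{
                                EventID       = $_.ID
                                TimeGenerated = $_.TimeCreated
                                Message       = $_.Message -replace '(?smi):(.*?[^\\]):\s+([^\s]+)\s+.*','$1'
                                UserName      = if ($_.Message -eq ($_.Message -replace '(?smi).*User:\s+([^\s]+)\s+.*','$1')){""} else {$_.Message -replace '(?smi).*User:\s+([^\s]+)\s+.*','$1'}
                                ClientIP      = if ($_.ID -eq 1149) {if ($_.Message -eq ($_.Message -replace '(?smi).*Source Network Address:\s+([^\s]+).*','$1')){""} else {$_.Message -replace '(?smi).*Source Network Address:\s+([^\s]+).*','$1'}} else {""}
                            }
                        } |
                        Sort-Object TimeGenerated -Descending |
                        Select-Object TimeGenerated, EventID, @{N='UserName';E={
                            # An empty "User:" field makes the pattern capture the next
                            # label ("Domain:"); report that as an empty user name.
                            switch ($_.UserName) {
                                "Domain:" {''}
                                default   {$_}
                            }
                        }}, ClientIP, Message
                }
            }
            else {
                Write-Host "Cannot access WinRM port for $key" -ForegroundColor Red
            }
        }

        # Output: interactive picker when -UI is set, plain objects otherwise.
        if ($UI) {
            $ObjectsList | Out-GridView -PassThru -Title "RDS RemoteConnectionManager Log Details"
        }
        else {
            $ObjectsList
        }
    }
    Catch {
        # Terminating errors are reported to the console only; nothing is rethrown.
        Write-Host $_.Exception.Message
    }
}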