PowerShell: How to export the logon/off time to csv file??

  • Question

  • Hi everyone, I need some help writing a PowerShell script on Windows Server 2008 R2.

    I am trying to write a script that will scan through the log files and extract all logon times and logoff times of the managers group, and the output should be in Excel CSV text format.

    Please help

    Thanks!

    Johnson

    Friday, April 18, 2014 12:53 PM

Answers

  • Here's a method that worked for me.  I'm sure there's a more efficient way to do it but this should get you started:

    # Get-ADGroupMember comes from the ActiveDirectory module; PowerShell 2.0 does not load it automatically.
    Import-Module ActiveDirectory

    $Group = "Your Manager Group"
    # SID strings of every member of the group
    $Managers = Get-ADGroupMember $Group | select -expand sid | select -expand value
    # Successful logon (4624) and logoff (4634) events from the Security log
    $Events = Get-WinEvent -LogName Security -filterXpath "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and ( Task = 12544 or Task = 12545 ) and (EventID=4624 or EventID=4634)]]" | select TimeCreated,Message
    $Results = Foreach ($Event in $Events) {
      Foreach ($Manager in $Managers) {
        # Keep only events whose message mentions a manager's SID
        If ($Event.Message -match $Manager) {
          $Result = "" | Select User,Domain,SID,LogEvent,TimeCreated
          $Result.TimeCreated = $Event.TimeCreated
          $Result.SID = $Manager
          $Messages = $Event.Message -split "`n"
          # The first message line ends in "logged on" or "logged off"
          If ($Messages[0] -match "on") {
            $Result.LogEvent = "Logon"
            for ($i = 1;$i -lt $Messages.Count;$i++) {
              If ($Messages[$i] -match $Manager) {
                # Account Name and Account Domain follow the Security ID line.
                # Trim() strips tabs and carriage returns as well as spaces.
                $Result.User = ($Messages[$i + 1] -split ":")[1].Trim()
                $Result.Domain = ($Messages[$i + 2] -split ":")[1].Trim()
                Break
              }
            }
          } Else {
            $Result.LogEvent = "Logoff"
            for ($i = 1;$i -lt $Messages.Count;$i++) {
              If ($Messages[$i] -match $Manager) {
                $Result.User = ($Messages[$i + 1] -split ":")[1].Trim()
                $Result.Domain = ($Messages[$i + 2] -split ":")[1].Trim()
                Break
              }
            }
          }
          $Result
        }
      }
    }
    $Results | Export-CSV c:\ManagerLogEvents.csv -notype
    

    This only captures successful logoffs and logons; it would not capture failed logons or anything else.


    I hope this post has helped!

    • Marked as answer by Johnson Stone Saturday, April 19, 2014 3:33 AM
    Friday, April 18, 2014 2:46 PM
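
The answer above reads the rendered message text, which ties it to line positions and to the display language of the log. As an added example (not part of the original answer), the same fields can be read by name from each event's XML; the function name, SIDs, account names and sample events are constructed for illustration.

```powershell
# Added example. The SIDs, account names and sample events are constructed.
$ManagerSids = @('S-1-5-21-1111111111-2222222222-3333333333-1104')

function ConvertTo-LogonRecord {
    param([string]$EventXml, [string[]]$Sids)
    $x = [xml]$EventXml
    # Index the <Data Name="..."> children of EventData by field name.
    $f = @{}
    foreach ($d in $x.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
    # TargetUserSid is the account that logged on or off.
    if ($Sids -notcontains $f['TargetUserSid']) { return }
    $kind = if ($x.Event.System.EventID -eq '4624') { 'Logon' } else { 'Logoff' }
    New-Object PSObject -Property @{
        User           = $f['TargetUserName']
        Domain         = $f['TargetDomainName']
        SID            = $f['TargetUserSid']
        LogEvent       = $kind
        LogonType      = $f['LogonType']       # 2 = interactive, 3 = network, 10 = RDP
        LogonId        = $f['TargetLogonId']   # same value on the matching 4634
        TimeCreatedUtc = $x.Event.System.TimeCreated.SystemTime
    } | Select-Object User,Domain,SID,LogEvent,LogonType,LogonId,TimeCreatedUtc
}

# Constructed sample events, reduced to the fields the function reads.
$ns  = 'http://schemas.microsoft.com/win/2004/08/events/event'
$tpl = "<Event xmlns='$ns'><System><EventID>{0}</EventID>" +
       "<TimeCreated SystemTime='{1}'/></System><EventData>" +
       "<Data Name='TargetUserSid'>{2}</Data><Data Name='TargetUserName'>{3}</Data>" +
       "<Data Name='TargetDomainName'>CONTOSO</Data>" +
       "<Data Name='TargetLogonId'>{4}</Data><Data Name='LogonType'>{5}</Data>" +
       "</EventData></Event>"
$other  = 'S-1-5-21-1111111111-2222222222-3333333333-1250'   # not a manager
$sample = @(
    ($tpl -f 4624, '2014-04-18T08:01:12.000000000Z', $ManagerSids[0], 'jsmith', '0x3e8a1', 2),
    ($tpl -f 4624, '2014-04-18T08:05:40.000000000Z', $other, 'bjones', '0x4f001', 3),
    ($tpl -f 4634, '2014-04-18T17:30:02.000000000Z', $ManagerSids[0], 'jsmith', '0x3e8a1', 2)
)
$sample | ForEach-Object { ConvertTo-LogonRecord -EventXml $_ -Sids $ManagerSids } |
    Format-Table -AutoSize

# Against the live Security log, with $managers and $Events built as in the answer
# but without the trailing "select", which would drop the ToXml() method:
#   $Events | ForEach-Object { ConvertTo-LogonRecord $_.ToXml() $managers } |
#       Export-Csv c:\ManagerLogEvents.csv -NoTypeInformation
```

Rows that share a LogonId belong to the same session, so a logon can be paired with its logoff, and LogonType lets the CSV be filtered to interactive sessions.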

All replies

  • Please look in the repository for the script you are asking for.  We do not write scripts on demand.

    The repository has a number of scripts that extract logon information.


    ¯\_(ツ)_/¯

    Friday, April 18, 2014 2:36 PM
  • Thank you. I will try my best anyway,

    and I am reading some threads about it right now.

    Sorry for any inconvenience.

    Friday, April 18, 2014 4:56 PM
  • Thank you.

    I will study it hard.

    Friday, April 18, 2014 4:58 PM