Generate List of RDS logon and logoff events

# Generates a csv file of RDS Logons on given servers.

<#
This will list:

Date/Time , logon or logoff, Event ID, Username, SessionID, Source IPAddress, Computer user logged onto.

Eg:

2015-04-28T15:38:22,23,logoff,andrewst,6,,Server08
2015-04-28T15:36:37,23,logoff,sheffieldd,3,,Server10
2015-04-28T15:30:40,21,logon,ryank,4,172.16.0.122,Server08
2015-04-28T15:21:13,23,logoff,powelll,8,,Server09
2015-04-28T15:12:35,21,logon,sheffieldd,3,172.16.0.138,Server10

The output can be sorted by date / Time.  The date / time is specifically in this format to make sorting easier.  Logoff events have no IP address associated.  For best results, use the File -> Open option in Excel to import the file as a Comma separated file.


Parameters:
ComputerList - list of computer names or IP Addresses to check
OutputFile - the csv that will be written to
DomainName - the domain name (will be removed from output to make analysis easier
#>

$outputFile="\\server11\audit\RDSLogons.csv"
$ComputerList="Server08","Server09","Server10"
$DomainName="QLDPAPER"


## This will get the Event ID 23 and 21 from LocalSessionManager logs of a list of given computers and export them.

$TodaysDate=get-date -UFormat "%Y%m%d"
$TodaysTime=get-date -UFormat "%H%M"
$TempFile1="$env:TEMP`\Userlogons$TodaysDate$TodaysTime.csv1"
$TempFile2="$env:TEMP`\Userlogons$TodaysDate$TodaysTime.csv2"
$TempFile3="$env:TEMP`\Userlogons$TodaysDate$TodaysTime.csv3"

## Create the date time object.  We will overwrite this data, but using this object gives us the structure.
$datetimeobject=new-object DateTime

## Delete the outputFile
remove-item $outputFile

Foreach ($Computer in $ComputerList)
{
    ## Cycle through each server and get the LocalSessionManager logs, where the event ID is 23 or 21.  Export to CSV.
    get-winevent -logname *LocalSessionManager* -computername $Computer | select timecreated, id, message, $Computer | where-object {($_.id -eq "23") -or ($_.id -eq "21")} | export-csv $TempFile1 -notypeinformation

    ## Import the first file skipping the first line to remove the headers.
    get-content $TempFile1 | select -skip 1 | set-content $TempFile2


    ## Remove the unnecessary CRLF, domain, extraneous detail
    [STRING]$StringCleanup=[io.file]::ReadAllText($TempFile2)
    $StringCleanup=$StringCleanup -replace ":`\r`\n`\r`\nUser: ","`",`""
    $StringCleanup=$StringCleanup -replace "$DomainName\\",""
    $StringCleanup=$StringCleanup -replace "`\r`\nSession ID: ","`",`""
    $StringCleanup=$StringCleanup -replace "`\r`\nSource Network Address: ","`",`""
    $StringCleanup=$StringCleanup -replace "Remote Desktop Services: Session logon succeeded","logon"
    $StringCleanup=$StringCleanup -replace "Remote Desktop Services: Session logoff succeeded","logoff"
    $StringCleanup=$StringCleanup -replace "Remote Desktop Services: Session logoff succeeded","logoff"

    ## Add the header again and export
    $StringCleanup='"Date","EVENTID","Event","User","SessionID","IP","Server"' + "`r`n"+$StringCleanup
    $StringCleanup | out-file $Tempfile3 -force


    ## The date time is still a separate item:  EG:  25/05/2015 8:00:25 AM
    ## Convert this into a datetime object and cast as sortable (ISO8601)
    ## Do this per line
    $ResetDateTime=Import-csv $TempFile3
    $ResetDateTime | foreach-object {
        $newdate=[datetime]::ParseExact($_.date,"d/MM/yyyy h:mm:ss tt",[System.Globalization.CultureInfo]::InvariantCulture,[System.Globalization.DateTimeStyles]::none)
        $newdate=$newdate.GetDateTimeFormats('s')

        ## Create a new item to hold the line, remove the <space>,<space> errors introduced in converting the time
        [string]$outputtowrite=$newdate+","+$_.EventID+","+$_.Event+","+$_.User+","+$_.SessionID+","+$_.IP+","+$Computer
        $outputtowrite=$outputtowrite -replace " , ",","

        ## Output the file
        $outputtowrite | out-file $outputFile -append

    }
}