查看windows mstsc远程登陆日志（client ip）

最近有个需求，要看一下windows MSTSC的登陆日志。

测试环境：

    win10

参考：

https://social.technet.microsoft.com/Forums/windows/en-US/efabde54-be5e-4be2-bf1b-b146934047e1/logging-ip-adderess-during-remote-desktop-connection?forum=winserverTS

Hi,

You may view the Remote Desktop connection client ip address information in the following logs:

Event Viewer\Applications and Services Logs\Microsoft\Windows\TerminalServices-LocalSessionManager

Event Viewer\Applications and Services Logs\Microsoft\Windows\TerminalServices-RemoteConnectionManager

Event Viewer\Windows Logs\Security  (Event ID: 4624, Logon Type: 10)

-TP
Event Viewer\Applications and Services Logs\Microsoft\Windows\TerminalServices-LocalSessionManager

Event Viewer\Applications and Services Logs\Microsoft\Windows\TerminalServices-RemoteConnectionManager

Event Viewer\Windows Logs\Security  (Event ID: 4624, Logon Type: 10)

-TP

powersherll：

找不到出处了，运行之后在当前目录生成登陆日志。

<#

.SYNOPSIS 
    This script reads the event log "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" from 
    multiple servers and outputs the human-readable results to a CSV.  This data is not filterable in the native 
    Windows Event Viewer.

    Version: November 9, 2016


.DESCRIPTION
    This script reads the event log "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" from 
    multiple servers and outputs the human-readable results to a CSV.  This data is not filterable in the native 
    Windows Event Viewer.

    NOTE: Despite this log's name, it includes both RDP logins as well as regular console logins too.
    
    Author:
    Mike Crowley
    https://BaselineTechnologies.com

 .EXAMPLE
?
    .\RDPConnectionParser.ps1 -ServersToQuery Server1, Server2 -StartTime "November 1"
 
.LINK
    https://MikeCrowley.us/tag/powershell

#>

Param(
    [array]$ServersToQuery = (hostname),
    [datetime]$StartTime = "January 1, 1970"
)

    foreach ($Server in $ServersToQuery) {

        $LogFilter = @{
            LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
            ID = 21, 23, 24, 25
            StartTime = $StartTime
            }

        $AllEntries = Get-WinEvent -FilterHashtable $LogFilter -ComputerName $Server

        $AllEntries | Foreach { 
            $entry = [xml]$_.ToXml()
            [array]$Output += New-Object PSObject -Property @{
                TimeCreated = $_.TimeCreated
                User = $entry.Event.UserData.EventXML.User
                IPAddress = $entry.Event.UserData.EventXML.Address
                EventID = $entry.Event.System.EventID
                ServerName = $Server
                }        
            } 

    }

    $FilteredOutput += $Output | Select TimeCreated, User, ServerName, IPAddress, @{Name='Action';Expression={
                if ($_.EventID -eq '21'){"logon"}
                if ($_.EventID -eq '22'){"Shell start"}
                if ($_.EventID -eq '23'){"logoff"}
                if ($_.EventID -eq '24'){"disconnected"}
                if ($_.EventID -eq '25'){"reconnection"}
                }
            }

    $Date = (Get-Date -Format s) -replace ":", "."
    $FilePath = "$env:USERPROFILE\Desktop\$Date`_RDP_Report.csv"
    $FilteredOutput | Sort TimeCreated | Export-Csv $FilePath -NoTypeInformation

Write-host "Writing File: $FilePath" -ForegroundColor Cyan
Write-host "Done!" -ForegroundColor Cyan


#End