# Define the log and the Event IDs for successful logons and reconnections
$LogName = "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
$EventIDs = 21, 25
# Fetch the events
$RdpEvents = Get-WinEvent -FilterHashtable @{LogName=$LogName; Id=$EventIDs} -ErrorAction SilentlyContinue
# Parse and format the output
$RdpEvents | ForEach-Object {
$xml = [xml]$_.ToXml()
[PSCustomObject]@{
TimeCreated = $_.TimeCreated
User = $xml.Event.UserData.EventXML.User
SourceIP = $xml.Event.UserData.EventXML.Address
EventID = $_.Id
Message = if ($_.Id -eq 21) { "Session Logon" } else { "Session Reconnect" }
}
} | Format-Table -AutoSizeWas this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article