本文主要是介绍查看windows mstsc远程登陆日志(client ip),希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
最近有个需求,要看一下windows MSTSC的登陆日志。
测试环境:
win10
参考:
https://social.technet.microsoft.com/Forums/windows/en-US/efabde54-be5e-4be2-bf1b-b146934047e1/logging-ip-adderess-during-remote-desktop-connection?forum=winserverTS
Hi,You may view the Remote Desktop connection client ip address information in the following logs:Event Viewer\Applications and Services Logs\Microsoft\Windows\TerminalServices-LocalSessionManagerEvent Viewer\Applications and Services Logs\Microsoft\Windows\TerminalServices-RemoteConnectionManagerEvent Viewer\Windows Logs\Security (Event ID: 4624, Logon Type: 10)-TP
Event Viewer\Applications and Services Logs\Microsoft\Windows\TerminalServices-LocalSessionManagerEvent Viewer\Applications and Services Logs\Microsoft\Windows\TerminalServices-RemoteConnectionManagerEvent Viewer\Windows Logs\Security (Event ID: 4624, Logon Type: 10)-TP
powersherll:
找不到出处了,运行之后在当前目录生成登陆日志。
<#.SYNOPSIS This script reads the event log "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" from multiple servers and outputs the human-readable results to a CSV. This data is not filterable in the native Windows Event Viewer.Version: November 9, 2016.DESCRIPTIONThis script reads the event log "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" from multiple servers and outputs the human-readable results to a CSV. This data is not filterable in the native Windows Event Viewer.NOTE: Despite this log's name, it includes both RDP logins as well as regular console logins too.Author:Mike Crowleyhttps://BaselineTechnologies.com.EXAMPLE
?.\RDPConnectionParser.ps1 -ServersToQuery Server1, Server2 -StartTime "November 1".LINKhttps://MikeCrowley.us/tag/powershell#>Param([array]$ServersToQuery = (hostname),[datetime]$StartTime = "January 1, 1970"
)foreach ($Server in $ServersToQuery) {$LogFilter = @{LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'ID = 21, 23, 24, 25StartTime = $StartTime}$AllEntries = Get-WinEvent -FilterHashtable $LogFilter -ComputerName $Server$AllEntries | Foreach { $entry = [xml]$_.ToXml()[array]$Output += New-Object PSObject -Property @{TimeCreated = $_.TimeCreatedUser = $entry.Event.UserData.EventXML.UserIPAddress = $entry.Event.UserData.EventXML.AddressEventID = $entry.Event.System.EventIDServerName = $Server} } }$FilteredOutput += $Output | Select TimeCreated, User, ServerName, IPAddress, @{Name='Action';Expression={if ($_.EventID -eq '21'){"logon"}if ($_.EventID -eq '22'){"Shell start"}if ($_.EventID -eq '23'){"logoff"}if ($_.EventID -eq '24'){"disconnected"}if ($_.EventID -eq '25'){"reconnection"}}}$Date = (Get-Date -Format s) -replace ":", "."$FilePath = "$env:USERPROFILE\Desktop\$Date`_RDP_Report.csv"$FilteredOutput | Sort TimeCreated | Export-Csv $FilePath -NoTypeInformationWrite-host "Writing File: $FilePath" -ForegroundColor Cyan
Write-host "Done!" -ForegroundColor Cyan#End
这篇关于查看windows mstsc远程登陆日志(client ip)的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!