Parsing Get-WinEvent "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"

I'm trying to get the logon, logoff, connect, disconnect info from the above log. Here is what I have so far:

Get-WinEvent -logname "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | where {($_.Id -eq "21" -OR $_.Id -eq "24" -OR $_.Id -eq "25"  -OR $_.Id -eq "23")} | Export-Csv C:\RDS.csv


Then I just wanted these columns and I put them in a different csv:

Import-Csv C:\RDS.csv | select Message,TimeCreated | Export-Csv -Path c:\FixedRDS.csv -NoTypeInformation

Now I have two columns:

Message TimeCreated

Message is multi-line, and TimeCreated is just a single line.

There's probably a better way than two different .csv files to get to this point, but I'm just starting out here. The objective is to parse the Message line into multiple columns: I'd like the first column to be Message and the value in the above example to be "Session has been disconnected" (I suppose that could just say "disconnected", but either way that value). The next column would be "User", then I don't need the "Session ID" or "Source Network Address" (though this doesn't even show up on each record). The last column would be "TimeCreated" like this:

The end result of this is to insert into a SQL server table. Maybe there is even a better way of doing all of that in one shot. 

Thanks

March 30th, 2014 6:44pm

There are probably better ways to do this, but this should work for you:

$Events = Get-WinEvent -logname "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | where {($_.Id -eq "21" -OR $_.Id -eq "24" -OR $_.Id -eq "25"  -OR $_.Id -eq "23")}
Foreach ($Event in $Events) {
  $Result = "" | Select Message,User,TimeCreated
  $Result.TimeCreated = $Event.TimeCreated
  Foreach ($MsgElement in ($Event.Message -split "`n")) {
    $Element = $MsgElement -split ":"
    If ($Element[0] -like "User") {$Result.User = $Element[1].Trim(" ")}
    If ($Element[0] -like "Remote Desktop*") {$Result.Message = $Element[1].Trim(" ")}
  }
  $Result
} | Select Message,User,TimeCreated | Export-Csv C:\RDS.csv

The message has a newline character between the bits that you're looking for, so I split that at the newline, represented by `n. The backtick is an escape character so that PowerShell treats special characters literally. But it also indicates a special character when used with n (newline), t (tab), and r (carriage return), and probably others I haven't used yet.

I then loop through all of those elements, split them at the :, and check for the first element to determine if the 2nd element is important.  No 2nd file needed.

March 30th, 2014 9:17pm

Hi, thanks so much for your help!

A couple of things: the last pipe said it was an empty pipe, so I took it out and the code runs great. The results in the main window look correct, however the output in the .csv is blank. I've messed around with it a little, but I can't figure out why it's not outputting any results to the .csv.

March 31st, 2014 2:03am

Sorry, try it like this instead:

$Events = Get-WinEvent -logname "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | where {($_.Id -eq "21" -OR $_.Id -eq "24" -OR $_.Id -eq "25"  -OR $_.Id -eq "23")}
# A Foreach statement cannot be piped directly; assigning its output to a variable collects the objects so they can be piped afterwards
$Results = Foreach ($Event in $Events) {
  $Result = "" | Select Message,User,TimeCreated
  $Result.TimeCreated = $Event.TimeCreated
  Foreach ($MsgElement in ($Event.Message -split "`n")) {
    $Element = $MsgElement -split ":"
    # Trim() with no argument also drops the carriage return that is left behind when the message uses CRLF line endings
    If ($Element[0] -like "User") {$Result.User = $Element[1].Trim()}
    If ($Element[0] -like "Remote Desktop*") {$Result.Message = $Element[1].Trim()}
  }
  $Result
}
$Results | Select Message,User,TimeCreated | Export-Csv C:\RDS.csv -NoTypeInformation
March 31st, 2014 2:27am
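As an added example (not posted in this thread), the same four events read from the event's XML payload instead of by splitting the localized Message text, so the result does not depend on the display language or on the "Label: value" layout. The element names User, SessionID and Address are the ones these LocalSessionManager events carry (event 23, logoff, has no Address); the short action labels are an assumed mapping of the event IDs.

```powershell
# Added example, not from the original thread. Reads the structured <UserData>
# payload of the LocalSessionManager events rather than parsing the Message text.
$ActionById = @{
    21 = 'logon'        # Remote Desktop Services: Session logon succeeded
    23 = 'logoff'       # Remote Desktop Services: Session logoff succeeded
    24 = 'disconnected' # Remote Desktop Services: Session has been disconnected
    25 = 'reconnected'  # Remote Desktop Services: Session reconnection succeeded
}

# -FilterHashtable lets the event log service do the ID filtering instead of Where-Object
$Events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    Id      = 21, 23, 24, 25
}

$Results = foreach ($Event in $Events) {
    # ToXml() returns the raw event; the fields live under Event/UserData/EventXML
    $Xml  = [xml]$Event.ToXml()
    $Data = $Xml.Event.UserData.EventXML

    [PSCustomObject]@{
        Message       = $ActionById[[int]$Event.Id]
        User          = $Data.User
        SessionId     = [int]$Data.SessionID
        SourceAddress = $Data.Address      # $null for logoff events, which carry no Address
        TimeCreated   = $Event.TimeCreated
    }
}

$Results | Export-Csv -Path C:\RDS.csv -NoTypeInformation
```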

Rhys,

This worked perfectly! Thanks again for all your help!  This is not required, but do you know how I could put that data directly into SQL Server as opposed to outputting to .csv?  Obviously I will create a job that will grab that file to import if not, but just wondering if you can circumvent that step as well.

March 31st, 2014 4:28am

Here's a link that could be helpful.

http://irisclasson.com/2013/10/16/how-do-i-query-a-sql-server-db-using-powershell-and-how-do-i-filter-format-and-output-to-a-file-stupid-question-251-255/

There will probably be tons of scripts you can use here:

http://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=databases&f%5B0%5D.Text=Databases&f%5B1%5D.Type=SubCategory&f%5B1%5D.Value=sqlserver&f%5B1%5D.Text=SQL%20Server

That's the TechNet Gallery for DB related scripts, and scripts for just about anything else you might want to do.

March 31st, 2014 5:00am
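For the direct-to-SQL-Server question, here is an added example (not from the thread or the linked pages) that takes the Message/User/TimeCreated objects produced above, whether piped straight from the script or re-read from C:\RDS.csv, and inserts them with a parameterized INSERT so event text is never concatenated into the SQL statement. The server name, database name and the dbo.RdsSessionEvents table are assumptions; the table is expected to exist with columns Message nvarchar(50), [User] nvarchar(256), TimeCreated datetime2.

```powershell
# Added example, not from the original thread. Assumed connection string and table.
function Write-RdsEventsToSql {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)] $Row,
        [string]$ConnectionString = 'Server=SQLSERVER01;Database=Audit;Integrated Security=True'
    )
    begin {
        $Conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
        $Conn.Open()
        $Cmd = $Conn.CreateCommand()
        # Values travel as typed parameters; the statement text itself never changes
        $Cmd.CommandText = 'INSERT INTO dbo.RdsSessionEvents (Message, [User], TimeCreated) ' +
                           'VALUES (@Message, @User, @TimeCreated)'
        [void]$Cmd.Parameters.Add('@Message',     [System.Data.SqlDbType]::NVarChar, 50)
        [void]$Cmd.Parameters.Add('@User',        [System.Data.SqlDbType]::NVarChar, 256)
        [void]$Cmd.Parameters.Add('@TimeCreated', [System.Data.SqlDbType]::DateTime2)
        $Count = 0
    }
    process {
        # Import-Csv yields strings, the script yields DateTime; accept both
        $When = if ($Row.TimeCreated -is [datetime]) { $Row.TimeCreated }
                else { [datetime]::Parse([string]$Row.TimeCreated) }
        # Events with no User line become NULL rather than an empty string
        $User = if ($Row.User) { [string]$Row.User } else { [DBNull]::Value }

        $Cmd.Parameters['@Message'].Value     = [string]$Row.Message
        $Cmd.Parameters['@User'].Value        = $User
        $Cmd.Parameters['@TimeCreated'].Value = $When
        $Count += $Cmd.ExecuteNonQuery()
    }
    end {
        $Conn.Close()
        Write-Verbose "Inserted $Count rows into dbo.RdsSessionEvents"
        $Count
    }
}

# Either pipe $Results from the parsing script directly, or load the CSV the script wrote
Import-Csv C:\RDS.csv | Write-RdsEventsToSql -Verbose
```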

This worked perfectly for me as well. Great work and perfect timing!
March 31st, 2014 5:15am

Rhys W Edwards is da man. I have tried many links but no one could provide a straight answer. This solved my problem. Thanks Edward.
January 29th, 2015 11:22pm
