PowerShell version 1 script to parse a log file that documents logon and logoff events. From the log file the script outputs user sessions. Each session is defined by the name of the computer and the name of the user, so a user can have more than one session at a time on different computers. The script outputs the session (computername\username), the logon datetime, the logoff datetime, and the duration of the logon session in days.hours:minutes:seconds. The log file is created by logon and logoff scripts configured in Group Policy. Each of these scripts appends a line to a shared log file. The logon script can be as simple as the following batch file:
@echo off
echo Logon,%date%,%time%,%computername%,%username%>> \\Server\Share\Events.log
The logoff script can be similar to the following batch file:
@echo off
echo Logoff,%date%,%time%,%computername%,%username%>> \\Server\Share\Events.log
This PowerShell script assumes that the fields in the resulting log file are comma delimited. There can be more than 5 fields, but the first 5 should be:
"logon" or "logoff",date,time,computer name, user name
The script will add a header line to the beginning of the log file if there is no header line, so there is no need for you to do this. The script needs write access to the log file to add the header line. For example, two lines of the log file could be similar to:
Logon,Mon 11/23/2015,14:34:57.66,WKSTA03,jsmith
Logoff,Wed 11/25/2015, 9:21:44.60,WKSTA03,jsmith
The output from the script for these two events would be similar to:
WKSTA03\jsmith,11/23/2015 14:34:57,11/25/2015 09:21:44,1.18:46:47
This script accepts a log file name (and optional path) as a parameter, or the script will prompt for the log file name. The script output is displayed at the console in comma delimited format. The output can be redirected to a text file, which can then be opened in Excel for analysis. Errors and warning messages are written to the console, but will not be redirected to the text file. The command to run this script at a PowerShell prompt could be similar to:
.\ParseLogons.ps1 Events.log > .\Output.txt
The logon sessions would be redirected to the file Output.txt. If there are error messages or warnings, they are displayed at the console, but are not redirected to the file. If there are no errors that abort the script, the script outputs information similar to the following at the console:
ParseLogons.ps1
Date: 11/25/2015 14:32:56
Log File: Events.log
Totals:
Lines read in the log file: 1,207
Bad lines skipped: 0
Warnings: 0
Sessions with no logoff: 1
Sessions with no logon: 3
Sessions still logged on: 4
Total Sessions: 983
"Sessions with no logoff" means that a user logged onto a computer, then later logged on again without an intervening logoff event on the computer. Either the computer crashed or the user logged off when the computer was disconnected from the network, so the logoff script could not append an event to the log file. "Sessions with no logon" means the log file has a logoff event, but the corresponding logon event is missing. Either the logon script could not append the logon event to the log file, or the logon occurred before the logon script was implemented. "Sessions still logged on" means the user was still logged on when the script ran, or the logoff event was not found in the log file. Lines in the log file are skipped if any fields are missing or the date and time raise an error when converted into a datetime value.
Warning messages are displayed at the console for the following conditions:
The following errors cause the script to abort:
Comments in the script document where accomodations had to be made to support PowerShell versions 1 and 2, as well as the .NET Framework classes that are not suppported on Windows RT 8.1.
ParseLogons.txt <<-- Click here to view or download the program