Solved: Get-VIEvent question

mchunger · ‎01-12-2012

I'm trying to generate a list of all users who have logged in. I have that command and it's working, but I'd like to exclude 1 or more users from that list, i.e. "root".

Here's the command I'm using.

$events = Get-VIEvent -MaxSamples 1000

foreach ($event in $events) {if ($event.fullFormattedMessage -match "User (.*)@\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b logged in") {Write-Host ("User " + $matches[1] + " logged in at:" + $event.createdTime)} }

admin · ‎01-12-2012

Hi, mchunger,

This should work for you if you know the names you wish to exclude:

$excl = @( "root","admin","dcui" )

foreach ($event in $events) {if ($excl -notcontains $event.username) { if ($event.fullFormattedMessage -match "User (.*)@\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b logged in") {Write-Host ("User " + $matches[1] + " logged in at:" + $event.createdTime)} }}

Regards,

Ogniana

View solution in original post

admin · ‎01-12-2012

Hi, mchunger,

This should work for you if you know the names you wish to exclude:

$excl = @( "root","admin","dcui" )

foreach ($event in $events) {if ($excl -notcontains $event.username) { if ($event.fullFormattedMessage -match "User (.*)@\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b logged in") {Write-Host ("User " + $matches[1] + " logged in at:" + $event.createdTime)} }}

Regards,

Ogniana

mchunger · ‎01-12-2012

I do know who I want to exclude, so that works PERFECTLY! Thank you orainova.

mchunger · ‎01-12-2012

Some what of a tag along as i've found out that my requirements have changed.

list ALL events between two dates excluding several users.

thanks!

LucD · ‎01-12-2012

Can't you just use the Start and Finish parameters on the Get-VIEvent cmdlet ?

Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference

admin · ‎01-13-2012

If for some reason LucD's suggestion doesn't work for you, you can also add parameters to your query like this:

$startDt = '2011.12.01'

$endDt = '2012.01.01'

and then just use in the if statement we added for the users:

foreach ($event in $events) {if (($event.CreatedTime -gt $startDt) -and ($event.CreatedTime -lt $endDt) -and ($excl -notcontains $event.username)) { if ($event.fullFormattedMessage -match "User (.*)@\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b logged in") {Write-Host ("User " + $matches[1] + " logged in at:" + $event.createdTime)} }}

--

Ogniana

mchunger · ‎01-13-2012

Thanks to LucD and Orainova, that worked for the date stipulation.

I noticed other log entries showing users logging in or at least accessing consoles. The FullFormattedMessage starts with the text "Remote console connected ..."

How can I add that to the script in addition to the "user logged in" filter.

If you havn't guess by now, I'm a beginner with regards to the scripting and I just copied the script from the VMware website not fully understanding all the variables and syntax invovled but luckily it was close to what i needed to do. (i.e. i have no idea what this means of does "(.*)@\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b" )

Thank you both very much.

admin · ‎01-16-2012

Hi, mchunger,

Sorry for the late answer.

The "(.*)@\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b" is a regular expression (see http://www.regular-expressions.info/powershell.html for short info on matching in Powershell) that matches the <user>@<host> part in messages of the type "User Administrator@10.23.80.99 logged in". I'd rewrite your script like this:

foreach ($event in $events) {if (($event.CreatedTime -gt $startDt) -and ($event.CreatedTime -lt $endDt) -and ($excl -notcontains $event.username)) { if ($event.fullFormattedMessage -match "User (.*)@\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b logged in|Remote console connected") {Write-Host ("User " + $event.username + " logged in at:" + $event.createdTime)} }}

Regards,

Ogniana

All

Get-VIEvent question