VMware Cloud Community
emcclure
Enthusiast

Get user logon/logoff history

I saw this thread and didn't want to hijack it, especially since it's a couple years old: Get logon history

I tried running the commands listed, but when I do it just sits there for me (obviously changing server for my environment).  I'm not quite sure what I'm doing wrong, but the main idea is that we get an idea of when the user last logged in, their access and their permissions.  I was hoping this would work for at least the logon part, but I'm not sure what I'm doing wrong here.

0 Kudos
6 Replies
LucD
Leadership

The Get-VIEvent cmdlet can take a long time, especially if you are going back relatively far in time.
I would suggest starting with a small interval (for example 1 day), to check that the code is working.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
emcclure
Enthusiast

Ok thanks for the tip.  So I would change this: $start = (Get-Date).AddMonths(-6) to something else? Is there an AddDays or something to use?

0 Kudos
LucD
Leadership

Yes, like this for example

$start = (Get-Date).AddDays(-1)



0 Kudos
emcclure
Enthusiast

Sweet.  That made the script run a lot faster.  Wow it sure gets everyone that's logged in, whether it's a service account, dcui or a user.  Is there a way to filter it so it only grabs logon events from a particular domain only?

0 Kudos
LucD
Leadership

You could do something like this

$start = (Get-Date).AddDays(-1)
$domain = 'MyDomain'

# Keep only logout events for users whose name starts with $domain
# ([regex]::Escape makes characters such as '.' in the domain match literally).
# LoginTime is a property of the logout event; the event's CreatedTime is the logout time.
Get-VIEvent -Start $start -MaxSamples ([int]::MaxValue) |
where { $_ -is [VMware.Vim.UserLogoutSessionEvent] -and $_.UserName -match "^$([regex]::Escape($domain))" } |
Select UserName, IpAddress, LoginTime,
@{N = 'LogoutTime'; E = { $_.CreatedTime } }


0 Kudos
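For the "when did each user last log in" part of the original question, here is an added example (not code from the thread) that reduces login events to one row per domain user. The function name `Get-LastLogonSummary`, its parameters, and the sample events are hypothetical and constructed for illustration; it assumes user names appear as `DOMAIN\user`.

```powershell
function Get-LastLogonSummary {
    param(
        [Parameter(Mandatory)] [object[]] $VIEvent,  # output of Get-VIEvent
        [Parameter(Mandatory)] [string]   $Domain    # e.g. 'MyDomain'
    )
    # Escape the domain and require the '\' separator (assumed DOMAIN\user format),
    # so 'MyDomain' does not also match 'MyDomain2\...'.
    $pattern = '^' + [regex]::Escape($Domain) + '\\'

    $VIEvent |
        Where-Object {
            # TypeNames works for real PowerCLI event objects and for the samples below
            $_.PSObject.TypeNames -contains 'VMware.Vim.UserLoginSessionEvent' -and
            $_.UserName -match $pattern
        } |
        Group-Object -Property UserName |
        ForEach-Object {
            $latest = $_.Group | Sort-Object -Property CreatedTime | Select-Object -Last 1
            [pscustomobject]@{
                UserName   = $_.Name
                LastLogon  = $latest.CreatedTime
                IpAddress  = $latest.IpAddress
                LogonCount = $_.Count
            }
        }
}

# Constructed sample events (not real data): two logons for one domain user,
# plus a local account, a look-alike domain and a logout event, all of which are filtered out.
$login  = 'VMware.Vim.UserLoginSessionEvent'
$logout = 'VMware.Vim.UserLogoutSessionEvent'
$sample = @(
    [pscustomobject]@{ PSTypeName = $login;  UserName = 'MyDomain\alice'; IpAddress = '192.0.2.10'; CreatedTime = [datetime]'2024-01-02T08:00:00' }
    [pscustomobject]@{ PSTypeName = $login;  UserName = 'MyDomain\alice'; IpAddress = '192.0.2.11'; CreatedTime = [datetime]'2024-01-02T13:30:00' }
    [pscustomobject]@{ PSTypeName = $login;  UserName = 'dcui';           IpAddress = '127.0.0.1';  CreatedTime = [datetime]'2024-01-02T09:00:00' }
    [pscustomobject]@{ PSTypeName = $login;  UserName = 'MyDomain2\bob';  IpAddress = '192.0.2.20'; CreatedTime = [datetime]'2024-01-02T10:00:00' }
    [pscustomobject]@{ PSTypeName = $logout; UserName = 'MyDomain\alice'; IpAddress = '192.0.2.10'; CreatedTime = [datetime]'2024-01-02T12:00:00' }
)
Get-LastLogonSummary -VIEvent $sample -Domain 'MyDomain'

# Against a live vCenter (after Connect-VIServer):
# Get-LastLogonSummary -Domain 'MyDomain' -VIEvent (
#     Get-VIEvent -Start (Get-Date).AddDays(-1) -MaxSamples ([int]::MaxValue))
```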
emcclure
Enthusiast

Awesome.  That works perfect.  Thanks so much.

0 Kudos