Downloads the access logs from TOPdesk over WebDAV, extracts each log file from its zip archive and parses it, then outputs one object per authentication entry. I blogged about this at: https://andrewpla.dev/Inspect-TOPdesk-Access-Logs/
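<#
.SYNOPSIS
Downloads TOPdesk access logs over WebDAV and emits one object per authentication event.
.DESCRIPTION
Mounts the TOPdesk WebDAV share as a PSDrive (HTTPS, via the @SSL host suffix), copies the
newest access_log.* archives into a local folder, extracts them and parses the "[AUTH] User:"
lines into objects with Action, Date, UserName, Realm, Host and (for verified logons) Provider.
Lines that are not logon ("verified by") or logoff ("logged out") events are skipped.
.Parameter Credential
WebDAV credentials for an account that has the WebDAV Read permission.
.Parameter TOPdeskURL
The host name of the TOPdesk instance, e.g. Support.Company.com or company.topdesk.net (no scheme).
.Parameter OutputFolder
Folder the log files are downloaded to. When omitted, a fresh temp folder is used and removed at the end.
.Parameter MonthsBack
How many month folders back to look at, counting the current month as 1. Default is 1; 3 covers the last three months.
.Parameter DaysBack
How many of the newest daily access logs (within the selected months) to return. Default is 7.
.OUTPUTS
PSCustomObject per parsed log entry.
.NOTES
Output contains user names and remote addresses; treat it as sensitive data.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [pscredential]$Credential,
    [Parameter(Mandatory)]
    [string]$TOPdeskURL,
    $OutputFolder,
    [int]$MonthsBack = 1,
    [int]$DaysBack = 7
)

# Returns the text in $Line that follows $Marker, up to (not including) $Terminator, or up to
# the end of the line when $Terminator is empty or not found. Returns $null when $Marker is
# absent so callers never slice the line at index -1. Marker matching is case-insensitive
# because the log's casing of "User:" differs between logon and logoff lines.
function Get-LogField {
    param(
        [string]$Line,
        [string]$Marker,
        [string]$Terminator = ' '
    )
    $cmp = [System.StringComparison]::OrdinalIgnoreCase
    $start = $Line.IndexOf($Marker, $cmp)
    if ($start -lt 0) { return $null }
    $start += $Marker.Length
    $end = -1
    if ($Terminator) { $end = $Line.IndexOf($Terminator, $start, $cmp) }
    if ($end -lt 0) { return $Line.Substring($start).Trim() }
    return $Line.Substring($start, $end - $start).Trim()
}

# Converts one access-log line into a PSCustomObject, or returns $null when the line is not a
# logon/logoff event (handler/provider registrations and other noise are dropped here, so an
# uninteresting line can never re-emit the previous entry's values).
function ConvertFrom-AccessLogLine {
    param([string]$Line)

    if ($Line -notlike '*AUTH] User:*') { return $null }

    # Timestamp is the leading bracketed field "[...]"; keep it without the brackets.
    $dateEnd = $Line.IndexOf(']')
    $date = if ($dateEnd -ge 0) { $Line.Substring(0, $dateEnd).TrimStart('[') } else { $null }
    $userMarker = '[AUTH] User: '

    if ($Line -like '*logged out*') {
        # Logoff lines carry "realm: <realm> from remote host: <addr>" and the host is the
        # last field, so it is read to the end of the line (handles addresses of any length).
        return [PSCustomObject]@{
            Action   = 'LoggedOut'
            Date     = $date
            UserName = Get-LogField -Line $Line -Marker $userMarker
            Realm    = Get-LogField -Line $Line -Marker 'realm: ' -Terminator 'from '
            Host     = Get-LogField -Line $Line -Marker 'remote host: ' -Terminator ''
        }
    }
    if ($Line -like '*verified by*') {
        # Logon lines carry "verified by <provider> in the <realm> ... remote host <addr>".
        return [PSCustomObject]@{
            Action   = 'Verified'
            Date     = $date
            UserName = Get-LogField -Line $Line -Marker $userMarker
            Provider = Get-LogField -Line $Line -Marker 'verified by '
            Realm    = Get-LogField -Line $Line -Marker 'in the '
            Host     = Get-LogField -Line $Line -Marker 'remote host ' -Terminator ''
        }
    }
    return $null
}

# Resolve the working folder: the caller's folder (created if missing) or a fresh, uniquely
# named temp folder that the finally block below removes again.
if ($OutputFolder) {
    if (-not (Test-Path -LiteralPath $OutputFolder)) {
        $null = New-Item -ItemType Directory -Path $OutputFolder
    }
    $Directory = (Resolve-Path -LiteralPath $OutputFolder).ProviderPath
} else {
    $tempName = 'TOPdeskAccessLogs-' + [guid]::NewGuid().ToString('N')
    $Directory = Join-Path ([System.IO.Path]::GetTempPath()) $tempName
    $null = New-Item -ItemType Directory -Path $Directory
}

$driveName = 'TOPdesk'
$psDriveParams = @{
    PSProvider  = 'FileSystem'
    # "@SSL" makes the WebDAV redirector use HTTPS, so the credential is not sent in clear.
    Root        = "\\$TOPdeskURL@SSL\webdav"
    Credential  = $Credential
    Name        = $driveName
    # A failed mount (bad host or credential) must stop here instead of letting the
    # Get-ChildItem below run against a drive that does not exist.
    ErrorAction = 'Stop'
}

$drive = $null
try {
    # Capture the PSDriveInfo so it does not leak into the script's object output.
    $drive = New-PSDrive @psDriveParams

    # Newest $MonthsBack month folders, then the newest $DaysBack access_log.* files in them.
    $Files = Get-ChildItem -Path "${driveName}:\accesslogs\" -Directory |
        Sort-Object Name |
        Select-Object -Last $MonthsBack |
        Get-ChildItem -Filter 'access_log.*' |
        Sort-Object Name |
        Select-Object -Last $DaysBack

    foreach ($file in $Files) {
        # Copy locally first; expanding straight from the WebDAV path is slow and flaky.
        $archive = Copy-Item -LiteralPath $file.FullName -Destination $Directory -PassThru
        Expand-Archive -LiteralPath $archive.FullName -DestinationPath $Directory -Force
        Remove-Item -LiteralPath $archive.FullName
        # Strip only a trailing ".zip"; a plain .Replace('.zip','') would also alter folder names.
        $logPath = $archive.FullName -replace '\.zip$', ''
        foreach ($entry in (Get-Content -LiteralPath $logPath)) {
            $record = ConvertFrom-AccessLogLine -Line $entry
            if ($null -ne $record) { $record }
        }
    }
}
finally {
    # Runs on success and on error so neither the mapped share nor the temp folder is left behind.
    if ($drive) { Remove-PSDrive -Name $driveName -Force -ErrorAction SilentlyContinue }
    if (-not $OutputFolder) {
        Write-Verbose "Removing directory holding log files. Specify an outputfolder if you want to keep a copy of the log files."
        Remove-Item -LiteralPath $Directory -Recurse -Force
    }
}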