leechristensen/ParseEwsExchangeLogs.ps1

## ParseEwsExchangeLogs.ps1
$EWSLogPath = "$($env:exchangeinstallpath)\Logging\EWS\"
$EWSLogPath = "."
$NumberOfLogs = 10
$RecentLogs = ls "$EWSLogPath\*.log" | sort LastWriteTime -Descending | select -First $NumberOfLogs -ExpandProperty FullName

$UserLogons = @()
foreach($Log in $RecentLogs)
{
    $LogFile = Get-Content $Log | select -Skip 5

    $EWSHeaders2010 = "DateTime","AuthenticationType","IsAuthenticated","AuthenticatedUser","Organization","UserAgent","ClientIpAddress","ServerHostName","SoapAction","HttpStatus","ErrorCode","ImpersonatedUser","Cookie","BeginBudgetConnections","EndBudgetConnections","BeginBudgetHangingConnections","EndBudgetHangingConnections","BeginBudgetAD","EndBudgetAD","BeginBudgetCAS","EndBudgetCAS","BeginBudgetRPC","EndBudgetRPC","BeginBudgetFindCount","EndBudgetFindCount","BeginBudgetSubscriptions","EndBudgetSubscriptions","DCResource","DCHealth","DCHistoricalLoad","MDBResource","MDBHealth","MDBHistoricalLoad","ThrottlingPolicy","ThrottlingDelay","ThrottlingRequestType","TotalDCRequestCount","TotalDCRequestLatency","TotalMBXRequestCount","TotalMBXRequestLatency","TotalRequestTime","GenericInfo","AuthenticationErrors","GenericErrors"
    $EWSHeaders2013 = "DateTime" ,"RequestId" ,"MajorVersion","MinorVersion","BuildVersion","RevisionVersion","ClientRequestId","AuthenticationType","IsAuthenticated","AuthenticatedUser","Organization","UserAgent","VersionInfo","ClientIpAddress","ServerHostName","FrontEndServer","SoapAction","HttpStatus","RequestSize","ResponseSize","ErrorCode","ImpersonatedUser","ProxyAsUser","ActAsUser","Cookie","CorrelationGuid","PrimaryOrProxyServer","TaskType","RemoteBackendCount","LocalMailboxCount","RemoteMailboxCount","LocalIdCount","RemoteIdCount","BeginBudgetConnections","EndBudgetConnections","BeginBudgetHangingConnections","EndBudgetHangingConnections","BeginBudgetAD","EndBudgetAD","BeginBudgetCAS","EndBudgetCAS","BeginBudgetRPC","EndBudgetRPC","BeginBudgetFindCount","EndBudgetFindCount","BeginBudgetSubscriptions","EndBudgetSubscriptions","MDBResource","MDBHealth","MDBHistoricalLoad","ThrottlingPolicy","ThrottlingDelay","ThrottlingRequestType","TotalDCRequestCount","TotalDCRequestLatency","TotalMBXRequestCount","TotalMBXRequestLatency","RecipientLookupLatency","ExchangePrincipalLatency","HttpPipelineLatency","CheckAccessCoreLatency","AuthModuleLatency","CallContextInitLatency","PreExecutionLatency","CoreExecutionLatency","TotalRequestTime","DetailedExchangePrincipalLatency","ClientStatistics","GenericInfo","AuthenticationErrors","GenericErrors"

    $CsvLog = ConvertFrom-Csv $LogFile -Header $EWSHeaders2013

    $LogonData = $CsvLog | select ImpersonatedUser,AuthenticatedUser,ClientIPAddress | ?{
        ($_.ImpersonatedUser -or $_.AuthenticatedUser) `
        -and $_.ClientIPAddress -notmatch '127.0.0.1|::1|^fe80:'
    }

    $UserLogons += $LogonData
}

$UserLogons | sort -Unique -Property ImpersonatedUser,AuthenticatedUser,ClientIPAddress
	$EWSLogPath = "$($env:exchangeinstallpath)\Logging\EWS\"
	$EWSLogPath = "."
	$NumberOfLogs = 10
	$RecentLogs = ls "$EWSLogPath\*.log" \| sort LastWriteTime -Descending \| select -First $NumberOfLogs -ExpandProperty FullName

	$UserLogons = @()
	foreach($Log in $RecentLogs)
	{
	$LogFile = Get-Content $Log \| select -Skip 5

	$EWSHeaders2010 = "DateTime","AuthenticationType","IsAuthenticated","AuthenticatedUser","Organization","UserAgent","ClientIpAddress","ServerHostName","SoapAction","HttpStatus","ErrorCode","ImpersonatedUser","Cookie","BeginBudgetConnections","EndBudgetConnections","BeginBudgetHangingConnections","EndBudgetHangingConnections","BeginBudgetAD","EndBudgetAD","BeginBudgetCAS","EndBudgetCAS","BeginBudgetRPC","EndBudgetRPC","BeginBudgetFindCount","EndBudgetFindCount","BeginBudgetSubscriptions","EndBudgetSubscriptions","DCResource","DCHealth","DCHistoricalLoad","MDBResource","MDBHealth","MDBHistoricalLoad","ThrottlingPolicy","ThrottlingDelay","ThrottlingRequestType","TotalDCRequestCount","TotalDCRequestLatency","TotalMBXRequestCount","TotalMBXRequestLatency","TotalRequestTime","GenericInfo","AuthenticationErrors","GenericErrors"
	$EWSHeaders2013 = "DateTime" ,"RequestId" ,"MajorVersion","MinorVersion","BuildVersion","RevisionVersion","ClientRequestId","AuthenticationType","IsAuthenticated","AuthenticatedUser","Organization","UserAgent","VersionInfo","ClientIpAddress","ServerHostName","FrontEndServer","SoapAction","HttpStatus","RequestSize","ResponseSize","ErrorCode","ImpersonatedUser","ProxyAsUser","ActAsUser","Cookie","CorrelationGuid","PrimaryOrProxyServer","TaskType","RemoteBackendCount","LocalMailboxCount","RemoteMailboxCount","LocalIdCount","RemoteIdCount","BeginBudgetConnections","EndBudgetConnections","BeginBudgetHangingConnections","EndBudgetHangingConnections","BeginBudgetAD","EndBudgetAD","BeginBudgetCAS","EndBudgetCAS","BeginBudgetRPC","EndBudgetRPC","BeginBudgetFindCount","EndBudgetFindCount","BeginBudgetSubscriptions","EndBudgetSubscriptions","MDBResource","MDBHealth","MDBHistoricalLoad","ThrottlingPolicy","ThrottlingDelay","ThrottlingRequestType","TotalDCRequestCount","TotalDCRequestLatency","TotalMBXRequestCount","TotalMBXRequestLatency","RecipientLookupLatency","ExchangePrincipalLatency","HttpPipelineLatency","CheckAccessCoreLatency","AuthModuleLatency","CallContextInitLatency","PreExecutionLatency","CoreExecutionLatency","TotalRequestTime","DetailedExchangePrincipalLatency","ClientStatistics","GenericInfo","AuthenticationErrors","GenericErrors"

	$CsvLog = ConvertFrom-Csv $LogFile -Header $EWSHeaders2013

	$LogonData = $CsvLog \| select ImpersonatedUser,AuthenticatedUser,ClientIPAddress \| ?{
	($_.ImpersonatedUser -or $_.AuthenticatedUser) `
	-and $_.ClientIPAddress -notmatch '127.0.0.1\|::1\|^fe80:'
	}

	$UserLogons += $LogonData
	}

	$UserLogons \| sort -Unique -Property ImpersonatedUser,AuthenticatedUser,ClientIPAddress