My custom inventory rule:

 

ShellCommandTextReturn(cmd /c powershell.exe -nologo -executionpolicy bypass -noprofile -file "\\10.86.28.238\client\logonactivityajs.ps1")\\

 

Script:

 

# Variables

# Path for HTML file output

$htmlfile = ".\LogonActivity.html"

 

# Table Creation

$LogonActivityTable = New-Object system.Data.DataTable “Logon/Logoff Activity”

 

# Create Columns

$date = New-Object system.Data.DataColumn "Date",([string])

$type = New-Object system.Data.DataColumn "Type",([string])

$status = New-Object system.Data.DataColumn "Status",([string])

$user = New-Object system.Data.DataColumn "User",([string])

$ipaddress = New-Object system.Data.DataColumn "IPAddress",([string])

 

# Add Columns to Table

$LogonActivityTable.columns.add($date)

$LogonActivityTable.columns.add($type)

$LogonActivityTable.columns.add($status)

$LogonActivityTable.columns.add($user)

$LogonActivityTable.columns.add($ipaddress)

 

$hostname = $env:computername

 

$startDate = "1/1/2000"

 

$endDate = get-date

$scope = "N"

# Writes a line with all the parameters selected for report

write-host "Hostname: "$hostname "`tStart: "$startDate "`tEnd: "$endDate "`tOnly Failed Logins: "$scope "`n"

# Store each event from the Security Log with the specificed dates and computer in an array

$log = Get-Eventlog -LogName Security -ComputerName $hostname -after $startDate -before $endDate

 

# Loop through each security event, print only failed login attempts

if ($scope -match "Y"){

    foreach ($i in $log){

        # Logon Failure Events

        # Local

        if (($i.EventID -eq 4625 ) -and ($i.ReplacementStrings[10] -eq 2)){

            # Create a Row

            $row = $LogonActivityTable.NewRow()

 

            # Enter Data into the Row

            $row.date =  $i.TimeGenerated

            $row.type =  "Logon - Local"

            $row.status =  "Failure"

            $row.user =  $i.ReplacementStrings[5]

            $row.ipaddress = ""

 

            # Add the Row to the Table

            $LogonActivityTable.Rows.Add($row)

        }

        # Remote

        if (($i.EventID -eq 4625 ) -and ($i.ReplacementStrings[10] -eq 10)){

            # Create a Row

            $row = $LogonActivityTable.NewRow()

 

            # Enter Data into the Row

            $row.date =  $i.TimeGenerated

            $row.type =  "Logon - Remote"

            $row.status =  "Failure"

            $row.user =  $i.ReplacementStrings[5]

            $row.ipaddress = $i.ReplacementStrings[19]

 

            # Add the Row to the Table

            $LogonActivityTable.Rows.Add($row)

        }

    }        

}

# Loop through each security event, print all login/logoffs with type, date/time, status, account name, and IP address if remote

else{

    foreach ($i in $log){

        # Logon Successful Events

        # Local (Logon Type 2)

        if (($i.EventID -eq 4624 ) -and ($i.ReplacementStrings[8] -eq 2)){

            # Create a Row

            $row = $LogonActivityTable.NewRow()

 

            # Enter Data into the Row

            $row.date =  $i.TimeGenerated

            $row.type =  "Logon - Local"

            $row.status =  "Success"

            $row.user =  $i.ReplacementStrings[5]

            $row.ipaddress = ""

 

            # Add the Row to the Table

            $LogonActivityTable.Rows.Add($row)

        }

        # Remote (Logon Type 10)

        if (($i.EventID -eq 4624 ) -and ($i.ReplacementStrings[8] -eq 10)){

            # Create a Row

            $row = $LogonActivityTable.NewRow()

 

            # Enter Data into the Row

            $row.date =  $i.TimeGenerated

            $row.type =  "Logon - Remote"

            $row.status =  "Success"

            $row.user =  $i.ReplacementStrings[5]

            $row.ipaddress = $i.ReplacementStrings[18]

 

            # Add the Row to the Table

            $LogonActivityTable.Rows.Add($row)

        }

         

        # Logon Failure Events

        # Local

        if (($i.EventID -eq 4625 ) -and ($i.ReplacementStrings[10] -eq 2)){

            # Create a Row

            $row = $LogonActivityTable.NewRow()

 

            # Enter Data into the Row

            $row.date =  $i.TimeGenerated

            $row.type =  "Logon - Local"

            $row.status =  "Failure"

            $row.user =  $i.ReplacementStrings[5]

            $row.ipaddress = ""

 

            # Add the Row to the Table

            $LogonActivityTable.Rows.Add($row)

        }

        # Remote

        if (($i.EventID -eq 4625 ) -and ($i.ReplacementStrings[10] -eq 10)){

            # Create a Row

            $row = $LogonActivityTable.NewRow()

 

            # Enter Data into the Row

            $row.date =  $i.TimeGenerated

            $row.type =  "Logon - Remote"

            $row.status =  "Failure"

            $row.user =  $i.ReplacementStrings[5]

            $row.ipaddress = $i.ReplacementStrings[19]

 

            # Add the Row to the Table

            $LogonActivityTable.Rows.Add($row)

        }

         

        # Logoff Events

        if ($i.EventID -eq 4647 ){

            # Create a Row

            $row = $LogonActivityTable.NewRow()

 

            # Enter Data into the Row

            $row.date =  $i.TimeGenerated

            $row.type =  "Logoff"

            $row.status =  "Success"

            $row.user =  $i.ReplacementStrings[1]

            $row.ipaddress = ""

 

            # Add the Row to the Table

            $LogonActivityTable.Rows.Add($row)

        } 

    }

}

 

# Outputs

# Table

if ($output -match "T"){

    $LogonActivityTable | Format-Table

}

 

# HTML

elseif ($output -match "H"){

    # HTML Styles

    $style = "<style>"

    $style = $style + "BODY{background-color:#F2F2F2;}"

    $style = $style + "TABLE{border-width: 1px;border-style: solid;border-color: black;}"

    $style = $style + "TH{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color:#BDBDBD}"

    $style = $style + "TD{border-width: 1px;padding: 5px;border-style: solid;border-color: black;background-color:#D8D8D8}"

    $style = $style + "</style>"

 

    $LogonActivityTable | Select-Object Date, Type, Status, User, IPAddress | ConvertTo-Html -head $style -body "<h2>Logon Activity:</h2>" | Out-File $htmlfile

    Invoke-Expression $htmlfile

}

 

# Grid View

elseif ($output -match "G"){

    $LogonActivityTable | Out-GridView -Title "Logon Activity"

}

 

# Default output, returns the table object in list form by default

else{

    $LogonActivityTable

}