Are there any RDP activity logs? - Windows Server 2008 R2


Solution 1

A few options:

  1. Basic windows logging using the policy setting "Audit Logon Events" should cover your needs.
  2. You can also use a Remote Desktop Gateway and configure auditing that logs which users are accessing which internal resources via RDP. Some additional information is available here.

Solution 2

  1. Open Event Viewer (eventvwr.msc)
  2. Go to Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager
  3. Open Admin or Operational

You will see the session list with date/timestamp, IP, username, etc. You can also look under Applications and Services Logs\Microsoft\Windows\TerminalServices-RemoteConnectionManager

Solution 3

Here's a solution in PowerShell:

# Pull logon (4624) and RDP session reconnect (4778) events from the Security log
Get-EventLog -LogName Security | ?{(4624,4778) -contains $_.EventID} | %{
    # Scrape the fields of interest out of the free-text message body
    (new-object -Type PSObject -Property @{
        TimeGenerated = $_.TimeGenerated
        ClientIP = $_.Message -replace '(?smi).*Source Network Address:\s+([^\s]+)\s+.*','$1'
        UserName = $_.Message -replace '(?smi).*Account Name:\s+([^\s]+)\s+.*','$1'
        UserDomain = $_.Message -replace '(?smi).*Account Domain:\s+([^\s]+)\s+.*','$1'
        LogonType = $_.Message -replace '(?smi).*Logon Type:\s+([^\s]+)\s+.*','$1'
    })
} | sort TimeGenerated -Descending | Select TimeGenerated, ClientIP `
, @{N='Username';E={'{0}\{1}' -f $_.UserDomain,$_.UserName}} `
, @{N='LogType';E={
    # Translate the numeric logon type into a readable label
    switch ($_.LogonType) {
        2   {'Interactive (logon at keyboard and screen of system)'}
        3   {'Network (i.e. connection to shared folder)'}
        4   {'Batch (i.e. scheduled task)'}
        5   {'Service (i.e. service start)'}
        7   {'Unlock (i.e. post screensaver)'}
        8   {'NetworkCleartext (i.e. IIS)'}
        9   {'NewCredentials (i.e. local impersonation process under existing connection)'}
        10  {'RemoteInteractive (i.e. RDP)'}
        11  {'CachedInteractive (i.e. interactive, but without network connection to validate against AD)'}
        default {"LogType Not Recognised: $($_.LogonType)"}
    }
}}

Information on the related EventIds we're filtering on can be found here:

For RDP connections you're specifically interested in LogType 10 (RemoteInteractive). Here I've not filtered on it, in case the other types are of use, but it's trivial to add another filter if required.

You'll also need to ensure these logs are created; to do that:

  • Click Start
  • Select Control Panel
  • Select Administrative Tools
  • Open Local Security Policy
  • Navigate to Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Logon/Logoff
  • Amend Audit Logon to Success
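
As an added example (not code from any of the answers above), here is a variant of the Solution 3 query that uses Get-WinEvent and reads the structured EventData of 4624/4778 instead of regex-scraping the message text, keeps only Logon Type 10 (RDP) for 4624, and handles the different field names that 4778 reconnect events carry. The EventData names are the standard Windows Security log names; the $Days window and the Get-RdpEventData helper are my own.

```powershell
# Added example, not from the original answers. Reading EventData avoids the
# two "Account Name:" fields in a 4624 message (Subject vs. New Logon) being
# confused by a greedy regex. Run from an elevated PowerShell.
# Assumption: "Audit Logon" success auditing is enabled (see Solution 3);
# confirm with:  auditpol /get /subcategory:"Logon"

$Days = 7   # constructed value: how far back to search

# Helper (my own name): flatten <EventData><Data Name="..."> into a hashtable
function Get-RdpEventData {
    param($Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

$filter = @{ LogName = 'Security'; Id = 4624, 4778; StartTime = (Get-Date).AddDays(-$Days) }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $ev = $_            # keep the event object: $_ is rebound inside switch
    $d  = Get-RdpEventData $ev
    switch ($ev.Id) {
        4624 {
            # Keep only RemoteInteractive (RDP) logons; other types are skipped
            if ($d['LogonType'] -eq '10') {
                New-Object PSObject -Property @{
                    Time     = $ev.TimeCreated
                    EventId  = $ev.Id
                    Kind     = 'RDP logon'
                    User     = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
                    ClientIP = $d['IpAddress']
                }
            }
        }
        4778 {
            # Reconnect to an existing RDP session; field names differ from 4624
            New-Object PSObject -Property @{
                Time     = $ev.TimeCreated
                EventId  = $ev.Id
                Kind     = 'RDP reconnect'
                User     = '{0}\{1}' -f $d['AccountDomain'], $d['AccountName']
                ClientIP = $d['ClientAddress']
            }
        }
    }
} | Sort-Object Time -Descending |
  Select-Object Time, EventId, Kind, User, ClientIP |
  Format-Table -AutoSize
```

With success auditing switched off, the query simply returns nothing, which is itself a useful check that the policy change from the list above took effect.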

Solution 4

Other than combing through the event logs, looking for Logon Type 10 (Remote Desktop) in the Security Log, or looking at the TerminalServices channel event logs, you'll need to use third party software.

In addition to TSL mentioned above, here is one other I've used with success in the past - Remote Desktop Reporter

http://www.rdpsoft.com/products

If you go third party, make sure you evaluate several and get price quotes from each vendor ... there is a huge discrepancy in price - some vendors price per named user, some per concurrent user, and some simply by server. Make sure also that the solution comes with its own database or a lite version of SQL - otherwise you'll get hit with database license costs as well.

Author: MrKosherno

Updated on September 17, 2022

Comments

  • MrKosherno (over 1 year):

    A few users have logged into a server through RDP.

    I would like to monitor activity, but do not know my way round Windows Server that well.

    I am hoping there are logs of some kind around that I can consult.

    Any ideas? :)

    • not_a_friend (almost 4 years), in reply:
      The Windows log file does not show unsuccessful attempts, by the way. Use a firewall to show unsuccessful attempts to RDP. Just saying.
  • Sacha K (over 9 years):
    The client IP (Source Network Address) is blank for me on Windows Server 2012. How do you enable it?
  • nGX (over 8 years):
    I wrote up a tool that parses the Event Viewer for you and shows you a history of logins. You can grab the tool from my blog: uglyvpn.com/2015/09/25/…
  • kasperd (over 7 years):
    I can't see what exactly is the start and end of the file path. Some markup would make this answer a lot more readable.
  • Steve Yakovenko (almost 6 years):
    KPS, you posted a dead link.