VPN Log Files Windows

Solution 1

There are relevant log files in \WINDOWS\system32\LogFiles that may help. There is also system information available from the Event Viewer (Run > eventvwr.exe OR Control Panel > Admin Tools > Event Viewer); look for the System logs.

However, both these locations could be empty depending on local settings.

One can configure Windows Firewall to log VPN connections, but that is not a default. Check Control Panel > Windows Firewall > [Advanced tab]; the default location for the log file is C:\WINDOWS\pfirewall.log.

Specific applications used may have preserved log data. If you know the IP address connected to, you could do a general search for files containing that IP address (but that wouldn't find compressed logs or non-ASCII log data).

Solution 2

Expanding on @pbhj's answer, I successfully found logs following these instructions, summarized here:

  1. Navigate through the Start menu to get to the Event Viewer: Start > Control Panels > Administrative Tools > Event Viewer.

  2. In the Actions pane, select Create Custom View or Filter Current Custom View.

  3. Select the event severities (e.g., Critical, Warning, Error, Information, etc.) listed under the Event level option.

  4. Click the Event sources pull-down menu and select the event sources that you would like to see, for example: VPN Client - vpnagent, vpnui; DHCP - DHCP-Client; Native VPN - RasMan, RasClient, Remote Access.

  5. Save the filter to Custom View.

  6. Select the log event in the event browser page (top).

  7. Event Properties in the middle pane has the log details for an event. Double-click an event to bring up a new Event Properties window in addition to the Event Properties pane.

I used specifically "RasClient", and found this Error level log in the Custom view:

CoId={53F1C7C6-B011-4453-B2D5-C0F82ED8E590}: The user {domain}{username} dialed a connection named {target VPN connection} which has failed. The error code returned on failure is 789.

(Note I was looking for logs because my VPN errored, not because I wanted to see my VPN history as in OP's question)

Solution 3

I found these event IDs:

  • Connect Event: RasMan 20267
  • Disconnect Event: RasMan 20268
  • General Details: "RasClient" logging

You can use several tools to filter for these events.

Try FullEventLogView

Try Nirsoft's fulleventlogview.exe. It will show connect/disconnect events.

  1. Open Advanced Options
  2. OPTIONAL: Show only events from the last... 1 Days (or however many you want)
  3. Show only the specified providers (comma-delimited list, wildcard allowed): RasClient,RasMan

Or try Custom View

To do the same thing inside the regular Windows Event Viewer, do this:

  1. Save this text here as eventvwr.custom-view.RAS.xml:
<ViewerConfig>
    <QueryConfig>
        <QueryParams>
            <Simple>
                <Channel>Application,System</Channel>
                <RelativeTimeInfo>0</RelativeTimeInfo>
                <Source>RasClient,Rasman</Source>
                <BySource>True</BySource>
            </Simple>
        </QueryParams>
        <QueryNode>
            <Name>RAS</Name>
            <QueryList>
                <Query Id="0" Path="Application">
                    <Select Path="Application">*[System[Provider[@Name='RasClient' or @Name='Rasman']]]</Select>
                    <Select Path="System">*[System[Provider[@Name='RasClient' or @Name='Rasman']]]</Select>
                </Query>
            </QueryList>
        </QueryNode>
    </QueryConfig>
</ViewerConfig>
  2. Start => Run... => eventvwr.msc Enter
  3. Event Viewer (Local) => Custom Views => right-click => Import Custom View...
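
The same filter can be run from PowerShell and the connect/disconnect events paired into sessions with a duration. This is an added example, not code from any of the answers above; the function names `New-VpnSession` and `ConvertTo-VpnSession` are hypothetical, and it assumes the event IDs, provider and channels given in Solution 3.

```powershell
# Added example, not from the answers: turn RasMan connect/disconnect events
# into a list of VPN sessions. Function names are hypothetical.
$ConnectId    = 20267   # "Connect Event" from Solution 3
$DisconnectId = 20268   # "Disconnect Event" from Solution 3

function New-VpnSession($Start, $End) {
    $hours = $null
    if ($End) { $hours = [math]::Round(($End - $Start).TotalHours, 2) }
    [pscustomobject]@{ Connected = $Start; Disconnected = $End; Hours = $hours }
}

function ConvertTo-VpnSession {
    param([object[]]$Events)   # anything with .Id and .TimeCreated
    if (-not $Events) { return }
    $start = $null
    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        if ($e.Id -eq $ConnectId) {
            # Connect while a session is still open: the earlier session has no
            # recorded end (sleep, crash, cleared log), so report it without one.
            if ($start) { New-VpnSession $start $null }
            $start = $e.TimeCreated
        }
        elseif ($e.Id -eq $DisconnectId -and $start) {
            New-VpnSession $start $e.TimeCreated
            $start = $null
        }
        # A disconnect with no open session is skipped: its start was not logged.
    }
    if ($start) { New-VpnSession $start $null }   # still connected, or end missing
}

# Same channels and provider as the custom view above. Get-WinEvent raises an
# error when nothing matches, hence -ErrorAction SilentlyContinue.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application', 'System'
    ProviderName = 'RasMan'
    Id           = $ConnectId, $DisconnectId
} -ErrorAction SilentlyContinue

ConvertTo-VpnSession -Events $events | Format-Table -AutoSize
```

Sessions with an empty Disconnected column have no matching disconnect event in the log, so their duration cannot be derived from these events alone.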
Mark
Author by

Mark

User Interface designer, developer and C#,.NET & SQL programmer. https://www.linkedin.com/pub/mark-roberts/17/62/445

Updated on September 18, 2022

Comments

  • Mark
    Mark over 1 year

    I have a friend who is quitting their job. He is owed overtime, but the workplace has been casual about recording hours. He regularly signs out a work laptop, and will work from home via VPN.

    Is there a way to retrieve log files for this person, despite the fact they use a different computer for the majority of the time that he could copy as an aid to his claim for overtime hours?

    Normally, if it was an everyday computer, I would check some common log files, eventvwr.msi etc.

    Thoughts?

    • schroeder
      schroeder about 9 years
      This is better asked at SuperUser - I flagged for migration.