Are there any RDP activity logs? - Windows Server 2008 R2

A few users have logged into a server through RDP.

I would like to monitor activity, but do not know my way round Windows Server that well.

I am hoping there are logs of some kind around that I can consult.


Any ideas? :)


A few options..

  1. Basic Windows logging using the policy setting "Audit Logon Events" should cover your needs.
  2. You can also use a Remote Desktop Gateway and configure auditing that logs which users are accessing which internal resources via RDP. Some additional information is available here.

  1. Open Event Viewer (eventvwr.msc)
  2. Go to Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager
  3. Open Admin or Operational

You will see the sessions list. Date/Timestamped/IP/UserName etc. You can also look under Applications and Services Logs\Microsoft\Windows\TerminalServices-RemoteConnectionManager


Here's a solution in PowerShell:

# 4624 = successful logon, 4778 = session reconnected
Get-EventLog -LogName Security | ?{(4624,4778) -contains $_.EventID} | %{
    # Each pattern starts with a greedy .* under (?s), so it captures the LAST
    # occurrence of the label in the message text.
    (new-object -Type PSObject -Property @{
        TimeGenerated = $_.TimeGenerated
        # 4624 labels the address "Source Network Address"; 4778 labels it "Client Address"
        ClientIP = $_.Message -replace '(?smi).*(?:Source Network|Client) Address:\s+([^\s]+)\s+.*','$1'
        UserName = $_.Message -replace '(?smi).*Account Name:\s+([^\s]+)\s+.*','$1'
        UserDomain = $_.Message -replace '(?smi).*Account Domain:\s+([^\s]+)\s+.*','$1'
        # 4778 has no "Logon Type" line, so its unmatched message text reaches 'default' below
        LogonType = $_.Message -replace '(?smi).*Logon Type:\s+([^\s]+)\s+.*','$1'
    })
} | sort TimeGenerated -Descending | Select TimeGenerated, ClientIP `
, @{N='Username';E={'{0}\{1}' -f $_.UserDomain,$_.UserName}} `
, @{N='LogType';E={
    switch ($_.LogonType) {
        2   {'Interactive (logon at keyboard and screen of system)'}
        3   {'Network (i.e. connection to shared folder)'}
        4   {'Batch (i.e. scheduled task)'}
        5   {'Service (i.e. service start)'}
        7   {'Unlock (i.e. post screensaver)'}
        8   {'NetworkCleartext (i.e. IIS)'}
        9   {'NewCredentials (i.e. local impersonation process under existing connection)'}
        10  {'RemoteInteractive (i.e. RDP)'}
        11  {'CachedInteractive (i.e. interactive, but without network connection to validate against AD)'}
        # Inside switch, $_ is the value being tested, not the pipeline object
        default {"LogType Not Recognised: $_"}
    }
}}

Information on the related EventIds we're filtering on can be found here:

  • Successful Logon: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624
  • Reconnected Session: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4778

For RDP connections you're specifically interested in LogType 10; RemoteInteractive; here I've not filtered in case the other types are of use; but it's trivial to add another filter if required.

You'll also need to ensure these logs are created; to do that:

  • Click Start
  • Select Control Panel
  • Select Administrative Tools
  • Open Local Security Policy
  • Navigate Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Logon/Logoff
  • Amend Audit Logon to Success
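
The answer above leaves the Logon Type 10 filter to the reader. As an added example (not code from any of the answers), the script below applies that filter in the event query itself and reads the fields from the event XML instead of regex-matching the message text. The helper name ConvertFrom-LogonEventXml is hypothetical and the sample event is constructed; the live query assumes an elevated prompt and that Audit Logon is enabled as described.

```powershell
# Added example: read 4624 fields from the event XML rather than the message text.
function ConvertFrom-LogonEventXml {   # hypothetical helper name
    param([Parameter(Mandatory=$true)][xml]$EventXml)

    # EventData is a list of <Data Name="...">value</Data>; index it by name.
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    New-Object PSObject -Property @{
        TimeCreatedUtc = $EventXml.Event.System.TimeCreated.SystemTime
        Username       = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        ClientIP       = $data['IpAddress']
        LogonType      = [int]$data['LogonType']
    }
}

# Constructed sample event (trimmed to the fields used), so the parser can be tried offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2015-01-01T09:30:00.000000000Z" />
  </System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>
'@
ConvertFrom-LogonEventXml -EventXml $sample | Format-List

# Live query (elevated prompt): the XPath filter returns only RDP logons,
# LogonType 10, so nothing has to be filtered after the fact.
$xpath = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='10']]"
Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-LogonEventXml -EventXml $_.ToXml() } |
    Select-Object TimeCreatedUtc, Username, ClientIP, LogonType
```

Because the field names come from the event XML, the output does not depend on the display language of the server, which the message-text patterns do.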