How to log the IP that connects from outside of company to terminal server?

windows-event-log terminal-server

We have users RDP to company's terminal servers. Is there a way that I can track the ip address outside of company where users connect from?

I know there are logs avaliable under under terminal services in event log, but I dont see any public ip address in there for remote connection from outside of company.

Any idea?


Your question do not provide information about how users connects to your terminal server from outside. I suppose that there is gateway in your company, that redirect requests from the internet to terminal server. If so, you can get this information in gateway log.

If however your terminal server is connected to the Internet directly and have public IP for some reasons, perhaps, this is what can help you:

<#

Features:
    1) This script reads the event log "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" from multiple servers and outputs the human-readable results to a CSV.

Instructions:
    1) Before you run, edit this line to include one or several of your own servers.

Requirements:
    1) TBD


April 8 2015 - Version 0.2
Mike Crowley

http://BaselineTechnologies.com

#>


$SessionHosts = @('Server2', 'Server3', 'Server4', 'Server5')

foreach ($Server in $SessionHosts) {

    $LogFilter = @{
        LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        ID = 21, 23, 24, 25
        }

    $AllEntries = Get-WinEvent -FilterHashtable $LogFilter -ComputerName $Server

    $AllEntries | Foreach { 
           $entry = [xml]$_.ToXml()
        [array]$Output += New-Object PSObject -Property @{
            TimeCreated = $_.TimeCreated
            User = $entry.Event.UserData.EventXML.User
            IPAddress = $entry.Event.UserData.EventXML.Address
            EventID = $entry.Event.System.EventID
            ServerName = $Server
            }        
           } 

}

$FilteredOutput += $Output | Select TimeCreated, User, ServerName, IPAddress, @{Name='Action';Expression={
            if ($_.EventID -eq '21'){"logon"}
            if ($_.EventID -eq '22'){"Shell start"}
            if ($_.EventID -eq '23'){"logoff"}
            if ($_.EventID -eq '24'){"disconnected"}
            if ($_.EventID -eq '25'){"reconnection"}
            }
        }

$Date = (Get-Date -Format s) -replace ":", "."
$FilteredOutput | Sort TimeCreated | Export-Csv $env:USERPROFILE\Desktop\$Date`_RDP_Report.csv -NoTypeInformation


#End

This powershell script from the Microsoft Technet website parses eventlogs about RDP sessions information, including client IPs, and outputs the human-readable results to a CSV.


If anybody is looking for IP addresses of failed RDP connection attempts (e.g. in case of brute force attacks against your web server), the Windows event log is Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational and the event ID is 140 (logged as a warning):

A connection from the client computer with an IP address of 123.123.123.123 failed because the user name or password is not correct.

You could then write a script that lets the firewall block IP addresses with multiple failed attempts.

Related

Is it safe to symlink complete /var directory
How to query Oracle VM REST API with curl?
Use `chsh` on GCP VM in order to change from bash to zshell, default password is unknown
Basic auth Apache and multiple IP conditions
Is the ppa:ondrej/php repository safe?
Non-Systemd Based Linux Services
Postfix change "From: " address when redirecting received email
"nf_conntrack: table full, dropping packet" even though nf_conntrack_count is much less than nf_conntrack_max
mysqldump create database if not exist
What's a "Xerox word"?
Term for a trademarked word that is used as a synonym for the item it represents [duplicate]
Proper use of comma in a sentence