Are there any RDP activity logs? - Windows Server 2008 R2

Solution 1:

  1. Open Event Viewer (eventvwr.msc)
  2. Go to Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager
  3. Open Admin or Operational

You will see the sessions list: date/timestamp, IP, user name, etc. You can also look under Applications and Services Logs\Microsoft\Windows\TerminalServices-RemoteConnectionManager

Solution 2:

A few options:

  1. Basic Windows logging using the policy setting "Audit Logon Events" should cover your needs.
  2. You can also use a Remote Desktop Gateway and configure auditing that logs which users are accessing which internal resources via RDP. Some additional information is available here.

Solution 3:

Here's a solution in PowerShell:

# Pull successful logons (4624) and session reconnects (4778) from the Security log and
# parse the fields of interest out of the rendered message text.
Get-EventLog -LogName Security | ?{(4624,4778) -contains $_.EventID} | %{
    $msg = $_.Message
    # The greedy leading .* makes each pattern pick the LAST occurrence of a field, which
    # for 4624 is the "New Logon" section rather than the "Subject" section. If a field is
    # absent (4778 carries no "Logon Type"), the value is left empty instead of falling
    # back to the whole message.
    (new-object -Type PSObject -Property @{
        TimeGenerated = $_.TimeGenerated
        ClientIP   = $(if ($msg -match '(?smi).*Source Network Address:\s+(\S+)') { $Matches[1] })
        UserName   = $(if ($msg -match '(?smi).*Account Name:\s+(\S+)')           { $Matches[1] })
        UserDomain = $(if ($msg -match '(?smi).*Account Domain:\s+(\S+)')         { $Matches[1] })
        LogonType  = $(if ($msg -match '(?smi).*Logon Type:\s+(\S+)')             { $Matches[1] })
    })
} | sort TimeGenerated -Descending | Select TimeGenerated, ClientIP `
, @{N='Username';E={'{0}\{1}' -f $_.UserDomain,$_.UserName}} `
, @{N='LogType';E={
    # Inside the switch block $_ is the value being switched on (the LogonType string),
    # not the pipeline object. For 4778 events LogonType is empty and the column stays blank.
    switch ($_.LogonType) {
        2   {'Interactive (logon at keyboard and screen of system)'}
        3   {'Network (i.e. connection to shared folder)'}
        4   {'Batch (i.e. scheduled task)'}
        5   {'Service (i.e. service start)'}
        7   {'Unlock (i.e. post screensaver)'}
        8   {'NetworkCleartext (i.e. IIS)'}
        9   {'NewCredentials (i.e. local impersonation process under existing connection)'}
        10  {'RemoteInteractive (i.e. RDP)'}
        11  {'CachedInteractive (i.e. interactive, but without network connection to validate against AD)'}
        default {"LogType Not Recognised: $_"}
    }
}}

Information on the related EventIds we're filtering on can be found here:

  • Successful Logon: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624
  • Reconnected Session: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4778

For RDP connections you're specifically interested in LogType 10 (RemoteInteractive); here I've not filtered, in case the other types are of use, but it's trivial to add another filter if required.

You'll also need to ensure these logs are created; to do that:

  • Click Start
  • Select Control Panel
  • Select Administrative Tools
  • Open Local Security Policy
  • Navigate Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Logon/Logoff
  • Amend Audit Logon to Success
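
Added example (not code from any of the answers above): the same RDP-logon query done against the event XML with a server-side XPath filter on LogonType 10, so no regex over the rendered message is needed. It assumes PowerShell 2.0 or later on the 2008 R2 box with "Audit Logon" set to Success as described above; the subnet pattern at the end is a constructed placeholder.

```powershell
# Added example, not part of the original answers. Assumes "Audit Logon" = Success so 4624 exists.
function Get-RdpLogon {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 200
    )
    # XPath: successful logons (4624) whose LogonType is 10 (RemoteInteractive, i.e. RDP).
    # Filtering in the query is far cheaper than pulling every Security event and parsing it.
    $xpath = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='10']]"

    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents |
        ForEach-Object {
            # EventData fields are named in the event XML, so each value is read by name.
            [xml]$xml = $_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            New-Object PSObject -Property @{
                TimeCreated = $_.TimeCreated
                ClientIP    = $data['IpAddress']        # "-" when no network address was recorded
                Workstation = $data['WorkstationName']
                User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonType   = $data['LogonType']
            }
        } | Sort-Object TimeCreated -Descending
}

# Usage: list the most recent RDP logons, then show the ones whose source address is not on
# the expected management subnet (constructed placeholder range; change it to your own).
$logons = Get-RdpLogon
$logons | Format-Table TimeCreated, ClientIP, User, Workstation -AutoSize

$expectedSubnet = '^10\.0\.5\.'
$logons |
    Where-Object { $_.ClientIP -and $_.ClientIP -ne '-' -and $_.ClientIP -notmatch $expectedSubnet } |
    Format-Table TimeCreated, ClientIP, User, Workstation -AutoSize
```

The same XPath shape works for the TerminalServices-LocalSessionManager/Operational channel mentioned in Solution 1, substituting that log name and its session event IDs.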

Solution 4:

Other than combing through the event logs, looking for Logon Type 10 (Remote Desktop) in the Security Log, or looking at the TerminalServices channel event logs, you'll need to use third party software.

In addition to TSL mentioned above, here is one other I've used with success in the past - Remote Desktop Reporter

http://www.rdpsoft.com/products

If you go third party, make sure you evaluate several and get price quotes from each vendor ... there is a huge discrepancy in price - some vendors price per named user, some per concurrent user, and some simply by server. Make sure also that the solution comes with its own database or a lite version of SQL - otherwise you'll get hit with database license costs as well.