Azure Bastion RDP session auditing

Question

Azure Bastion RDP session auditing

David@WMC 21

Hi there,
Is it possible to record all the activities for the Azure Bastion RDP session for audit purpose. According to Microsoft official documentation, I knew the Azure Bastion SSH session could record a audit log for the actions have been taken in the VM to some extent. However, it seems there's no audit trail for RDP session. Is there any solution for that purpose?

KapilAnanth-MSFT 15,031 Reputation points Microsoft Employee

2022-11-07T16:01:02.903+00:00

Hi @David@WMC ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you would like to audit the Bastion sessions.

I see @Michael Durkan has shared the logging/monitoring feature supported as of now.

Kindly let us know if you require additional details on this.
If not, request you to Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.

Thanks,
Kapil

KapilAnanth-MSFT 15,031 Reputation points Microsoft Employee

2022-11-07T16:01:02.903+00:00

Hi @David@WMC ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you would like to audit the Bastion sessions.

I see @Michael Durkan has shared the logging/monitoring feature supported as of now.

Kindly let us know if you require additional details on this.
If not, request you to Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.

Thanks,
Kapil

Answer 1

Michael Durkan 9,926 MVP

Hi

you can enable diagnostic logging using Log Analytics which will record all remote session activity:

https://learn.microsoft.com/en-us/azure/bastion/diagnostic-logs

Thanks

Michael Durkan

If the reply was helpful please upvote and/or accept as answer as this helps others in the community with similar questions. Thanks!

David@WMC 21 Reputation points

2022-11-07T17:26:21.5+00:00

Can Log Analytics log GUI activities(Windows RDP session) as well? I knew the Azure Bastion can log the CLI activities for the Linux SSH session. Just double-check the capabilities of logging RDP session. Thanks!

Answer 2

KapilAnanth-MSFT 15,031 Microsoft Employee

Hi @David@WMC ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you would like to audit the Bastion sessions.

I see you have a follow-up question with @Michael Durkan 's answer.

Can Azure Bastion Log Analytics log GUI activities(Windows RDP session) ?

As of now, Azure Bastion cannot log OS related activities.
Bastion works at the platform level and has a limited visibility to the OS logs/errors

If you wish, you may vote in the below forums requesting this feature. All the feedback shared in these forums are monitored and reviewed by the Microsoft engineering teams responsible for building Azure

Feedback Hub

Cheers,
Kapil

----------------------------------------------------------------------------------------------------------------

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

David@WMC 21 Reputation points

2022-11-14T19:06:57.383+00:00

I'm not asking that if Azure Bastion has the visibility to the OS logs/errors. I'm asking can Bastion record all the activities that the remote user has done in the VM. Base on my past experience in AWS, AWS SSM can log all commands the remote user inputs and system returns. So, how about Bastion? And can Bastion records all activities initiated from the remote user in Windows VM server? I believe the audit function is very important features for a Bastion/Jumpbox system, isn't it? Please clarify to what extent Azure Bastion can do user behavior auditing. Thanks!
KapilAnanth-MSFT 15,031 Reputation points Microsoft Employee

2022-11-16T16:28:41.207+00:00

Hi @David@WMC ,

Thanks for your feedback.

As of now, Azure Bastion does not provide any auditing for the activities done by the remote user.

Bastion can log successful and non-successful login attempts.
This would log client IP, client Port, protocol used, timestamp and user email

Refer: Enable and work with Bastion resource logs

However, as mentioned earlier, request you to please leverage our Feedback Hub to add your suggestions to Azure Bastion Product Group

Cheers,
Kapil

----------------------------------------------------------------------------------------------------------------

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Azure Bastion RDP session auditing

1 additional answer

Activity