How to collect RDP access logs for my windows machine?

Question

HI,
I have production windows server and have one more Jump box which is used to log on to Production server. Without jumpbox no one can log on to the production machine. My case, I have created more than 3 administrator user in jump box server. Now i would like to collect RDP access logs from Azure portal. Is this possible to collect Remote access logs of all users from Azure VM portal. Can any one please advice on this?

Answer 1

Hi @Lakshmi Narayanan

You can check RDP access logs on the windows machine can't from azure portal.

Network Connection is the establishment of a network connection to a server from a user RDP client. It is the event with the EventID 1149 (Remote Desktop Services: User authentication succeeded). If this event is found, it doesn’t mean that user authentication has been successful. This log is located in “Applications and Services Logs -> Microsoft -> Windows -> Terminal-Services-RemoteConnectionManager > Operational”

Authentication shows whether an RDP user has been successfully authenticated on the server or not. The log is located in “Windows -> Security”. So you may be interested in the events with the EventID 4624 (An account was successfully logged on) or 4625

Logon refers to an RDP logon to the system, an event that appears after a user has been successfully authenticated. It is an event with the EventID 21 (Remote Desktop Services: Session logon succeeded). This events are located in the “Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational”

You can get the list of events related to successful RDP authentication (EventID 4624) using this PowerShell command:

Get-EventLog security -after (Get-date -hour 0 -minute 0 -second 0) | ?{$_.eventid -eq 4624 -and $_.Message -match 'logon type:\s+(10)\s'} | Out-GridView  

Here is a short PowerShell script that lists the history of all RDP connections for the current day from the terminal RDS server logs. The resulting table shows the connection time, the client’s IP address and the remote user name (if necessary, you can include other LogonTypes to the report).

Get-EventLog -LogName Security -after (Get-date -hour 0 -minute 0 -second 0)| ?{(4624,4778) -contains $_.EventID -and $_.Message -match 'logon type:\s+(10)\s'}| %{  
(new-object -Type PSObject -Property @{  
TimeGenerated = $_.TimeGenerated  
ClientIP = $_.Message -replace '(?smi).*Source Network Address:\s+([^\s]+)\s+.*','$1'  
UserName = $_.Message -replace '(?smi).*Account Name:\s+([^\s]+)\s+.*','$1'  
UserDomain = $_.Message -replace '(?smi).*Account Domain:\s+([^\s]+)\s+.*','$1'  
LogonType = $_.Message -replace '(?smi).*Logon Type:\s+([^\s]+)\s+.*','$1'  
})  
} | sort TimeGenerated -Descending | Select TimeGenerated, ClientIP `  
, @{N='Username';E={'{0}\{1}' -f $_.UserDomain,$_.UserName}} `  
, @{N='LogType';E={  
switch ($_.LogonType) {  
2 {'Interactive - local logon'}  
3 {'Network connection to shared folder)'}  
4 {'Batch'}  
5 {'Service'}  
7 {'Unlock (after screensaver)'}  
8 {'NetworkCleartext'}  
9 {'NewCredentials (local impersonation process under existing connection)'}  
10 {'RDP'}  
11 {'CachedInteractive'}  
default {"LogType Not Recognised: $($_.LogonType)"}  
}  
}}  

refer - http://woshub.com/rdp-connection-logs-forensics-windows/

If the Answer is helpful, please click Accept Answer and up-vote, this can be beneficial to other community members.