RDP Logs Reporting – The One Stop Shop

From network connectivity to sluggish application delivery and functionality snags, virtual desktop infrastructure (VDI) networks can run into all kinds of problems. End users are not usually interested in how the technology works—they are only concerned about performance. Therefore, businesses need to ensure that end users have a good virtual desktop experience. Moreover, according to Information Technology Intelligence Consulting, downtime costs now range between $1 and $5 million per hour for 40% of businesses, excluding legal fees and penalties.

The key to successfully designing, implementing, and maintaining a high-performance infrastructure lies in effectively monitoring the health and performance of the server. Thus, Remote Desktop Protocol (RDP) logs are essential. By proactively identifying issues, maintaining RDP logs, and recommending solutions, businesses can maintain peak efficiencies. Using the right reporting tools that show a correlated picture of both virtual and physical resources is key.

How do I find the RDP logs in Event Viewer?

RDP connection logs can be viewed in the Windows Event Viewer (eventvwr.msc). Since these logs contain a variety of data, it can be difficult to find the exact event you need. The basic logs that are of particular interest to the administrator are:

1. Network Connection

Purpose: Establishment of a network connection from an RDP client to the server
EventID: 1149
Location: Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-RemoteConnectionManager -> Operational
How to filter these logs: Right-click a network connection log and click Filter -> Current Log -> EventID 1149
Some log contents: Username, Domain (if Network Level Authentication (NLA) is used), IP address of the client

Purpose: Indicates whether a logon was attempted using explicit credentials
EventID: 4648
Location: Windows -> Security
How to filter these logs: Right-click on a success audit log and click Filter -> Current Log -> EventID 4648
Some log contents: Security ID, Account Name, Account Domain, Logon ID, Logon GUID, Target Server Name

2. Authentication

Purpose: Shows whether an RDP client has successfully authenticated to the server
EventID: 4624 – Successful authentication
4625 – Failed authentication
Location: Windows -> Security
How to filter these logs: Right-click on an authentication log and click Filter -> Current Log -> EventID 4624 / 4625
Some log contents: LogonType (10 for a new session, 7 for an existing RDP session), account name, source network address, workstation name

3. Logon

Purpose: Refers to an RDP logon, an event that appears after a user has successfully authenticated
EventID: 21
Location: Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational
How to filter these logs: Right-click a logon log and click Filter -> Current Log -> EventID 21
Some log contents: Source network address, Session ID

4. Session Disconnect/Reconnect

Purpose: Covers session connect/disconnect events caused by system, network, or user actions
EventID: 24 – Disconnected session
25 – Reconnection succeeded
39 – Disconnected by session
40 – Disconnected because of a reason
4778 – Session reconnected to Window Station
4799 – Session disconnected from Window Station
Location: 24, 25, 39, 40 – Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational
4778, 4799 – Windows -> Security
How to filter these logs: Right-click a session disconnect/reconnect log and click Filter -> Current Log -> EventID 24/25/39/40/4778/4799
Some log contents: Source network address, Session ID

5. Logoff

Purpose: Covers events of a deliberate logoff
EventID: 23 – Remote Desktop Services session logoff succeeded
4634 – Account logged off
9009 – Desktop Window Manager has exited with code
Location: 23 – Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational
4634, 9009 – Windows -> Security
How to filter these logs: Right-click a logoff log and click Filter -> Current Log -> EventID 23/4634/9009
Some log contents: Client's IP address, Connection Time, Remote User Name

6. ClientActiveX

Purpose: Indicates whether the RDP ClientActiveX control is trying to connect to a server
EventID: 1024
Location: Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-ClientActiveXCore
How to filter these logs: Right-click on an event log and click Filter -> Current Log -> EventID 1024
Some log contents: Security ID, Logon GUID, Process ID, Process Name, Account Name, Account Domain
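
The script below is an added worked example, not code from the article or from Parallels: it pulls the events listed above with Get-WinEvent and merges them into one chronological timeline, so a single client's connection (1149), authentication (4624/4625), session (21/24/25) and logoff (23) events can be read in order. The log names, the property order of events 1149 and 21/23/24/25, and the 24-hour window are assumptions; run it elevated on the RDP host.

```powershell
# Added example, not code from the article or from Parallels: build one chronological
# RDP timeline from the logs listed above. Assumed: default log names, the documented
# field order of events 1149 and 21/23/24/25, a 24-hour window; run elevated on the host.
function Get-EventField {
    # Return the <Data Name="..."> value from a Security event's EventData block.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-RdpTimeline {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $rcm   = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
    $lsm   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    $rows  = [System.Collections.Generic.List[object]]::new()

    # 1149: a client reached the RDP listener. Param1/Param2 (user, domain) are only
    # filled when NLA is enabled; Param3 is the client IP address.
    Get-WinEvent -FilterHashtable @{ LogName = $rcm; Id = 1149; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { $p = $_.Properties
            $rows.Add([pscustomobject]@{ Time = $_.TimeCreated; Id = 1149; Stage = 'Connection'
                User = "$($p[1].Value)\$($p[0].Value)"; Client = $p[2].Value; Session = $null }) }

    # 4624/4625: keep only LogonType 10 (new RDP session) and 7 (existing session),
    # as the article notes; other logon types are not RDP.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventField $_ 'LogonType') -in '10', '7' } |
        ForEach-Object {
            $rows.Add([pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id
                Stage  = $(if ($_.Id -eq 4624) { 'AuthSuccess' } else { 'AuthFailure' })
                User   = "$(Get-EventField $_ 'TargetDomainName')\$(Get-EventField $_ 'TargetUserName')"
                Client = (Get-EventField $_ 'IpAddress'); Session = $null }) }

    # 21/23/24/25: session logon, logoff, disconnect, reconnect (User, SessionID, Address).
    $stage = @{ 21 = 'Logon'; 23 = 'Logoff'; 24 = 'Disconnect'; 25 = 'Reconnect' }
    Get-WinEvent -FilterHashtable @{ LogName = $lsm; Id = 21, 23, 24, 25; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { $p = $_.Properties
            $rows.Add([pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Stage = $stage[[int]$_.Id]
                User = $p[0].Value; Client = $p[2].Value; Session = $p[1].Value }) }

    $rows | Sort-Object Time
}
$timeline = Get-RdpTimeline -Hours 24
$timeline | Format-Table Time, Id, Stage, User, Client, Session -AutoSize

# Failed RDP authentications per source address: a quick password-spray / brute-force check.
$timeline | Where-Object Stage -eq 'AuthFailure' | Group-Object Client |
    Sort-Object Count -Descending | Select-Object Count, Name -First 10
```

The Security log is large on busy hosts, so narrow the window with -Hours or add a -MaxEvents limit to the Get-WinEvent calls before running it over weeks of history.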

Limitations of out-of-the-box RDP logs

1. Comprehension difficulty

Out-of-the-box RDP logs that are visible in Event Viewer are difficult to comprehend, even for the most technical people. Windows logs contain chunks of different types of data, making forensic analysis a difficult domain to conquer.

2. Absence of reports

Windows Event Viewer cannot produce RDP reports that can be used for forensic analysis.

After an incident, you need to go through each log by hand to reconstruct every situation, wasting vast amounts of time and expertise.

Parallels RAS Leverages MS SQL Reporting Services

Parallels® Remote Application Server (RAS) offers a comprehensive platform to effectively monitor and manage VDI networks from anywhere, at any time. To provide analytics for better decision-making, Parallels has introduced a reporting engine. By leveraging Microsoft SQL Reporting Services, Parallels RAS provides critical insights for administrators to identify and remove bottlenecks while improving the performance and efficiency of the system.

Reporting describes important end-user activity through Parallels RAS, including apps used, how long they were used for, which devices were used to access published resources and times when users accessed resources. By analyzing these RDP logs, you can gain a wealth of information, enabling you to provide a rich VDI experience.

To generate reports, Parallels Reporting Service and Microsoft SQL have to be installed and configured on the same machine or on a system running in the same network. Parallels RAS is then configured to communicate with the SQL Server. Using the step-by-step wizard, you can quickly install and configure Parallels Reporting Service to monitor RDP logs.

Parallels Reports – RDP Logs

Parallels RAS, the one-stop-shop for RDP logs, provides 14 types of reports that are categorized into five groups:

There are several virtualization tools in the market, but Parallels RAS is the only solution that provides this powerful reporting engine within the standard license. Parallels RAS is a comprehensive virtual desktop and application delivery solution that enables you to monitor and manage the entire infrastructure effectively.

Check out Parallels RAS and how its microsegmentation capabilities can be ideal for your network by downloading your 30-day Parallels RAS trial.
