RDP Logs Reporting: An Overview

Virtual desktop infrastructure (VDI) networks can run into all kinds of problems, from network connectivity to sluggish application delivery and functionality snags. End users are not usually interested in how the technology works—they are only concerned about performance. Therefore, businesses need to ensure they don’t get hit with downtime costs and that end users have a good virtual desktop experience.

The key to successfully designing, implementing, and maintaining a high-performance infrastructure lies in effectively monitoring the health and performance of the server. Remote Desktop Protocol (RDP) logs are essential. Businesses can maintain peak efficiencies by proactively identifying issues, maintaining RDP logs, and recommending solutions. Using the right reporting tools that show a correlated picture of both virtual and physical resources is key.

How do I find the RDP logs in Event Viewer?

RDP connection logs can be viewed in the Windows Event Viewer (eventvwr.msc). RDP activity is spread over several logs (Security, System and the TerminalServices operational logs), and each event mixes several kinds of data, so it can be difficult to find the exact event you need. The basic events of particular interest to the administrator are:

1. Network Connection

Purpose: Establishment of a network connection from the RDP client to the server
Event ID: 1149
Location: Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-RemoteConnectionManager -> Operational
How to filter these logs: Right-click the log -> Filter Current Log -> Event ID 1149
Some log contents: Username, Domain, IP address of the client
Caveat: The event text says "User authentication succeeded", but 1149 only proves that a client reached the RDP listener. With Network Level Authentication (NLA) enabled the user has passed CredSSP pre-authentication at this point; with NLA disabled the user and domain fields may be empty or whatever the client sent, and the real authentication result is in Security event 4624/4625.

Purpose: Indicates that a logon was attempted using explicit credentials
Event ID: 4648
Location: Windows Logs -> Security
How to filter these logs: Right-click the log -> Filter Current Log -> Event ID 4648
Some log contents: Security ID, Account Name, Account Domain, Logon ID, Logon GUID, Target Server Name, Process Name
Caveat: 4648 is recorded on the machine where the credentials were supplied, so for RDP look for it on the client first: Process Name is mstsc.exe and Target Server Name names the RDP server.

2. Authentication

Purpose: Shows whether an RDP client has successfully authenticated to the server
Event ID: 4624 – Successful logon
4625 – Failed logon
Location: Windows Logs -> Security
How to filter these logs: Right-click the log -> Filter Current Log -> Event ID 4624 / 4625
Some log contents: Logon Type, account name and domain, Logon ID, source network address, workstation name; 4625 also carries Status and Sub Status codes that say why the logon failed (for example 0xC000006A wrong password, 0xC0000064 unknown user)
Caveat: Logon Type 10 (RemoteInteractive) means a new RDP session and 7 (Unlock) means a reconnect to an existing session. With NLA enabled the server first records a Logon Type 3 (Network) logon for the same account when CredSSP pre-authentication succeeds, and failed attempts through NLA are logged as 4625 with Logon Type 3, not 10, so a filter on type 10 alone misses password guessing against RDP.

3. Logon

Purpose: Refers to an RDP session logon, an event that appears after the user has been successfully authenticated
Event ID: 21
Location: Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational
How to filter these logs: Right-click the log -> Filter Current Log -> Event ID 21
Some log contents: User, Session ID, Source network address

4. Session Disconnect/Reconnect

Purpose: Covers session disconnect/reconnect events caused by the system, the network, or the user
Event ID: 24 – Session has been disconnected
25 – Session reconnection succeeded
39 – Session has been disconnected by another session (for example an administrator, or a second logon by the same user)
40 – Session has been disconnected, with a reason code
4778 – A session was reconnected to a Window Station
4779 – A session was disconnected from a Window Station
Location: 24, 25, 39, 40 – Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational
4778, 4779 – Windows Logs -> Security
How to filter these logs: Right-click the log -> Filter Current Log -> Event ID 24/25/39/40/4778/4779
Some log contents: 24, 25 – User, Session ID, Source network address; 39, 40 – the session IDs involved and the reason code; 4778, 4779 – Account Name, Account Domain, Logon ID, Session Name (for example RDP-Tcp#3), Client Name, Client Address

5. Logoff

Purpose: Covers events of a deliberate logoff
Event ID: 23 – Remote Desktop Services session logoff succeeded
4634 – An account was logged off (carries the Logon Type, so an ending RDP session shows Logon Type 10 or 7; a user-initiated logoff is normally preceded by 4647 "User initiated logoff")
9009 – The Desktop Window Manager has exited with code
Location: 23 – Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational
4634 – Windows Logs -> Security
9009 – Windows Logs -> System (source: Desktop Window Manager)
How to filter these logs: Right-click the log -> Filter Current Log -> Event ID 23/4634/9009
Some log contents: 23 – User, Session ID; 4634 – Security ID, Account Name, Account Domain, Logon ID, Logon Type
Caveat: 9009 is informational and is written whenever the desktop compositor exits, so on its own it is a weak signal; tie it to a 23 or 4634 at the same time.
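The same LocalSessionManager events (21, 23, 24, 25) can be pulled by script instead of filtered by hand in Event Viewer, and once they are keyed by Session ID they give a per-session timeline: logon, disconnects, reconnects (including from a different client address) and logoff. The following is an added example written for this page; it is not code from the article or from Parallels. The function names, the host name RDSH01.corp.example and the embedded sample events are my own constructions, and the events are parsed from the UserData/EventXML elements rather than from the message text, so the parsing does not depend on the Windows display language.

```powershell
# Added example (not from the article, not Parallels code): query the RDS
# operational log with Get-WinEvent instead of clicking through Event Viewer, and
# rebuild each RDP session's timeline from LocalSessionManager events 21/23/24/25
# keyed by Session ID. Function names and the sample events are my own constructions.

# Event IDs in Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
$LsmEventNames = @{ 21 = 'Logon'; 23 = 'Logoff'; 24 = 'Disconnect'; 25 = 'Reconnect' }

function ConvertFrom-LsmEventXml {
    # These events carry User/SessionID/Address as elements under UserData/EventXML,
    # so they are read by name instead of regex-matching the (localised) message text.
    param([Parameter(Mandatory)][string]$Xml)
    $x  = [xml]$Xml
    $u  = $x.Event.UserData.EventXML
    $id = [int]$x.Event.System.EventID
    [pscustomobject]@{
        TimeCreated = [datetimeoffset]$x.Event.System.TimeCreated.SystemTime  # UTC, as logged
        Computer    = $x.Event.System.Computer
        EventID     = $id
        Action      = $LsmEventNames[$id]
        User        = $u.User
        SessionID   = [int]$u.SessionID
        Address     = $u.Address          # not present on 23 (logoff), so $null there
    }
}

function Get-RdpSessionTimeline {
    # Group parsed events by host and Session ID and summarise each session.
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Sort-Object TimeCreated | Group-Object Computer, SessionID | ForEach-Object {
        $evts   = $_.Group
        $logon  = $evts | Where-Object EventID -eq 21 | Select-Object -First 1
        $logoff = $evts | Where-Object EventID -eq 23 | Select-Object -Last 1
        [pscustomobject]@{
            Computer   = $evts[0].Computer
            SessionID  = $evts[0].SessionID
            User       = $evts[0].User
            Clients    = ($evts.Address | Where-Object { $_ } | Sort-Object -Unique) -join ','
            LogonTime  = $logon.TimeCreated
            LogoffTime = $logoff.TimeCreated              # $null while the session is still open
            Duration   = $(if ($logon -and $logoff) { $logoff.TimeCreated - $logon.TimeCreated })
            Reconnects = @($evts | Where-Object EventID -eq 25).Count
            Timeline   = ($evts | ForEach-Object { '{0:HH:mm} {1}' -f $_.TimeCreated, $_.Action }) -join ' > '
        }
    }
}

function Get-RdpSessionTimelineLive {
    # Same parsing over the real log; pass every RD Session Host of a farm in -ComputerName.
    param([string[]]$ComputerName = @($env:COMPUTERNAME), [int]$Hours = 24)
    $filter = @{ LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
                 Id        = 21, 23, 24, 25
                 StartTime = (Get-Date).AddHours(-$Hours) }
    $events = foreach ($c in $ComputerName) {
        Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object { ConvertFrom-LsmEventXml $_.ToXml() }
    }
    Get-RdpSessionTimeline -Events $events
}

function New-LsmSampleXml([int]$Id, [string]$Time, [string]$User, [int]$Session, [string]$Address) {
    # Constructed sample in the real event layout (UserData/EventXML); not captured data.
    $addr = if ($Address) { "<Address>$Address</Address>" } else { '' }
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-TerminalServices-LocalSessionManager"/>
    <EventID>$Id</EventID><TimeCreated SystemTime="$Time"/><Computer>RDSH01.corp.example</Computer></System>
  <UserData><EventXML xmlns="Event_NS"><User>$User</User><SessionID>$Session</SessionID>$addr</EventXML></UserData>
</Event>
"@
}

# Offline demo: one session that disconnects and is later reconnected from a second
# client before logging off, plus a service account session that is still open.
$SampleEvents = @(
    New-LsmSampleXml 21 '2024-05-01T08:15:02Z' 'CORP\jdoe'       3 '10.0.0.5'
    New-LsmSampleXml 24 '2024-05-01T09:40:11Z' 'CORP\jdoe'       3 '10.0.0.5'
    New-LsmSampleXml 25 '2024-05-01T13:02:45Z' 'CORP\jdoe'       3 '10.0.0.9'
    New-LsmSampleXml 23 '2024-05-01T17:30:00Z' 'CORP\jdoe'       3 ''
    New-LsmSampleXml 21 '2024-05-01T10:00:00Z' 'CORP\svc_backup' 4 '203.0.113.7'
) | ForEach-Object { ConvertFrom-LsmEventXml $_ }

Get-RdpSessionTimeline -Events $SampleEvents | Format-List
```

Run as-is, the offline demo prints two sessions: jdoe's session 3 with Clients 10.0.0.5,10.0.0.9, one reconnect and a Duration of about 9 hours 15 minutes, and svc_backup's session 4 with no LogoffTime because no event 23 has arrived yet. A reconnect from an address the user never logged on from before, or an open session for a service account, is exactly the kind of thing a timeline like this surfaces and a raw Event Viewer filter does not. Get-RdpSessionTimelineLive does the same against the real log and accepts several hosts at once for a farm.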

6. ClientActiveX

Purpose: Indicates that the RDP client (ClientActiveX) is trying to connect to a server
Event ID: 1024
Location: Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-ClientActiveXCore -> Microsoft-Windows-TerminalServices-RDPClient/Operational
How to filter these logs: Right-click the log -> Filter Current Log -> Event ID 1024
Some log contents: Name of the server the client is connecting to (the neighbouring event 1102 in the same log records the server IP address)
Caveat: Unlike the events above, 1024 is written on the client machine, not on the RDP server, so it is where to look when reconstructing which servers a given workstation connected to.

Limitations of Out-of-the-Box RDP Logs

Comprehension Difficulty

Out-of-the-box RDP logs in Event Viewer are hard to work with even for experienced administrators. A single RDP session leaves events in the Security log, the System log and several TerminalServices operational logs, each event packs different kinds of data into free text, and nothing links them together, which makes forensic analysis slow and error-prone.

Absence of Reports

Windows Event Viewer cannot produce RDP reports that are directly usable for forensic analysis.

When an incident occurs, you have to walk through each log and each event by hand to reconstruct what happened, which costs a great deal of time and expertise.

Getting Remote Desktop Login History with PowerShell

A Quick PowerShell Script that Provides the History of All RDP Connections for the Current Day

The connection time, the client's IP address (taken from the Source Network Address field) and the remote user name are displayed in the table. The script keeps only Logon Type 10; other logon types can be included by adjusting the filter.

# Runs in Windows PowerShell 5.1 (Get-EventLog is not available in PowerShell 7) and
# needs rights to read the Security log. It parses the English message text, so on a
# non-English Windows the regular expressions below will not match.
$LogonTypes = 10                      # add 7 to include reconnects to an existing session
$Since      = Get-Date -Hour 0 -Minute 0 -Second 0
$TypeRegex  = "logon type:\s+($($LogonTypes -join '|'))\s"

# Only 4624 is useful here: 4778 has no "Logon Type" line, so it can never pass the regex.
Get-EventLog -LogName Security -After $Since |
    Where-Object { $_.EventID -eq 4624 -and $_.Message -match $TypeRegex } |
    ForEach-Object {
        [pscustomobject]@{
            TimeGenerated = $_.TimeGenerated
            ClientIP      = $_.Message -replace '(?smi).*Source Network Address:\s+([^\s]+)\s+.*', '$1'
            # The greedy .* makes these take the last "Account Name:"/"Account Domain:" in the
            # message, i.e. the "New Logon" block rather than the "Subject" block.
            UserName      = $_.Message -replace '(?smi).*\s\sAccount Name:\s+([^\s]+)\s+.*', '$1'
            UserDomain    = $_.Message -replace '(?smi).*\s\sAccount Domain:\s+([^\s]+)\s+.*', '$1'
            LogonType     = $_.Message -replace '(?smi).*Logon Type:\s+([^\s]+)\s+.*', '$1'
        }
    } |
    Sort-Object TimeGenerated -Descending |
    Select-Object TimeGenerated, ClientIP,
        @{ N = 'Username'; E = { '{0}\{1}' -f $_.UserDomain, $_.UserName } },
        @{ N = 'LogType';  E = {
            # Inside switch, $_ is the value being tested (the Logon Type string)
            switch ($_.LogonType) {
                2  { 'Interactive - local logon' }
                3  { 'Network (connection to shared folder)' }
                4  { 'Batch' }
                5  { 'Service' }
                7  { 'Unlock (after screensaver)' }
                8  { 'NetworkCleartext' }
                9  { 'NewCredentials (local impersonation process under existing connection)' }
                10 { 'RDP' }
                11 { 'CachedInteractive' }
                default { "LogType Not Recognised: $_" }
            }
        } }

On a single RD Session Host you can use this approach to gather and interpret RDP connection logs. If your RDS farm has several hosts, run the script against each of them (Get-EventLog accepts -ComputerName) or collect the events centrally, for example with Windows Event Forwarding, and run it on the collector.
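The message-text regexes above only match on an English Windows, and a type-10-only filter never sees the failed attempts that precede a compromised RDP logon when NLA is in use. The following added example, written for this page and not taken from the article or from Parallels, reads 4624/4625 by EventData field name (locale-independent), keeps the Logon Type 3 events that NLA produces, and flags any client address with a burst of failures, noting whether an RDP logon from that address succeeded afterwards. The function names, the threshold and window, the host name RDSH01.corp.example and the embedded sample events are my own assumptions; Get-RdpLogonEventsLive runs the same parsing against the real Security log.

```powershell
# Added example (not from the article, not Parallels code): read 4624/4625 from the
# Security log by EventData field name, which works on any Windows display language
# (the message-text regexes above only match English), and flag client addresses
# with a burst of failed RDP logons. Function names, the threshold and the sample
# events are my own assumptions.

$LogonTypeNames = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
                     8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

function ConvertFrom-SecurityEventXml {
    # Flatten <Data Name="...">value</Data> into a hashtable and pick the fields we need.
    param([Parameter(Mandatory)][string]$Xml)
    $x = [xml]$Xml
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    $lt = [int]$d['LogonType']
    [pscustomobject]@{
        TimeCreated   = [datetimeoffset]$x.Event.System.TimeCreated.SystemTime
        EventID       = [int]$x.Event.System.EventID
        LogonType     = $lt
        LogonTypeName = $LogonTypeNames[$lt]
        User          = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
        ClientIP      = $d['IpAddress']
        SubStatus     = $d['SubStatus']   # 4625 only: 0xC000006A bad password, 0xC0000064 unknown user
    }
}

function Find-RdpLogonBursts {
    # With NLA, the server logs CredSSP pre-auth as Logon Type 3 before the Type 10 (or 7 on
    # reconnect) session logon, and failures through NLA are 4625 with Logon Type 3, so the
    # failure filter must include type 3 or password guessing against RDP is never seen.
    param([Parameter(Mandatory)][object[]]$Events,
          [int]$Threshold = 5,
          [timespan]$Window = [timespan]::FromMinutes(10))
    $failed = $Events | Where-Object { $_.EventID -eq 4625 -and $_.LogonType -in 3, 10 }
    $okRdp  = $Events | Where-Object { $_.EventID -eq 4624 -and $_.LogonType -in 7, 10 }
    foreach ($grp in ($failed | Group-Object ClientIP)) {
        $times = @($grp.Group | Sort-Object TimeCreated | ForEach-Object TimeCreated)
        # Sliding window: any $Threshold failures within $Window of each other is a burst.
        $burst = $false
        for ($i = 0; $i -lt $times.Count -and -not $burst; $i++) {
            $inWindow = @($times | Where-Object { $_ -ge $times[$i] -and ($_ - $times[$i]) -le $Window }).Count
            if ($inWindow -ge $Threshold) { $burst = $true }
        }
        if (-not $burst) { continue }
        # A successful RDP logon from the same address after the burst is the case to escalate.
        $after = $okRdp | Where-Object { $_.ClientIP -eq $grp.Name -and $_.TimeCreated -ge $times[-1] } |
                 Select-Object -First 1
        [pscustomobject]@{
            ClientIP       = $grp.Name
            Failures       = $grp.Count
            Accounts       = ($grp.Group.User | Sort-Object -Unique) -join ','
            FirstFailure   = $times[0]
            LastFailure    = $times[-1]
            SucceededAfter = $after.User
        }
    }
}

function Get-RdpLogonEventsLive([int]$Hours = 24) {
    # Live query (needs rights to read the Security log); add -ComputerName for other hosts.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SecurityEventXml $_.ToXml() }
}

function New-SecuritySampleXml([int]$Id, [string]$Time, [string]$User, [int]$LogonType, [string]$Ip, [string]$SubStatus = '') {
    # Constructed sample using the real EventData field names; not captured data.
    $fail = if ($Id -eq 4625) { '<Data Name="Status">0xC000006D</Data><Data Name="SubStatus">{0}</Data>' -f $SubStatus } else { '' }
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>$Id</EventID>
    <TimeCreated SystemTime="$Time"/><Computer>RDSH01.corp.example</Computer></System>
  <EventData><Data Name="TargetUserName">$User</Data><Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">$LogonType</Data><Data Name="IpAddress">$Ip</Data>$fail</EventData>
</Event>
"@
}

# Offline demo: a normal morning logon, a five-attempt spray from 203.0.113.7 that ends in a
# successful NLA (type 3) + session (type 10) logon for jdoe, and one harmless typo from the LAN.
$SampleEvents = @(
    New-SecuritySampleXml 4624 '2024-05-01T08:15:02Z' 'jdoe'          10 '10.0.0.5'
    New-SecuritySampleXml 4625 '2024-05-01T22:10:05Z' 'administrator'  3 '203.0.113.7' '0xC000006A'
    New-SecuritySampleXml 4625 '2024-05-01T22:10:09Z' 'admin'          3 '203.0.113.7' '0xC0000064'
    New-SecuritySampleXml 4625 '2024-05-01T22:10:14Z' 'jdoe'           3 '203.0.113.7' '0xC000006A'
    New-SecuritySampleXml 4625 '2024-05-01T22:10:20Z' 'jdoe'           3 '203.0.113.7' '0xC000006A'
    New-SecuritySampleXml 4625 '2024-05-01T22:10:27Z' 'jdoe'           3 '203.0.113.7' '0xC000006A'
    New-SecuritySampleXml 4624 '2024-05-01T22:10:33Z' 'jdoe'           3 '203.0.113.7'
    New-SecuritySampleXml 4624 '2024-05-01T22:10:34Z' 'jdoe'          10 '203.0.113.7'
    New-SecuritySampleXml 4625 '2024-05-01T09:01:00Z' 'asmith'         3 '10.0.0.20'   '0xC000006A'
) | ForEach-Object { ConvertFrom-SecurityEventXml $_ }

Find-RdpLogonBursts -Events $SampleEvents | Format-List
```

With the sample data the script reports one address, 203.0.113.7, with five failures in 22 seconds against administrator, admin and jdoe, and SucceededAfter set to CORP\jdoe because a type 10 logon from that address followed the burst; the single failure from 10.0.0.20 stays below the threshold. To run it against a live host, replace the sample with `Find-RdpLogonBursts -Events (Get-RdpLogonEventsLive -Hours 24)`, and for a farm run it on each RD Session Host or on a Windows Event Forwarding collector. The threshold and window are starting points, not tuned values; a 4625 with Sub Status 0xC0000064 (unknown user) from an external address is worth a look even on its own.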

Parallels RAS Leverages MS SQL Reporting Services

Parallels® Remote Application Server (RAS) offers a comprehensive platform to effectively monitor and manage VDI networks from anywhere, at any time. To provide analytics for better decision-making, Parallels has introduced a reporting engine. By leveraging Microsoft SQL Reporting Services, Parallels RAS provides critical insights for administrators to identify and remove bottlenecks while improving the performance and efficiency of the system.

Reporting describes important end-user activity through Parallels RAS, including apps used, how long they were used, which devices were used to access published resources, and times when users accessed resources. By analyzing these RDP logs, you can gain a wealth of information, enabling you to provide a rich VDI experience.

To generate reports, Parallels Reporting Service and Microsoft SQL have to be installed and configured on the same machine or on a system running in the same network. Parallels RAS is then configured to communicate with the SQL Server. Using the step-by-step wizard, you can quickly install and configure Parallels Reporting Service to monitor RDP logs.

Parallels Reports: RDP Logs

Parallels RAS, the one-stop-shop for RDP logs, provides 14 types of reports that are categorized into five groups:

There are several virtualization tools in the market, but Parallels RAS is the only solution that provides this powerful reporting engine within the standard license. Parallels RAS is a comprehensive virtual desktop and application delivery solution that enables you to effectively monitor and manage the entire infrastructure.

Check out Parallels RAS and how its reporting capabilities can be ideal for your network!
