
RDP Logs Reporting: An Overview
Virtual desktop infrastructure (VDI) networks can run into all kinds of problems, from network connectivity to sluggish application delivery and functionality snags. End users are not usually interested in how the technology works—they are only concerned about performance. Therefore, businesses need to ensure they don’t get hit with downtime costs and that end users have a good virtual desktop experience.
The key to successfully designing, implementing, and maintaining a high-performance infrastructure lies in effectively monitoring the health and performance of the server. Remote Desktop Protocol (RDP) logs are essential. Businesses can maintain peak efficiencies by proactively identifying issues, maintaining RDP logs, and recommending solutions. Using the right reporting tools that show a correlated picture of both virtual and physical resources is key.
How do I find the RDP logs in Event Viewer?
RDP connection logs can be viewed in the Windows Event viewer (eventvwr.msc). Since these logs contain a variety of data, it can be difficult to find the exact event you need. The basic logs that particularly interest the administrator are:
1. Network Connection

| Field | Value |
| --- | --- |
| Purpose | Establishment of a network connection from an RDP client to the server |
| Event ID | 1149 |
| Location | Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-RemoteConnectionManager -> Operational |
| How to filter these logs | Right-click the log and choose Filter Current Log -> Event ID 1149 |
| Some log contents | Username, domain (if Network Level Authentication, NLA, is used), IP address of the client |

| Field | Value |
| --- | --- |
| Purpose | Indicates whether a logon was attempted using explicit credentials |
| Event ID | 4648 |
| Location | Windows Logs -> Security |
| How to filter these logs | Right-click the Security log and choose Filter Current Log -> Event ID 4648 |
| Some log contents | Security ID, Account Name, Account Domain, Logon ID, Logon GUID, Target Server Name |

2. Authentication

| Field | Value |
| --- | --- |
| Purpose | Shows whether an RDP client has successfully authenticated to the server |
| Event ID | 4624 – Successful authentication; 4625 – Failed authentication |
| Location | Windows Logs -> Security |
| How to filter these logs | Right-click the Security log and choose Filter Current Log -> Event ID 4624 / 4625 |
| Some log contents | Logon Type (10 for a new session, 7 for an existing RDP session), account name, source network address, workstation name |

3. Logon

| Field | Value |
| --- | --- |
| Purpose | Refers to an RDP logon, an event that appears after a user has been successfully authenticated |
| Event ID | 21 |
| Location | Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational |
| How to filter these logs | Right-click the log and choose Filter Current Log -> Event ID 21 |
| Some log contents | Source network address, Session ID |

4. Session Disconnect/Reconnect

| Field | Value |
| --- | --- |
| Purpose | Covers session disconnect/reconnect events caused by the system, the network, or the user |
| Event ID | 24 – Disconnected session; 25 – Reconnection succeeded; 39 – Disconnected by session; 40 – Disconnected because of a reason; 4778 – Session reconnected to Window Station; 4799 – Session disconnected from Window Station |
| Location | 24, 25, 39, 40 – Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational; 4778, 4799 – Windows Logs -> Security |
| How to filter these logs | Right-click the relevant log and choose Filter Current Log -> Event ID 24/25/39/40/4778/4799 |
| Some log contents | Source network address, Session ID |

5. Logoff

| Field | Value |
| --- | --- |
| Purpose | Covers events of a deliberate logoff |
| Event ID | 23 – Remote Desktop Services session logoff succeeded; 4634 – Account logged off; 9009 – Desktop Window Manager has exited with code |
| Location | 23 – Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational; 4634, 9009 – Windows Logs -> Security |
| How to filter these logs | Right-click the relevant log and choose Filter Current Log -> Event ID 23/4634/9009 |
| Some log contents | Client’s IP address, connection time, remote user name |

6. ClientActiveX

| Field | Value |
| --- | --- |
| Purpose | Indicates whether the RDP ClientActiveX control is trying to connect to a server |
| Event ID | 1024 |
| Location | Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-ClientActiveXCore |
| How to filter these logs | Right-click the log and choose Filter Current Log -> Event ID 1024 |
| Some log contents | Security ID, Logon GUID, Process ID, Process Name, Account Name, Account Domain |
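As an added example, not code from the original article or from Parallels, the correlation these tables describe carried out in Python over constructed event records: Security 4625 failures with Logon Type 10 counted per source address, successful Logon Type 10 4624 logons listed with domain\user and client IP, and LocalSessionManager 21/24/25/23 joined on their Session ID into one session timeline. The (channel, event ID, time, message) record shape, the sample message bodies, addresses, user names and the failure threshold are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample records (channel, event ID, time, message body). The bodies
# mimic the "Field:  value" layout Event Viewer shows; names and addresses are
# made up for this example.
SAMPLE_EVENTS = [
    ("Security", 4625, "09:00:01", "Account Name:\tjdoe\nLogon Type:\t10\nSource Network Address:\t203.0.113.9"),
    ("Security", 4625, "09:00:02", "Account Name:\tjdoe\nLogon Type:\t10\nSource Network Address:\t203.0.113.9"),
    ("Security", 4625, "09:00:03", "Account Name:\tadmin\nLogon Type:\t10\nSource Network Address:\t203.0.113.9"),
    ("Security", 4624, "09:05:10", "Subject:\nAccount Name:\tSYSTEM\nLogon Type:\t10\nNew Logon:\n"
                                   "Account Name:\tjdoe\nAccount Domain:\tCORP\nSource Network Address:\t10.0.0.5"),
    ("LocalSessionManager", 21, "09:05:11", "User: CORP\\jdoe\nSession ID: 3\nSource Network Address: 10.0.0.5"),
    ("LocalSessionManager", 24, "10:30:00", "User: CORP\\jdoe\nSession ID: 3\nSource Network Address: 10.0.0.5"),
    ("LocalSessionManager", 25, "10:35:00", "User: CORP\\jdoe\nSession ID: 3\nSource Network Address: 10.0.0.7"),
    ("LocalSessionManager", 23, "11:00:00", "User: CORP\\jdoe\nSession ID: 3"),
]

def field(message, name):
    """Last 'name: value' in the body; 4624 lists Account Name twice (Subject,
    then New Logon) and the New Logon block is the one that names the RDP user."""
    hits = re.findall(re.escape(name) + r":\s*(\S+)", message)
    return hits[-1] if hits else None

def build_rdp_report(events, fail_threshold=3):
    """Correlate Security 4624/4625 (Logon Type 10 only) with LocalSessionManager
    21/24/25/23, joining the session events on their Session ID."""
    failed_by_ip, logons, sessions = defaultdict(int), [], {}
    for channel, eid, ts, msg in sorted(events, key=lambda e: e[2]):
        if channel == "Security" and eid in (4624, 4625):
            if field(msg, "Logon Type") != "10":
                continue  # not an RDP logon; other logon types are out of scope
            ip = field(msg, "Source Network Address")
            if eid == 4625:
                failed_by_ip[ip] += 1
            else:
                logons.append((ts, f'{field(msg, "Account Domain")}\\{field(msg, "Account Name")}', ip))
        elif channel == "LocalSessionManager":
            s = sessions.setdefault(field(msg, "Session ID"), {"user": field(msg, "User"),
                "logon": None, "logoff": None, "disconnects": [], "reconnects": []})
            if eid in (21, 23):
                s["logon" if eid == 21 else "logoff"] = ts
            elif eid == 24:
                s["disconnects"].append(ts)
            elif eid == 25:  # keep the address: a reconnect from a new IP deserves a look
                s["reconnects"].append((ts, field(msg, "Source Network Address")))
    alerts = sorted(ip for ip, n in failed_by_ip.items() if n >= fail_threshold)
    return {"failed_by_ip": dict(failed_by_ip), "alerts": alerts, "logons": logons, "sessions": sessions}
```

On a real server the records would come from an export of the Security and LocalSessionManager channels; the report then gives, per day, the failed-logon sources worth investigating and the full connect/disconnect/reconnect/logoff history of each session.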
Limitations of Out-of-the-Box RDP Logs
Comprehension Difficulty
Out-of-the-box RDP logs visible in Event Viewer are difficult to comprehend, even for highly technical people. Windows logs mix many different types of data, which makes forensic analysis hard work.
Absence of Reports
Windows Event Viewer cannot produce RDP reports that are suitable for forensic analysis.
When an incident occurs, you have to go through each log by hand to piece together what happened, wasting vast amounts of time and expertise.
Getting Remote Desktop Login History with PowerShell
A Quick PowerShell Script that Provides the History of All RDP Connections for the Current Day
The table shows the connection time, the client’s IP address (or DNS computer name), and the remote user name (if necessary, you can include other logon types in the report too).
```powershell
# Security events since midnight: 4624 (logon) and 4778 (session reconnect),
# restricted to Logon Type 10 (RemoteInteractive, i.e. RDP).
# Note: 4778 message bodies carry no 'Logon Type' field, so in practice
# only 4624 events pass this filter.
Get-EventLog -LogName Security -After (Get-Date -Hour 0 -Minute 0 -Second 0) |
    Where-Object { (4624, 4778) -contains $_.EventID -and $_.Message -match 'logon type:\s+(10)\s' } |
    ForEach-Object {
        # Pull the fields of interest out of the message body with regular expressions
        New-Object -TypeName PSObject -Property @{
            TimeGenerated = $_.TimeGenerated
            ClientIP      = $_.Message -replace '(?smi).*Source Network Address:\s+([^\s]+)\s+.*', '$1'
            UserName      = $_.Message -replace '(?smi).*\s\sAccount Name:\s+([^\s]+)\s+.*', '$1'
            UserDomain    = $_.Message -replace '(?smi).*\s\sAccount Domain:\s+([^\s]+)\s+.*', '$1'
            LogonType     = $_.Message -replace '(?smi).*Logon Type:\s+([^\s]+)\s+.*', '$1'
        }
    } |
    Sort-Object TimeGenerated -Descending |
    Select-Object TimeGenerated, ClientIP,
        @{N = 'Username'; E = { '{0}\{1}' -f $_.UserDomain, $_.UserName } },
        @{N = 'LogType';  E = {
            # Translate the numeric logon type into a readable label
            switch ($_.LogonType) {
                2  { 'Interactive - local logon' }
                3  { 'Network (connection to shared folder)' }
                4  { 'Batch' }
                5  { 'Service' }
                7  { 'Unlock (after screensaver)' }
                8  { 'NetworkCleartext' }
                9  { 'NewCredentials (local impersonation process under existing connection)' }
                10 { 'RDP' }
                11 { 'CachedInteractive' }
                default { "LogType Not Recognised: $($_.LogonType)" }
            }
        } }
```
On a standalone RDSH server, you can use this approach to gather and interpret RDP connection logs. If your RDS farm has several servers, you can run this script against each of them or use the Remote Desktop Connection Broker role to collect logs on a management server.
Parallels RAS Leverages MS SQL Reporting Services
Parallels® Remote Application Server (RAS) offers a comprehensive platform to effectively monitor and manage VDI networks from anywhere, at any time. To provide analytics for better decision-making, Parallels has introduced a reporting engine. By leveraging Microsoft SQL Reporting Services, Parallels RAS provides critical insights for administrators to identify and remove bottlenecks while improving the performance and efficiency of the system.
Reporting describes important end-user activity through Parallels RAS, including apps used, how long they were used, which devices were used to access published resources, and times when users accessed resources. By analyzing these RDP logs, you can gain a wealth of information, enabling you to provide a rich VDI experience.
To generate reports, Parallels Reporting Service and Microsoft SQL have to be installed and configured on the same machine or on a system running in the same network. Parallels RAS is then configured to communicate with the SQL Server. Using the step-by-step wizard, you can quickly install and configure Parallels Reporting Service to monitor RDP logs.
Parallels Reports: RDP Logs
Parallels RAS, the one-stop-shop for RDP logs, provides 14 types of reports that are categorized into five groups:
- User Reports provide insights into how end-users interact with Parallels RAS. They show the sessions, devices, and operating systems used by all users globally as well as individually.
- Group Reports provide insights into how each group interacts with Parallels RAS. This information includes sessions, devices, and operating systems used by each group.
- Devices Reports provide insights into how devices are connected to the system. This information includes the model, manufacturer, and the number of devices used by each system. In addition, it shows the operating system and the RDP client version.
- Server Reports provide insights into how server components interact with Parallels RAS. They include a server health and performance report.
- Application Reports provide insights into application usage. This information includes the name of the application, usage time, and the number of times used.
There are several virtualization tools in the market, but Parallels RAS is the only solution that provides this powerful reporting engine within the standard license. Parallels RAS is a comprehensive virtual desktop and application delivery solution that enables you to effectively monitor and manage the entire infrastructure.
Check out Parallels RAS and how its reporting capabilities can be ideal for your network!