How to Monitor and Retrieve RDP Session Logs in Windows Server 2008 R2

When users connect via Remote Desktop Protocol (RDP) to a Windows Server 2008 R2 machine, several event logs are generated across different subsystems. These logs provide valuable information about connection attempts, session activities, and potential security events.

The primary logs you'll want to examine are:

  • Security Event Log (Event ID 4624 for successful logons)
  • RemoteDesktopServices-RDPCoreTS/Operational (Detailed RDP session logs)
  • Microsoft-Windows-TerminalServices-LocalSessionManager/Operational

The easiest way to view these logs is through Event Viewer:

1. Open Event Viewer (eventvwr.msc)
2. Navigate to: 
   Applications and Services Logs > Microsoft > Windows > TerminalServices
3. Check these subcategories:
   - RemoteConnectionManager
   - LocalSessionManager
   - RDPCoreTS

For automated monitoring, PowerShell provides powerful query capabilities. Here's a script to extract recent RDP connections:

# Get successful RDP logon events (4624 with LogonType 10 = RemoteInteractive).
# Property indices for 4624 on 2008 R2: [5] TargetUserName, [6] TargetDomainName, [8] LogonType, [18] IpAddress
Get-WinEvent -LogName "Security" -FilterXPath "*[System[EventID=4624]]" | 
Where-Object { $_.Properties[8].Value -eq 10 } | 
Format-Table TimeCreated, @{Label='User';Expression={$_.Properties[5].Value}}, 
@{Label='Source IP';Expression={$_.Properties[18].Value}} -AutoSize

# Get Terminal Services session events (21 logon, 22 shell start, 23 logoff, 24 disconnect, 25 reconnect).
# -contains rather than -in so the filter also runs under the PowerShell 2.0 that ships with 2008 R2
Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | 
Where-Object { (21,22,23,24,25) -contains $_.Id } | 
Format-Table TimeCreated, Id, Message -AutoSize

To enhance logging, configure these audit policies via Group Policy or Local Security Policy:

1. Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
2. Enable:
   - Audit logon events (Success/Failure)
   - Audit account logon events (Success/Failure)
   - Audit process tracking (optional)
3. For detailed RDP logging, enable Terminal Services logging in:
   Computer Configuration > Administrative Templates > Windows Components > Terminal Services
   (the node is named Remote Desktop Services in the 2008 R2 templates; the event log channels keep the TerminalServices name)

For developers needing to process logs programmatically, here's a C# example:

using System;
using System.Diagnostics;

// Reads the classic Security log and prints interactive RDP logons (4624, logon type 10).
// Run elevated: reading the Security log requires administrative privileges.
class RDPLogParser {
    static void Main() {
        EventLog log = new EventLog("Security");

        foreach (EventLogEntry entry in log.Entries) {
            // 4624 = an account was successfully logged on
            if (entry.InstanceId != 4624) continue;

            // Guard against records with fewer replacement strings before indexing into the array
            string[] fields = entry.ReplacementStrings;
            if (fields.Length <= 18) continue;

            // Index 8 = LogonType; "10" = RemoteInteractive (RDP / Terminal Services)
            if (fields[8] == "10") {
                Console.WriteLine($"RDP Connection: {entry.TimeGenerated}");
                Console.WriteLine($"User: {fields[5]}");        // TargetUserName
                Console.WriteLine($"Source IP: {fields[18]}");  // IpAddress
            }
        }
    }
}

For enterprise environments, consider these tools:

  • SolarWinds Log & Event Manager
  • ManageEngine EventLog Analyzer
  • PRTG Network Monitor with RDP sensors

Windows Server 2008 R2 maintains several logs that track RDP activity. The primary locations are:

1. Event Viewer -> Windows Logs -> Security (Event ID 4624 for successful logons)
2. Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> TerminalServices
3. %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

Here's a practical PowerShell script to query recent RDP connections:

# Get all RDP logon events from last 7 days
$Events = Get-WinEvent -LogName "Security" -FilterXPath "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= 604800000]]] and *[EventData[Data[@Name='LogonType']='10']]"

# Display formatted results
$Events | ForEach-Object {
    $xml = [xml]$_.ToXml()
    $output = New-Object PSObject -Property @{
        Time = $_.TimeCreated
        User = $xml.Event.EventData.Data | Where-Object {$_.Name -eq "TargetUserName"} | Select-Object -ExpandProperty "#text"
        IP = $xml.Event.EventData.Data | Where-Object {$_.Name -eq "IpAddress"} | Select-Object -ExpandProperty "#text"
        SessionID = $xml.Event.EventData.Data | Where-Object {$_.Name -eq "TargetLogonId"} | Select-Object -ExpandProperty "#text"
    }
    $output
} | Format-Table -AutoSize
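The queries above only look at successful logons (4624). The failed counterpart, Event ID 4625, is what you want for spotting password guessing against RDP. The following script is an added example, not part of the original page: it summarises 4625 events per source address over the last 24 hours and flags addresses above a threshold. The 24-hour window and the threshold of 10 are assumed values; with Network Level Authentication enabled, a failed RDP authentication is recorded with logon type 3 rather than 10, so the filter keeps both.

```powershell
# Added example: per-source summary of failed RDP logons (4625) in the last 24 hours.
# Assumes PowerShell 2.0+ and an elevated session (reading the Security log needs admin rights).
$WindowMs  = 24 * 60 * 60 * 1000   # 24 hours in milliseconds, for timediff()
$Threshold = 10                    # failures per address before we flag it (assumed value)

# With NLA, failed RDP authentication shows up as logon type 3 (network), so keep 3 and 10
$Query = "*[System[EventID=4625 and TimeCreated[timediff(@SystemTime) <= $WindowMs]]] and " +
         "*[EventData[Data[@Name='LogonType']='10' or Data[@Name='LogonType']='3']]"

$Failures = Get-WinEvent -LogName 'Security' -FilterXPath $Query -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        # Map EventData field names to values so fields can be read by name, not by index
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            User      = $data['TargetUserName']
            Domain    = $data['TargetDomainName']
            LogonType = $data['LogonType']
            Source    = $data['IpAddress']
            Status    = $data['Status']   # 0xC000006D bad user/password, 0xC0000234 account locked out
        }
    }

# Group by source address; addresses at or above the threshold are the ones to investigate
$Failures | Group-Object Source | Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending |
    ForEach-Object {
        $users = ($_.Group | Select-Object -ExpandProperty User | Sort-Object -Unique) -join ','
        New-Object PSObject -Property @{
            Source   = $_.Name
            Failures = $_.Count
            First    = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
            Last     = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
            Users    = $users
        }
    } | Format-Table Source, Failures, First, Last, Users -AutoSize -Wrap
```

A burst of failures against many different user names from one address, or a source of '-' (NLA without a recorded address), is worth correlating with the LocalSessionManager log and with any firewall or RD Gateway logs in front of the server.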

To enhance RDP tracking, enable these Group Policy settings:

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy:
- Audit logon events (Success and Failure)
- Audit account logon events (Success and Failure)
- Audit process tracking (Optional for detailed session activity)

The Terminal Services logs contain session-specific details (21 logon, 22 shell start, 23 logoff, 24 disconnect, 25 reconnect). Note that these IDs also record console logons, which show a Source Network Address of LOCAL. This command filters the relevant events:

# -contains rather than -in so the filter also runs under the PowerShell 2.0 that ships with 2008 R2
Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | 
Where-Object {(21,22,23,24,25) -contains $_.Id} | 
Select-Object TimeCreated,Id,Message | 
Format-Table -AutoSize -Wrap
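Listing the raw messages is hard to read once a server has more than a handful of sessions. The script below is an added example, not part of the original page: it parses the User, SessionID and Address fields from the event XML of the LocalSessionManager events (IDs 21 to 25, as used in both LocalSessionManager queries above), builds a per-session timeline, and drops sessions whose logon came from LOCAL (the console). It assumes PowerShell 2.0+ and read access to the Operational log.

```powershell
# Added example: per-session timeline from the LocalSessionManager log, console sessions excluded.
# Assumes PowerShell 2.0+ (Server 2008 R2) and read access to the Operational channel.
$LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
$EventNames = @{
    21 = 'Logon';       # session logon succeeded
    22 = 'ShellStart';  # shell start notification received
    23 = 'Logoff';      # session logoff succeeded
    24 = 'Disconnect';  # session has been disconnected
    25 = 'Reconnect'    # session reconnection succeeded
}

# Only IDs 21-25; -contains (not -in) so the filter works under PowerShell 2.0
$Events = Get-WinEvent -LogName $LogName -ErrorAction SilentlyContinue |
    Where-Object { $EventNames.Keys -contains $_.Id }

$Timeline = $Events | ForEach-Object {
    $xml = [xml]$_.ToXml()
    $u   = $xml.Event.UserData.EventXML   # carries User, SessionID and (except for logoff) Address
    New-Object PSObject -Property @{
        Time      = $_.TimeCreated
        Event     = $EventNames[[int]$_.Id]
        User      = $u.User
        SessionID = [int]$u.SessionID
        # Address is 'LOCAL' for console sessions; logoff events (23) carry no address at all
        Address   = $(if ($u.Address) { $u.Address } else { '' })
    }
} | Sort-Object SessionID, Time

# Keep only sessions whose logon event came from the network (skip console logons recorded as LOCAL)
$RemoteSessions = $Timeline |
    Where-Object { $_.Event -eq 'Logon' -and $_.Address -and $_.Address -ne 'LOCAL' } |
    Select-Object -ExpandProperty SessionID -Unique

$Timeline | Where-Object { $RemoteSessions -contains $_.SessionID } |
    Format-Table SessionID, Time, Event, User, Address -AutoSize
```

Session IDs are reused after logoff, so on a busy server read each SessionID group as a sequence of separate logon-to-logoff runs rather than one session.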

For more comprehensive monitoring, consider:

  • SolarWinds RDP Monitor
  • ManageEngine ADAudit Plus
  • EventSentry (lightweight solution)

Archive the RDP-relevant Security events daily, for example by running this script from a scheduled task (wevtutil epl will not create the target folder and refuses to overwrite an existing file):

# Export the logon/logoff events (4624/4634) to a dated .evtx file; run daily from a scheduled task
$LogPath = "C:\RDP_Logs\$(Get-Date -Format 'yyyyMMdd').evtx"
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null   # wevtutil does not create the folder
wevtutil epl Security $LogPath "/q:*[System[(EventID=4624 or EventID=4634)]]"