New Free RDS Log Viewer Tool Released!

UPDATE October 2018: We just released Version 2.0 of the RDS Log Viewer. Click here to read more details on the new Remote Desktop Gateway features and to get the download link.

For those who may have missed it, RDPSoft released a new FREE RDS Log Viewer tool at the end of March.


This tool (currently in beta) displays both logon failures and successful logons from RDS session hosts. It has many features to assist you in finding the user account of a logon failure and then locating the attacker’s source IP, including:

-displaying traditional “security log only” RDS failures when the Security Layer is RDP
-correlating logon failures with NLA when the Security Layer is TLS/SSL

In addition, there are other features such as:

-showing all successful RDS authentications
-the ability to export the results to comma-delimited text
-the ability to geolocate the attacker’s IP address

You can read more and download the tool for FREE HERE

RDP Logs – Where Are They? How Do I Monitor RDP Activity?

Pro Tip: Your Log Management / IT Search Software Isn’t Going To Help You Generate RDP Reports

Having now had several years of conversations with customers and evaluators, we’ve learned that there is a mistaken assumption among admins that you can glean decent report samples regarding RDP (Remote Desktop Protocol) activity from the Windows event logs themselves. Unfortunately, that’s just not the case.

The Amount Of RDP Logging Data Stored in the Windows Event Log Is Minimal

Sure, you can look for Logon Failures and Successful Logons in the Windows Security Log (Event IDs 4625 and 4624 respectively) with a Logon Type of 10, like so:

An account was successfully logged on.

Security ID: SYSTEM
Account Name: COMPUTER$
Account Domain: DOMAIN
Logon ID: 0x3e7

Logon Type: 10

New Logon:
Security ID: DOMAIN\User
Account Name: User
Account Domain: DOMAIN
Logon ID: 0x2c906b2c
Logon GUID: {fda9b3a8-1d42-3d9b-712a-ad2cb6a35f92}

You can also turn on Process Tracking auditing to see which users run what applications. However, this will not distinguish between what programs are run in RDP sessions versus traditional console sessions – unless your log management software can correlate Logon IDs.
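
The Logon ID correlation described above, as an added example (not RDPSoft's code): it ties process-creation events (Event ID 4688) back to Logon Type 10 sessions from Event ID 4624 and stops attributing once the session logs off (Event ID 4634). The event records are constructed sample data, and the assumption is that your collector has already extracted the Security log EventData fields into dictionaries.

```python
# Constructed sample records: EventData fields as a collector might extract
# them from Security log events 4624 (logon), 4688 (process creation) and
# 4634 (logoff). "time" is a simplified ordering key, not a real timestamp.
SAMPLE_EVENTS = [
    {"id": 4624, "time": 1, "LogonType": "10", "TargetUserName": "User",
     "TargetLogonId": "0x2c906b2c", "IpAddress": "203.0.113.7"},
    {"id": 4624, "time": 2, "LogonType": "2", "TargetUserName": "Admin",
     "TargetLogonId": "0x2C90AAAA", "IpAddress": "-"},
    {"id": 4688, "time": 3, "SubjectLogonId": "0x2c906b2c",
     "NewProcessName": r"C:\Windows\System32\notepad.exe"},
    {"id": 4688, "time": 4, "SubjectLogonId": "0x2c90aaaa",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"id": 4634, "time": 5, "TargetLogonId": "0x2c906b2c"},
    {"id": 4688, "time": 6, "SubjectLogonId": "0x2c906b2c",
     "NewProcessName": r"C:\Windows\System32\calc.exe"},
]


def norm(logon_id):
    """Logon IDs are hex strings; compare them as integers, not text."""
    return int(logon_id, 16)


def processes_by_rdp_session(events):
    """Map each Logon Type 10 session to the processes started under it."""
    open_sessions = {}  # normalized Logon ID -> session record
    sessions = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4624 and ev["LogonType"] == "10":
            rec = {"user": ev["TargetUserName"], "source_ip": ev["IpAddress"],
                   "logon_id": ev["TargetLogonId"], "processes": []}
            open_sessions[norm(ev["TargetLogonId"])] = rec
            sessions.append(rec)
        elif ev["id"] == 4688:
            rec = open_sessions.get(norm(ev["SubjectLogonId"]))
            if rec is not None:  # console and other logon types are skipped
                rec["processes"].append(ev["NewProcessName"])
        elif ev["id"] == 4634:
            # A Logon ID is only unique until the next reboot, so stop
            # attributing processes to it once the session has logged off.
            open_sessions.pop(norm(ev["TargetLogonId"]), None)
    return sessions


if __name__ == "__main__":
    for s in processes_by_rdp_session(SAMPLE_EVENTS):
        print(s["user"], s["source_ip"], s["processes"])
```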

There are also diagnostic Windows Event Log channels, such as TerminalServices-LocalSessionManager, that can tell you when sessions disconnect and reconnect. However, just like successful logon and failed logon data, this basic information is relatively useless when it comes to reconstructing a comprehensive history of what users do in their sessions.

Terminal Server Diagnostic Channels in the Event Viewer have some additional information, but not much...

Let RDPSoft Do The Heavy Lifting For You – For Only $9 Per Server Per Month

Our Remote Desktop Commander Suite software continually gathers the live session state data from all of your Citrix and Remote Desktop Servers on a recurring basis (e.g. whether or not a user is idle, how long they’ve been idle, how much RDP bandwidth they’ve consumed, the quality of their connection (RDP latency), etc.), and stores that data in a central SQL database. By doing so, we are able to generate dozens of reports and dashboards that show you exactly what users were doing in their sessions, their individual performance impact on the servers, and so much more.

Your time as a network admin is worth a lot on an hourly basis. Therefore, we think spending only $9 per server per month for quality RDP logging and reporting is quite a bargain. So, please review our sample reports, demonstration videos, and feature listing now. Then, consider starting your subscription with us. With a 30-day money back guarantee and free initial support, you have absolutely nothing to lose.