RDP Logs – Where Are They? How Do I Monitor RDP Activity?

Pro Tip: Your Log Management / IT Search Software Isn’t Going To Help You Generate RDP Reports

After several years of conversations with customers and evaluators, we've learned that many admins mistakenly assume they can build decent reports on RDP (Remote Desktop Protocol) activity from the Windows event logs themselves. Unfortunately, that's just not the case.

The Amount Of RDP Logging Data Stored in the Windows Event Log Is Minimal

Sure, you can look for Logon Failures and Successful Logons in the Windows Security Log (Event IDs 4625 and 4624 respectively) with a Logon Type of 10, like so:

An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: COMPUTER$
Account Domain: DOMAIN
Logon ID: 0x3e7

Logon Type: 10

New Logon:
Security ID: DOMAIN\User
Account Name: User
Account Domain: DOMAIN
Logon ID: 0x2c906b2c
Logon GUID: {fda9b3a8-1d42-3d9b-712a-ad2cb6a35f92}

You can also turn on Process Tracking auditing to see which users run what applications. However, this will not distinguish between what programs are run in RDP sessions versus traditional console sessions – unless your log management software can correlate Logon IDs.
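One way to do the Logon ID correlation mentioned above, as an added example (not code from the original page or from RDPSoft). It assumes Security log events (4624 logon, 4634/4647 logoff, 4688 process creation) have been exported to records keyed by their EventData field names; the sample events and the function names are constructed for illustration.

```python
from datetime import datetime

# Constructed sample records (not from the page), shaped like Security log
# events exported to dicts keyed by their EventData field names.
SAMPLE_EVENTS = [
    {"id": 4624, "time": "2024-01-10T09:00:00", "LogonType": "10",
     "TargetUserName": "User", "TargetLogonId": "0x2c906b2c", "IpAddress": "192.0.2.10"},
    {"id": 4624, "time": "2024-01-10T09:01:00", "LogonType": "2",
     "TargetUserName": "Admin", "TargetLogonId": "0x2C9070AA", "IpAddress": "-"},
    {"id": 4688, "time": "2024-01-10T09:02:00", "SubjectLogonId": "0x2C906B2C",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"id": 4688, "time": "2024-01-10T09:03:00", "SubjectLogonId": "0x2c9070aa",
     "NewProcessName": r"C:\Windows\System32\mmc.exe"},
    {"id": 4634, "time": "2024-01-10T09:30:00", "TargetLogonId": "0x2c906b2c"},
    # Same Logon ID value seen again after the logoff: must not be attributed.
    {"id": 4688, "time": "2024-01-10T10:00:00", "SubjectLogonId": "0x2c906b2c",
     "NewProcessName": r"C:\Windows\System32\notepad.exe"},
]

def _lid(value):
    """Normalize a hex Logon ID so 0x2C906B2C and 0x2c906b2c compare equal."""
    return int(value, 16)

def rdp_processes(events):
    """Return (user, source_ip, process, time) for each 4688 event whose
    Logon ID belongs to a Logon Type 10 session that is open at that moment."""
    open_rdp = {}   # Logon ID -> (user, source IP) for live Type 10 sessions
    hits = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        if ev["id"] == 4624 and ev["LogonType"] == "10":
            open_rdp[_lid(ev["TargetLogonId"])] = (ev["TargetUserName"], ev["IpAddress"])
        elif ev["id"] in (4634, 4647):          # a logoff closes the session
            open_rdp.pop(_lid(ev["TargetLogonId"]), None)
        elif ev["id"] == 4688:
            session = open_rdp.get(_lid(ev["SubjectLogonId"]))
            if session:
                hits.append((*session, ev["NewProcessName"], ev["time"]))
    return hits

if __name__ == "__main__":
    for user, ip, proc, when in rdp_processes(SAMPLE_EVENTS):
        print(f"{when}  {user}@{ip}  {proc}")
```

Closing the session on logoff matters because a Logon ID identifies a session only while that session exists, so a later event carrying the same value is not attributed to the earlier RDP logon.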

There are also diagnostic Windows Event Log channels, such as TerminalServices-LocalSessionManager, that can tell you when sessions disconnect and reconnect. However, just like successful logon and failed logon data, this basic information is relatively useless when it comes to reconstructing a comprehensive history of what users do in their sessions.

Terminal Server Diagnostic Channels in the Event Viewer have some additional information, but not much...

Let RDPSoft Do The Heavy Lifting For You – For Only $9 Per Server Per Month

Our Remote Desktop Commander Suite software continually gathers live session state data from all of your Citrix and Remote Desktop Servers on a recurring basis (e.g. whether or not a user is idle, how long they've been idle, how much RDP bandwidth they've consumed, the quality of their connection (RDP latency), etc.) and stores that data in a central SQL database. By doing so, we are able to generate dozens of reports and dashboards that show you exactly what users were doing in their sessions, their individual performance impact on the servers, and so much more.

Your time as a network admin is worth a lot on an hourly basis. Therefore, we think spending only $9 per server per month for quality RDP logging and reporting is quite a bargain. So, please review our sample reports, demonstration videos, and feature listing now. Then, consider starting your subscription with us. With a 30-day money-back guarantee and free initial support, you have absolutely nothing to lose.