RDP Logs

Remote Desktop Canary v3 Is Almost Here!

April 28, 2021 By admin Leave a Comment

Hello RDPSoft friends and customers!

After a lot of work this Spring, we’re excited to announce that Remote Desktop Canary v3 is almost available! Before its official launch, however, we are seeking beta testers to put it through its paces, as Version 3 represents a major overhaul regarding how Remote Desktop Canary works. Read on to learn why this is, and then follow the link below to sign up to be a beta tester.

Major New Features in Remote Desktop Canary v3

Remote Desktop Canary Now Functions as a Windows Service!

We’ve finally turned Remote Desktop Canary into a Windows service!

You define the credentials of a user account under which all Remote Desktop Canary testing sessions will run, and the Remote Desktop Canary Service will make sure that user session is always running and performing tests according to your desired schedule.

One of the major limitations of previous versions of Remote Desktop Canary was that it ran in an interactive user session while doing its testing. This meant that if the server running Remote Desktop Canary rebooted, you’d have to depend on the Remote Desktop Canary Kickstarter, running on a different VM, to relaunch the user session used for testing on that server.

Fortunately, after a lot of R&D, we found a way for a local Windows service to orchestrate the creation and teardown of a user testing session to run Remote Desktop Canary’s tests. By doing so, we’ve completely eliminated the need for the Remote Desktop Canary Kickstarter applet. More importantly, the service itself will resume testing operations after a system restart for any reason.

*This also means that Remote Desktop Canary can now test RDS/WVD environments that have login banners enabled, and bypass them with synthetic input, without needing the Kickstarter tool enabled or a user session running unlocked.*

You Can Now Schedule Different Workflow Tests At Different Times During the Day

Schedule different times of tests, during different parts of the day, and carve out “no testing” times when you need to do updates or restart your infrastructure.

With the creation of the new Remote Desktop Canary Service as mentioned above, Remote Desktop Canary v3 can now schedule specific workflow tests at different times. All you need to do is build the testing routines you need and save them to separate workflow files. Then, you can schedule each workflow file to run during specific times of the day. Remote Desktop Canary will do the rest for you.

For example, you may want to do a sanity check early every morning and have Remote Desktop Canary test all of your RDS session hosts or WVD hosts after your nightly reboot, to make sure they are responding properly and that logins can proceed successfully all the way to a desktop, with no hiccups related to loading group policies or FSLogix / UPDs. Then, you may want Canary to start a recurring test the rest of the day for each of your RDS collections through the connection broker. Finally, since you schedule nightly reboots of your hosts (or shut your WVD hosts down at 1am to save money), you may want to have a period of time each evening when Remote Desktop Canary is not doing any testing at all.

Remote Desktop Canary Can Now Automatically Retrieve Relevant Event Log Information From Session Hosts Having Problems, And Include That Information In Its Automated Alert Emails.

Is a session host taking too long to respond, or is a user’s desktop not loading? Automatic diagnostic event log information from the problem host can now be included in your alerts.

In previous versions of Remote Desktop Canary, you would receive basic alerts if a connection broker or session host was not responding or it was taking to long to log in and reach a desktop. In version 3 of Remote Desktop Canary, you can configure *internal* workflows (e.g. tests running inside your network) to automatically gather errors and warning events from many different Windows event logs that may be diagnostically relevant to the problem at hand.

For instance, if FSLogix is taking a long time to load a user’s profile, if group policies are causing login delays, etc, Remote Desktop Canary will automatically include event log information that was logged around the time of the issue inside the alert email it sends to you. This will give you immediate context as to the true problem, and should shorten the time it takes you to fix the issue.

Ready To Participate In the Beta?

Please follow this link to signup. The beta has now gone live as of May 12th, 2021.

WVD Is Not All Its Cracked Up To Be. Staying On Classic RDS May Be The Better Move For Your Organization

Our CEO, Andy Milford, just completed his 4 part blog series at PureRDS on some fundamental issues with WVD, which can lead to cost overruns, less reliable service availability, and many other issues compared to staying on classic Remote Desktop Services. Please click here to become enlightened about all of WVD’s potential gotchas before leaping towards a migration away from RDS.

A Remote Desktop Log Viewer Tool . . . For Free

April 13, 2018 By admin Leave a Comment

It has been around a while, but if you’ve missed it, RDPSoft released a free Remote Desktop log viewer tool quite sometime ago called RDS Log Viewer. And since this post was first written in April of 2018, it’s been updated. So, the later versions are even better now.

For more information, you can see the details on the Remote Desktop Gateway features and get the download link.

But first, here’s a screenshot of it in action . . .

To summarize the features very briefly, this tool displays both logon failures and successful logons from RDS session hosts. It has many features to assist you in finding the user account of an logon failure and then locating the attacker’s source IP, including:

Displaying traditional “security log only” RDS failures when the Security Layer is RDP
Correlating logon failures with NLA when the Security Layer is TLS/SSL

In addition, there are other features such as:

Showing all successful RDS authentifications
Ability to export the results to comma-delimited text
Ability to geolocate the attacker’s IP address

. . . And of course, there is much more now.

Updated: October 2020.

RDP Logs – Where Are They? How Do I Monitor RDP Activity?

December 15, 2015 By admin Leave a Comment

Having now had years of conversations with customers and evaluators, we’ve learned that there is a mistaken assumption among admins that you can glean decent report samples regarding RDP (Remote Desktop Protocol) activity from the Windows event logs themselves.

Unfortunately, that’s just not the case.

Pro Tip: Your Log Management / IT Search Software Isn’t Going To Help You Generate RDP Reports

Many set out with the general goal of accessing RDP logs and making sense of the data – maybe specifically monitoring RDP activity. Therefore, they first look to the event log. And, using an event log management or IT search software seems like it would work, right? Nope.

The Amount Of RDP Logging Data Stored in the Windows Event Log Is Minimal

Sure, you can look for Logon Failures and Successful Logons in the Windows Security Log (Event IDs 4625 and 4624 respectively) with a Logon Type of 10, like so:

An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: COMPUTER$
Account Domain: DOMAIN
Logon ID: 0x3e7

Logon Type: 10

New Logon:
Security ID: DOMAIN\User
Account Name: User
Account Domain: DOMAIN
Logon ID: 0x2c906b2c
Logon GUID: {fda9b3a8-1d42-3d9b-712a-ad2cb6a35f92}

You can also turn on Process Tracking auditing to see which users run what applications. However, this will not distinguish between what programs are run in RDP sessions versus traditional console sessions – unless your log management software can correlate Logon IDs.

There are also diagnostic Windows Event Log channels, such as TerminalServices-LocalSessionManager, that can tell you when sessions disconnect and reconnect. However, just like successful logon and failed logon data, this basic information is relatively useless when it comes to reconstructing a comprehensive history of what users do in their sessions.

Terminal Server Diagnostic Channels in the Event Viewer have some additional information, but not much... — Terminal Server Diagnostic Channels in the Event Viewer have some additional information, but not much…

Let RDPSoft Do The Heavy Lifting For You – For Only $9 Per Server Per Month

Our Remote Desktop Commander Suite software continually gathers the live session state data from all of your Citrix and Remote Desktop Servers on a recurring basis (e.g. whether or not a user is idle, how long they’ve been idle, how much RDP bandwidth they’ve consumed, the quality of their connection (RDP latency), etc), and stores that data into a central SQL database.

By doing so, we are able to generate dozens of reports and dashboards that show you exactly what users were doing in their sessions, their individual performance impact on the servers, and so much more.

Your time as a network admin is worth a lot on an hourly basis. Therefore, we think spending only $9 per server per month for quality RDP logging and reporting is quite a bargain. So, please review our sample reports, demonstration videos, and feature listing now. Then, consider starting your subscription with us. With a 30-day money back guarantee and free initial support, you have absolutely nothing to lose.

Updated: October 2020.

A Remote Desktop Log Viewer Tool . . . For Free

RDP Logs – Where Are They? How Do I Monitor RDP Activity?

Pro Tip: Your Log Management / IT Search Software Isn’t Going To Help You Generate RDP Reports

The Amount Of RDP Logging Data Stored in the Windows Event Log Is Minimal

Let RDPSoft Do The Heavy Lifting For You – For Only $9 Per Server Per Month

From the RDPSoft Blog

We Do “Single Pane of Glass” Monitoring and Management for RDS

Reach Out