Event Log Management

Logs .. Logs and More Logs

Tracking RDP Logons

Earlier this week a customer asked me the following question:

We came across a scenario where one of our sessions that we need to track events on, recorded only 683 events (rdp logoff) but zero 682 events (rdp logon).

I put together a detailed email explaining to him why/what was really happening and thought it would be good to share.

I want to clarify event id 682 for you: it is not an RDP Logon event, it is a Session Reconnected event. That is why you see 683 events without any 682 events.

If you want to track when someone logs onto a system via RDP, you need to look for event id 528 with a logon type of 10.

So here is what you can expect to see in the logs (all of these events are in the Security log on the system SERVER1):

At 9:22 am Isaac remotes into Server1:

Event ID: 528

 Successful Logon:
  User Name: isaac
  Domain: XXXXXXXX
  Logon ID: (0x0,0x2505AC69)
  Logon Type: 10
  Logon Process: User32
  Authentication Package: Negotiate
  Workstation Name: SERVER1
  Logon GUID: {f9c49597-2dcc-19cb-32cb-89a0e776ec9c}
  Caller User Name: SERVER1$
  Caller Domain: XXXXXXXX
  Caller Logon ID: (0x0,0x3E7)
  Caller Process ID: 2380
  Transited Services: –
  Source Network Address: xxx.xxx.xxx.145
  Source Port: 18573

Then at 9:42:06 am Isaac clicks the "X" in the upper corner of the RDP session (he does not log off, but disconnects):

Event ID: 683

 Session disconnected from winstation:
  User Name: isaac
  Domain: XXXXXXXX
  Logon ID: (0x0,0x2505AC69)
  Session Name: RDP-Tcp#1
  Client Name: Workstation1
  Client Address: xxx.xxx.xxx.145

Then at 9:42:37 am Isaac reconnects to the RDP session on Server1:

Event ID: 682

 Session reconnected to winstation:
  User Name: isaac
  Domain: XXXXXXXX
  Logon ID: (0x0,0x2505AC69)
  Session Name: RDP-Tcp#2
  Client Name: Workstation1
  Client Address: xxx.xxx.xxx.145

Then at 11:56 am Isaac logs off the RDP session:

Event ID: 551

 User initiated logoff:
  User Name: isaac
  Domain: XXXXXXXX
  Logon ID: (0x0,0x2505ac69)

Now let's analyze how we tie all these together. The first event, the 528, tells us how the connection was established: Logon Type: 10 is a RemoteInteractive logon (aka RDP or Terminal Session) (for other logon types see this list). This event also confirms that the RDP session was made to a system called Server1 (the Workstation Name line) and tells us which system the RDP session came from, xxx.xxx.xxx.145 (the Source Network Address line). We also get the Logon ID, which is a hex value. This Logon ID lets us connect all of the activity Isaac performs while the RDP session is active (with the right auditing turned on): we can track what files/folders were touched, what processes were launched, etc. It also allows us to tell whether he disconnects (683) or logs off (551) the RDP session. If he disconnects, we can then also track when he reconnects (682), because the 683, 682 and 551 events all carry the same Logon ID as the original 528.
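To show how the Logon ID stitches these four events into one session, here is an added example (not code from the original post) that rebuilds RDP sessions keyed by Logon ID and tallies connected versus disconnected seconds. The log lines are constructed: the post's events flattened to one line each, plus a console logon (Logon Type 2) for a second user so the Logon Type 10 filter has something to ignore.

```python
import re
from datetime import datetime

# Constructed sample, flattened to one event per line from the Windows 2003
# Security-log layout shown above; the times are those in the narrative.
# The 551 keeps the lower-case Logon ID the post shows, so matching must be case-insensitive.
SAMPLE_LOG = """\
2009-12-01 09:22:00 Event ID: 528 Logon Type: 10 Logon ID: (0x0,0x2505AC69) User Name: isaac
2009-12-01 09:42:06 Event ID: 683 Logon ID: (0x0,0x2505AC69) User Name: isaac
2009-12-01 09:42:37 Event ID: 682 Logon ID: (0x0,0x2505AC69) User Name: isaac
2009-12-01 11:56:00 Event ID: 551 Logon ID: (0x0,0x2505ac69) User Name: isaac
2009-12-01 10:00:00 Event ID: 528 Logon Type: 2 Logon ID: (0x0,0x3E8001) User Name: bob
2009-12-01 10:05:00 Event ID: 551 Logon ID: (0x0,0x3E8001) User Name: bob
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Event ID: (?P<id>\d+)(?: Logon Type: (?P<type>\d+))?"
    r" Logon ID: (?P<logon>\(0x[0-9A-Fa-f]+,0x[0-9A-Fa-f]+\)) User Name: (?P<user>\S+)$"
)

def parse(text):
    """Yield (timestamp, event_id, logon_type, logon_id, user) for each recognised line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), int(m["id"]),
                   m["type"], m["logon"].lower(), m["user"])

def rdp_sessions(text):
    """Rebuild RDP sessions keyed by Logon ID: only a 528 with Logon Type 10 opens one,
    683/682 toggle disconnected/connected, 551 closes it. Returns {logon_id: summary}."""
    sessions = {}
    for ts, eid, ltype, logon, user in sorted(parse(text), key=lambda e: e[0]):
        if eid == 528 and ltype == "10":
            sessions[logon] = {"user": user, "start": ts, "last": ts, "state": "connected",
                               "connected": 0, "disconnected": 0, "end": None}
            continue
        s = sessions.get(logon)
        if s is None or s["end"] is not None:
            continue  # non-RDP logon, or a 683/682 whose 528 is outside the log window
        s[s["state"]] += int((ts - s["last"]).total_seconds())  # credit elapsed time to the current state
        s["last"] = ts
        if eid == 683:
            s["state"] = "disconnected"
        elif eid == 682:
            s["state"] = "connected"
        elif eid == 551:
            s["end"] = ts
    return sessions
```

Feeding a day's export through rdp_sessions gives, per Logon ID, the user, start and logoff times and how long the session sat connected versus disconnected.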

Hope this helps.

December 1, 2009 - Posted by | Audit Logon/Logoff, Log Management

7 Comments

  1. What would be the proper setup of the Eventtriggers module so that an e-mail alert is sent out when a user connects/disconnects through RDP?

    Very nice blog by the way.

    Comment by Mirand | May 30, 2011 | Reply

    • Thank you for the comment.

      Your question is a very good one that I get asked quite a bit. So I’m going to answer it via a blog post later today.

      Comment by ithompson | May 31, 2011 | Reply

      • I have posted the new blog that should answer your question.

        Comment by ithompson | May 31, 2011

  2. Are these events logged / enabled by default? Can you turn logging off for these events? I have a system admin who is telling me events 683 and 528 are not logged.

    Comment by Colleen Farmer | October 3, 2013 | Reply

  3. Colleen, the logging for these events is not on by default. You will need to enable Audit Logon Events via a GPO or the Local Security Policy. The event ids that I listed are for Windows 2003 and older; for Vista or newer you will be looking for 4624 (successful logon), 4778 (Session connected from winstation) or 4779 (Session disconnected from winstation).

    Comment by ithompson | October 3, 2013 | Reply

  4. Can we get detailed information about a user, like the number of hours/minutes the user was active/disconnected/idle on a particular server? We need to get the output of each user who logs on to the server on a daily basis. Please suggest how we can capture this user session.

    Comment by Debasish | December 9, 2013 | Reply
