User authentication can be successful or unsuccessful on the server. EventID 1149 output Authentication Events As you can see, the log file contains the username, domain (When Network Level Authentication (NLA) authentication is used), and IP address of the computer from which the RDP connection is made. The result is a list with the history of all network RDP connections to this server. You can filter this log by right clicking on Operational log ⇒ Selecting “Filter Current Log” and type in EventID 1149. This log can be found at Applications and Services Logs ⇒ Microsoft ⇒ Windows ⇒ Terminal-Services-RemoteConnectionManager ⇒ Operational. The presence of this event does not indicate successful user authentication. That logs EventID – 1149 (Remote Desktop Services: User authentication succeeded). Network Connection connects user’s RDP client with the Windows server. When a user remotely connects to a Windows server, many events are generated in the Windows logs. The Windows logs contain a lot of information, but it can be difficult to find the right event quickly. Like other events, the Windows RDP connection logs are stored in the event logs. Typically, it is useful when investigating various incidents on Windows servers when a system administrator is required to provide information about what users logged on to the server, when he logged on and off, and from which device (name or IP address) the RDP user was connecting. In this article we will take a look at the features of Remote Desktop Protocol (RDP) connection auditing and log analysis in Windows.
How to View RDP Connection Logs in Windows
0 kommentar(er)
