


The article is applicable when analyzing RDP logs both in Windows Server 2008 R2, 2012/R2, 2016 and in desktop Windows editions (Windows 10, 8.1 and 7).

You can check the RDP connection logs using Windows Event Viewer (eventvwr.msc). Windows logs contain a lot of data, and it is quite difficult to find the event you need. When a user remotely connects to the remote desktop of RDS (RDP), a whole number of events appear in the Windows Event Viewer. There are several different logs where you can find information about Remote Desktop connections. We'll look at the logs and events on the main stages of an RDP connection that may be of interest to the administrator:

Network Connection is the establishment of a network connection to a server from a user RDP client. It is the event with the EventID 1149 (Remote Desktop Services: User authentication succeeded). If this event is found, it doesn't mean that user authentication has been successful. This log is located in “Applications and Services Logs -> Microsoft -> Windows -> Terminal-Services-RemoteConnectionManager -> Operational”. Enable the log filter for this event (right-click the log -> Filter Current Log -> EventId 1149).

Then you will get an event list with the history of all RDP connections to this server. As you can see, the logs provide a username, a domain (in this case Network Level Authentication is used; if NLA is disabled, the event text looks different) and the IP address of the computer from which the RDP connection has been initiated.
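The EventID 1149 filter can also be applied from PowerShell and the result summarised per user and source address. This is an added example, not code from the original article: the function names `ConvertFrom-Rdp1149Xml` and `Get-Rdp1149Summary` are hypothetical, the sample events are constructed, and the handling of an empty user field is an assumption.

```powershell
# Added example. Channel that holds Event ID 1149 (network connection stage).
$Channel = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'

# Turn one event (XML text, as returned by EventLogRecord.ToXml()) into a record.
function ConvertFrom-Rdp1149Xml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $e = ([xml]$EventXml).Event
        $p = $e.UserData.EventXML   # Param1 = user, Param2 = domain, Param3 = client IP
        [pscustomobject]@{
            TimeCreated = $e.System.TimeCreated.SystemTime   # ISO 8601 UTC string
            # Assumption: the user field can be empty (for example without NLA).
            User        = if ($p.Param1) { $p.Param1 } else { '(not logged)' }
            Domain      = $p.Param2
            SourceIP    = $p.Param3
        }
    }
}

# Count connections per user/domain/source IP with first and last occurrence.
# A 1149 record is a connection attempt, not proof of a successful logon.
function Get-Rdp1149Summary {
    param([Parameter(Mandatory)][object[]]$Record)
    $Record | Group-Object User, Domain, SourceIP | ForEach-Object {
        $sorted = @($_.Group | Sort-Object TimeCreated)
        [pscustomobject]@{
            User      = $sorted[0].User
            Domain    = $sorted[0].Domain
            SourceIP  = $sorted[0].SourceIP
            Count     = $_.Count
            FirstSeen = $sorted[0].TimeCreated
            LastSeen  = $sorted[-1].TimeCreated
        }
    } | Sort-Object Count -Descending
}

# Constructed sample events (documentation-range addresses), so this runs offline.
$tpl = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1149</EventID><TimeCreated SystemTime="{0}"/></System><UserData><EventXML xmlns="Event_NS"><Param1>{1}</Param1><Param2>{2}</Param2><Param3>{3}</Param3></EventXML></UserData></Event>'
$sample = @(
    ($tpl -f '2024-01-15T08:12:45Z', 'alice', 'CORP', '192.0.2.10'),
    ($tpl -f '2024-01-15T09:03:11Z', 'alice', 'CORP', '192.0.2.10'),
    ($tpl -f '2024-01-15T23:47:02Z', '', '', '198.51.100.7')
)
Get-Rdp1149Summary -Record ($sample | ConvertFrom-Rdp1149Xml) | Format-Table -AutoSize

# Against the live log on the server:
# $live = Get-WinEvent -FilterHashtable @{ LogName = $Channel; Id = 1149 } |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-Rdp1149Xml
```

Source addresses with many 1149 records, or records with no user name, are the rows to review first, keeping in mind that none of them confirms a completed logon.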
