andy_booth
asked on
Remote Desktop Logs
Does RDP log IP access?
Where are they if so?
How do I activate logging if it's off by default?
I was curious as to who was logging on to what machine, when, and from what IP, so I added the following to the users' logon script:
:Logging
REM First run only: create the log file with a header line
If Exist "\\Server\Logs\LogOns.Log" GoTo START
Echo Log File > "\\Server\Logs\LogOns.Log"
:START
REM Append (>>) a separator, the user/computer/date/time, and the established connections matching 3389
Echo. >> "\\Server\Logs\LogOns.Log"
Echo -------------------------- ---------- ---------- -------- >> "\\Server\Logs\LogOns.Log"
Echo Log On: %USERNAME% %COMPUTERNAME% %Date:~0,12% %Time:~0,5% >> "\\Server\Logs\LogOns.Log"
netstat -an |find "3389" |find /I "established" >> "\\Server\Logs\LogOns.Log"
You need to create the folder \\Server\Logs (substituting your ServerName for "Server") and give all users write privileges. Then it will maintain a log with a typical entry similar to:
Log On: UserName ComputerName Fri 09/30/20 8:07
TCP 10.0.1.100:3389 10.0.33.100:4267 ESTABLISHED
{Where 10.0.1.100 is the computer IP and 10.0.33.100 is the remote user's IP}
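An added example, not part of the original answer: a Python parser for the log format shown above that pairs each "Log On:" line with the inbound RDP peers recorded under it. It assumes user and computer names contain no spaces; the sample log is constructed. Because `find "3389"` matches any line containing that string, the parser keeps only connections whose local port is exactly 3389, and it flags entries where several sessions were open, since the script cannot tell which one belongs to the user logging on.

```python
import re

# Constructed sample in the format the logon script produces (not real data).
SAMPLE_LOG = """\
Log File

-------------------------- ---------- ---------- --------
Log On: alice WS01 Fri 09/30/20 8:07
  TCP    10.0.1.100:3389        10.0.33.100:4267       ESTABLISHED

-------------------------- ---------- ---------- --------
Log On: bob WS01 Fri 09/30/20 9:15
  TCP    10.0.1.100:3389        10.0.33.100:4267       ESTABLISHED
  TCP    10.0.1.100:3389        10.0.40.7:51833        ESTABLISHED
  TCP    10.0.1.100:1045        10.0.2.9:3389          ESTABLISHED
  TCP    10.0.1.100:33890       10.0.2.50:2210         ESTABLISHED
"""

LOGON = re.compile(r"^Log On:\s+(\S+)\s+(\S+)\s+(.*\S)\s*$")
CONN = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+ESTABLISHED", re.I)


def parse_logons(text, rdp_port=3389):
    """Return one record per 'Log On:' entry with its inbound RDP peer IPs."""
    records, current = [], None
    for line in text.splitlines():
        m = LOGON.match(line)
        if m:
            current = {"user": m.group(1), "computer": m.group(2),
                       "when": m.group(3), "remote_ips": []}
            records.append(current)
            continue
        c = CONN.match(line)
        if c and current is not None:
            local_port, remote_ip = int(c.group(2)), c.group(3)
            # Drop outbound RDP (remote port 3389) and ports such as 33890.
            if local_port == rdp_port and remote_ip not in current["remote_ips"]:
                current["remote_ips"].append(remote_ip)
    for rec in records:
        # Several inbound sessions: netstat lists them all, not just this user's.
        rec["ambiguous"] = len(rec["remote_ips"]) > 1
    return records


if __name__ == "__main__":
    for rec in parse_logons(SAMPLE_LOG):
        print(rec)
```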
Hi Robwill,
Never thought of this one, looks pretty neat. But are the rules added to the file? I always assumed the file would be overwritten.
ASKER
RobWill,
That looks like an excellent idea.
I am a programmer rather than a system admin.
Our server doesn't run in AD, it's an internet-facing box in a datacentre.
Could I ask how I would implement that please?
(I have increased the points as I am asking for extra info)
You can only do this by creating auditing events in policies. I don't see any other way to do this. Look at this link to get the policy to be enabled:
http://theillustratednetwork.mvps.org/RemoteDesktop/RemoteDesktopSetupandTroubleshooting.html#Loggingz