Solved

Log RDP sessions on Workstation

Posted on 2011-10-25
Last Modified: 2012-05-12
Hi

I run a small IT support company and use a variety of tools to access client servers remotely; however, I mainly use RDP.
Is there a way sessions can be logged on my workstation so I can keep a log of all the remote sessions I handle for billing purposes?

I've tried many different remote access tools which do log, but none work as well as RDP and I'm not disciplined enough to log every session into a 3rd party app.

All suggestions are welcome!
0
Question by:niesmann
12 Comments
 
LVL 19

Expert Comment

by:Miguel Angel Perez Muñoz
ID: 37023613
You can audit logon events on this workstation and filter by logon type. For RDP, the logon type is 10.
0
 

Author Comment

by:niesmann
ID: 37023626
Thanks for your prompt response. Will that also show the name or IP address of the machine I connected to?
0
 

Author Comment

by:niesmann
ID: 37023719
That does not seem to work.

I need to monitor sessions on the client PC, not the servers I connect to; not sure if I made that clear.

Thanks again
0
LVL 19

Expert Comment

by:Miguel Angel Perez Muñoz
ID: 37023804
It's perfectly clear. Log the logon events for the domain or the workstation. When you log on to the workstation by RDP or at the console, you can log these events. The event shows the logon type and the workstation. You can do it in two ways:

Put the log on Domain controllers
Put the log on workstation.
0
 

Author Comment

by:niesmann
ID: 37023946
OK

So I've opened secpol.msc, gone to Local Policies \ Audit Policy \ Audit logon events and set it to Success.

But when I log on via RDP to a server, nothing is logged in the security or any other log. I'm obviously missing something somewhere.

Your help is much appreciated.
0
 
LVL 19

Expert Comment

by:Miguel Angel Perez Muñoz
ID: 37024257
Sorry, I forgot a clarification:

Make the policy on the domain controllers if it's a domain account.
Make the policy on the workstation if it's a user account.

0
 

Author Comment

by:niesmann
ID: 37024460
This Windows 7 machine is not on a domain so therefore I've created it on the local machine, but it's still not logging.

Is there anything else you can think of that needs to be enabled in order for it to work?
0
 
LVL 19

Expert Comment

by:Miguel Angel Perez Muñoz
ID: 37024628
Where are you looking for these events? They must be stored in System events. Have you enforced a policy refresh?
0
 
LVL 78

Accepted Solution

by:
Rob Williams earned 1500 total points
ID: 37024638
I posted the following a while back, which was for a domain/server environment, but it could easily be implemented as a local logon script and saved locally:

You can enable detailed auditing and, within the configuration, you can configure the systems and the successful and/or failed events you wish to audit. The following articles outline how to enable and analyze the results:
http://support.microsoft.com/kb/814595/
http://www.windowsecurity.com/articles/Understanding_Windows_Logging.html
http://207.46.19.60/technet/prodtechnol/windows2000serv/maintain/monitor/logevnts.mspx

However using auditing can be time consuming to filter and extract.

Another option is to add the lines below to each user's logon and logoff script to create a log file. It would give you UserName, ComputerName, date and time, in a simple single line, followed by the IP from which they connected, if needed. If you wish to know logoff times as well, you can add the same lines to a logoff script in group policy (if you don't already have one: User Configuration | Windows settings | Scripts | Logoff). You likely won't need the last line (IP address) in the logoff script.

As written below it will create the log/text file in \\Server\Logs\LogOns.Log and the entries will look like:
Log File

Log On:  jdoe SERVER1  Tue 1/1/2007   9:01
  TCP    10.0.1.100:3389        66.66.123.123:1234        ESTABLISHED

Log Off: jdoe SERVER1  Tue 1/1/2007   9:31

Log On:  jsmith SERVER2  Tue 1/1/2007   11:00
  TCP    10.0.1.200:3389        66.66.123.124:1234        ESTABLISHED

Log Off: jsmith SERVER1  Tue 1/1/2007   11:30
---------------------------------------------------------------------------

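@echo off
REM Logon script: appends one entry per logon to a shared log file.
:Logging
REM Create the log file with a header line the first time the script runs.
If Exist "\\Server\Logs\LogOns.Log" GoTo START
Echo Log File > "\\Server\Logs\LogOns.Log"
:START
Echo. >> "\\Server\Logs\LogOns.Log"
Echo Log On:  %USERNAME% %COMPUTERNAME%  %Date:~0,16%  %Time:~0,5% >> "\\Server\Logs\LogOns.Log"
REM Record established connections on the RDP port (":3389" avoids matching ports such as 33890).
netstat -an | find ":3389" | find /I "established" >> "\\Server\Logs\LogOns.Log"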

---------------------------------------------------------------------------
Note the users will need to have read/write and execute permissions for the \\Server\Logs\LogOns.Log  file.
0
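A log in the format the script above writes can be turned into per-session durations for billing or audit review. The following is an added example, not part of the original answer; the sample log is constructed, and the US-style `%Date%` layout (weekday, then M/D/YYYY) is an assumption because that value is locale-dependent.

```python
import re
from datetime import datetime

# Constructed sample in the format the logon/logoff script writes (not real data).
SAMPLE_LOG = """\
Log File

Log On:  jdoe SERVER1  Tue 1/2/2007   9:01
  TCP    10.0.1.100:3389        203.0.113.10:1234        ESTABLISHED

Log Off: jdoe SERVER1  Tue 1/2/2007   9:31

Log On:  jsmith SERVER2  Tue 1/2/2007  11:00
  TCP    10.0.1.200:3389        203.0.113.11:1234        ESTABLISHED
"""

# Assumed entry layout: "Log On:/Off: user host weekday M/D/YYYY H:MM" (weekday is skipped).
ENTRY = re.compile(r"^Log (On|Off):\s+(\S+)\s+(\S+)\s+\S+\s+"
                   r"(\d{1,2}/\d{1,2}/\d{4})\s+(\d{1,2}:\d{2})")
PEER = re.compile(r"^\s*TCP\s+\S+:3389\s+(\S+):\d+\s+ESTABLISHED", re.I)

def parse_sessions(text):
    """Return (closed, still_open); closed sessions carry 'minutes'."""
    pending, closed, current = {}, [], None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            kind, user, host, date, time = m.groups()
            when = datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M")
            key = (user.lower(), host.lower())
            if kind == "On":
                current = {"user": user, "host": host, "start": when, "peers": []}
                pending.setdefault(key, []).append(current)
            else:
                current = None
                if pending.get(key):  # a Log Off with no earlier Log On is ignored
                    s = pending[key].pop(0)
                    s["minutes"] = int((when - s["start"]).total_seconds() // 60)
                    closed.append(s)
            continue
        p = PEER.match(line)
        if p and current is not None:  # netstat lines belong to the latest Log On
            current["peers"].append(p.group(1))
    return closed, [s for v in pending.values() for s in v]

if __name__ == "__main__":
    closed, still_open = parse_sessions(SAMPLE_LOG)
    for s in closed:
        print(s["user"], s["host"], s["minutes"], "min", s["peers"])
    for s in still_open:
        print("no logoff recorded:", s["user"], s["host"], s["start"], s["peers"])
```

Because netstat lists every established connection on port 3389 at logon time, a host with several concurrent sessions will record more than one peer per entry, so the peer list is a set of candidates rather than a definite source address.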
 

Author Comment

by:niesmann
ID: 37024815
Many thanks for that, RobWill.

I've one workstation connecting to 40+ servers. If I put the script on this one machine, will that write a log entry for any connection to those servers on that one machine?

Sorry to sound so dull, but I've been trying to sort this for a couple of days and my brain is spinning a bit!

Drashiel:
I can't find an entry in any of the logs. I must have something wrong somewhere. I'll keep trying. Many thanks once again.

0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 37025186
>>"If I put the script on this one machine will that write a log entry for any connection to those servers on that one machine ?"
No, it will only log the date, time, IP, and username when the RDP session to the workstation starts and ends.
As to what they connect to from there, I am doubtful you can log it in any way unless you want to use something like Desktop Scout, which will log all activity on the PC, keeping in mind that it can be considered an invasion of privacy.
http://www.globalpatrol.net/desktopscout/
0
 

Author Closing Comment

by:niesmann
ID: 37025571
Thanks for your help guys much appreciated
0
