dvanderham
Level 7

RDP Events

I was wondering how someone else might have set up alerting on RDP events that show who connected to what server without getting the Service Logs?

0 Kudos
2 Replies
abanaru
Level 11

Re: RDP Events

McAfee Corporate KB - You are unable to add additional Windows event logs to a WMI datasource KB8136...

Or you can use the SIEM collector without doing the previously mentioned KB.

But I think you can relate to the Windows Event ID 4624 by looking for Logon Type = 10?

0 Kudos
dvanderham
Level 7

Re: RDP Events

Thank you for your reply.

So I followed KB81367 and was able to get my WMI receiver to see the RDP log, but it will not pull the logs with WMI even though it pulls other logs from the same server.

I have tried to use the SIEM collector without much success.

I tried to search for Windows Event ID 4624 Logon Type 10 and I come up with nothing. I have enabled these under the advanced audit configuration for my servers.

Audit Account Lockout - Success

Audit Logoff - Success

Audit Login - Success, Failure

Audit Other Login/Logoff Events - Success, Failure.

0 Kudos
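
The check suggested in the first reply (Event ID 4624 with Logon Type 10), as an added example that is not part of the original thread: it parses Security events in Windows Event XML form and reports who connected to which server and from where. The sample events, host names, accounts and addresses are constructed, and the helper names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows Event XML (e.g. output of wevtutil or Get-WinEvent .ToXml()).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(event_id, computer, when, **data):
    """Build one constructed event in Windows Event XML layout (sample data only)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/><Computer>{computer}</Computer>'
            f'</System><EventData>{fields}</EventData></Event>')


# Constructed sample events: two RDP logons, one network logon, one logoff.
SAMPLE_EVENTS = [
    _event(4624, "SRV01.example.test", "2024-01-01T09:00:00Z", TargetUserName="alice",
           TargetDomainName="EXAMPLE", LogonType="10", IpAddress="192.0.2.10"),
    _event(4624, "SRV01.example.test", "2024-01-01T09:05:00Z", TargetUserName="svc_backup",
           TargetDomainName="EXAMPLE", LogonType="3", IpAddress="192.0.2.50"),
    _event(4634, "SRV01.example.test", "2024-01-01T09:30:00Z", TargetUserName="alice",
           TargetDomainName="EXAMPLE", LogonType="10"),
    _event(4624, "SRV02.example.test", "2024-01-01T10:15:00Z", TargetUserName="bob",
           TargetDomainName="EXAMPLE", LogonType="10", IpAddress="192.0.2.22"),
]


def rdp_logons(xml_events, logon_types=("10",)):
    """Return one record per 4624 event whose LogonType is in logon_types.

    Type 10 is RemoteInteractive (RDP). Reconnects to an existing RDP session
    are commonly recorded as type 7, so pass ("10", "7") to include those.
    """
    hits = []
    for raw in xml_events:
        root = ET.fromstring(raw)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue  # only successful-logon events
        data = {d.get("Name"): (d.text or "")
                for d in root.iterfind("e:EventData/e:Data", NS)}
        if data.get("LogonType") not in logon_types:
            continue
        hits.append({
            "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "server": root.findtext("e:System/e:Computer", namespaces=NS),
            "user": f'{data.get("TargetDomainName", "")}\\{data.get("TargetUserName", "")}',
            "source_ip": data.get("IpAddress", ""),
        })
    return hits
```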