or you can use the SIEM collector without doing the pre mentioned KB.
But I think you can relate to the Windows Event ID 4624 by looking for Logon Type = 10 ?
Thank you for your reply.
So I followed the KB81367 and was able to get my wmi receiver to see the rdp log, but it will not pull the logs with wmi even though it pulls other logs from the same server.
I have tried to use the SIEM collector without much success.
I tried to search for windows event id 4624 logon type 10 and I come up with nothing. I have enabled these under the advanced audit configuration for my servers.
Audit Account Lockout - Success
Audit Logoff - Success
Audit Login - Success, Failure
Audit Other Login/Logoff Events - Success, Failure.