remote desktop logoff event 6734 in Windows server 2016

Iltexanomontano 1 Reputation point
2021-10-03T06:46:29.29+00:00

I made several tests to trace logon and logoff, by RDP client, to Windows Server 2016, but I can't see event 6734 (LOGOFF) with logon type = 10 (which represents a remote desktop session) in Event Viewer, Security section; I see only the 6724 event with logon type = 10, which represents the LOGON event.
Where is this LOGOFF event hidden? I need to trace it.


2 answers

  1. Marco Schiavon 711 Reputation points
    2021-10-03T15:02:06.88+00:00

    The right events are 4624 (LOGON) and 4634 (LOGOFF).
    If you need to see the type 10, you must enable the ‘Audit Logon Events’ and ‘Audit Account Logon Events’ through a GPO.
    Enable them, for example, on the "Default Domain Policy", then do a refresh from your DC (open a CMD with admin rights and do REPADMIN /Syncall /AdeP).
    You will see the 4624

    A good guide about them: event-4624


  2. Limitless Technology 39,351 Reputation points
    2021-10-04T12:24:52.957+00:00

    Hello,

    Thank you for your question and reaching out.

    Logon refers to an RDP logon to the system, an event that appears after a user has been successfully authenticated. It is an event with the EventID 21 (Remote Desktop Services: Session logon succeeded). These events are located in “Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational”.

    You can get the list of events related to successful RDP authentication (EventID 4624) using this PowerShell command:

    Get-EventLog security -after (Get-date -hour 0 -minute 0 -second 0) | ?{$_.eventid -eq 4624 -and $_.Message -match 'logon type:\s+(10)\s'} | Out-GridView


    --If the reply is helpful, please Upvote and Accept as answer--

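One way to trace the logoff the question asks about, as an added example that is not part of either answer: pair each 4624 with logon type 10 to the 4634 that carries the same Logon ID, so every RDP session shows its start and end. The 24-hour window and the helper name `Get-EventField` are assumptions; run it elevated on the server with logon auditing enabled as described in the first answer.

```powershell
# Added example: correlate RDP logons (4624, LogonType 10) with their
# logoffs (4634) through the TargetLogonId field of the Security log.
$since = (Get-Date).AddHours(-24)   # assumed look-back window

# Hypothetical helper: flatten an event's <EventData> into name -> value.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    $fields
}

# Oldest first, so a logon is always seen before its matching logoff.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4634; StartTime = $since
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated

$sessions = [System.Collections.Generic.List[object]]::new()
$open = @{}   # TargetLogonId -> session still waiting for its 4634

foreach ($e in $events) {
    $f = Get-EventField $e
    if ($f['LogonType'] -ne '10') { continue }   # RemoteInteractive only
    $id = $f['TargetLogonId']
    if ($e.Id -eq 4624) {
        $s = [pscustomobject]@{
            User    = '{0}\{1}' -f $f['TargetDomainName'], $f['TargetUserName']
            Source  = $f['IpAddress']
            LogonId = $id
            Logon   = $e.TimeCreated
            Logoff  = $null
        }
        $open[$id] = $s
        $sessions.Add($s)
    }
    elseif ($open.ContainsKey($id)) {
        $open[$id].Logoff = $e.TimeCreated   # 4634 with the same Logon ID
        $open.Remove($id)
    }
}

# Rows with an empty Logoff have no 4634 in the window yet.
$sessions | Format-Table -AutoSize
```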