Iltexanomontano-7520 asked:

remote desktop logoff event 6734 in Windows server 2016

I made several tests to trace logon and logoff, by RDP client, to Windows Server 2016, but I can't see event 6734 (LOGOFF) with logon type = 10 (which represents a remote desktop session) in Event Viewer, Security section; I see only the 6724 event with logon type = 10, which represents the LOGON event.
Where is this LOGOFF event hidden? I need to trace it.


mschiavon answered:

The right events are 4624 (LOGON) and 4634 (LOGOFF).
If you need to see type 10, you must enable the 'Audit Logon Events' and 'Audit Account Logon Events' settings through a GPO.
Enable them, for example, on the "Default Domain Policy", then do a refresh from your DC (open a CMD with admin rights and run REPADMIN /Syncall /AdeP).
You will see the 4624.

A good guide about them : event-4624




LimitlessTechnology-2700 answered:

Hello,

Thank you for your question and reaching out.

Logon refers to an RDP logon to the system, an event that appears after a user has been successfully authenticated. It is an event with the EventID 21 (Remote Desktop Services: Session logon succeeded). These events are located in "Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational".

You can get the list of events related to successful RDP authentication (EventID 4624) using this PowerShell command:

Get-EventLog security -after (Get-Date -hour 0 -minute 0 -second 0) | ?{$_.EventID -eq 4624 -and $_.Message -match 'logon type:\s+(10)\s'} | Out-GridView



--If the reply is helpful, please Upvote and Accept as answer--
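Building on the two answers above, here is an added example (not from either answer) that correlates 4624 and 4634 events with Logon Type 10 by their Logon ID to reconstruct RDP session durations, which is the piece the question is really after. It assumes it runs elevated on the server whose Security log you want to read and uses Get-WinEvent with the structured EventData rather than regex-matching the message text.

```powershell
# Added example (not from the original answers): pair RDP logon (4624) and logoff
# (4634) events with Logon Type 10 by Logon ID to reconstruct session durations.
# Assumes you run it elevated on the server whose Security log you want to read.
$since = (Get-Date).Date   # midnight today; adjust as needed

# FilterHashtable is faster than piping every record through Where-Object.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4634
    StartTime = $since
} -ErrorAction SilentlyContinue

$sessions = @{}
$results  = foreach ($e in ($events | Sort-Object TimeCreated)) {
    # Read the structured EventData instead of regex-matching the message text;
    # field names are the same ones shown in Event Viewer's Details tab.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data.LogonType -ne '10') { continue }   # keep only RemoteInteractive
    if ($e.Id -eq 4624) {
        # 4624 carries the new session's Logon ID in TargetLogonId.
        $sessions[$data.TargetLogonId] = [pscustomobject]@{
            User      = "$($data.TargetDomainName)\$($data.TargetUserName)"
            Source    = $data.IpAddress
            LogonId   = $data.TargetLogonId
            LogonTime = $e.TimeCreated
        }
    }
    elseif ($e.Id -eq 4634 -and $sessions.ContainsKey($data.TargetLogonId)) {
        # 4634 uses the same TargetLogonId, which is how the two are correlated.
        $s = $sessions[$data.TargetLogonId]
        [pscustomobject]@{
            User       = $s.User
            Source     = $s.Source
            LogonId    = $s.LogonId
            LogonTime  = $s.LogonTime
            LogoffTime = $e.TimeCreated
            Duration   = $e.TimeCreated - $s.LogonTime
        }
        $sessions.Remove($data.TargetLogonId)
    }
}

$results | Format-Table -AutoSize
# Entries left in $sessions have a 4624 but no matching 4634: the session is
# still connected, or logoff auditing is not enabled (see the GPO note above).
```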
