Introduction

Remote Desktop Protocol (RDP) logs help administrators monitor login activity on Windows servers. By enabling audit policies, you can track successful and failed RDP login attempts through the Windows Event Viewer.

Prerequisites

Before proceeding, ensure:

  • Administrative access to the Windows server
  • Remote Desktop enabled
  • Access to Local Group Policy Editor (gpedit.msc)

Enable RDP Audit Logs

Step 1: Open Run

Press:

Windows + R

Step 2: Open Group Policy Editor

Type:

gpedit.msc

and press Enter.

Step 3: Navigate to Audit Policies

Go to:

Local Computer Policy → Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policies → Audit logon events

Step 4: Configure Audit Policy

  • Right-click Audit logon events
  • Click Properties
  • Enable:
    • Success
    • Failure
  • Click OK

Note

Logging failed login attempts may rapidly fill the security logs if accounts without passwords exist on the server. Using accounts without passwords is also a major security risk.

View RDP Login Logs

Step 1: Open Administrative Tools

Navigate to:

Start → Control Panel → Performance and Maintenance → Administrative Tools

Step 2: Open Event Viewer

Click:

Event Viewer

Step 3: Check Security Logs

Open:

Windows Logs → Security

Look for:

  • Event ID 528 (older Windows versions)
  • Logon Type: 10

Logon Type 10 indicates an RDP login session.
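The same check can be scripted instead of browsing Event Viewer. The following is an added example, not part of the original guide: it assumes Windows Vista / Server 2008 or later, where a successful logon is event 4624 and a failed logon is 4625 (rather than the 528 of older versions), and the function name Get-RdpLogon is hypothetical.

```powershell
# Added example: list RDP (Logon Type 10) logons from the Security log.
# Assumption: Windows Vista / Server 2008 or later (4624 = success, 4625 = failure).
# Run from an elevated PowerShell prompt; reading the Security log needs admin rights.
function Get-RdpLogon {
    param(
        [datetime]$After = (Get-Date).AddDays(-1),  # look back 24 hours by default
        [int]$LogonType = 10                        # 10 = RemoteInteractive (RDP)
    )
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $After }

    # Get-WinEvent raises an error when nothing matches; silence it so an
    # empty result is just empty. Remove -ErrorAction to see access errors.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Named fields live in the event XML under EventData/Data[@Name]
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        if ([int]$data['LogonType'] -eq $LogonType) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Result  = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
                Account = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                Source  = $data['IpAddress']
            }
        }
    }
}

# Successful and failed RDP logons in the last 24 hours, newest first
Get-RdpLogon | Sort-Object Time -Descending | Format-Table -AutoSize

# Source addresses ranked by number of failed attempts
Get-RdpLogon | Where-Object Result -eq 'Failure' |
    Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name
```

When Network Level Authentication is enabled, failed RDP attempts are commonly recorded with Logon Type 3 rather than 10, so call `Get-RdpLogon -LogonType 3` as well when reviewing failures.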

Conclusion

Enabling RDP audit logging in Windows helps administrators monitor remote login activity, troubleshoot access issues, and improve server security through centralised event tracking.
