Use LogParser to Audit Remote Desktop Access

I’ve been working with LogParser for a few days and really find it useful. There are some minor annoyances (lack of JOIN) with it but for the most part, I can get done what I need to get done pretty quickly using LogParser.

This post outlines reading the Security event log of a remote computer, in my case a 2008 Remote Desktop Session Host server.

Requirements

  • LogParser
  • RemoteRegistry Enabled on target server
  • Administrative privileges

In order to run this script, you must be an administrator on the target system, since reading the Security event log requires that privilege.

Special Note

This script is intended to run against Vista/7/2008 systems. XP/2003 use different event IDs for logon/logoff, so the queries would need adapting to work with those systems if you wanted to — feel free. =)

rdp_audit.bat

This is the batch script that does the magic. Make sure to set the LOGPARSER variable in the script to the path of logparser.exe.

@echo off
REM Rich Kreider
REM Collects RDP (logon type 10) logon/logoff events from the Security log of
REM %TARGET% into CSV files, then renders them to activity.html via output.tpl.
set LOGPARSER=logparser.exe
set TARGET=%1
set TEMPPATH=%SystemRoot%\Temp
@cls
IF NOT EXIST "%SystemRoot%\Temp" set TEMPPATH=%TEMP%
IF "%1"=="" (
set TARGET=%COMPUTERNAME%
@echo Note: You can specify a remote target on the command line:
@echo.
@echo rdp_audit.bat ^<computername^>
@echo.
@echo I am going to use this system to check for RDP activity.
@echo.
@echo.
)
REM Event 4634 (logoff) Strings tokens: 1=TargetUserName, 3=TargetLogonId, 4=LogonType.
REM 4634 carries no client address, so the IPAddress column is blank for logoffs.
@echo collecting logoffs
"%LOGPARSER%" -q:ON -i:EVT "select timegenerated, EXTRACT_TOKEN(Strings,1,'|') AS UserName, 'Logoff' as Action, EXTRACT_TOKEN(Strings,18,'|') AS IPAddress, EXTRACT_TOKEN(Strings,3,'|') AS LogonID into %TEMPPATH%\rdp_audit_logoffs.csv from \\%TARGET%\security where eventid='4634' and EXTRACT_TOKEN(Strings,4,'|')='10'" 2>NUL
IF NOT %ERRORLEVEL%==0 (
@echo Problem collecting logoffs.  Check to see if RemoteRegistry is enabled.
goto err_collection
)
REM Event 4624 (logon) Strings tokens: 5=TargetUserName, 7=TargetLogonId, 8=LogonType, 18=IpAddress.
REM LogonType 10 = RemoteInteractive, i.e. a Remote Desktop session.
@echo collecting logons
"%LOGPARSER%" -q:ON -i:EVT "select timegenerated, EXTRACT_TOKEN(Strings,5,'|') AS UserName, 'Logon' as Action, EXTRACT_TOKEN(Strings,18,'|') AS IPAddress, EXTRACT_TOKEN(Strings,7,'|') AS LogonID into %TEMPPATH%\rdp_audit_logins.csv from \\%TARGET%\security where eventid='4624' and EXTRACT_TOKEN(Strings,8,'|')='10'" 2>NUL
IF NOT %ERRORLEVEL%==0 (
@echo Problem collecting logons.  Check to see if RemoteRegistry is enabled.
goto err_collection
)
REM Merge both CSV files and render through the template.
@echo generating output
"%LOGPARSER%" -q:ON -i:CSV "select timegenerated, username, action, ipaddress, logonid into activity.html from %TEMPPATH%\rdp_audit*.csv order by username, timegenerated, logonid desc" -o:TPL -tpl:output.tpl 2>NUL
IF NOT %ERRORLEVEL%==0 (
@echo No activity found.
goto eof
)
@echo.
@echo Collection complete.  Please view activity.html for details.
@echo.
goto eof
:err_collection
@echo.
@echo Try to enable RemoteRegistry on %TARGET%:  sc \\%TARGET% start RemoteRegistry
@echo.
@echo To enable it to start the service at bootup:  sc \\%TARGET% config RemoteRegistry start= auto
@echo.
:eof
@echo.
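The two EVT queries above pull logon and logoff rows separately, and the post notes that LogParser has no JOIN. The following Python is an added example, not code from the original post: it reproduces the same EXTRACT_TOKEN positions against constructed 4624/4634 Strings values, applies the logon type 10 filter, and then joins logons to logoffs on LogonID to give each RDP session a duration and flag sessions that never logged off. The event records, user names, SIDs and addresses are all made up for the example.

```python
"""Pair RDP logons (4624) with logoffs (4634) by LogonID.

Added example, not part of rdp_audit.bat. It uses the same EXTRACT_TOKEN
positions as the batch script and then performs the join LogParser lacks.
All event records below are constructed sample data.
"""
from datetime import datetime

# Token positions in the EVT "Strings" field (pipe-separated), matching
# the EXTRACT_TOKEN(Strings,N,'|') calls in the batch script.
LOGON_FIELDS = {"UserName": 5, "LogonID": 7, "LogonType": 8, "IPAddress": 18}
LOGOFF_FIELDS = {"UserName": 1, "LogonID": 3, "LogonType": 4}
RDP_LOGON_TYPE = "10"  # RemoteInteractive


def extract_token(strings, index, sep="|"):
    """Mimic LogParser's EXTRACT_TOKEN: the Nth token, or None if absent."""
    parts = strings.split(sep)
    return parts[index] if index < len(parts) else None


def parse_event(event):
    """Return a normalised record for a type-10 4624/4634 event, else None."""
    if event["EventID"] == 4624:
        fields, action = LOGON_FIELDS, "Logon"
    elif event["EventID"] == 4634:
        fields, action = LOGOFF_FIELDS, "Logoff"
    else:
        return None
    strings = event["Strings"]
    if extract_token(strings, fields["LogonType"]) != RDP_LOGON_TYPE:
        return None  # console, network, service logons etc. are not RDP
    rec = {name: extract_token(strings, idx) for name, idx in fields.items()}
    rec["Action"] = action
    rec["TimeGenerated"] = datetime.strptime(event["TimeGenerated"], "%Y-%m-%d %H:%M:%S")
    return rec


def build_sessions(events):
    """Join logons to logoffs on LogonID. A session still open has End None.

    4634 carries no client address, so IPAddress always comes from the 4624.
    """
    sessions = {}
    for event in events:
        rec = parse_event(event)
        if rec is None:
            continue
        sess = sessions.setdefault(
            rec["LogonID"],
            {"UserName": rec["UserName"], "IPAddress": None, "Start": None, "End": None},
        )
        if rec["Action"] == "Logon":
            sess["Start"] = rec["TimeGenerated"]
            sess["IPAddress"] = rec["IPAddress"]
        else:
            sess["End"] = rec["TimeGenerated"]
    for sess in sessions.values():
        if sess["Start"] and sess["End"]:
            sess["DurationSeconds"] = (sess["End"] - sess["Start"]).total_seconds()
        else:
            sess["DurationSeconds"] = None
    return sessions


def _strings(*tokens):
    """Join tokens the way the EVT input format presents the Strings field."""
    return "|".join(tokens)


# Constructed sample events; token layout follows the Vista/2008 4624/4634 schema.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2011-03-01 09:00:00", "EventID": 4624, "Strings": _strings(
        "S-1-5-18", "TSHOST$", "CORP", "0x3e7", "S-1-5-21-1-2-3-1001", "alice", "CORP",
        "0x1a2b3c", "10", "User32 ", "Negotiate", "TSHOST", "{00000000-0000-0000-0000-000000000000}",
        "-", "-", "0", "0x2f4", "C:\\Windows\\System32\\winlogon.exe", "192.0.2.10", "51234")},
    # Network (type 3) logon: must be filtered out, not reported as RDP
    {"TimeGenerated": "2011-03-01 09:05:00", "EventID": 4624, "Strings": _strings(
        "S-1-5-18", "TSHOST$", "CORP", "0x3e7", "S-1-5-21-1-2-3-1002", "bob", "CORP",
        "0x4d5e6f", "3", "NtLmSsp ", "NTLM", "WKS01", "{00000000-0000-0000-0000-000000000000}",
        "-", "NTLM V2", "128", "0x0", "-", "192.0.2.20", "49876")},
    {"TimeGenerated": "2011-03-01 10:30:00", "EventID": 4634, "Strings": _strings(
        "S-1-5-21-1-2-3-1001", "alice", "CORP", "0x1a2b3c", "10")},
    # RDP logon with no matching logoff yet: an open session
    {"TimeGenerated": "2011-03-01 11:00:00", "EventID": 4624, "Strings": _strings(
        "S-1-5-18", "TSHOST$", "CORP", "0x3e7", "S-1-5-21-1-2-3-1003", "carol", "CORP",
        "0x7a8b9c", "10", "User32 ", "Negotiate", "TSHOST", "{00000000-0000-0000-0000-000000000000}",
        "-", "-", "0", "0x2f4", "C:\\Windows\\System32\\winlogon.exe", "198.51.100.7", "50001")},
]

if __name__ == "__main__":
    for logon_id, s in sorted(build_sessions(SAMPLE_EVENTS).items()):
        print(logon_id, s["UserName"], s["IPAddress"], s["Start"], s["End"], s["DurationSeconds"])
```

To run this over real data, replace SAMPLE_EVENTS with rows exported by LogParser (for example a `-o:CSV` query selecting TimeGenerated, EventID and Strings); the token positions and the type 10 filter are the same ones the batch script uses. Sessions whose End stays None are the ones worth a second look, since they are either still connected or lost their logoff event.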

output.tpl

This is the template LogParser uses (via -o:TPL) to create the HTML output. Modify it to your liking.

<LPHEADER>
<HTML>
<HEAD><TITLE></TITLE></HEAD>
<BODY BGCOLOR="#EFEFFF">
<TABLE BORDER="1" CELLPADDING="2" CELLSPACING="2">
<TR>
 <TH COLSPAN="5" ALIGN="CENTER">Remote Desktop Activity</TH>
</TR>
<TR>
 <TH>Date/Time</TH>
 <TH>Username</TH>
 <TH>Action</TH>
 <TH>IPAddress</TH>
 <TH>LogonID</TH>
</TR>
</LPHEADER>
<LPBODY>
<TR>
 <TD>%TimeGenerated%</TD>
 <TD>%UserName%</TD>
 <TD>%Action%</TD>
 <TD>%IPAddress%</TD>
 <TD>%LogonID%</TD>
</TR>
</LPBODY>
<LPFOOTER>
</TABLE>
</BODY>
</HTML>
</LPFOOTER>

Published by

Rich

Just another IT guy.
