Using Log Parser for Remote Desktop login attempts

gchq

2/18/23, 10:28 PM

I'm trying to find a way to return the top x number of IP addresses that are attempting to login to Remote Desktop on some Windows 2016 and 2019 boxes for event ID 140 on, say, Current Date.

Of course, I can see the IP address by clicking on the entry and reading the box below, but would really like to know who the persistent bad boys are rather that scroll through them all.

I've had some success using Log Parser against IIS logs but can't find any useful information online for returning data on the Events Log.

I do know there are some workarounds for Remote Desktop (limit the connecting IPs, internal network only, change the default port for Remote Desktop...) and internal network only is set for a lot of them, especially PCI compliant ones, but a few are using the default.

Any pointers would be appreciated :-)

0 + 0

logparser

windows-server-2019

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Using Log Parser for Remote Desktop login attempts

TH: การใช้ Log Parser สำหรับความพยายามในการเข้าสู่ระบบเดสก์ท็อประยะไกล

RO: Utilizarea Log Parser pentru încercările de conectare la Desktop la distanță

RU: Использование Log Parser для попыток входа в удаленный рабочий стол

VI: Sử dụng Trình phân tích cú pháp Nhật ký cho các lần thử đăng nhập Máy tính Từ xa

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.