I am trying to detect RDP connection to a remote host. I read up some web post suggests looking for 4624 with logon type 10 event. I made an RDP to a remote host, however all 4624 evens I can see is logon type 3.
Then I realize 4624 events can be collected from 3 places
The workstation where the user phycially present
The AD: where the authentication takes place
The remote host: where the user wants to log in, which is the destination host.
I am wondering whether the logon type 10 events only occur on the remote host and on the AD log the 4624 event will have logon type 3 instead.
Anyone has come across this kind of situation before?