I am looking to get desktop (domain user) interactive and RDP logons from Domain Controller logs. I don't know if this is possible. I have looked up and down splunk>answers and found similar questions answered, but none definitively answer my question in particular. So when a domain user logs on to a desktop PC anywhere in the domain, I want that to show up on my search.
So far I am searching for (EventCode=528 OR EventCode=540 OR EventCode=552 OR EventCode=4624 OR EventCode=4648). Really only 4624 gets results, and the only results I am seeing are for Logon Type 3 which correspond to mapped network drives and printers, etc. Not the stuff I'm interested in. I'm interested in Logon Type 2, 7, and 10 mostly. The list of Logon Types can be found at https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624
If I look at the Event Viewer on a client PC, I do see Event Code 4624 with the Logon Types I want (3, 7, 10), but these don't appear on domain controller logs. Am I missing something? I'm trying to avoid installing the UF and TA on each workstation as it would likely make me go over my license. Is there a way for me to tell if a user performed an interactive/remote logon or unlock from my domain controller logs?
Thanks for your help.