How to report and alert when RDP logons are attempted?

I need to have a report and alerts for when someone connects via RDP on my Windows 11 workstations. The Logon Activity reports are not showing RDP logins. I have the EventIDs that I want to track, but how do I create a report and alerts for this?

Hello Jeff, and welcome to the Netwrix Community!

I understand that you’d like to generate both reports and alerts when someone connects via RDP to your Windows 11 workstations.

Netwrix Auditor can absolutely help with this, though it isn’t handled through the Logon Activity module. Instead, this scenario is covered by our included tool called Event Log Manager (ELM). ELM contains several built-in activity record collections and alerts—one of which is specifically designed to track Remote Desktop Connections.

ELM is part of the Windows Server module. If you don’t currently have that module licensed, you may be able to start a trial by going to Settings → Licenses and selecting Start Trial next to the Windows Server option.

Once the module is active, you can launch Event Log Manager directly on the Netwrix Auditor server by navigating to:
Start → All Programs → Netwrix Auditor → Netwrix Auditor Event Log Manager

From there, you can create a new Monitoring Plan. The Remote Desktop Connection presets are available under Audit Archive Filters for standard collection. If you’d like to generate near real-time notifications, you can also create a custom alert in the Alerts section.

If you open Event Log Manager and would like help configuring it, just let me know—I’d be happy to get a support ticket started for you.

Michael Purdin
Manager, Technical Support Engineering


Thanks Michael! That put me on the right path! I may need a support ticket created.

The question I have is: am I able to specify a logon type for Event ID 4624? I’d want to report and alert for logon type 10, which is for RemoteInteractive logons (Terminal Services, Remote Desktop, or Remote Assistance), and ideally for Elevated Tokens, i.e., Admin access.


Jeff,

Since you are wanting to do an alert, you can add one manually with any Event ID you wish.

Here are some basic steps for this, and if you’d like us to go through this with you in a Zoom session, just message me your email address via a direct message.

ELM-Custom Alert

  1. In ELM, open the Monitoring Plan / Create a New Monitoring Plan

  2. Fill out the details such as the Data Collection Account and the Name of the Monitoring Plan

  3. In “Monitored Computers”, add the computers or OU of the computers you want to monitor by clicking Add

  4. After saving the computers/OUs you wish to monitor, click “Configure” next to Alerts

  5. There are only two Alerts by default, so click on “Add”

  6. On the Alert Properties screen, fill in the data such as the name, description and how many alerts you want per email. From there, click “Add” next to Event Filters.

  7. On the Event Filters screen, fill out the name of the filter and click on Event Fields

  8. On the Event Fields screen, you can narrow down your alert with as much detail as you wish, or, as in the screenshot below, you can simply collect all 4624 events

  9. Once you fill out the details, click OK until you get back to the main screen. Once you save the plan, this will create a Scheduled Task that will send you the alerts every 10 minutes. You can adjust this by updating the Scheduled Task in Windows.

Hopefully this helps but again, if you need any assistance, just message me and I’ll get a ticket open for you.

Michael Purdin
Manager, Technical Support Engineering

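As an added example, not part of the thread above and not Netwrix code: before building the ELM alert on Event ID 4624, it is worth confirming on the workstation itself that the Security log actually contains 4624 events with LogonType 10 and, for the admin case, ElevatedToken = %%1842 (Yes). The PowerShell below runs that exact filter as an XPath query against the Security log, so the same field names and values can then be entered on the ELM Event Fields screen. It assumes it is run from an elevated prompt on a Windows 11 workstation (or against a remote one reachable over RPC with -ComputerName), that "Audit Logon" success auditing is enabled, and that the parameter names and the 24-hour window are mine, chosen for illustration.

```powershell
# Added example (not from the thread or from Netwrix): list RDP logons from the
# Security log using the same filter an ELM alert on 4624 would need.
# Assumptions: elevated prompt; "Audit Logon" success auditing is on (4624 is
# never written otherwise); -ComputerName targets a host reachable over RPC.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24,            # look-back window (illustrative default)
    [switch]$ElevatedOnly        # only logons that received a full admin token
)

# Local-only sanity check: auditpol /r emits CSV; the Logon subcategory must
# include "Success" or no 4624 events will exist for the query to find.
if ($ComputerName -eq $env:COMPUTERNAME) {
    $audit = auditpol /get /subcategory:"Logon" /r | ConvertFrom-Csv
    if ($audit.'Inclusion Setting' -notmatch 'Success') {
        Write-Warning "Audit Logon success auditing is off on $ComputerName; 4624 will not be written."
    }
}

# XPath: 4624 (successful logon) with LogonType 10 (RemoteInteractive: RDP,
# Terminal Services, Remote Assistance). On Windows 10/11 the ElevatedToken
# field is the resource string %%1842 (Yes) or %%1843 (No).
$elevatedClause = if ($ElevatedOnly) { " and EventData[Data[@Name='ElevatedToken']='%%1842']" } else { "" }
$ms    = $Hours * 3600 * 1000
$xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]]" +
         " and EventData[Data[@Name='LogonType']='10']$elevatedClause]"

# Get-WinEvent raises a non-terminating error when nothing matches; suppress it.
$events = Get-WinEvent -ComputerName $ComputerName -LogName Security `
                       -FilterXPath $xpath -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Pull named EventData fields out of the event XML rather than parsing the
    # localized message text, so the output is stable across language packs.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Computer = $e.MachineName
        User     = "$($d.TargetDomainName)\$($d.TargetUserName)"
        SourceIP = $d.IpAddress
        Elevated = ($d.ElevatedToken -eq '%%1842')
        LogonId  = $d.TargetLogonId
    }
}
```

Run it as `.\Get-RdpLogons.ps1 -ElevatedOnly` (the file name is mine) and you should see one row per interactive RDP session that started with an admin token; an empty result with no auditpol warning usually means nobody has connected in the window, so test by opening an RDP session to the machine first. Two caveats from my own experience, not from the thread: a user reconnecting to an existing disconnected session does not produce a new LogonType 10 event but a 4778 (session reconnected) and a LogonType 7 (unlock) 4624, so an alert keyed only on type 10 misses reconnects; and with Network Level Authentication enabled you will also see a LogonType 3 4624 for the same user a moment before the type 10 one, which is normal and not a second connection.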