How to get access log of VM in Azure Cloud

Question

I'm very new to Azure Cloud. I have Windows VM in Azure Cloud and would like to set up remote access logs for Azure VM. There needs to be detailed logging of any access as well as any activities performed on the VM. Where should I configure to get access logs of VM. Can any one please let me know?

Answer 1

Azure

There are few options to collect Windows Event log in Azure:

• Azure Log Analytics - For collecting and querying logs inside Log Analytics Collect Windows event log data sources with Log Analytics agent

  You will need to install Log Analytics agent on VM

• Azure diagnostics extension - For collecting logs in Azure Storage Table (less expensive but much harder for querying) Collect data from Azure diagnostics extension to Azure Monitor Logs

  You will need to install Diagnostics Extension to Azure VM agent

• Use third party, like DataDog or Splunk (you will need to install their agents on your Azure VM)

Logs

RDP related logs could be found in Windows Event journal in:

• Operational: Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational
• Security: Windows -> Security

Access information represented by following entries in logs:

• Network Connection

  • Operational EventID 1149 - Remote Desktop Services: User authentication succeeded)

• Authentication

  • Operational EventID 4624 - An account was successfully logged on
  • Operational EventID 4625 - An account failed to log on;

• Logon

  • Operational EventID 21 - Remote Desktop Services: Session logon succeeded

• Session Disconnect/Reconnect

  Operational:

  • EventID 24 - Remote Desktop Services: Session has been disconnected
  • EventID 25 - Remote Desktop Services: Session reconnection succeeded
  • EventID 39 - Session has been disconnected by session
  • EventID 40 - Session has been disconnected, reason code

  Security:

  • EventID 4778 - A session was reconnected to a Window Station
  • EventID 4799 - A session was disconnected from a Window Station

• Logoff

  • Operational EventID 23 - Remote Desktop Services: Session logoff succeeded
  • Security EventID 4634 - An account was logged off

Source: Tracking and Analyzing Remote Desktop Activity Logs in Windows

For really detailed activities tracking on Windows you will need at least keylogger solution installed or use solutions like CYBERARC Privileged Session Manager which can record whole RDP session on video.