Get EventViewer Items from Host Server Related to a Specific RDS Brokered Connection


BACKGROUND: I have a system where users have an RDP file that sends them to an RDS server - which in turn sends them to a host server in a collection. These users will sign in/out of these servers several times a day.

QUESTION: Is there an event/s somewhere in the RDS server that will link me specifically with the session or ActivityID that is created for the user on the Host? I need a more reliable way to take a user's RDP event and get all the events in the Host server.

PREVIOUS ~WORKING(mostly)~ ATTEMPT: When we need to debug connection issues I go to the RDS server to view the following logs for the System/Correlation/ActivityID that I get from a search of a user's name/approximate time/EventID=1307

Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational
Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational

I grab the user's IP from Param3 in the related EventId=1149

I then go to the Host that the user was sent to and look for EventID=131 and Message -like <client's ip> around that time

From that I grab the System/Correlation/ActivityID, then filter the following logs for that.

Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin

I actually have a monster of a PowerShell script to do this, but it is too big and ugly to post here and fundamentally it relies on 'guesswork' around the time/ip

Another issue is that the Event logs are small and managed by a GPO that I have no control over - so they are overwritten quickly
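The correlation chain described in the question (broker 1307 by user name and time, broker 1149 Param3 for the client IP, host 131 matching that IP, then the host ActivityID across the four host logs), written out as an added PowerShell example that is not the asker's script. The parameter names, the 2-minute matching window and the default 1-hour search window are assumptions; the logs, event IDs and Param3 come from the question.

```powershell
# Added example (not the asker's script). Assumptions: $Broker/$SessionHost are reachable
# with Get-WinEvent -ComputerName, and a +/-2 min window is enough to pair 1307 -> 1149 -> 131.
param(
    [Parameter(Mandatory)][string]$Broker,
    [Parameter(Mandatory)][string]$SessionHost,
    [Parameter(Mandatory)][string]$UserName,
    [datetime]$Start = (Get-Date).AddHours(-1),
    [datetime]$End   = (Get-Date)
)

$brokerLog = 'Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational'
$rcmLog    = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
$hostLogs  = @(
    'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational',
    'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational',
    'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational',
    'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin'
)

# 1. Broker: 1307 events in the window whose message names the user.
$redirects = Get-WinEvent -ComputerName $Broker -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = $brokerLog; Id = 1307; StartTime = $Start; EndTime = $End
} | Where-Object { $_.Message -match [regex]::Escape($UserName) }
if (-not $redirects) { throw "No 1307 events for $UserName on $Broker between $Start and $End" }

foreach ($r in $redirects) {
    # 2. Broker: the nearest 1149 for that user; Param3 (Properties[2]) is the client IP.
    $auth = Get-WinEvent -ComputerName $Broker -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = $rcmLog; Id = 1149
        StartTime = $r.TimeCreated.AddMinutes(-2); EndTime = $r.TimeCreated.AddMinutes(2)
    } | Where-Object { $_.Message -match [regex]::Escape($UserName) } | Select-Object -First 1
    if (-not $auth) { Write-Warning "No 1149 near $($r.TimeCreated) for $UserName"; continue }
    $clientIp = $auth.Properties[2].Value

    # 3. Host: 131 in RdpCoreTS mentioning that IP carries the host-side ActivityID.
    $accept = Get-WinEvent -ComputerName $SessionHost -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = $hostLogs[0]; Id = 131
        StartTime = $r.TimeCreated.AddMinutes(-2); EndTime = $r.TimeCreated.AddMinutes(2)
    } | Where-Object { $_.Message -like "*$clientIp*" } | Select-Object -First 1
    if (-not $accept -or -not $accept.ActivityId) { Write-Warning "No 131 for $clientIp on $SessionHost"; continue }

    # 4. Host: every event in the four logs with that ActivityID (same XPath Event Viewer uses).
    $xpath = "*[System/Correlation[@ActivityID='$($accept.ActivityId.ToString('B').ToUpper())']]"
    foreach ($log in $hostLogs) {
        Get-WinEvent -ComputerName $SessionHost -LogName $log -FilterXPath $xpath -ErrorAction SilentlyContinue |
            Select-Object @{n='Log';e={$log}}, TimeCreated, Id, ActivityId, Message
    }
}
```

Because the logs are small and roll over quickly, run it as soon after the reported problem as possible, or narrow $Start/$End to the reported time so the 1307 search does not pick up unrelated sessions.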
