Log analytics on prem RDS query for current logged on users

I currently have the log analytics agent installed on our on prem servers (RDS farm).

 

I was hoping I could create a query that would display the user and the server they are logged on to, since what time they have been logged on, and whether the session is disconnected or active.

 

 

WVD has the following

// Session duration
// Lists users by session duration in the last 24 hours.
// The "State" provides information on the connection stage of an activity.
// The delta between "Connected" and "Completed" provides the connection time for a specific connection.
WVDConnections
| where TimeGenerated > ago(24h)
| where State == "Connected"
| project CorrelationId, UserName, ConnectionType, StartTime = TimeGenerated
| join (WVDConnections
    | where State == "Completed"
    | project EndTime = TimeGenerated, CorrelationId)
    on CorrelationId
| project Duration = EndTime - StartTime, ConnectionType, UserName
| sort by Duration desc

 

 

Is there something similar for RDS on prem? Where would be the best place to start looking?

 

Thanks

1 Reply
Hi,
Please see if http://woshub.com/rdp-connection-logs-forensics-windows/ can help you. Once you have identified the events you are interested in, you can collect them with Azure Monitor and use Kusto to visualize the data, the same way you do today.
Also, look for a performance counter that shows the number of connected users.
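One way to get the "who is logged on where, since when, active or disconnected" view the question asks for, once the RDS session-manager event log is being collected as the reply suggests. This is an added example, not from the original thread: it assumes the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational channel has been added as a Windows event log data source for the agent (so its events land in the Event table), and that the rendered event text carries "User: DOMAIN\name" and "Session ID: n" as the session-manager events normally do.

```kusto
// Added example: current RDS session state per user and server, built from
// Microsoft-Windows-TerminalServices-LocalSessionManager/Operational events
// (21 logon, 23 logoff, 24 disconnect, 25 reconnect) in the Event table.
// Assumption: the channel is collected by the agent and RenderedDescription
// contains "User: DOMAIN\name" and "Session ID: n".
let lookback = 7d;   // sessions that started before this window show an empty LoggedOnSince
Event
| where TimeGenerated > ago(lookback)
| where EventLog == "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
| where EventID in (21, 23, 24, 25)
| extend UserName  = extract(@"User:\s*([^\r\n]+)", 1, RenderedDescription),
         SessionId = extract(@"Session ID:\s*(\d+)", 1, RenderedDescription)
| where isnotempty(UserName)
// Map each event to the session state it implies
| extend State = case(EventID == 21, "Active",
                      EventID == 25, "Active",
                      EventID == 24, "Disconnected",
                      "LoggedOff")
// Per user/server/session: earliest logon in the window, plus the latest event
// (arg_max keeps the TimeGenerated and State of that latest event)
| summarize LoggedOnSince = minif(TimeGenerated, EventID == 21),
            arg_max(TimeGenerated, State)
    by Computer, UserName, SessionId
// Drop sessions whose most recent event was a logoff
| where State != "LoggedOff"
| project UserName, Server = Computer, SessionId, LoggedOnSince, State, LastChange = TimeGenerated
| sort by Server asc, UserName asc
```

Sessions whose latest event is 24 appear as Disconnected, and those ending in 21 or 25 as Active; if a server reboots without writing logoff events, stale sessions may linger until the lookback window ages them out.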