Is there way to check public source IP in IIS logs to find who attempted to login to https://remote.example.com/RDWeb and what user account?
Event viewer will have those logs. I just did this today but I can’t remember which one. You are looking for the TerminalServices logs under Applications and Services > Microsoft > Windows > TerminalServices
There are multiple entries and one of those has the public IP + username login logs.
If you have NATed ports via firewall then there will be no public IP as this intended purpose of NAT.
Ok checking thanks for the information.
So it’s kinda weird. The users I know for sure connected to RDS or RDWeb today. I see their login logs but couple months back none from today. So far I checked TerminalServices-Gateway\Operational logs. Checking other Terminal folders too.
Just checked mine.
TerminalServices-LocalSessionManager\Operational. Event ID 21. That shows me Source Network Address
TerminalServices-Gateway\Operational is the correct one, you should look for the event id 300
Yeah I see that too, but was interested to find source Public IP address with username rather than private IP address. Let me know if you find a way to do that?
Public IP for me shows in the operational logs like you were saying weren’t there.
I would double check your auditing settings.