How to Add Terminal Servers as Application Sources in EventLog Analyzer

Objective

This article provides detailed steps on how to add Terminal Servers as application log sources in EventLog Analyzer. By adding Terminal Servers, you can collect, monitor, and analyze event logs generated from remote desktop sessions and related activities, helping you track user logins, session duration, and potential security events within your network environment.
It includes steps to configure devices, enable logging, and ensure the logs are properly collected for analysis and reporting.

Prerequisites

  • Administrator access to EventLog Analyzer.  
  • Access to the Terminal Server system.  
  • Ensure that the Event Viewer and registry editor (regedit) can be accessed on the target machine.  
  • License requirement:
    • For builds below 13000, you need an Application license to audit Terminal Server application logs. If you have added the log source as a Windows device, you need both a Windows server license and an Application license to audit the log source completely.
    • For build 13000 and above, you need a Log Source license to audit both the Windows server and the applications hosted on it.

Steps to follow

Step 1: Add the Windows log source in EventLog Analyzer/Log360.
Refer to Adding Windows device.
Note: To collect all events from the server, you must add it as a Windows log source. However, if you wish to audit only Terminal Service events and exclude other Application, Security, and System logs, you can skip to Step 2 and manually add the log source.

Step 2: Add Application Source in EventLog Analyzer
  1. Navigate to Settings → Log Source Configuration → Applications → General Applications.
  2. Under General Application, click the Add General Applications button in the top-right corner of the Home page.
  3. Choose the Log Source Type as Terminal.
  4. Click the + icon next to Log Source to obtain the list.
  5. Choose from the following list:
    • All log sources: This category offers the "Configured Log Sources" option, which contains the list of log sources that are already added in EventLog Analyzer.
    • Domains: This category offers the list of domains that are added in the Domains and Accounts settings. Once you choose a domain, you can select the computer accounts that are available in it.
    • Workgroup: This category offers the list of Workgroup servers that are added in the Domains and Accounts settings. Once you choose a Workgroup server, you can select the computer accounts in it.
    • Configure Manually: This option lets you add the log source manually.
  6. To add a device manually:
    1. Click Configure Manually and enter the Log Source Hostname or IP Address.
    2. For a Syslog device, enable the Add as Syslog device option.
    3. For a Windows device, enter the Username and Password, then click Verify Credentials.
  7. Click Select and Add to add the log source.
Step 3: Enable Terminal Server Logging
  1. On the Terminal Server, open Event Viewer.
  2. Navigate to: Applications and Services Logs → Microsoft → Windows → TerminalServices-Gateway → Operational
  3. Right-click on Operational and select Enable Log.
This enables logging for the corresponding Gateway or Operational processes.

Step 4: Configure Registry for 64-bit Windows Systems or Configure Event Source File
Registry configuration for 64-bit Windows OS (Vista or later):
  1. Open regedit (Registry Editor) on the Terminal Server.  
  2. Navigate to: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\
  3. Right-click on Eventlog, select New → Key.  
  4. Name the new key as:  Microsoft-Windows-TerminalServices-Gateway/Operational
This converts the log type to Administrative, enabling searches and report generation.  
Note: This registry configuration is not required for 32-bit Windows OS systems.
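
The two manual steps above (enabling the Operational log and creating the registry key) can also be scripted. The following PowerShell is an added example, not ManageEngine's own tooling; it assumes an elevated session on the Terminal Server and uses only the channel name given in this article. It also handles one pitfall: the key name contains a forward slash, which PowerShell's registry provider would split into two nested keys.

```powershell
#Requires -RunAsAdministrator
# Added example: scripts the Event Viewer and regedit steps for one channel.
$Channel     = 'Microsoft-Windows-TerminalServices-Gateway/Operational'  # name from this article
$EventLogKey = 'SYSTEM\CurrentControlSet\Services\EventLog'

# 1. Enable the channel (equivalent to right-click > Enable Log in Event Viewer).
#    -ErrorAction Stop aborts here if the channel does not exist on this host.
$log = Get-WinEvent -ListLog $Channel -ErrorAction Stop
if (-not $log.IsEnabled) {
    $log.IsEnabled = $true
    $log.SaveChanges()
}

# 2. Create the registry key (64-bit OS only, as the article states).
#    The key name contains "/". New-Item on an HKLM:\ path treats "/" as a
#    separator and would create two nested keys, so use the .NET registry API,
#    which splits only on "\" and keeps "/" as a literal character.
if ([Environment]::Is64BitOperatingSystem) {
    $parent = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($EventLogKey, $true)
    try {
        $key = $parent.CreateSubKey($Channel)   # no-op if the key already exists
        $key.Close()
    } finally {
        $parent.Close()
    }
}

# 3. Verify locally before checking EventLog Analyzer.
$parent     = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($EventLogKey)
$keyPresent = $parent.GetSubKeyNames() -contains $Channel
$parent.Close()

# An empty log is not an error here, so suppress "no events found".
$recent = @(Get-WinEvent -LogName $Channel -MaxEvents 5 -ErrorAction SilentlyContinue)

[pscustomobject]@{
    Channel       = $Channel
    Enabled       = (Get-WinEvent -ListLog $Channel).IsEnabled
    RegistryKey   = $keyPresent
    RecentEvents  = $recent.Count
    LastEventTime = if ($recent) { $recent[0].TimeCreated } else { $null }
}
```

A result with Enabled and RegistryKey both True but RecentEvents at 0 means the channel is ready and no gateway activity has been logged yet.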

Configuring Event Source File:
Use this option if you have added the log source for Windows log collection and want to create the registry key from the user interface instead.
  1. Navigate to Settings >> Log Source Configuration >> Windows device >> (search for the device) >> click Configure event source files.
  2. Search for the event source file named "Microsoft-Windows-TerminalServices-Gateway/Operational".
  3. Select the check box for the event source file and click Configure.

    NOTE: Configuring the event source file enables log collection for that event source, and the setting is synced with agents (if deployed) for log collection.

Validation and confirmation

  • Check Event Viewer to confirm that the Terminal Services Gateway logs are being generated.  
  • In EventLog Analyzer, verify that the terminal server appears under Applications.
  • Run a test search or generate a report to confirm log ingestion.

Tips

  1. Always verify the correct permissions before adding domain or workgroup devices.  
  2. For 64-bit systems, ensure the registry key is created accurately to avoid log indexing issues.  

FAQ

  1. What are the reports that are available for Terminal Server?
Answer: EventLog Analyzer/Log360 offers Terminal Server reports such as
  • Terminal Server Gateway Logons
    • Successful user disconnections from the resource based on clients
    • Successful user disconnections from the resource based on administrators
    • Successful user connections to the resource
    • Failed user connections to the resource
    • Successful connection authorizations
    • Failed connection authorizations
    • Successful resource authorizations
    • Failed resource authorizations
  • Terminal Server Gateway Communications
    • Top Byte transferred
    • Top Byte received
    • Session Duration
    • Top activities based on states
  • Terminal Server Gateway Top Reports
    • Top Gateway Users
    • Top Clients
    • Top Resources
You can also create custom reports as per requirement once the event is collected in the product.
  2. Why are Terminal Server logs not collected in EventLog Analyzer?
Answer: The log type for TerminalServices may still be set as Operational. Convert it to Administrative by creating the following registry key:
Example: for the event source TerminalServices-RDPClient
Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Microsoft-Windows-TerminalServices-RDPClient/Operational
  3. Where can I find official help resources for EventLog Analyzer/Log360?
Answer: Refer to Adding Terminal Servers for more details.

How to reach support

If you encounter issues adding or collecting Terminal Server logs, contact ManageEngine Support for assistance.  
 
 
