Main window

The main window is divided in four sections:

• Input: You must select a folder that contains the Event Logs or a destination folder.
• Filters: You can filter by Event IDs, by IP addresses (presence and type), by Dates, or by searching some keywords.
• Report options: Choose the report format and types of details that will be included in the final report.
• Footer: The footer that contains information about the state of the process and buttons: Process, Settings, Documentation and About.

Input

You must select a folder that contains the Event Logs or a destination folder where the Event Logs from the current running system will be copied. To Copy Event Logs from current running system, you must start the tool as admin.

Filters

You have four types of filters:

• Event IDs: Without this filter, all event IDs that may be related to RDP activities will be parsed. For the most recent log format, that includes:
  
  For the old format, that includes:
  
• IP addresses: With this filter, only event that contain an IP address will be selected. You can choose to include private IP addresses or not.
• Dates: Choose the date or the period (based on your timezone).
• Keyword(s): List of terms that will be searched. If you use more that one keyword, they must be separated by semi-colons (ex.: keyword1;my keyword2;keyword3)

Report options

In this section, you can choose the report format and the type of details that will be included in the final report.

• Report path and format: Available formats are XLSX, TXT and HTML. With XLSX or HTML format, the final report can include stats.
• Columns: You can select which columns will be included. That includes:
  
  • With IPs only in data option, all data in event that contains an IP addresses will be removed, except the IP address. Example with XLSX report format:
    
  • With Data on a single line option, the event data lines will be all printed on the same line (separated by vertical bar, "|").
• Timezone: Select the timezone to use in datetime objects.
• Others:
  • Add stats to the report: Available with XLSX and HTML format only. With this option, details about the system and the log will be included in the final report. Details may include: Computer name, based on the Computer column; System, this information is only available if the system.evtx have been parsed and if at least one 6009 event have been found; for each event log, the date and time of the first entry, the date and time of the last entry and the number of entries.
  • Open report when finished: The report will be opened with the default application when the process will be finished.

Example of report:

Settings

There are a few parameters that can be set in RDP-Parser.

General

In Tool section, we have the following functions and options:

• Export Lang.ini: Use this function to translate RDP-Parser GUI. See Translation for help about this functionality.
• Open user dir: This is the directory where settings are saved. Copy the content of this directory if you want to backup your settings.
• Check Update: Check on le-tools.com if a tool update is available.
• Check for update at startup: When RDP-Parser starts, check on website for available update of the tool.

Logging

In Logging section, we have the following options:

• Enable logging: If checked, errors and activities are logged in a text file (RDP-Parser.log). You must select a directory where the log file will be created:
  • Use default folder: If you used the installer, the default folder is AppData. Otherwise, it's the same folder than the program.
  • Use this folder: Enter the folder where you want the log file to be saved.