On Windows servers, the Security.evtx file is used via Event Viewer to see when Remote Desktop (RDP) connections were made, who attempted them, and when the session was closed. Thanks to these logs, both successful and unsuccessful RDP attempts can be examined in detail.
Location of RDP Logs:
C:\Windows\System32\winevt\Logs\Security.evtx
This file contains all security-related logs. It is a binary file that cannot be read directly as text and must be viewed with the Event Viewer application (or queried with Get-WinEvent).
Review with Event Viewer:
- Type eventvwr in the Start menu and run it.
- In the left panel, open Windows Logs > Security.
- Click Filter Current Log... in the right panel.
- Enter the following Event IDs as a filter: 4624, 4625, 4778, 4779
Important Event IDs:
- 4624: Logon success
- 4625: Logon failed
- 4778: Remote session (RDP) started
- 4779: Remote session (RDP) closed
Displaying IP Addresses:
The following fields should be examined in each event's details:
- Network Information > Source Network Address: the IP address from which the connection came.
- The Account Name and Logon Type fields also provide information about the user and the connection type.
Short RDP Log Report with PowerShell:
Get-WinEvent -LogName Security | Where-Object { $_.Id -eq 4624 -or $_.Id -eq 4625 -or $_.Id -eq 4778 -or $_.Id -eq 4779 } | Format-Table TimeCreated, Id, Message -AutoSize
This command lists logon, failed-logon and RDP session connect/disconnect events on the system. Note that 4624 and 4625 are written for every kind of logon, not only RDP; the Logon Type field (10 = RemoteInteractive) tells RDP logons apart from the rest.
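As an added example that is not part of the original article, the following script extends the one-liner above: it pulls the user and Source Network Address out of each event's EventData, keeps only the RDP-relevant logon types, and then groups failed logons by source IP so repeated failures from one address stand out. It assumes it is run in an elevated PowerShell on the server itself; the $Days and $FailureThreshold values are illustrative.

```powershell
# Added example (not part of the original article); run in an elevated PowerShell.
param(
    [int]$Days = 7,               # look-back window (illustrative value)
    [int]$FailureThreshold = 10   # failed logons per source IP to flag (illustrative)
)
# A filter hashtable lets the event log service do the ID/time filtering
# instead of piping every Security record through Where-Object.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625, 4778, 4779
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # The "Network Information" fields seen in Event Viewer are <Data> elements
    # in the event XML; index them by their Name attribute.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($e.Id -eq 4624 -or $e.Id -eq 4625) {
        # 4624/4625 are written for every logon type; type 10 (RemoteInteractive)
        # is RDP. With Network Level Authentication enabled, failed RDP attempts
        # are usually recorded as type 3 (Network) instead, so keep those too.
        $type = $data['LogonType']
        if ($e.Id -eq 4624 -and $type -ne '10') { continue }
        if ($e.Id -eq 4625 -and $type -notin '10', '3') { continue }
        $label = if ($e.Id -eq 4624) { 'RDP logon success' } else { 'Logon failed' }
        $user  = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        $ip    = $data['IpAddress']
    } else {
        # 4778/4779 (session connect/disconnect) put the client in ClientAddress.
        $type  = 'n/a'
        $label = if ($e.Id -eq 4778) { 'RDP session connected' } else { 'RDP session disconnected' }
        $user  = "$($data['AccountDomain'])\$($data['AccountName'])"
        $ip    = $data['ClientAddress']
    }
    [pscustomobject]@{
        Time = $e.TimeCreated; Id = $e.Id; Event = $label
        LogonType = $type; User = $user; SourceIP = $ip
    }
}

$report | Sort-Object Time | Format-Table -AutoSize

# Failed logons grouped by source address: many failures from one address is the first thing to check.
$report | Where-Object Id -eq 4625 | Group-Object SourceIP |
    Where-Object Count -ge $FailureThreshold |
    Select-Object @{n='SourceIP'; e={$_.Name}}, Count | Sort-Object Count -Descending
```

Type-3 failures grouped here can also come from non-RDP network logons (file shares, for example), so confirm the source and service in the event details before drawing conclusions.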
Notes:
- If the RDP port (default 3389) has been changed, System.evtx should also be checked in addition to the security logs to find attack logs.
- Detailed analysis can be performed with a time filter and user-based filtering in Event Viewer.
It is recommended to regularly check these logs for security and access control on Windows-based VPS or servers.