VPN Log Files Windows

6

1

I have a friend who is quitting their job. He is owed overtime, but the workplace has been casual about recording hours. He regularly signs out a work laptop, and will work from home via VPN.

Is there a way to retrieve log files for this person, despite the fact they use a different computer for the majority of the time that he could copy as an aid to his claim for overtime hours?

Normally, if it was an everyday computer, I would check some common log files, eventvwr.msi etc.

Thoughts?

Mark

Posted 2015-04-02T00:54:35.957

Reputation: 175

1 This is better asked at SuperUser - I flagged for migration. – schroeder – 2015-04-02T02:51:25.330

Answers

4

There are relevant log files in \WINDOWS\system32\LogFiles that may help. There is also system information available from the Event Viewer (Run > eventvwr.exe OR Control Panel > Admin Tools > Event Viewer); look for System logs.

However, both these locations could be empty depending on local settings.

One can configure Windows Firewall to log VPN connections, but that is not a default. Check Control Panel > Windows Firewall > [Advanced tab]; the default location for the log file is C:\WINDOWS\pfirewall.log.

Specific applications used may have preserved log data. If you know the IP address connected to, you could do a general search for files containing that IP address (but that wouldn't find compressed logs or non-ASCII log data).

pbhj

Posted 2015-04-02T00:54:35.957

Reputation: 76

5

Expanding on @pbhj's answer, I successfully found logs following these instructions, summarized here:

  1. Navigate through the Start menu to get to the Event Viewer: Start > Control Panels > Administrative Tools > Event Viewer.
  2. In the Actions pane, select Create Custom View or Filter Current Custom View.
  3. Select the event severities (e.g., Critical, Warning, Error, Information, etc.) listed under the Event level option.
  4. Click the Event sources pull-down menu and select the event sources that you would like to see, for example: VPN Client - vpnagent, vpnui; DHCP - DHCP-Client; Native VPN - RasMan, RasClient, Remote Access.
  5. Save the filter to Custom View.
  6. Select the log event in the event browser page (top).
  7. Event Properties in the middle pane has the log details for an event. Double-click an event to bring up a new Event Properties window in addition to the Event Properties pane.

I used specifically "RasClient", and found this Error level log in the Custom view:

CoId={53F1C7C6-B011-4453-B2D5-C0F82ED8E590}: The user {domain}{username} dialed a connection named {target VPN connection} which has failed. The error code returned on failure is 789.

(Note I was looking for logs because my VPN errored, not because I wanted to see my VPN history as in OP's question)

The Red Pea

Posted 2015-04-02T00:54:35.957

Reputation: 197
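
A scripted equivalent of the custom view described in the answer above, as an added example that is not part of either answer: it pulls events from the same event sources, exports them to CSV, and lists the first and last VPN-related event per day. The 30-day window, the output path and the per-day summary are assumptions made for illustration.

```powershell
# Added example. Provider names come from the answer above; the time window,
# output path and summary format are assumptions.
$wanted = 'RasClient', 'RasMan', 'vpnagent', 'vpnui'
$since  = (Get-Date).AddDays(-30)
$outCsv = Join-Path $env:TEMP 'vpn-events.csv'   # hypothetical output path

# Keep only providers registered on this machine; asking for an unknown
# provider makes Get-WinEvent raise an error instead of returning nothing.
$present = foreach ($name in $wanted) {
    if (Get-WinEvent -ListProvider $name -ErrorAction SilentlyContinue) { $name }
}
if (-not $present) {
    Write-Warning 'None of the VPN event sources are registered on this computer.'
    return
}

# SilentlyContinue also covers the "no events match" case (logs may be empty).
$events = Get-WinEvent -FilterHashtable @{ ProviderName = $present; StartTime = $since } `
              -ErrorAction SilentlyContinue | Sort-Object TimeCreated

$rows = foreach ($e in $events) {
    # Pull the numeric code out of messages such as
    # "... The error code returned on failure is 789."
    $code = if ($e.Message -match 'error code returned on failure is (\d+)') { $Matches[1] } else { $null }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        Provider    = $e.ProviderName
        Id          = $e.Id
        Level       = $e.LevelDisplayName
        ErrorCode   = $code
        Message     = ($e.Message -replace '\s+', ' ')   # flatten to one line for CSV
    }
}
$rows | Export-Csv -Path $outCsv -NoTypeInformation

# First and last VPN-related event on each day that has any.
$rows | Group-Object { $_.TimeCreated.Date } | ForEach-Object {
    [pscustomobject]@{
        Day    = $_.Group[0].TimeCreated.ToString('yyyy-MM-dd')
        First  = $_.Group[0].TimeCreated.ToString('HH:mm:ss')
        Last   = $_.Group[-1].TimeCreated.ToString('HH:mm:ss')
        Events = $_.Count
    }
} | Format-Table -AutoSize
```

The result only covers the computer the script runs on and only as far back as that machine's event log retention reaches.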