Capture Event ID 100, Source ScreenConnect
Adam Palmer
From the endpoint SIEM logs' perspective:
I agree that logging event ID 100 from provider 'ScreenConnect' and channel 'Application' is critical to be able to tell who connected to what device. That would let us pull this data from the endpoint's perspective. When I search our SIEM today I see a few 100 events that are not from the ScreenConnect provider, and support confirmed that they are filtered out. MVP for this view would be to include who connected or disconnected.
From the ScreenConnect SaaS / on-prem server's perspective:
If I point our ScreenConnect to one of our syslog collectors then I do see event details, but the message is truncated before it tells you who connected or disconnected and to which device. When troubleshooting a potential security incident this is critical information to have. I would love a full-blown ScreenConnect integration, but as an MVP I really just need the username that connected or disconnected and to which device.
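An added example of the endpoint-side collection described in the post above (not the poster's or ScreenConnect's own code): it pulls Event ID 100 from the Application log, filtering on the ScreenConnect provider so that Event ID 100 records written by unrelated providers are excluded. It assumes it runs with an account that can read the Application log on the listed hosts; the function name and the CSV path are placeholders.

```powershell
# Added example, not from the original post. Collects ScreenConnect Event ID 100
# records from the Application log. Filtering on ProviderName matters because
# other providers also emit Event ID 100; a filter on the ID alone would mix them in.
function Get-ScreenConnectSessionEvents {
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,      # hosts to query (local by default)
        [datetime]$StartTime    = (Get-Date).AddDays(-1)  # look back 24 hours by default
    )
    foreach ($computer in $ComputerName) {
        $filter = @{
            LogName      = 'Application'
            ProviderName = 'ScreenConnect'
            Id           = 100
            StartTime    = $StartTime
        }
        try {
            Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop |
                Select-Object TimeCreated, MachineName, Id, ProviderName,
                    @{ Name = 'Message'; Expression = { $_.Message -replace '\s+', ' ' } }
        }
        catch {
            # Get-WinEvent raises an error when nothing matches; report it per host
            # instead of aborting the sweep of the remaining computers.
            Write-Warning "No ScreenConnect Event ID 100 records on $computer since $StartTime ($($_.Exception.Message))"
        }
    }
}

# Export for SIEM ingestion; the output path is a placeholder.
Get-ScreenConnectSessionEvents |
    Export-Csv -Path 'C:\Temp\screenconnect-event100.csv' -NoTypeInformation
```

Pass `-ComputerName` a list of endpoints to sweep several hosts in one run; the Message column carries whatever the local provider wrote, so it is the place to check whether the connecting user and device appear.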