Netop Portal Audit Logging Events

This article provides complete information that will help you understand and audit the log reports available in the Netop Portal.

The generated log report will contain the following details (columns):

Report column

Description

Source

The module generating the log event. Currently, the possible values are portal and HOST.

Session

  • If Source is “portal”, a unique identifier of the user session, useful to group log events for a specific user session, or empty if the action is not in the context of a user session.
  • If Source is “HOST”, a unique identifier of the remote session, if the action is in the context of a Guest-Host connection, or empty otherwise.

User Id

  • If Source is “portal”, the internal ID of the logged in Portal user. If the action is performed by the Portal rather than the actual user, the logged value is SYSTEM.
  • If Source is “HOST”, the internal ID of the Portal user, if Portal authentication was used for a remote session operation, or an empty value if any other authentication method was used.

User Name

  • If Source is “portal”, the username of the logged in Portal user. If the action is performed by the Portal rather than the actual user, there will be no logged value in this column.
  • If Source is “HOST”:
    •  the username of the currently logged in Windows user (if the action is not in the context of a Guest-Host connection)
    • the username that the Guest used for authenticating to the Host (depending on the Host's access settings).
    • If the Host is set up to request a simple password (no username), this field is empty.

Account Id

The internal ID of the account that the logged in Portal user belongs to.

Entity Type

The type of the entity involved in the current log event. For the complete list of entity types, please refer to the next section of this article.

Action

The action executed by the entity. For the complete list of actions each entity can perform, please refer to the next section of this article.

Entity Id

The internal ID of the entity involved in the current log event.

Entity Name

The name of the entity involved in the current log event.

Result Code

Indicates whether the action performed by the entity was successful or not. Normally, 0 means that the action was successful; anything greater than 0 means that an error occurred.

Data

Contains different data based on the action performed by the entity, as follows:

  • If the current action is CREATE, UPDATE or DELETE, it will contain raw data with the entity updates.
  • If the current action is LOGIN, it will contain raw data of the authenticated user, the public IP of the user performing the action and the User Agent.
  • If the current action is PORTAL_CONNECTION_STARTED or PORTAL_CONNECTION_STOPPED, it will contain general information about the Host; if the current action is NRC_SESSION_STARTED or NRC_SESSION_STOPPED, it will also contain general information about the Guest that initiated the connection.
  • If the current action is FILE_SENT, FILE_RECEIVED, RUN_PROGRAM, EXECUTE_COMMAND, HELP_REQUEST_SENT, GATEWAY_LOGIN, GUEST_ACCESS_METHOD_CHANGED, LOGIN_FAILED, WEB_UPDATE_DOWNLOAD, WEB_UPDATE_FAILED or WEB_UPDATE_CHECK, it will contain action-specific information. For details, please refer to the table below.
  • In all the other cases, it will contain raw data for the corresponding entity.

Action timestamp

The Linux timestamp of the current log event.

Action date

The UTC date and time of the current log event.

Environment

The environment generating the log event. Currently, the only possible value is live.

Below is the complete list of actions that can be performed on the Portal entity types and the description of the events logged in the audit trails.

Note: The Host events will be logged in the Portal only when a Netop Portal profile exists on the Host, is active (connected to the Portal), and Portal Logging is enabled for the account the Host belongs to.

In case the Portal profile goes temporarily offline (after having been connected before), events will be retained by the Host until the Portal profile goes back online, or until the Host is closed. When the Portal profile goes back online, if logging is still enabled in the Portal for the Host's account, all retained events will be logged. If logging has meanwhile been disabled for the account, or the Host is closed before the Portal profile re-establishes the connection, all retained events will be discarded.

In case no Portal profile is defined or active, no events will be logged.
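
As an added example (not part of the original article or Netop's own tooling), the Python code below rebuilds remote-session timelines from an exported report by grouping HOST rows on the Session column and pairing NRC_SESSION_STARTED with NRC_SESSION_STOPPED, two actions described later in this article. It assumes the report is a CSV file whose headers match the column names above; the sample rows, session IDs and usernames are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Assumption: the report is CSV and its headers
# match the column names documented above (only some columns are shown).
SAMPLE_REPORT = """\
Source,Session,User Id,User Name,Entity Type,Action,Result Code,Action timestamp
HOST,s-100,,alice,HOST,NRC_SESSION_STARTED,0,1508335200
HOST,s-100,,alice,HOST,FILETRANSFER_SESSION_STARTED,0,1508335230
HOST,s-100,,alice,HOST,FILE_RECEIVED,0,1508335260
HOST,s-100,,alice,HOST,NRC_SESSION_STOPPED,0,1508335500
HOST,s-200,,bob,HOST,NRC_SESSION_STARTED,0,1508336000
HOST,s-200,,bob,HOST,RUN_PROGRAM,0,1508336050
HOST,,,svc_local,HOST,KEYBOARD_LOCKED,0,1508336060
portal,p-1,42,carol,USER,LOGIN,0,1508336100
"""


def reconstruct_host_sessions(report_csv):
    """Return (sessions, unscoped): per-session timelines for HOST rows, plus
    HOST events whose Session column is empty."""
    raw = defaultdict(lambda: {"start": None, "stop": None,
                               "users": set(), "events": []})
    unscoped = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["Source"] != "HOST":
            continue  # for "portal" rows, Session is a user session instead
        ts, action = int(row["Action timestamp"]), row["Action"]
        if not row["Session"]:
            # Not in a Guest-Host connection, or an event that carries no
            # session ID (the page notes this for KEYBOARD_LOCKED/UNLOCKED).
            unscoped.append((ts, action))
            continue
        session = raw[row["Session"]]
        if row["User Name"]:
            session["users"].add(row["User Name"])
        if action == "NRC_SESSION_STARTED":
            session["start"] = ts
        elif action == "NRC_SESSION_STOPPED":
            session["stop"] = ts
        else:
            session["events"].append((ts, action, int(row["Result Code"] or 0)))

    sessions = {}
    for sid, s in raw.items():
        complete = s["start"] is not None and s["stop"] is not None
        sessions[sid] = {
            "users": sorted(s["users"]),
            "complete": complete,  # False: start or stop row missing
            "duration_s": s["stop"] - s["start"] if complete else None,
            "actions": [a for _, a, _ in sorted(s["events"])],
            # Result Code > 0 normally means the action failed.
            "failed": [a for _, a, rc in sorted(s["events"]) if rc > 0],
        }
    return sessions, sorted(unscoped)


if __name__ == "__main__":
    sessions, unscoped = reconstruct_host_sessions(SAMPLE_REPORT)
    for sid, info in sessions.items():
        print(sid, info)
    print("no session id:", unscoped)
```

A session reported as incomplete has no matching start or stop row in the report; the retention rules above are one way such a gap can arise, since retained events are discarded if the Host is closed before the Portal profile reconnects.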

Entity Type

Action

Event Description

ACCOUNT

CREATE

An event is logged when the superadmin creates an account. It is the first event logged for any account.

UPDATE

An event is logged in one of the following situations:

  • An account owner updates the account details.
  • An account owner or account admin updates the account security settings.
  • The superadmin updates the account.

ACCOUNT_AUTH_METHOD

CREATE

An event is logged when a new authentication method is created.

UPDATE

An event is logged when an existing authentication method has been updated.

DELETE

An event is logged when an existing authentication method has been deleted.

BROWSE_GROUPS

An event is logged when a user browses for LDAP User Groups in the Portal.

DEVICE

CREATE

An event is logged when a device is created in the Portal through the enrollment process available with the Netop Host version 12.65 or above or when registering previous versions of the Netop Host.

UPDATE

An event is logged in one of the following situations:

  • The device details are updated in the Portal, including when the device updates its status (going online/offline).
  • The Enrollment State is updated, that is, the device is enrolled in the Portal by clicking the Enroll button.

ATTACH_TO_GROUP

An event is logged when a device is attached to a Device Group.

DETACH_FROM_GROUP

An event is logged when a device is removed from a Device Group.

DELETE

An event is logged when a Portal user deletes the device.

REVOKE

An event is logged when a deployment package is revoked from the Portal, which subsequently revokes all its associated devices.

CONNECT

An event is logged when the Portal user connects to the device via the Browser-based Support Console.

AUTHORIZE

An event is logged when a device requests and receives the list of permissions for a specific user requesting access.

REGISTER

An event is logged when a Netop Host with a version earlier than 12.65 changes its status (online/offline).

ENROLL

An event is logged when a Host enrolls to the Portal.

RE_ENROLL

An event is logged when a Host re-enrolls to the Portal following a conflict (e.g., the Host or its machine was cloned). For information on device identity conflicts and workarounds, see this article.

GET_ACCESS

An event is logged whenever a Host tries to authorize itself for accessing the Portal.

UPGRADE

An event is logged when a Netop Host with a version earlier than 12.65 first tries to authenticate into the Portal and is migrated from a user/password configuration to an enrollment key configuration.

DEVICE_CONFLICTS

CREATE

An event is logged after a Netop Host starts and detects a conflict with another online Host. For information on device identity conflicts and workarounds, see this article.

UPDATE

An event is logged as part of the conflict solving process from the conflicting Netop Host. For information on device identity conflicts and workarounds, see this article.

DEPLOYMENT_PACKAGE

CREATE

An event is logged when a deployment package is created in the Portal.

UPDATE

An event is logged in one of the following situations:

  • A deployment package is updated in the Portal.
  • A new Host enrolls in the Portal.
  • A Host is deleted from the Portal.

DELETE

An event is logged when a deployment package is deleted from the Portal.

REVOKE

An event is logged when a deployment package is revoked in the Portal.

GET_DOWNLOAD_URL

An event is logged when a user initiates the download of the Host online installer from the Portal.

GET_PUBLIC_DOWNLOAD_URL

An event is logged when a user initiates the download of the online installer following an email received with the link from the Portal.

UPLOAD_MSI

An event is logged when a user successfully uploads an MSI file for a specific deployment package in the Portal.

UPLOAD_MST

An event is logged when a user successfully uploads an MST file for a specific deployment package in the Portal.

DOWNLOAD_EXE

An event is logged when a user successfully downloads the online installer from the Portal.

PUBLIC_DOWNLOAD_EXE

An event is logged when a user successfully downloads the online installer following an email received with the link from the Portal.

DOWNLOAD_MSI

An event is logged when the online installer successfully downloads the needed MSI file from the Portal.

DOWNLOAD_MST

An event is logged when the online installer successfully downloads the needed MST file from the Portal.

USER_GROUP

CREATE

An event is logged when a user creates a User Group in the Portal.

UPDATE

An event is logged when a user updates a User Group in the Portal.

DELETE

An event is logged when a user deletes a User Group in the Portal.

DEVICE_GROUP

CREATE

An event is logged when a user creates a Device Group in the Portal.

UPDATE

An event is logged when a user updates a Device Group in the Portal.

DELETE

An event is logged when a user deletes a Device Group in the Portal.

GUEST

GET_DOWNLOAD_URL

An event is logged when a user initiates the download of the Guest online installer from the Portal.

LDAP_GROUP

CREATE

An event is logged when a user creates an LDAP User Group in the Portal.

UPDATE

An event is logged when a user updates an LDAP User Group in the Portal.

DELETE

An event is logged when a user deletes an LDAP User Group from the Portal.

LOG_REPORT

CREATE

An event is logged when a user starts generating a log report. Usually, this log event is followed by an UPDATE event, when the log report is successfully generated.

UPDATE

An event is logged when a log report is updated; usually this happens when the log report is generated successfully.

DELETE

An event is logged when a user deletes a log report in the Portal.

ROLE_ASSIGNMENT

CREATE

An event is logged when a user creates a Role Assignment in the Portal.

UPDATE

An event is logged when a user updates a Role Assignment in the Portal.

DELETE

An event is logged when a user deletes a Role Assignment in the Portal.

USER

CREATE

An event is logged when a user creates another User in the Portal.

UPDATE

An event is logged when a user updates a User in the Portal.

DELETE

An event is logged when a user deletes another User in the Portal.

UPSERT

An event is logged when a user logs in to the Portal via ADFS and the user is created/updated.

START_RESET_PASSWORD

An event is logged when a user initiates the reset password mechanism in the Portal, by providing their email.

RESET_PASSWORD

An event is logged when a user resets the password using the instructions received by email.

CANCEL_RESET_PASSWORD

An event is logged when a user cancels a previous reset password request.

ATTACH_TO_GROUP

An event is logged when a user is added to a specific User Group by clicking the Attach to Group button.

DETACH_FROM_GROUP

An event is logged when a user is removed from a User Group.

GENERATE_MFA_OTC

An event is logged when a user generates one-time Multi-Factor Authentication codes to be used for login.

VERIFY_EMAIL

An event is logged when a user validates his/her email after the creation of a trial account.

LOGIN

An event is logged when a user attempts to log into the Portal.

MFA_EMAIL_LOGIN

An event is logged when a user authenticates in the Portal with a Multi Factor token received by email.

MFA_OTC_LOGIN

An event is logged when a user authenticates in the Portal with a one-time Multi-Factor Authentication code previously generated in the Portal.

LOGOUT

An event is logged when a user logs out from the Portal.

HOST

PORTAL_CONNECTION_STARTED

An event is logged when a Portal profile is initialized and the Host successfully connects to the Portal.

The following Host parameters are logged in the event log:

  • logged_on_windows_user. The username of the Windows user currently logged in on the Host machine.
  • guest_access_method. The Guest access method defined in the Host settings.
  • nrc_id. The Host ID.
  • computer_name. The name of the Host machine.
  • public_ip. The public IP of the Host machine.
  • private_ip. The private IP of the Host machine.
  • operating_system. The operating system of the Host machine.
  • nrc_version. The Host's version.
  • nrc_buildnumber. The Host's build number.

PORTAL_CONNECTION_STOPPED

An event is logged when a Portal connection (profile) is stopped. The following Host parameters are logged in the event log:

  • logged_on_windows_user. The username of the Windows user currently logged in on the Host machine.
  • guest_access_method. The Guest access method defined in the Host settings.
  • nrc_id. The Host ID.
  • computer_name. The name of the Host machine.
  • public_ip. The public IP of the Host machine.
  • private_ip. The private IP of the Host machine.
  • operating_system. The operating system of the Host machine.
  • nrc_version. The Host's version.
  • nrc_buildnumber. The Host's build number.

NRC_SESSION_STARTED

An event is logged when a remote session is started. The following parameters are logged in the event log:

For the Host:

  • logged_on_windows_user. The username of the Windows user currently logged in on the Host machine.
  • guest_access_method. The Guest access method defined in the Host settings.
  • nrc_id. The Host ID.
  • computer_name. The name of the Host machine.
  • public_ip. The public IP of the Host machine.
  • private_ip. The private IP of the Host machine.
  • operating_system. The operating system of the Host machine.
  • nrc_version. The version of the Host.
  • nrc_buildnumber. The build number of the Host.

For the Guest:

  • logged_on_windows_user. The username of the Windows user currently logged in on the Guest machine.
  • gam_username. The username that the Guest used to authenticate to the Host, depending on the Host's authentication method. If the Host has simple password authentication, the parameter's value is empty.
  • nrc_id. The Guest ID.
  • computer_name. The name of the Guest machine.
  • public_ip. The public IP of the Guest machine. It can be empty if the Guest could not retrieve its public IP. Possible reasons for an empty value are an older Guest version or a connection/authentication that was not done using a Portal profile.
  • private_ip. The private IP of the Guest machine.
  • nrc_buildnumber. The build number of the Guest.

NRC_SESSION_STOPPED

An event is logged when a remote session is stopped.

REMOTECTRL_SESSION_STARTED

An event is logged when a remote control session is started.

REMOTECTRL_SESSION_STOPPED 

An event is logged when a remote control session is stopped.

FILETRANSFER_SESSION_STARTED

An event is logged when a file transfer session is started.

FILETRANSFER_SESSION_STOPPED

An event is logged when a file transfer session is stopped.

CHAT_SESSION_STARTED

An event is logged when a chat session is started.

CHAT_SESSION_STOPPED

An event is logged when a chat session is stopped.

AUDIO_TRANSFER_STARTED

An event is logged when audio is started during a remote session.

AUDIO_TRANSFER_STOPPED

An event is logged when audio is stopped during a remote session.

KBDMOUSE_TRANSFER_STARTED

An event is logged when, while in a remote control session, the technician takes over the keyboard and mouse control of the remote-controlled device.

KBDMOUSE_TRANSFER_STOPPED

An event is logged when, while in a remote control session, the technician's control over the keyboard and mouse of the remote-controlled device is stopped.

REMOTEMGMT_SESSION_STARTED

An event is logged when a remote management session is started.

REMOTEMGMT_SESSION_STOPPED

An event is logged when a remote management session is stopped.

FILE_SENT

An event is logged when, while in a file transfer session, a file is sent from the Host to the Guest. The following parameter is logged in the event log: file_name (the path and name of the sent file).

FILE_RECEIVED

An event is logged when, while in a file transfer session, a file is received by the Host. The following parameter is logged in the event log: file_name (the path and name of the received file).

RUN_PROGRAM

An event is logged when a program is run on the Host. The following parameter is logged in the event log: file_name (the name of the program or command that was run).

EXECUTE_COMMAND

An event is logged when a command is executed on a remote-accessed device. The following parameter is logged in the event log: file_name (the name of the executed command).

INVENTORY_SENT

An event is logged when a Host inventory is sent to the Guest.

MESSAGE_RECEIVED

An event is logged when a message is received by a Host.

CLIPBOARD_SENT

An event is logged when, while in a remote-control session, the Host computer clipboard content is sent to the Guest computer clipboard.

CLIPBOARD_RECEIVED

An event is logged when, while in a remote-control session, the Guest computer clipboard content is retrieved by the Host computer clipboard.

KEYBOARD_LOCKED

An event is logged when, while in a remote-control session, the keyboard of the Host computer is locked.

Note: The session ID is not available on this event.

KEYBOARD_UNLOCKED

An event is logged when, while in a remote-control session, the keyboard of the Host computer is unlocked.

Note: The session ID is not available on this event.

SCREEN_BLANKED

An event is logged when, while in a remote-control session, the Host screen is blanked.

SCREEN_UNBLANKED

An event is logged when, while in a remote-control session, the Host screen is unblanked.

HELP_REQUEST_SENT

An event is logged when a help request is sent. The following parameters are logged in the event log:

  • service_name. The name of the service that the Host chose from the list of available services, before sending the Help request.
  • problem_description. The description of the problem given by the Host.

HELP_REQUEST_CANCELLED

An event is logged when a help request is cancelled.

GATEWAY_LOGIN

An event is logged when a connection is made through a Gateway that requires authentication.

The following Gateway parameters are logged in the event log:

  • guest_access_method. The Guest access method defined on the Gateway.
  • gateway_login_user. The username used by the Guest for the Gateway authentication.
  • gateway_login_domain. The domain used by the Guest for Gateway authentication, if applicable.

The result code can be one of the following:

  • 0: password OK
  • 1: password wrong
  • 2: password wrong, maximum attempts reached

GUEST_ACCESS_METHOD_CHANGED

An event is logged when the Guest Access method defined on the Host is changed.

The following parameters are logged in the event log:

  • old_guest_access_method
  • new_guest_access_method

LOGIN_FAILED

An event is logged when the Guest fails to authenticate to the Host.

The following Guest parameters are logged in the event log:

  • logged_on_windows_user. The username of the Windows user currently logged in on the Guest machine.
  • gam_username. The username that the Guest used to authenticate to the Host, depending on the Host's authentication method. If the Host has simple password authentication, the parameter's value is empty.
  • nrc_id. The Guest ID.
  • computer_name. The name of the Guest machine.
  • public_ip. The public IP of the Guest machine. It can be empty if the Guest could not retrieve its public IP. Possible reasons for an empty value are an older Guest version or a connection/authentication that was not done using a Portal profile.
  • private_ip. The private IP of the Guest machine.
  • nrc_buildnumber. The build number of the Guest.

CONFIRM_ACCESS_GRANTED

An event is logged when the Host confirms access for the Guest.

CONFIRM_ACCESS_DENIED

An event is logged when the Host denies Guest access.

ILLEGAL_PASSWORD_LIMIT_REACHED

An event is logged when, while authenticating to the Host, the Guest exceeds the maximum limit of password entries.

TIMEOUT_LIMIT_EXCEEDED_AUTHENTICATION

An event is logged when, while the Guest is authenticating to the Host, the authentication timeout limit is exceeded.

TIMEOUT_LIMIT_EXCEEDED_CONFIRM_ACCESS

An event is logged when the Confirm access on the Host has exceeded the timeout limit.

TIMEOUT_LIMIT_EXCEEDED_INACTIVITY

An event is logged when the remote session inactivity has exceeded the timeout limit.

WEB_UPDATE_DOWNLOAD

An event is logged when a web update is downloaded. The following parameters are logged in the event log:

  • file_count. This parameter is empty.
  • file_name. The name of the web update file downloaded.
  • error_message. This parameter is empty.

WEB_UPDATE_INSTALL

An event is logged when a web update is installed.

WEB_UPDATE_FAILED

An event is logged when a web update installation failed. The following parameters are logged in the event log:

  • file_count. This parameter is empty.
  • file_name. This parameter is empty.
  • error_message. The reason for the failure.

WEB_UPDATE_CHECK

An event is logged when a web update is checked. The following parameters are logged in the event log:

  • file_count. The number of the files found.
  • file_name. This parameter is empty.
  • error_message. This parameter is empty.
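
As an added example (not part of the original article or Netop's own tooling), the Python code below triages the Host authentication events listed above: it decodes GATEWAY_LOGIN result codes, reports ILLEGAL_PASSWORD_LIMIT_REACHED, CONFIRM_ACCESS_DENIED and GUEST_ACCESS_METHOD_CHANGED whenever they occur, and flags bursts of LOGIN_FAILED against the same Host. The CSV layout, the use of Entity Name as the Host or Gateway name, the threshold of 3 failures in 300 seconds and all sample rows are assumptions.

```python
import csv
import io
from collections import defaultdict, deque

# GATEWAY_LOGIN result codes as listed in this article.
GATEWAY_LOGIN_RESULT = {0: "password OK", 1: "password wrong",
                        2: "password wrong, maximum attempts reached"}
# Actions from this article that are reported whenever they appear.
ALWAYS_REVIEW = {"ILLEGAL_PASSWORD_LIMIT_REACHED", "CONFIRM_ACCESS_DENIED",
                 "GUEST_ACCESS_METHOD_CHANGED"}

# Constructed sample export. Assumptions: CSV headers match the report column
# names, and Entity Name holds the Host (or Gateway) name for HOST events.
SAMPLE_REPORT = """\
Source,Entity Type,Action,Entity Name,Result Code,Action timestamp
HOST,HOST,LOGIN_FAILED,WS-FINANCE-01,1,1508335200
HOST,HOST,LOGIN_FAILED,WS-FINANCE-01,1,1508335230
HOST,HOST,LOGIN_FAILED,WS-FINANCE-01,1,1508335260
HOST,HOST,ILLEGAL_PASSWORD_LIMIT_REACHED,WS-FINANCE-01,1,1508335261
HOST,HOST,GATEWAY_LOGIN,GW-EDGE,2,1508335300
HOST,HOST,GATEWAY_LOGIN,GW-EDGE,0,1508335400
HOST,HOST,LOGIN_FAILED,WS-HR-02,1,1508335500
HOST,HOST,LOGIN_FAILED,WS-HR-02,1,1508339500
HOST,HOST,GUEST_ACCESS_METHOD_CHANGED,WS-HR-02,0,1508339600
portal,USER,LOGIN,carol,0,1508339700
"""


def triage_auth_events(report_csv, fail_threshold=3, window_s=300):
    """Return (timestamp, entity_name, finding) tuples in time order."""
    rows = sorted(csv.DictReader(io.StringIO(report_csv)),
                  key=lambda r: int(r["Action timestamp"]))
    recent = defaultdict(deque)  # entity name -> recent LOGIN_FAILED timestamps
    findings = []
    for row in rows:
        if row["Source"] != "HOST":
            continue  # Portal-side LOGIN events are out of scope here
        ts, action = int(row["Action timestamp"]), row["Action"]
        name = row["Entity Name"]
        code = int(row["Result Code"] or 0)
        if action == "GATEWAY_LOGIN" and code != 0:
            reason = GATEWAY_LOGIN_RESULT.get(code, f"unknown result code {code}")
            findings.append((ts, name, f"GATEWAY_LOGIN: {reason}"))
        elif action in ALWAYS_REVIEW:
            findings.append((ts, name, action))
        elif action == "LOGIN_FAILED":
            window = recent[name]
            window.append(ts)
            while window[0] < ts - window_s:  # drop failures outside the window
                window.popleft()
            if len(window) >= fail_threshold:
                findings.append(
                    (ts, name, f"{len(window)} LOGIN_FAILED within {window_s}s"))
                window.clear()  # report each burst once


    return findings


if __name__ == "__main__":
    for finding in triage_auth_events(SAMPLE_REPORT):
        print(finding)
```
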
Posted - Wed, Oct 18, 2017 2:07 PM.
Online URL: https://kb.netop.com/article/netop-portal-audit-logging-events-464.html