Audit trail

Overview

To trace relevant activities in your Appliances (accesses, configuration modifications, starts, stops, etc.), Nexthink components write to the audit log file:

/var/log/nexthink/audit.log

Find below the complete list of audit events.

Appliance

See how to configure the system log for the Appliance to record the following events:

  • Logon with the SSH Nexthink account
  • Commands launched with super-user privileges

Web Console

Code Description
50000 User logged in
50001 User login failed
50003 User logged out
51000 Web Console password updated
51010 Portal remote management account password updated
51011 Portal remote management account enabled
51012 Portal remote management account disabled
51020 SSH Nexthink account password updated
51021 SSH Nexthink account enabled
51022 SSH Nexthink account disabled
51100 Appliance hostname updated
51101 Appliance static route updated
51102 Appliance static route deleted
51103 Appliance DNS server updated
51104 Appliance default gateway updated
51106 Appliance NTP servers updated
51107 Appliance NTP service enabled
51108 Appliance NTP service disabled
51109 Appliance network interface updated
51111 rsyslog service restarted
51112 crond service restarted
51603 Automatic updates enabled / disabled
51609 Updates email recipient updated
51610 Check for updates triggered
51611 Start updates triggered
51800 Appliance reboot triggered
52000 Portal parameters updated
52001 Engine name updated
52007 Maximum stored events updated
52010 Portal server address updated
52010 Portal admin account reset
52011 Aggregation policy updated
52012 Domain compression updated
52090 Engine stopped
52091 Engine started
52100 Internal network removed
52100 Internal network added
52105 Engine internal domains configuration updated
52200 Active directory added
52201 Active directory removed
52550 Engine Mobile Bridge parameters updated
53090 Portal stopped
53091 Portal started
53092 LLM started
53093 LLM stopped
53094 Nginx started
53095 Nginx stopped

Portal

Code Description
20001 Portal is starting
20002 Portal is up and running
20004 Portal is stopped
20101 User logged in
20102 User logged out
20103 User login failed
20201 User created
20202 User removed
20203 User updated
20204 User profile updated
20205 User domain ownership updated
20206 Role added
20207 Role updated
20208 Role removed
20209 Profile added (with number of roles)
20210 Profile updated (with number of roles)
20211 Profile removed
20501 Hierarchy added
20502 Hierarchy removed
20503 Hierarchy updated
20504 Definition of entities updated
20701 Engine added
20702 Engine removed
20703 Engine connected
20704 Engine disconnected
20801 Finder user logged in
20803 Finder user login failed
20901 Remote action updated
20902 Remote action created
20903 Remote action deleted
21001 Manual execution of a remote action from the Finder
21002 External execution of a remote action through the API

Engine

Code Description
10001 Engine is up and running
10002 Engine stopped with error
10003 Engine stopped gracefully
10004 Engine stopped forcefully
10005 Database created
10006 Finder user logged in
10007 Finder user logged out
10008 Finder user login attempt
10009 Finder account created
10010 Finder account deleted
10011 Finder account updated
10012 Finder account password changed
10017 Global alert created
10018 Global alert deleted
10019 Global alert updated
10026 LDAP synchronization request
10028 Object manually tagged
10029 Binary filtering rule updated
10030 Executable filtering rule updated
10031 Application filtering rule updated
10032 Device filtering rule updated
10034 Finder request execution
10035 Alert execution
10036 Web API request execution (deprecated)
10038 License updated
10039 NXQL request execution
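The tables above are only useful once something reads the log. The following is an added example (not Nexthink's own code) that parses audit records, flags bursts of failed logins (codes 50001, 20103, 20803) and surfaces the events a reviewer should look at one by one, such as 51021 SSH Nexthink account enabled or 52090 Engine stopped. The record layout it parses is an assumption, since this page does not document the format of /var/log/nexthink/audit.log; the sample records are constructed, and only the event codes and their descriptions come from the tables on this page.

```python
"""Triage of Nexthink audit.log records against the event codes listed above.

Added example; not Nexthink's code. The record layout is an ASSUMPTION (this
page does not document it), constructed as:

    <ISO-8601 timestamp> <component> <5-digit code> <description> [key=value ...]

Only the event codes and their meanings are taken from the tables on this page.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed record layout (see module docstring).
RECORD_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<component>\S+)\s+(?P<code>\d{5})\s+(?P<rest>.*)$")
KV_RE = re.compile(r"\b(\w+)=(\S+)")

# Failed-login codes from the Web Console (50001) and Portal (20103, 20803) tables.
FAILED_LOGIN = {50001, 20103, 20803}

# Codes a reviewer should see one by one: each widens access, disables a
# control, or takes a component offline. Descriptions are the page's own.
HIGH_RISK = {
    51011: "Portal remote management account enabled",
    51021: "SSH Nexthink account enabled",
    51603: "Automatic updates enabled / disabled",
    52010: "Portal server address updated / Portal admin account reset",  # page lists 52010 for both
    52090: "Engine stopped",
    52200: "Active directory added",
    53090: "Portal stopped",
    20201: "User created",
    20207: "Role updated",
    10038: "License updated",
}


def parse_line(line):
    """Parse one record into a dict, or return None for lines that do not match."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    kv = dict(KV_RE.findall(m.group("rest")))
    description = KV_RE.sub("", m.group("rest")).strip()
    return {"ts": ts, "component": m.group("component"),
            "code": int(m.group("code")), "description": description, "kv": kv}


def parse_log(text):
    """Parse every record in `text`, skipping lines that do not match the layout."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Flag any (user, src) pair with >= `threshold` failed logins inside `window`.

    A sliding window over the sorted timestamps is used, so a slow drip of
    failures spread over hours is not flagged while a burst is.
    """
    by_key = defaultdict(list)
    for ev in events:
        if ev["code"] in FAILED_LOGIN:
            by_key[(ev["kv"].get("user", "?"), ev["kv"].get("src", "?"))].append(ev["ts"])
    bursts = []
    for (user, src), stamps in sorted(by_key.items()):
        stamps.sort()
        best = start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts.append({"user": user, "src": src, "count": best})
    return bursts


def high_risk_events(events):
    """Return the high-risk events in log order, each tagged with the page's description."""
    return [dict(ev, risk=HIGH_RISK[ev["code"]]) for ev in events if ev["code"] in HIGH_RISK]


# Constructed sample records (not real Nexthink output) in the assumed layout.
SAMPLE_LOG = """\
2024-03-04T08:00:01+00:00 webconsole 50000 User logged in user=admin src=10.0.0.5
2024-03-04T08:12:10+00:00 portal 20103 User login failed user=jdoe src=203.0.113.7
2024-03-04T08:12:14+00:00 portal 20103 User login failed user=jdoe src=203.0.113.7
2024-03-04T08:12:19+00:00 portal 20103 User login failed user=jdoe src=203.0.113.7
2024-03-04T08:12:25+00:00 portal 20103 User login failed user=jdoe src=203.0.113.7
2024-03-04T08:30:00+00:00 webconsole 51021 SSH Nexthink account enabled user=admin src=10.0.0.5
2024-03-04T08:31:12+00:00 webconsole 52090 Engine stopped user=admin src=10.0.0.5
2024-03-04T09:00:00+00:00 engine 10039 NXQL request execution user=svc_reporting
2024-03-04T10:00:00+00:00 engine 10006 Finder user logged in user=analyst src=10.0.0.9
this line is not an audit record
"""

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(f"{len(evs)} records parsed")
    for b in failed_login_bursts(evs):
        print(f"possible brute force: {b['count']} failures for {b['user']} from {b['src']}")
    for ev in high_risk_events(evs):
        print(f"{ev['ts'].isoformat()} {ev['code']} {ev['risk']} by {ev['kv'].get('user')}")
```

Adjust RECORD_RE to the real layout of your audit.log before use; the code sets and the sliding-window logic do not depend on it. Note that the page assigns 52010 to two different descriptions and 52100 to both "Internal network removed" and "Internal network added", so those codes cannot be disambiguated from the code alone and the description text has to be kept alongside the code.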

The start and stop commands for the Engine that are executed from the CLI are not written to audit.log but to the systemd journal. Use the following command to retrieve them:

sudo journalctl -u [email protected]*.service | grep systemd