To trace relevant activities in your Appliances (accesses, configuration modifications, starts, stops, etc), Nexthink components write to the audit log file:
Find below the complete list of audit events. In the tables, the words displayed in cursive in the log messages are replaced by actual values by the log system. For example, the actual username of the account that performed a particular logged action will replace the word account.
| Code
| Description and format
|
| 50000
|
- User logged in
- [Console|Login|50000|account] Login successful
|
| 50001
|
- User login failed
- [Console|Login|50001|account] Login failed
|
| 50002
|
- User logged out
- [Console|Login|50002|account] User logout
|
| 51000
|
- Web Console password updated
- [Console|Appliance|51000|account] Console password updated
|
| 51010
|
- Portal remote management account password updated
- [Console|Appliance|51010|account] Remote password updated
|
| 51011
|
- Portal remote management account enabled
- [Console|Appliance|51011|account] Remote access enabled
|
| 51012
|
- Portal remote management account disabled
- [Console|Appliance|51012|account] Remote access disabled
|
| 51020
|
- SSH Nexthink account password updated
- [Console|Appliance|51020|account] SSH Nexthink account password updated
|
| 51021
|
- SSH Nexthink account enabled
- [Console|Appliance|51021|account] SSH Nexthink account enabled
|
| 51022
|
- SSH Nexthink account disabled
- [Console|Appliance|51022|account] SSH Nexthink account disabled
|
| 51100
|
- Appliance hostname updated
- [Console|Appliance|51100|account] Appliance hostname updated
|
| 51101
|
- Appliance static route updated
- [Console|Appliance|51101|account] Appliance static route updated
|
| 51102
|
- Appliance static route deleted
- [Console|Appliance|51102|account] Appliance static route deleted
|
| 51103
|
- Appliance DNS server updated
- [Console|Appliance|51103|account] Appliance dns server updated
|
| 51104
|
- Appliance default gateway updated
- [Console|Appliance|51104|account] Appliance default gateway updated
|
| 51106
|
- Appliance NTP servers updated
- [Console|Appliance|51106|account] Appliance NTP servers updated
|
| 51107
|
- Appliance NTP service enabled
- [Console|Appliance|51107|account] Appliance NTP service enabled
|
| 51108
|
- Appliance NTP service disabled
- [Console|Appliance|51108|account] Appliance NTP service disabled
|
| 51109
|
- Appliance network interface updated
- [Console|Appliance|51109|account] Appliance network insterface updated
|
| 51111
|
- rsyslog service restarted
- [Console|Appliance|51111|account] rsyslog service restarted
|
| 51112
|
- crond service restarted
- [Console|Appliance|51112|account] crond service restarted
|
| 51603
|
- Automatic updates enabled / disabled
- [Console|Appliance|51603|account] Automatic updates enabled
- [Console|Appliance|51603|account] Automatic updates disabled
|
| 51609
|
- Updates email recipient updated
- [Console|Appliance|51609|account] Updates email recipient updated
|
| 51610
|
- Check for updates triggered
- [Console|Appliance|51610|account] Check for updates triggered
|
| 51611
|
- Start updates triggered
- [Console|Appliance|51611|account] Start updates triggered
|
| 51800
|
- Appliance reboot triggered
- [Console|Appliance|51800|account] Appliance reboot triggered
|
| 52000
|
- Portal parameters updated
- [Console|Portal|52000|account] Portal parameters updated
|
| 52001
|
- Engine name updated
- [Console|Engine-01|52001|account] Engine name updated
|
| 52007
|
- Maximum stored events updated
- [Console|Engine-01|52007|account] Maximum stored events updated
|
| 52010
|
- Portal server address updated
- [Console|Engine-01|52010|account] Portal server address updated
|
| 52010
|
- Portal admin account reset
- [Console|Portal|52010|account] Portal admin account reset
|
| 52011
|
- Aggregation policy updated
- [Console|Engine-01|52011|account] Aggregation policy updated
|
| 52012
|
- Domain compression updated
- [Console|Engine-01|52012|account] Domain compression updated
|
| 52090
|
- Engine stopped
- [Console|Engine-01|52090|account] Engine stopped
|
| 52091
|
- Engine started
- [Console|Engine-01|52091|account] Engine started
|
| 52100
|
- Internal network removed
- [Console|Engine-01|52100|account] Internal network removed
|
| 52100
|
- Internal network added
- [Console|Engine-01|52100|account] Internal network added
|
| 52105
|
- Engine internal domains configuration updated
- [Console|Engine-01|52105|account] Engine internal domains configuration updated
|
| 52200
|
- Active directory added
- [Console|Engine-01|52200|account] Active directory added
|
| 52201
|
- Active directory removed
- [Console|Engine-01|52201|account] Active directory removed
|
| 52550
|
- Engine Mobile Bridge parameters updated
- [Console|Engine-01|52550|account] Engine Mobile Bridge parameters updated
|
| 53090
|
- Portal stopped
- [Console|Portal|53090|account] Portal stopped
|
| 53091
|
- Portal started
- [Console|Portal|53091|account] Portal started
|
| 53092
|
- LLM started
- [Console|Portal|53092|account] LLM started
|
| 53093
|
- LLM stopped
- [Console|Portal|53093|account] LLM stopped
|
| 53094
|
- Nginx started
- [Console|Portal|53094|account] nginx started
|
| 53095
|
- Nginx stopped
- [Console|Portal|53095|account] nginx stopped
|
| Code
| Description
|
| 20001
|
- Portal is starting
- [Portal|SYSTEM|20001|*system] Portal is starting
|
| 20002
|
- Portal is up and running
- [Portal|SYSTEM|20002|*system] Portal is up and running
|
| 20004
|
- Portal is stopped
- [Portal|SYSTEM|20004|*system] Portal is stopped
|
| 20101
|
- User logged in
- [Portal|LOGIN|20101|account] User account logged with session id session id
|
| 20102
|
- User logged out
- [Portal|LOGIN|20102|account] User account logout for session id session id
|
| 20103
|
- User login failed
- [Portal|LOGIN|20103|*system] User account failed login attempts - reason
|
| 20201
|
- User created
- [Portal|USER|20201|account] User created account is created
|
| 20202
|
- User removed
- [Portal|USER|20202|account] User deleted account is removed
|
| 20203
|
- User updated
- [Portal|USER|20203|account] User updated account is created
|
| 20204
|
- User profile updated
- [Portal|USER|20204|account] Updated profile of n users
|
| 20205
|
- User domain ownership updated
- [Portal|USER|20204|account] Updated account ownership of n users
|
| 20206
|
- Role added
- [Portal|USER|20206|account] Role name is added
|
| 20207
|
- Role updated
- [Portal|USER|20207|account] Role name is updated
|
| 20208
|
- Role removed
- [Portal|USER|20208|account] Role name is removed
|
| 20209
|
- Profile added (with roles)
- [Portal|USER|20209|account] Added profile name roles: roles names
|
| 20210
|
- Profile updated (with roles)
- [Portal|USER|20210|account] Updated profile name roles: roles names
|
| 20211
|
- Profile removed
- [Portal|USER|20211|account] Removed profile name
|
| 20501
|
- Hierarchy added
- [Portal|HIERARCHY|20501|account] Hierarchy name is added
|
| 20502
|
- Hierarchy removed
- [Portal|HIERARCHY|20502|account] Hierarchy name is removed
|
| 20503
|
- Hierarchy updated
- [Portal|HIERARCHY|20503|account] Hierarchy name is updated
|
| 20504
|
- Definition of entities updated
- [Portal|HIERARCHY|20504|account] CSV of entities category is updated
|
| 20701
|
- Engine added
- [Portal|ENGINE|20701|account] Engine name of IP IP address or DNS name Port port number is added
|
| 20702
|
- Engine removed
- [Portal|ENGINE|20702|account] Engine name of IP IP address or DNS name Port port number is removed
|
| 20703
|
- Engine connected
- [Portal|ENGINE|20703|account] Engine name of IP IP address or DNS name Port port number is connected
|
| 20704
|
- Engine disconnected
- [Portal|ENGINE|20704|account] Engine name of IP IP address or DNS name Port port number is disconnected
|
| 20801
|
- Finder user logged in
- [Portal|FINDER|20801|account] User account logged in (finder)
|
| 20803
|
- Finder user login failed
- [Portal|FINDER|20801|account] User account login failed
|
| 20804
|
- Library pack import request (only issued for big packs)
- [Portal|FINDER|20804|account] Finder import req uid=pack uid
|
| 20901
|
- Remote action updated
- [Portal|CONTENTMANAGER|20901|account] Updated remote action in content manager, uid=remote action uid, name=remote action name
|
| 20902
|
- Remote action created
- [Portal|CONTENTMANAGER|20902|account] Created remote action in content manager, uid=remote action uid, name=remote action name
|
| 20903
|
- Remote action deleted
- [Portal|CONTENTMANAGER|20902|account] Deleted remote action in content manager, uid=remote action uid
|
| 20911
|
- Metric updated
- [Portal|CONTENTMANAGER|20911|account] Updated metric in content manager, uid=metric uid, status=enabled|disabled
|
| 20912
|
- Metric created
- [Portal|CONTENTMANAGER|20912|account] Created metric in content manager, uid=metric uid
|
| 20913
|
- Metric deleted
- [Portal|CONTENTMANAGER|20913|account] Deleted metric in content manager, uid=metric uid
|
| 20921
|
- Service updated
- [Portal|CONTENTMANAGER|20921|account] Updated service in content manager, uid=service uid, status=enabled|disabled
|
| 20922
|
- Service created
- [Portal|CONTENTMANAGER|20922|account] Created service in content manager, uid=service uid
|
| 20923
|
- Service deleted
- [Portal|CONTENTMANAGER|20923|account] Deleted service in content manager, uid=service uid
|
| 20931
|
- Campaign updated
- [Portal|CONTENTMANAGER|20931|account] Updated campaign in content manager, uid=campaign uid, name=campaign name, status=draft|published|retired
|
| 20932
|
- Campaign created
- [Portal|CONTENTMANAGER|20932|account] Created campaign in content manager, uid=campaign uid, name=campaign name
|
| 20933
|
- Campaign deleted
- [Portal|CONTENTMANAGER|20933|account] Deleted campaign in content manager, uid=campaign uid
|
| 21002
|
- Manual execution of a remote action through the Finder or the API
- [Portal|REMOTEACTION|21002|account] Request manual execution of remote action, uid=remote action uid on devices 0 - (n - 1) with uids devices uids
|
| 21101
|
- Metric compute triggered from the Finder
- [Portal|METRICS|21101|account] Compute metric from finder uid=metric uid
|
| 21102
|
- Metric clear history triggered by query
- [Portal|METRICS|21102|account] Clear metric from query uid=metric uid
|
| 21103
|
- Metric clear triggered from the Finder
- [Portal|METRICS|21103|account] Clear metric from finder uid=metric uid
|
| 21104
|
- Metric compute triggered by query
- [Portal|METRICS|21104|account] Compute metric from query uid=metric uid
|
| 21201
|
- Module published
- [Portal|MODULES|21201|account] Published module uid=module uid, name=module name|-
|
| 21202
|
- Module deleted
- [Portal|MODULES|21202|account] Deleted module uid=module uid
|
| 21203
|
- Module replaced
- [Portal|MODULES|21203|account] Replaced published module uid=module uid, replaced uid=module uid
|
| 21501
|
- Dashboard deleted
- [Portal|DASHBOARDS|21501|account] Deleted dashboard, uid=dashboard uid
|
| 21301
|
- Software metering metric updated
- [Portal|SOFTWARE_METERING_METRIC|21301|account] Updated software metering metric, uid=metric uid
|
| 21302
|
- Software metering metric deleted
- [Portal|SOFTWARE_METERING_METRIC|21302|account] Deleted software metering metric, uid=metric uid
|
| 21303
|
- Software metering metric enabled
- [Portal|SOFTWARE_METERING_METRIC|21303|account] Enabled software metering metric, uid=metric uid
|
| 21304
|
- Software metering metric disabled
- [Portal|SOFTWARE_METERING_METRIC|21304|account] Disabled software metering metric, uid=metric uid
|
| 21401
|
- Software metering module updated
- [Portal|SOFTWARE_METERING_MODULE|21401|account] Updated software metering module, uid=module uid
|
| 21402
|
- Software metering module created
- [Portal|SOFTWARE_METERING_MODULE|21402|account] Created software metering module, uid=module uid
|
| Code
| Description
|
| 10001
|
- Engine is up and running
- [Engine-01|General|10001|nxengine] Engine is up and running
|
| 10002
|
- Engine stopped with error
- [Engine-01|General|10002|nxengine] Engine abnormally stopped
|
| 10003
|
- Engine stopped gracefully
- [Engine-01|MAIN|10003|nxengine] Engine gracefuly stopped
|
| 10004
|
- Engine stopped forcefully
- [Engine-01|General|10004|nxengine] Engine stopped
|
| 10005
|
- Database created
- [Engine-01|Database|10005|nxengine] Engine database creation:new database created
|
| 10006
|
- Finder user logged in
- [Engine-01|Communication|10006|account] Finder user logged in:[milliseconds]
|
| 10007
|
- Finder user logged out
- [Engine-01|Communication|10007|account] Finder logged out
|
| 10008
|
- Finder user login attempt
- [Engine-01|Communication|10008|account] Finder log-in attempt
|
| 10009
|
- Finder account created
- [Engine-01|Database|10009|portal] Finder account creation:[created account]
|
| 10010
|
- Finder account deleted
- [Engine-01|Database|10010|portal] Finder account destruction:[deleted account]
|
| 10011
|
- Finder account updated
- [Engine-01|Database|10011|portal] Finder account update:[updated account]
|
| 10012
|
- Finder account password changed
- [Engine-01|Database|10012|portal] Finder password change:[changed account]
|
| 10017
|
- Global alert created
- [Engine-01|Database|10017|portal] Global alert creation:[alert name]
|
| 10018
|
- Global alert deleted
- [Engine-01|Database|10018|portal] Global alert destruction:[alert name]
|
| 10019
|
- Global alert updated
- [Engine-01|Database|10019|portal] Global alert update:[alert name]
|
| 10026
|
- LDAP synchronization request
- [Engine-01|Communication|10026|account] LDAP synchronization
|
| 10028
|
- Object manually tagged
- [Engine-01|DBMGR|10028|account] Manual tagging:[object type|object name]
|
| 10029
|
- Binary filtering rule (storage policy) updated
- [Engine-01|DBMGR|10029|account] Binary filtering rule update:[binary|executable name]
|
| 10030
|
- Executable filtering rule (storage policy) updated
- [Engine-01|DBMGR|10030|account] Application filtering rule update:[application|executable name]
|
| 10031
|
- Application filtering rule (storage policy) updated
- [Engine-01|DBMGR|10031|account] Product or source filtering rule update:[product|application name]
|
| 10032
|
- Device filtering rule (storage policy) updated
- [Engine-01|DBMGR|10032|account] Source filtering rule update:[source|device name]
|
| 10034
|
- Finder request execution
- [Engine-01|Communication|10034|account] Request execution:[request type|request details]
|
| 10035
|
- Alert execution
- [Engine-01|Alert|10035|account] Alert execution:[alert name|alert frequency|number of impacted objects|selector]
|
| 10038
|
- License updated
- [Engine-01|License|10038|nxengine] License updated: D licensed sources, S licensed servers, M licensed mobile devices with enabled features
|
| 10039
|
- NXQL request execution
- [Engine-01|WebAPI|10039|account] NXQL V2 execution:[duration ms|wait ms|computation ms| dump ms|NXQL query]
|
The start and stop commands for the Engine that are executed from the CLI are logged in journalctl. Use the following command to retrieve them:
