Audit trail
Contents |
Audit trail
Overview
To trace relevant activities in your Appliances (accesses, configuration modifications, starts, stops, etc), Nexthink components write to the audit log file:
-
/var/log/nexthink/audit.log
Find below the complete list of audit events.
Appliance
See how to configure the system log for the Appliance to record the following events:
- Logon with the SSH Nexthink account
- Commands launched with super-user privileges
Web Console
| Code | Description |
|---|---|
| 50000 | User logged in |
| 50001 | User login failed |
| 50003 | User logged out |
| 51000 | Web Console password updated |
| 51010 | Portal remote management account password updated |
| 51011 | Portal remote management account enabled |
| 51012 | Portal remote management account disabled |
| 51020 | SSH Nexthink account password updated |
| 51021 | SSH Nexthink account enabled |
| 51022 | SSH Nexthink account disabled |
| 51100 | Appliance hostname updated |
| 51101 | Appliance static route updated |
| 51102 | Appliance static route deleted |
| 51103 | Appliance DNS server updated |
| 51104 | Appliance default gateway updated |
| 51106 | Appliance NTP servers updated |
| 51107 | Appliance NTP service enabled |
| 51108 | Appliance NTP service disabled |
| 51109 | Appliance network insterface updated |
| 51111 | rsyslog service restarted |
| 51112 | crond service restarted |
| 51603 | Automatic updates enabled / disabled |
| 51609 | Updates email recipient updated |
| 51610 | Check for updates triggered |
| 51611 | Start updates triggered |
| 51800 | Appliance reboot triggered |
| 52000 | Portal parameters updated |
| 52001 | Engine name updated |
| 52007 | Maximum stored events updated |
| 52010 | Portal server address updated |
| 52010 | Portal admin account reset |
| 52011 | Aggregation policy updated |
| 52012 | Domain compression updated |
| 52090 | Engine stopped |
| 52091 | Engine started |
| 52100 | Internal network removed |
| 52100 | Internal network added |
| 52105 | Engine internal domains configuration updated |
| 52200 | Active directory added |
| 52201 | Active directory removed |
| 52550 | Engine Mobile Bridge parameters updated |
| 53090 | Portal stopped |
| 53091 | Portal started |
| 53092 | LLM started |
| 53093 | LLM stopped |
| 53094 | Nginx started |
| 53095 | Nginx stopped |
Portal
| Code | Description |
|---|---|
| 20001 | Portal is starting |
| 20002 | Portal is up and running |
| 20004 | Portal is stopped |
| 20101 | User logged in |
| 20102 | User logged out |
| 20103 | User login failed |
| 20201 | User created |
| 20202 | User removed |
| 20203 | User updated |
| 20204 | User profile updated |
| 20205 | User domain ownership updated |
| 20206 | Role added |
| 20207 | Role updated |
| 20208 | Role removed |
| 20209 | Profile added (with number of roles) |
| 20210 | Profile updated (with number of roles) |
| 20211 | Profile removed |
| 20501 | Hierarchy added |
| 20502 | Hierarchy removed |
| 20503 | Hierarchy updated |
| 20504 | Definition of entities updated |
| 20701 | Engine added |
| 20702 | Engine removed |
| 20703 | Engine connected |
| 20704 | Engine disconnected |
| 20801 | Finder user logged in |
| 20803 | Finder user login failed |
| 20901 | Remote action updated |
| 20902 | Remote action created |
| 20903 | Remote action deleted |
| 21001 | Manual execution of a remote action from the Finder |
| 21002 | External execution of a remote action through the API |
Engine
| Code | Description |
|---|---|
| 10001 | Engine is up and running |
| 10002 | Engine stopped with error |
| 10003 | Engine stopped gracefully |
| 10004 | Engine stopped forcefully |
| 10005 | Database created |
| 10006 | Finder user logged in |
| 10007 | Finder user logged out |
| 10008 | Finder user login attempt |
| 10009 | Finder account created |
| 10010 | Finder account deleted |
| 10011 | Finder account updated |
| 10012 | Finder account password changed |
| 10017 | Global alert created |
| 10018 | Global alert deleted |
| 10019 | Global alert updated |
| 10026 | LDAP synchronization request |
| 10028 | Object manually tagged |
| 10029 | Binary filtering rule updated |
| 10030 | Executable filtering rule updated |
| 10031 | Application filtering rule updated |
| 10032 | Device filtering rule updated |
| 10034 | Finder request execution |
| 10035 | Alert execution |
| 10036 | Web API request execution (deprecated) |
| 10038 | License updated |
| 10039 | NXQL request execution |
The start and stop commands for the Engine that are executed from the CLI are logged in journalctl. Use the following command to retreive them:
-
sudo journalctl -u [email protected]*.service | grep systemd
Related tasks