Audit trail

Overview

To trace relevant activities in your Appliances (accesses, configuration modifications, starts, stops, etc.), Nexthink components write to the audit log file:

/var/log/nexthink/audit.log

Find below the complete list of audit events. In the tables, the words in italics in the log messages are placeholders that the log system replaces with actual values. For example, the word account is replaced by the actual username of the account that performed the logged action.

Appliance

See how to configure the system log for the Appliance to record the following events:

  • Logon with the SSH Nexthink account
  • Commands launched with super-user privileges

Web Console

Code, description and log message format
50000
User logged in
[Console|Login|50000|account] Login successful
50001
User login failed
[Console|Login|50001|account] Login failed
50002
User logged out
[Console|Login|50002|account] User logout
51000
Web Console password updated
[Console|Appliance|51000|account] Console password updated
51010
Portal remote management account password updated
[Console|Appliance|51010|account] Remote password updated
51011
Portal remote management account enabled
[Console|Appliance|51011|account] Remote access enabled
51012
Portal remote management account disabled
[Console|Appliance|51012|account] Remote access disabled
51020
SSH Nexthink account password updated
[Console|Appliance|51020|account] SSH Nexthink account password updated
51021
SSH Nexthink account enabled
[Console|Appliance|51021|account] SSH Nexthink account enabled
51022
SSH Nexthink account disabled
[Console|Appliance|51022|account] SSH Nexthink account disabled
51100
Appliance hostname updated
[Console|Appliance|51100|account] Appliance hostname updated
51101
Appliance static route updated
[Console|Appliance|51101|account] Appliance static route updated
51102
Appliance static route deleted
[Console|Appliance|51102|account] Appliance static route deleted
51103
Appliance DNS server updated
[Console|Appliance|51103|account] Appliance dns server updated
51104
Appliance default gateway updated
[Console|Appliance|51104|account] Appliance default gateway updated
51106
Appliance NTP servers updated
[Console|Appliance|51106|account] Appliance NTP servers updated
51107
Appliance NTP service enabled
[Console|Appliance|51107|account] Appliance NTP service enabled
51108
Appliance NTP service disabled
[Console|Appliance|51108|account] Appliance NTP service disabled
51109
Appliance network interface updated
[Console|Appliance|51109|account] Appliance network insterface updated
51111
rsyslog service restarted
[Console|Appliance|51111|account] rsyslog service restarted
51112
crond service restarted
[Console|Appliance|51112|account] crond service restarted
51603
Automatic updates enabled / disabled
[Console|Appliance|51603|account] Automatic updates enabled
[Console|Appliance|51603|account] Automatic updates disabled
51609
Updates email recipient updated
[Console|Appliance|51609|account] Updates email recipient updated
51610
Check for updates triggered
[Console|Appliance|51610|account] Check for updates triggered
51611
Start updates triggered
[Console|Appliance|51611|account] Start updates triggered
51800
Appliance reboot triggered
[Console|Appliance|51800|account] Appliance reboot triggered
52000
Portal parameters updated
[Console|Portal|52000|account] Portal parameters updated
52001
Engine name updated
[Console|Engine-01|52001|account] Engine name updated
52007
Maximum stored events updated
[Console|Engine-01|52007|account] Maximum stored events updated
52010
Portal server address updated
[Console|Engine-01|52010|account] Portal server address updated
52010
Portal admin account reset
[Console|Portal|52010|account] Portal admin account reset
52011
Aggregation policy updated
[Console|Engine-01|52011|account] Aggregation policy updated
52012
Domain compression updated
[Console|Engine-01|52012|account] Domain compression updated
52090
Engine stopped
[Console|Engine-01|52090|account] Engine stopped
52091
Engine started
[Console|Engine-01|52091|account] Engine started
52100
Internal network removed
[Console|Engine-01|52100|account] Internal network removed
52100
Internal network added
[Console|Engine-01|52100|account] Internal network added
52105
Engine internal domains configuration updated
[Console|Engine-01|52105|account] Engine internal domains configuration updated
52200
Active directory added
[Console|Engine-01|52200|account] Active directory added
52201
Active directory removed
[Console|Engine-01|52201|account] Active directory removed
52550
Engine Mobile Bridge parameters updated
[Console|Engine-01|52550|account] Engine Mobile Bridge parameters updated
53090
Portal stopped
[Console|Portal|53090|account] Portal stopped
53091
Portal started
[Console|Portal|53091|account] Portal started
53092
LLM started
[Console|Portal|53092|account] LLM started
53093
LLM stopped
[Console|Portal|53093|account] LLM stopped
53094
Nginx started
[Console|Portal|53094|account] nginx started
53095
Nginx stopped
[Console|Portal|53095|account] nginx stopped

Portal

Code, description and log message format
20001
Portal is starting
[Portal|SYSTEM|20001|*system] Portal is starting
20002
Portal is up and running
[Portal|SYSTEM|20002|*system] Portal is up and running
20004
Portal is stopped
[Portal|SYSTEM|20004|*system] Portal is stopped
20101
User logged in
[Portal|LOGIN|20101|account] User account logged with session id session id
20102
User logged out
[Portal|LOGIN|20102|account] User account logout for session id session id
20103
User login failed
[Portal|LOGIN|20103|*system] User account failed login attempts - reason
20201
User created
[Portal|USER|20201|account] User created account is created
20202
User removed
[Portal|USER|20202|account] User deleted account is removed
20203
User updated
[Portal|USER|20203|account] User updated account is created
20204
User profile updated
[Portal|USER|20204|account] Updated profile of n users
20205
User domain ownership updated
[Portal|USER|20204|account] Updated account ownership of n users
20206
Role added
[Portal|USER|20206|account] Role name is added
20207
Role updated
[Portal|USER|20207|account] Role name is updated
20208
Role removed
[Portal|USER|20208|account] Role name is removed
20209
Profile added (with roles)
[Portal|USER|20209|account] Added profile name roles: roles names
20210
Profile updated (with roles)
[Portal|USER|20210|account] Updated profile name roles: roles names
20211
Profile removed
[Portal|USER|20211|account] Removed profile name
20501
Hierarchy added
[Portal|HIERARCHY|20501|account] Hierarchy name is added
20502
Hierarchy removed
[Portal|HIERARCHY|20502|account] Hierarchy name is removed
20503
Hierarchy updated
[Portal|HIERARCHY|20503|account] Hierarchy name is updated
20504
Definition of entities updated
[Portal|HIERARCHY|20504|account] CSV of entities category is updated
20701
Engine added
[Portal|ENGINE|20701|account] Engine name of IP IP address or DNS name Port port number is added
20702
Engine removed
[Portal|ENGINE|20702|account] Engine name of IP IP address or DNS name Port port number is removed
20703
Engine connected
[Portal|ENGINE|20703|account] Engine name of IP IP address or DNS name Port port number is connected
20704
Engine disconnected
[Portal|ENGINE|20704|account] Engine name of IP IP address or DNS name Port port number is disconnected
20801
Finder user logged in
[Portal|FINDER|20801|account] User account logged in (finder)
20803
Finder user login failed
[Portal|FINDER|20801|account] User account login failed
20901
Remote action updated
[Portal|CONTENTMANAGER|20901|account] Updated remote action in content manager, uid=remote action uid, name=remote action name
20902
Remote action created
[Portal|CONTENTMANAGER|20902|account] Created remote action in content manager, uid=remote action uid, name=remote action name
20903
Remote action deleted
[Portal|CONTENTMANAGER|20902|account] Deleted remote action in content manager, uid=remote action uid
20911
Metric updated
[Portal|CONTENTMANAGER|20911|account] Updated metric in content manager, uid=metric uid
20912
Metric created
[Portal|CONTENTMANAGER|20912|account] Created metric in content manager, uid=metric uid
20913
Metric deleted
[Portal|CONTENTMANAGER|20913|account] Deleted metric in content manager, uid=metric uid
20921
Service updated
[Portal|CONTENTMANAGER|20921|account] Updated service in content manager, uid=service uid
20922
Service created
[Portal|CONTENTMANAGER|20922|account] Created service in content manager, uid=service uid
20923
Service deleted
[Portal|CONTENTMANAGER|20923|account] Deleted service in content manager, uid=service uid
20931
Campaign updated
[Portal|CONTENTMANAGER|20931|account] Updated campaign in content manager, uid=campaign uid, name=campaign name
20932
Campaign created
[Portal|CONTENTMANAGER|20932|account] Created campaign in content manager, uid=campaign uid, name=campaign name
20933
Campaign deleted
[Portal|CONTENTMANAGER|20933|account] Deleted campaign in content manager, uid=campaign uid
21002
Manual execution of a remote action through the Finder or the API
[Portal|REMOTEACTION|21002|account] Request manual execution of remote action, uid=remote action uid on devices 0 - (n - 1) with uids devices uids
21101
Metric compute triggered from the Finder
[Portal|METRICS|21101|account] Compute metric from finder uid=metric uid
21102
Metric clear history triggered by query
[Portal|METRICS|21102|account] Clear metric from query uid=metric uid
21103
Metric clear triggered from the Finder
[Portal|METRICS|21103|account] Clear metric from finder uid=metric uid
21104
Metric compute triggered by query
[Portal|METRICS|21104|account] Compute metric from query uid=metric uid

Engine

Code, description and log message format
10001
Engine is up and running
[Engine-01|General|10001|nxengine] Engine is up and running
10002
Engine stopped with error
[Engine-01|General|10002|nxengine] Engine abnormally stopped
10003
Engine stopped gracefully
[Engine-01|MAIN|10003|nxengine] Engine gracefuly stopped
10004
Engine stopped forcefully
[Engine-01|General|10004|nxengine] Engine stopped
10005
Database created
[Engine-01|Database|10005|nxengine] Engine database creation:new database created
10006
Finder user logged in
[Engine-01|Communication|10006|account] Finder user logged in:[milliseconds]
10007
Finder user logged out
[Engine-01|Communication|10007|account] Finder logged out
10008
Finder user login attempt
[Engine-01|Communication|10008|account] Finder log-in attempt
10009
Finder account created
[Engine-01|Database|10009|portal] Finder account creation:[created account]
10010
Finder account deleted
[Engine-01|Database|10010|portal] Finder account destruction:[deleted account]
10011
Finder account updated
[Engine-01|Database|10011|portal] Finder account update:[updated account]
10012
Finder account password changed
[Engine-01|Database|10012|portal] Finder password change:[changed account]
10017
Global alert created
[Engine-01|Database|10017|portal] Global alert creation:[alert name]
10018
Global alert deleted
[Engine-01|Database|10018|portal] Global alert destruction:[alert name]
10019
Global alert updated
[Engine-01|Database|10019|portal] Global alert update:[alert name]
10026
LDAP synchronization request
[Engine-01|Communication|10026|account] LDAP synchronization
10028
Object manually tagged
[Engine-01|DBMGR|10028|account] Manual tagging:[object type|object name]
10029
Binary filtering rule (storage policy) updated
[Engine-01|DBMGR|10029|account] Binary filtering rule update:[binary|executable name]
10030
Executable filtering rule (storage policy) updated
[Engine-01|DBMGR|10030|account] Application filtering rule update:[application|executable name]
10031
Application filtering rule (storage policy) updated
[Engine-01|DBMGR|10031|account] Product or source filtering rule update:[product|application name]
10032
Device filtering rule (storage policy) updated
[Engine-01|DBMGR|10032|account] Source filtering rule update:[source|device name]
10034
Finder request execution
[Engine-01|Communication|10034|account] Request execution:[request type|request details]
10035
Alert execution
[Engine-01|Alert|10035|account] Alert execution:[alert name|alert frequency|number of impacted objects|selector]
10038
License updated
[Engine-01|License|10038|nxengine] License updated: D licensed sources, S licensed servers, M licensed mobile devices with enabled features
10039
NXQL request execution
[Engine-01|WebAPI|10039|account] NXQL V2 execution:[duration ms|wait ms|computation ms|dump ms|NXQL query]
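
As an added illustration (not code from the Nexthink documentation), a small Python parser for the documented [Component|Category|Code|account] message format, run over constructed sample lines: it flags a few privileged configuration events and repeated failed logins, and handles the Portal 20103 case, whose account field is *system and whose user name sits in the message text. The choice of codes to watch, the threshold, the ACCOUNT_IN_MSG_RE pattern and the sample lines are assumptions.

```python
import re
from collections import Counter
# Matches the documented audit.log message format [Component|Category|Code|account] message;
# search() rather than match() so that any syslog-style prefix on the line is ignored.
AUDIT_RE = re.compile(
    r"\[(?P<component>[^|\]]+)\|(?P<category>[^|\]]+)\|(?P<code>\d+)\|"
    r"(?P<account>[^\]]+)\]\s*(?P<message>.*)$"
)
# Portal code 20103 is logged under *system; the user name is only in the message text (assumed pattern).
ACCOUNT_IN_MSG_RE = re.compile(r"^User (\S+) failed login")
# Event codes from the tables above that are worth an alert (the selection is an assumption).
WATCH_CODES = {
    "51011": "Portal remote management account enabled",
    "51021": "SSH Nexthink account enabled",
    "10002": "Engine stopped with error",
}
FAILED_LOGIN_CODES = {"50001", "20103", "20803"}  # Web Console, Portal, Finder via Portal

def parse_line(line):
    # Returns the fields of one audit.log line as a dict, or None if it is not an audit event.
    m = AUDIT_RE.search(line.strip())
    return m.groupdict() if m else None

def review(lines, failed_login_threshold=3):
    """Return (alerts, unparsed_lines) for an iterable of audit.log lines."""
    alerts, unparsed, failed_by_account = [], [], Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)
            continue
        if ev["code"] in WATCH_CODES:
            alerts.append(f"{WATCH_CODES[ev['code']]} by {ev['account']} ({ev['component']})")
        if ev["code"] in FAILED_LOGIN_CODES:
            account = ev["account"]
            if account == "*system":  # recover the real user from the Portal message
                m = ACCOUNT_IN_MSG_RE.match(ev["message"])
                account = m.group(1) if m else account
            failed_by_account[account] += 1
    for account, n in failed_by_account.items():
        if n >= failed_login_threshold:
            alerts.append(f"{n} failed logins for {account}")
    return alerts, unparsed
# Constructed sample lines (not real captures) that follow the formats in the tables above.
SAMPLE_LOG = [
    *(["[Console|Login|50001|alice] Login failed"] * 3),
    "[Console|Appliance|51021|alice] SSH Nexthink account enabled",
    "[Portal|LOGIN|20103|*system] User bob failed login attempts - invalid credentials",
    "[Engine-01|General|10002|nxengine] Engine abnormally stopped",
    "not an audit event",
]
```

Lines that do not carry the bracketed header are returned separately so that a parser drift (a new message format after an upgrade) is noticed rather than silently dropped.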

The start and stop commands for the Engine that are executed from the CLI are logged in the systemd journal. Use the following command to retrieve them:

sudo journalctl -u 'nxengine@*.service' | grep systemd