Audit trail

Overview

To trace relevant activities in your Appliances (accesses, configuration modifications, starts, stops, and so on), Nexthink components write to the audit log file:

/var/log/nexthink/audit.log

Find below the complete list of audit events. In the tables, the words displayed in italics in the log messages are replaced by actual values by the log system. For example, the actual username of the account that performed a particular logged action will replace the word account.

Appliance

See how to configure the system log for the Appliance to record the following events:

Logon with the SSH Nexthink account
Commands launched with super-user privileges

Web Console

Code	Description and format
50000	User logged in `[Console\|Login\|50000\|account] Login successful`
50001	User login failed `[Console\|Login\|50001\|account] Login failed`
50002	User logged out `[Console\|Login\|50002\|account] User logout`
51000	Web Console password updated `[Console\|Appliance\|51000\|account] Console password updated`
51010	Portal remote management account password updated `[Console\|Appliance\|51010\|account] Remote password updated`
51011	Portal remote management account enabled `[Console\|Appliance\|51011\|account] Remote access enabled`
51012	Portal remote management account disabled `[Console\|Appliance\|51012\|account] Remote access disabled`
51020	SSH Nexthink account password updated `[Console\|Appliance\|51020\|account] SSH Nexthink account password updated`
51021	SSH Nexthink account enabled `[Console\|Appliance\|51021\|account] SSH Nexthink account enabled`
51022	SSH Nexthink account disabled `[Console\|Appliance\|51022\|account] SSH Nexthink account disabled`
51100	Appliance hostname updated `[Console\|Appliance\|51100\|account] Appliance hostname updated`
51101	Appliance static route updated `[Console\|Appliance\|51101\|account] Appliance static route updated`
51102	Appliance static route deleted `[Console\|Appliance\|51102\|account] Appliance static route deleted`
51103	Appliance DNS server updated `[Console\|Appliance\|51103\|account] Appliance dns server updated`
51104	Appliance default gateway updated `[Console\|Appliance\|51104\|account] Appliance default gateway updated`
51106	Appliance Chrony servers updated `[Console\|Appliance\|51106\|account] Appliance Chrony servers updated`
51107	Appliance Chrony service enabled `[Console\|Appliance\|51107\|account] Appliance Chrony service enabled`
51108	Appliance Chrony service disabled `[Console\|Appliance\|51108\|account] Appliance Chrony service disabled`
51109	Appliance network interface updated `[Console\|Appliance\|51109\|account] Appliance network insterface updated`
51111	rsyslog service restarted `[Console\|Appliance\|51111\|account] rsyslog service restarted`
51112	crond service restarted `[Console\|Appliance\|51112\|account] crond service restarted`
51200	STIG compliance enabled `[Console\|Compliance\|51200\|account] STIG compliance enabled`
51201	STIG compliance disabled `[Console\|Compliance\|51201\|account] STIG compliance disabled`
51300	New federated appliance added `[Console\|Appliance\|51300\|account] New federated appliance added with ID: id, DNS: dns`
51301	Edited federated appliance `[Console\|Appliance\|51301\|account] Edited federated appliance with ID: id, DNS: dns`
51302	Federated appliance deleted `[Console\|Appliance\|51302\|account] Federated appliance deleted with ID: id`
51400	External backup parameters saved `[Console\|Backup\|51400\|account] External backup parameters saved`
51603	Automatic updates enabled / disabled `[Console\|Appliance\|51603\|account] Automatic updates enabled` `[Console\|Appliance\|51603\|account] Automatic updates disabled`
51609	Updates email recipient updated `[Console\|Appliance\|51609\|account] Updates email recipient updated`
51610	Check for updates triggered `[Console\|Appliance\|51610\|account] Check for updates triggered`
51611	Start updates triggered `[Console\|Appliance\|51611\|account] Start updates triggered`
51800	Appliance reboot triggered `[Console\|Appliance\|51800\|account] Appliance reboot triggered`
52000	Portal parameters updated `[Console\|Portal\|52000\|account] Portal parameters updated`
52001	Engine name updated `[Console\|Engine-01\|52001\|account] Engine name updated`
52007	Maximum stored events updated `[Console\|Engine-01\|52007\|account] Maximum stored events updated`
52010	Portal server address updated `[Console\|Engine-01\|52010\|account] Portal server address updated`
52010	Portal admin account reset `[Console\|Portal\|52010\|account] Portal admin account reset`
52011	Aggregation policy updated `[Console\|Engine-01\|52011\|account] Aggregation policy updated`
52012	Domain compression updated `[Console\|Engine-01\|52012\|account] Domain compression updated`
52090	Engine stopped `[Console\|Engine-01\|52090\|account] Engine stopped`
52091	Engine started `[Console\|Engine-01\|52091\|account] Engine started`
52100	Internal network removed `[Console\|Engine-01\|52100\|account] Internal network removed`
52100	Internal network added `[Console\|Engine-01\|52100\|account] Internal network added`
52105	Engine internal domains configuration updated `[Console\|Engine-01\|52105\|account] Engine internal domains configuration updated`
52200	Active directory added `[Console\|Engine-01\|52200\|account] Active directory added`
52201	Active directory removed `[Console\|Engine-01\|52201\|account] Active directory removed`
52550	Engine Mobile Bridge parameters updated `[Console\|Engine-01\|52550\|account] Engine Mobile Bridge parameters updated`
53090	Portal stopped `[Console\|Portal\|53090\|account] Portal stopped`
53091	Portal started `[Console\|Portal\|53091\|account] Portal started`
53092	LLM started `[Console\|Portal\|53092\|account] LLM started`
53093	LLM stopped `[Console\|Portal\|53093\|account] LLM stopped`
53094	Nginx started `[Console\|Portal\|53094\|account] nginx started`
53095	Nginx stopped `[Console\|Portal\|53095\|account] nginx stopped`

Portal

Code	Description
20001	Portal is starting `[Portal\|SYSTEM\|20001\|*system] Portal is starting`
20002	Portal is up and running `[Portal\|SYSTEM\|20002\|*system] Portal is up and running`
20004	Portal is stopped `[Portal\|SYSTEM\|20004\|*system] Portal is stopped`
20101	User logged in `[Portal\|LOGIN\|20101\|account] User account logged with session id session id`
20102	User logged out `[Portal\|LOGIN\|20102\|account] User account logout for session id session id`
20103	User login failed `[Portal\|LOGIN\|20103\|*system] User account failed login attempts - reason`
20104	User locked `[Portal\|LOGIN\|20104\|account] User account is locked`
20105	User account session time out `[Portal\|LOGIN\|20105\|account] User account session timed out for session id session id`
20201	User created `[Portal\|USER\|20201\|account] User created account is created`
20202	User removed `[Portal\|USER\|20202\|account] User deleted account is removed`
20203	User updated `[Portal\|USER\|20203\|account] User updated account is created`
20204	User profile updated `[Portal\|USER\|20204\|account] Updated profile of n users`
20205	User domain ownership updated `[Portal\|USER\|20204\|account] Updated account ownership of n users`
20206	Role added `[Portal\|USER\|20206\|account] Role name is added`
20207	Role updated `[Portal\|USER\|20207\|account] Role name is updated`
20208	Role removed `[Portal\|USER\|20208\|account] Role name is removed`
20209	Profile added (with roles) `[Portal\|USER\|20209\|account] Added profile name roles: roles names`
20210	Profile updated (with roles) `[Portal\|USER\|20210\|account] Updated profile name roles: roles names`
20211	Profile removed `[Portal\|USER\|20211\|account] Removed profile name`
20501	Hierarchy added `[Portal\|HIERARCHY\|20501\|account] Hierarchy name is added`
20502	Hierarchy removed `[Portal\|HIERARCHY\|20502\|account] Hierarchy name is removed`
20503	Hierarchy updated `[Portal\|HIERARCHY\|20503\|account] Hierarchy name is updated`
20504	Definition of entities updated `[Portal\|HIERARCHY\|20504\|account] CSV of entities category is updated`
20701	Engine added `[Portal\|ENGINE\|20701\|account] Engine name of IP IP address or DNS name Port port number is added`
20702	Engine removed `[Portal\|ENGINE\|20702\|account] Engine name of IP IP address or DNS name Port port number is removed`
20703	Engine connected `[Portal\|ENGINE\|20703\|account] Engine name of IP IP address or DNS name Port port number is connected`
20704	Engine disconnected `[Portal\|ENGINE\|20704\|account] Engine name of IP IP address or DNS name Port port number is disconnected`
20801	Finder user logged in `[Portal\|FINDER\|20801\|account] User account logged in (finder)`
20803	Finder user login failed `[Portal\|FINDER\|20801\|account] User account login failed`
20804	Library pack import request (only issued for big packs) `[Portal\|FINDER\|20804\|account] Finder import req uid=pack uid`
20901	Remote action updated `[Portal\|CONTENTMANAGER\|20901\|account] Updated remote action in content manager, uid=remote action uid, name=remote action name`
20902	Remote action created `[Portal\|CONTENTMANAGER\|20902\|account] Created remote action in content manager, uid=remote action uid, name=remote action name`
20903	Remote action deleted `[Portal\|CONTENTMANAGER\|20902\|account] Deleted remote action in content manager, uid=remote action uid`
20911	Metric updated `[Portal\|CONTENTMANAGER\|20911\|account] Updated metric in content manager, uid=metric uid, status=enabled\|disabled`
20912	Metric created `[Portal\|CONTENTMANAGER\|20912\|account] Created metric in content manager, uid=metric uid`
20913	Metric deleted `[Portal\|CONTENTMANAGER\|20913\|account] Deleted metric in content manager, uid=metric uid`
20921	Service updated `[Portal\|CONTENTMANAGER\|20921\|account] Updated service in content manager, uid=service uid, status=enabled\|disabled`
20922	Service created `[Portal\|CONTENTMANAGER\|20922\|account] Created service in content manager, uid=service uid`
20923	Service deleted `[Portal\|CONTENTMANAGER\|20923\|account] Deleted service in content manager, uid=service uid`
20931	Campaign updated `[Portal\|CONTENTMANAGER\|20931\|account] Updated campaign in content manager, uid=campaign uid, name=campaign name, status=draft\|published\|retired`
20932	Campaign created `[Portal\|CONTENTMANAGER\|20932\|account] Created campaign in content manager, uid=campaign uid, name=campaign name`
20933	Campaign deleted `[Portal\|CONTENTMANAGER\|20933\|account] Deleted campaign in content manager, uid=campaign uid`
20941	Category updated `[Portal\|CONTENTMANAGER\|20941\|account] Updated category, uid=category uid`
20942	Category created `[Portal\|CONTENTMANAGER\|20942\|account] Created category, uid=category uid`
20943	Category deleted `[Portal\|CONTENTMANAGER\|20943\|account] Deleted category, uid=category uid`
21001	Manual execution of a remote action through the Finder `[Portal\|REMOTEACTION\|21001\|account] Finder request manual execution of remote action, uid=remote action uid on n devices with uids devices uids`
21002	External execution of a remote action through the API `[Portal\|REMOTEACTION\|21002\|account] API request manual execution of remote action, uid=remote action uid on n devices with uids devices uids`
21003	External execution of a remote action through the API v2 `[Portal\|REMOTEACTION\|21003\|account] API request manual execution of remote action, uid=remote action uid on n devices with uids devices uids`
21101	Metric compute triggered from the Finder `[Portal\|METRICS\|21101\|account] Compute metric from finder uid=metric uid`
21102	Metric clear history triggered by query `[Portal\|METRICS\|21102\|account] Clear metric from query uid=metric uid`
21103	Metric clear triggered from the Finder `[Portal\|METRICS\|21103\|account] Clear metric from finder uid=metric uid`
21104	Metric compute triggered by query `[Portal\|METRICS\|21104\|account] Compute metric from query uid=metric uid`
21201	Module published `[Portal\|MODULES\|21201\|account] Published module uid=module uid, name=module name`
21202	Module deleted `[Portal\|MODULES\|21202\|account] Deleted module uid=module uid`
21203	Module replaced `[Portal\|MODULES\|21203\|account] Replaced published module uid=module uid, replaced uid=module uid`
21501	Dashboard deleted `[Portal\|DASHBOARDS\|21501\|account] Deleted dashboard, uid=dashboard uid`
21301	Software metering metric updated `[Portal\|SOFTWARE_METERING_METRIC\|21301\|account] Updated software metering metric, uid=metric uid`
21302	Software metering metric deleted `[Portal\|SOFTWARE_METERING_METRIC\|21302\|account] Deleted software metering metric, uid=metric uid`
21303	Software metering metric enabled `[Portal\|SOFTWARE_METERING_METRIC\|21303\|account] Enabled software metering metric, uid=metric uid`
21304	Software metering metric disabled `[Portal\|SOFTWARE_METERING_METRIC\|21304\|account] Disabled software metering metric, uid=metric uid`
21401	Software metering module updated `[Portal\|SOFTWARE_METERING_MODULE\|21401\|account] Updated software metering module, uid=module uid`
21402	Software metering module created `[Portal\|SOFTWARE_METERING_MODULE\|21402\|account] Created software metering module, uid=module uid`

Engine

Code	Description
10001	Engine is up and running `[Engine-01\|General\|10001\|nxengine] Engine is up and running`
10002	Engine stopped with error `[Engine-01\|General\|10002\|nxengine] Engine abnormally stopped`
10003	Engine stopped gracefully `[Engine-01\|MAIN\|10003\|nxengine] Engine gracefuly stopped`
10004	Engine stopped forcefully `[Engine-01\|General\|10004\|nxengine] Engine stopped`
10005	Database created `[Engine-01\|Database\|10005\|nxengine] Engine database creation:new database created`
10006	Finder user logged in `[Engine-01\|Communication\|10006\|account] Finder user logged in:[milliseconds]`
10007	Finder user logged out `[Engine-01\|Communication\|10007\|account] Finder logged out`
10008	Finder user login attempt `[Engine-01\|Communication\|10008\|account] Finder log-in attempt`
10009	Finder account created `[Engine-01\|Database\|10009\|portal] Finder account creation:[created account]`
10010	Finder account deleted `[Engine-01\|Database\|10010\|portal] Finder account destruction:[deleted account]`
10011	Finder account updated `[Engine-01\|Database\|10011\|portal] Finder account update:[updated account]`
10012	Finder account password changed `[Engine-01\|Database\|10012\|portal] Finder password change:[changed account]`
10017	Global alert created `[Engine-01\|Database\|10017\|portal] Global alert creation:[alert name]`
10018	Global alert deleted `[Engine-01\|Database\|10018\|portal] Global alert destruction:[alert name]`
10019	Global alert updated `[Engine-01\|Database\|10019\|portal] Global alert update:[alert name]`
10026	LDAP synchronization request `[Engine-01\|Communication\|10026\|account] LDAP synchronization`
10028	Object manually tagged `[Engine-01\|DBMGR\|10028\|account] Manual tagging:[object type\|object name]`
10029	Binary filtering rule (storage policy) updated `[Engine-01\|DBMGR\|10029\|account] Binary filtering rule update:[binary\|executable name]`
10030	Executable filtering rule (storage policy) updated `[Engine-01\|DBMGR\|10030\|account] Application filtering rule update:[application\|executable name]`
10031	Application filtering rule (storage policy) updated `[Engine-01\|DBMGR\|10031\|account] Product or source filtering rule update:[product\|application name]`
10032	Device filtering rule (storage policy) updated `[Engine-01\|DBMGR\|10032\|account] Source filtering rule update:[source\|device name]`
10034	Finder request execution `[Engine-01\|Communication\|10034\|account] Request execution:[request type\|request details]`
10035	Alert execution `[Engine-01\|Alert\|10035\|account] Alert execution:[alert name\|alert frequency\|number of impacted objects\|selector]`
10038	License updated `[Engine-01\|License\|10038\|nxengine] License updated: D licensed sources, S licensed servers, M licensed mobile devices with enabled features`
10039	NXQL request execution `[Engine-01\|WebAPI\|10039\|account] NXQL V2 execution:[duration ms\|wait ms\|computation ms\| dump ms\|NXQL query]`

The start and stop commands for the Engine that are executed from the command line interface (CLI) are logged in journalctl. Run the following command to retrieve them:

sudo journalctl -u nxengine@*.service | grep systemd

RELATED TASK

Configuring the system log

Last updated 2 days ago