Audit trail
Overview
To trace relevant activities in your Appliances (accesses, configuration modifications, starts, stops, and so on), Nexthink components write to the audit log file:
/var/log/nexthink/audit.log
Find below the complete list of audit events. Each entry gives the event code, a short description, and the message as it appears in the log. Placeholder words in the log messages (account, name, id, uid and similar, shown in italics on the original page) are replaced by actual values by the logging system. For example, the placeholder account is replaced by the username of the account that performed the logged action.
Appliance
See how to configure the system log for the Appliance to record the following events:
Logon with the SSH Nexthink account
Commands launched with super-user privileges
Web Console
Code  Event  Log message
50000  User logged in  [Console|Login|50000|account] Login successful
50001  User login failed  [Console|Login|50001|account] Login failed
50002  User logged out  [Console|Login|50002|account] User logout
51000  Web Console password updated  [Console|Appliance|51000|account] Console password updated
51010  Portal remote management account password updated  [Console|Appliance|51010|account] Remote password updated
51011  Portal remote management account enabled  [Console|Appliance|51011|account] Remote access enabled
51012  Portal remote management account disabled  [Console|Appliance|51012|account] Remote access disabled
51020  SSH Nexthink account password updated  [Console|Appliance|51020|account] SSH Nexthink account password updated
51021  SSH Nexthink account enabled  [Console|Appliance|51021|account] SSH Nexthink account enabled
51022  SSH Nexthink account disabled  [Console|Appliance|51022|account] SSH Nexthink account disabled
51100  Appliance hostname updated  [Console|Appliance|51100|account] Appliance hostname updated
51101  Appliance static route updated  [Console|Appliance|51101|account] Appliance static route updated
51102  Appliance static route deleted  [Console|Appliance|51102|account] Appliance static route deleted
51103  Appliance DNS server updated  [Console|Appliance|51103|account] Appliance dns server updated
51104  Appliance default gateway updated  [Console|Appliance|51104|account] Appliance default gateway updated
51106  Appliance Chrony servers updated  [Console|Appliance|51106|account] Appliance Chrony servers updated
51107  Appliance Chrony service enabled  [Console|Appliance|51107|account] Appliance Chrony service enabled
51108  Appliance Chrony service disabled  [Console|Appliance|51108|account] Appliance Chrony service disabled
51109  Appliance network interface updated  [Console|Appliance|51109|account] Appliance network insterface updated
51111  rsyslog service restarted  [Console|Appliance|51111|account] rsyslog service restarted
51112  crond service restarted  [Console|Appliance|51112|account] crond service restarted
51200  STIG compliance enabled  [Console|Compliance|51200|account] STIG compliance enabled
51201  STIG compliance disabled  [Console|Compliance|51201|account] STIG compliance disabled
51300  New federated appliance added  [Console|Appliance|51300|account] New federated appliance added with ID: id, DNS: dns
51301  Edited federated appliance  [Console|Appliance|51301|account] Edited federated appliance with ID: id, DNS: dns
51302  Federated appliance deleted  [Console|Appliance|51302|account] Federated appliance deleted with ID: id
51400  External backup parameters saved  [Console|Backup|51400|account] External backup parameters saved
51603  Automatic updates enabled  [Console|Appliance|51603|account] Automatic updates enabled
51603  Automatic updates disabled  [Console|Appliance|51603|account] Automatic updates disabled
51609  Updates email recipient updated  [Console|Appliance|51609|account] Updates email recipient updated
51610  Check for updates triggered  [Console|Appliance|51610|account] Check for updates triggered
51611  Start updates triggered  [Console|Appliance|51611|account] Start updates triggered
51800  Appliance reboot triggered  [Console|Appliance|51800|account] Appliance reboot triggered
52000  Portal parameters updated  [Console|Portal|52000|account] Portal parameters updated
52001  Engine name updated  [Console|Engine-01|52001|account] Engine name updated
52007  Maximum stored events updated  [Console|Engine-01|52007|account] Maximum stored events updated
52010  Portal server address updated  [Console|Engine-01|52010|account] Portal server address updated
52010  Portal admin account reset  [Console|Portal|52010|account] Portal admin account reset
52011  Aggregation policy updated  [Console|Engine-01|52011|account] Aggregation policy updated
52012  Domain compression updated  [Console|Engine-01|52012|account] Domain compression updated
52090  Engine stopped  [Console|Engine-01|52090|account] Engine stopped
52091  Engine started  [Console|Engine-01|52091|account] Engine started
52100  Internal network removed  [Console|Engine-01|52100|account] Internal network removed
52100  Internal network added  [Console|Engine-01|52100|account] Internal network added
52105  Engine internal domains configuration updated  [Console|Engine-01|52105|account] Engine internal domains configuration updated
52200  Active directory added  [Console|Engine-01|52200|account] Active directory added
52201  Active directory removed  [Console|Engine-01|52201|account] Active directory removed
52550  Engine Mobile Bridge parameters updated  [Console|Engine-01|52550|account] Engine Mobile Bridge parameters updated
53090  Portal stopped  [Console|Portal|53090|account] Portal stopped
53091  Portal started  [Console|Portal|53091|account] Portal started
53092  LLM started  [Console|Portal|53092|account] LLM started
53093  LLM stopped  [Console|Portal|53093|account] LLM stopped
53094  Nginx started  [Console|Portal|53094|account] nginx started
53095  Nginx stopped  [Console|Portal|53095|account] nginx stopped
Portal
Code  Event  Log message
20001  Portal is starting  [Portal|SYSTEM|20001|*system] Portal is starting
20002  Portal is up and running  [Portal|SYSTEM|20002|*system] Portal is up and running
20004  Portal is stopped  [Portal|SYSTEM|20004|*system] Portal is stopped
20101  User logged in  [Portal|LOGIN|20101|account] User account logged with session id session id
20102  User logged out  [Portal|LOGIN|20102|account] User account logout for session id session id
20103  User login failed  [Portal|LOGIN|20103|*system] User account failed login attempts - reason
20104  User locked  [Portal|LOGIN|20104|account] User account is locked
20105  User account session time out  [Portal|LOGIN|20105|account] User account session timed out for session id session id
20201  User created  [Portal|USER|20201|account] User created account is created
20202  User removed  [Portal|USER|20202|account] User deleted account is removed
20203  User updated  [Portal|USER|20203|account] User updated account is created
20204  User profile updated  [Portal|USER|20204|account] Updated profile of n users
20205  User domain ownership updated  [Portal|USER|20204|account] Updated account ownership of n users
20206  Role added  [Portal|USER|20206|account] Role name is added
20207  Role updated  [Portal|USER|20207|account] Role name is updated
20208  Role removed  [Portal|USER|20208|account] Role name is removed
20209  Profile added (with roles)  [Portal|USER|20209|account] Added profile name roles: roles names
20210  Profile updated (with roles)  [Portal|USER|20210|account] Updated profile name roles: roles names
20211  Profile removed  [Portal|USER|20211|account] Removed profile name
20501  Hierarchy added  [Portal|HIERARCHY|20501|account] Hierarchy name is added
20502  Hierarchy removed  [Portal|HIERARCHY|20502|account] Hierarchy name is removed
20503  Hierarchy updated  [Portal|HIERARCHY|20503|account] Hierarchy name is updated
20504  Definition of entities updated  [Portal|HIERARCHY|20504|account] CSV of entities category is updated
20701  Engine added  [Portal|ENGINE|20701|account] Engine name of IP IP address or DNS name Port port number is added
20702  Engine removed  [Portal|ENGINE|20702|account] Engine name of IP IP address or DNS name Port port number is removed
20703  Engine connected  [Portal|ENGINE|20703|account] Engine name of IP IP address or DNS name Port port number is connected
20704  Engine disconnected  [Portal|ENGINE|20704|account] Engine name of IP IP address or DNS name Port port number is disconnected
20801  Finder user logged in  [Portal|FINDER|20801|account] User account logged in (finder)
20803  Finder user login failed  [Portal|FINDER|20801|account] User account login failed
20804  Library pack import request (only issued for big packs)  [Portal|FINDER|20804|account] Finder import req uid=pack uid
20901  Remote action updated  [Portal|CONTENTMANAGER|20901|account] Updated remote action in content manager, uid=remote action uid, name=remote action name
20902  Remote action created  [Portal|CONTENTMANAGER|20902|account] Created remote action in content manager, uid=remote action uid, name=remote action name
20903  Remote action deleted  [Portal|CONTENTMANAGER|20902|account] Deleted remote action in content manager, uid=remote action uid
20911  Metric updated  [Portal|CONTENTMANAGER|20911|account] Updated metric in content manager, uid=metric uid, status=enabled|disabled
20912  Metric created  [Portal|CONTENTMANAGER|20912|account] Created metric in content manager, uid=metric uid
20913  Metric deleted  [Portal|CONTENTMANAGER|20913|account] Deleted metric in content manager, uid=metric uid
20921  Service updated  [Portal|CONTENTMANAGER|20921|account] Updated service in content manager, uid=service uid, status=enabled|disabled
20922  Service created  [Portal|CONTENTMANAGER|20922|account] Created service in content manager, uid=service uid
20923  Service deleted  [Portal|CONTENTMANAGER|20923|account] Deleted service in content manager, uid=service uid
20931  Campaign updated  [Portal|CONTENTMANAGER|20931|account] Updated campaign in content manager, uid=campaign uid, name=campaign name, status=draft|published|retired
20932  Campaign created  [Portal|CONTENTMANAGER|20932|account] Created campaign in content manager, uid=campaign uid, name=campaign name
20933  Campaign deleted  [Portal|CONTENTMANAGER|20933|account] Deleted campaign in content manager, uid=campaign uid
20941  Category updated  [Portal|CONTENTMANAGER|20941|account] Updated category, uid=category uid
20942  Category created  [Portal|CONTENTMANAGER|20942|account] Created category, uid=category uid
20943  Category deleted  [Portal|CONTENTMANAGER|20943|account] Deleted category, uid=category uid
21001  Manual execution of a remote action through the Finder  [Portal|REMOTEACTION|21001|account] Finder request manual execution of remote action, uid=remote action uid on n devices with uids devices uids
21002  External execution of a remote action through the API  [Portal|REMOTEACTION|21002|account] API request manual execution of remote action, uid=remote action uid on n devices with uids devices uids
21003  External execution of a remote action through the API v2  [Portal|REMOTEACTION|21003|account] API request manual execution of remote action, uid=remote action uid on n devices with uids devices uids
21101  Metric compute triggered from the Finder  [Portal|METRICS|21101|account] Compute metric from finder uid=metric uid
21102  Metric clear history triggered by query  [Portal|METRICS|21102|account] Clear metric from query uid=metric uid
21103  Metric clear triggered from the Finder  [Portal|METRICS|21103|account] Clear metric from finder uid=metric uid
21104  Metric compute triggered by query  [Portal|METRICS|21104|account] Compute metric from query uid=metric uid
21201  Module published  [Portal|MODULES|21201|account] Published module uid=module uid, name=module name
21202  Module deleted  [Portal|MODULES|21202|account] Deleted module uid=module uid
21203  Module replaced  [Portal|MODULES|21203|account] Replaced published module uid=module uid, replaced uid=module uid
21501  Dashboard deleted  [Portal|DASHBOARDS|21501|account] Deleted dashboard, uid=dashboard uid
21301  Software metering metric updated  [Portal|SOFTWARE_METERING_METRIC|21301|account] Updated software metering metric, uid=metric uid
21302  Software metering metric deleted  [Portal|SOFTWARE_METERING_METRIC|21302|account] Deleted software metering metric, uid=metric uid
21303  Software metering metric enabled  [Portal|SOFTWARE_METERING_METRIC|21303|account] Enabled software metering metric, uid=metric uid
21304  Software metering metric disabled  [Portal|SOFTWARE_METERING_METRIC|21304|account] Disabled software metering metric, uid=metric uid
21401  Software metering module updated  [Portal|SOFTWARE_METERING_MODULE|21401|account] Updated software metering module, uid=module uid
21402  Software metering module created  [Portal|SOFTWARE_METERING_MODULE|21402|account] Created software metering module, uid=module uid
Engine
Code  Event  Log message
10001  Engine is up and running  [Engine-01|General|10001|nxengine] Engine is up and running
10002  Engine stopped with error  [Engine-01|General|10002|nxengine] Engine abnormally stopped
10003  Engine stopped gracefully  [Engine-01|MAIN|10003|nxengine] Engine gracefuly stopped
10004  Engine stopped forcefully  [Engine-01|General|10004|nxengine] Engine stopped
10005  Database created  [Engine-01|Database|10005|nxengine] Engine database creation:new database created
10006  Finder user logged in  [Engine-01|Communication|10006|account] Finder user logged in:[milliseconds]
10007  Finder user logged out  [Engine-01|Communication|10007|account] Finder logged out
10008  Finder user login attempt  [Engine-01|Communication|10008|account] Finder log-in attempt
10009  Finder account created  [Engine-01|Database|10009|portal] Finder account creation:[created account]
10010  Finder account deleted  [Engine-01|Database|10010|portal] Finder account destruction:[deleted account]
10011  Finder account updated  [Engine-01|Database|10011|portal] Finder account update:[updated account]
10012  Finder account password changed  [Engine-01|Database|10012|portal] Finder password change:[changed account]
10017  Global alert created  [Engine-01|Database|10017|portal] Global alert creation:[alert name]
10018  Global alert deleted  [Engine-01|Database|10018|portal] Global alert destruction:[alert name]
10019  Global alert updated  [Engine-01|Database|10019|portal] Global alert update:[alert name]
10026  LDAP synchronization request  [Engine-01|Communication|10026|account] LDAP synchronization
10028  Object manually tagged  [Engine-01|DBMGR|10028|account] Manual tagging:[object type|object name]
10029  Binary filtering rule (storage policy) updated  [Engine-01|DBMGR|10029|account] Binary filtering rule update:[binary|executable name]
10030  Executable filtering rule (storage policy) updated  [Engine-01|DBMGR|10030|account] Application filtering rule update:[application|executable name]
10031  Application filtering rule (storage policy) updated  [Engine-01|DBMGR|10031|account] Product or source filtering rule update:[product|application name]
10032  Device filtering rule (storage policy) updated  [Engine-01|DBMGR|10032|account] Source filtering rule update:[source|device name]
10034  Finder request execution  [Engine-01|Communication|10034|account] Request execution:[request type|request details]
10035  Alert execution  [Engine-01|Alert|10035|account] Alert execution:[alert name|alert frequency|number of impacted objects|selector]
10038  License updated  [Engine-01|License|10038|nxengine] License updated: D licensed sources, S licensed servers, M licensed mobile devices with enabled features
10039  NXQL request execution  [Engine-01|WebAPI|10039|account] NXQL V2 execution:[duration ms|wait ms|computation ms| dump ms|NXQL query]
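Every message in the three tables shares the same bracketed header, [Component|Category|Code|Account], which makes the audit log straightforward to parse and to watch. The script below is an added example, not Nexthink code or a Nexthink API: it parses constructed sample lines in the shape shown on this page, counts failed logins per account using the Web Console code 50001 and the Portal code 20103 (whose account field is *system, so the username is taken from the message), and flags a short watch list of codes from the tables above that widen access or weaken the security baseline. The real audit.log may prefix each line with a timestamp, which this page does not show; the parser assumes such a prefix may exist and skips it. The usernames, failure reason and log lines in SAMPLE_LOG are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Bracketed header documented on this page: [Component|Category|Code|Account] message.
# re.search rather than re.match so that anything before the bracket (for example
# a timestamp, which this page does not show and which is assumed here) is ignored.
AUDIT_RE = re.compile(
    r"\[(?P<component>[^|\]]+)\|(?P<category>[^|\]]+)\|(?P<code>\d+)\|"
    r"(?P<account>[^\]]*)\]\s*(?P<message>.*)$"
)

# Portal 20103 puts the username in the message ("User account failed login attempts - reason")
# while its account field is *system.
PORTAL_FAILED_RE = re.compile(r"^User (\S+) failed login")

# Codes from the tables on this page that widen access or weaken the baseline.
WATCHED_CODES = {
    51011: "Portal remote management account enabled",
    51021: "SSH Nexthink account enabled",
    51201: "STIG compliance disabled",
    20104: "User locked",
}


@dataclass(frozen=True)
class AuditEvent:
    component: str
    category: str
    code: int
    account: str
    message: str


def parse_line(line: str) -> Optional[AuditEvent]:
    """Return the parsed event, or None for a line that is not an audit entry."""
    m = AUDIT_RE.search(line)
    if m is None:
        return None
    return AuditEvent(m["component"], m["category"], int(m["code"]),
                      m["account"], m["message"].strip())


def parse_log(text: str) -> list:
    """Parse a whole file, silently skipping lines that do not carry the header."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def failed_login_account(event: AuditEvent) -> Optional[str]:
    """Username behind a failed login for the Web Console (50001) and Portal (20103) events."""
    if event.code == 50001:
        return event.account
    if event.code == 20103:
        m = PORTAL_FAILED_RE.match(event.message)
        return m.group(1) if m else event.account
    return None


def failed_login_counts(events) -> Counter:
    return Counter(a for a in map(failed_login_account, events) if a)


def watched_events(events) -> list:
    """(code, account, description) for every event on the watch list, in log order."""
    return [(e.code, e.account, WATCHED_CODES[e.code]) for e in events if e.code in WATCHED_CODES]


def review(text: str, threshold: int = 3) -> dict:
    """Summarise a log: failed logins per account, accounts at or above the threshold, watched events."""
    events = parse_log(text)
    failures = failed_login_counts(events)
    return {
        "events": len(events),
        "failed_logins": dict(failures),
        "repeated_failures": sorted(a for a, n in failures.items() if n >= threshold),
        "watched": watched_events(events),
    }


# Constructed sample in the shape this page documents; usernames and reason are made up.
SAMPLE_LOG = """\
[Console|Login|50000|alice] Login successful
[Console|Login|50001|bob] Login failed
[Console|Login|50001|bob] Login failed
[Console|Login|50001|bob] Login failed
[Console|Appliance|51021|alice] SSH Nexthink account enabled
[Console|Compliance|51201|alice] STIG compliance disabled
[Portal|LOGIN|20103|*system] User carol failed login attempts - bad password
[Portal|LOGIN|20104|carol] User carol is locked
[Engine-01|General|10001|nxengine] Engine is up and running
this line is not an audit entry and is skipped
"""

if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

To run it against a real appliance, read /var/log/nexthink/audit.log and pass its text to review(); the watch list is a dictionary, so codes such as 51011 (remote access enabled) or 10009 (Finder account created) can be added or removed without touching the parser.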
The start and stop commands for the Engine that are executed from the command line interface (CLI) are logged in journalctl. Run the following command to retrieve them: