Audit trail

Overview

To trace relevant activities in your Appliances (accesses, configuration modifications, starts, stops, etc), Nexthink components write to the audit log file:

/var/log/nexthink/audit.log

Find below the complete list of audit events. In the tables, the words displayed in italics in the log messages are replaced by actual values by the log system. For example, the actual username of the account that performed a particular logged action will replace the word account.

Appliance

See how to configure the system log for the Appliance to record the following events:

  • Logon with the SSH Nexthink account

  • Commands launched with super-user privileges

Web Console

CodeDescription and format

50000

User logged in

[Console|Login|50000|account] Login successful

50001

User login failed

[Console|Login|50001|account] Login failed

50002

User logged out

[Console|Login|50002|account] User logout

51000

Web Console password updated[Console|Appliance|51000|account] Console password updated

51010

Portal remote management account password updated[Console|Appliance|51010|account] Remote password updated

51011

Portal remote management account enabled[Console|Appliance|51011|account] Remote access enabled

51012

Portal remote management account disabled[Console|Appliance|51012|account] Remote access disabled

51020

SSH Nexthink account password updated[Console|Appliance|51020|account] SSH Nexthink account password updated

51021

SSH Nexthink account enabled[Console|Appliance|51021|account] SSH Nexthink account enabled

51022

SSH Nexthink account disabled[Console|Appliance|51022|account] SSH Nexthink account disabled

51100

Appliance hostname updated[Console|Appliance|51100|account] Appliance hostname updated

51101

Appliance static route updated[Console|Appliance|51101|account] Appliance static route updated

51102

Appliance static route deleted[Console|Appliance|51102|account] Appliance static route deleted

51103

Appliance DNS server updated[Console|Appliance|51103|account] Appliance dns server updated

51104

Appliance default gateway updated[Console|Appliance|51104|account] Appliance default gateway updated

51106

Appliance NTP servers updated[Console|Appliance|51106|account] Appliance NTP servers updated

51107

Appliance NTP service enabled[Console|Appliance|51107|account] Appliance NTP service enabled

51108

Appliance NTP service disabled[Console|Appliance|51108|account] Appliance NTP service disabled

51109

Appliance network interface updated[Console|Appliance|51109|account] Appliance network insterface updated

51111

rsyslog service restarted[Console|Appliance|51111|account] rsyslog service restarted

51112

crond service restarted[Console|Appliance|51112|account] crond service restarted

51603

Automatic updates enabled / disabled[Console|Appliance|51603|account] Automatic updates enabled[Console|Appliance|51603|account] Automatic updates disabled

51609

Updates email recipient updated[Console|Appliance|51609|account] Updates email recipient updated

51610

Check for updates triggered[Console|Appliance|51610|account] Check for updates triggered

51611

Start updates triggered[Console|Appliance|51611|account] Start updates triggered

51800

Appliance reboot triggered[Console|Appliance|51800|account] Appliance reboot triggered

52000

Portal parameters updated[Console|Portal|52000|account] Portal parameters updated

52001

Engine name updated

[Console|Engine-01|52001|account] Engine name updated

52007

Maximum stored events updated

[Console|Engine-01|52007|account] Maximum stored events updated

52010

Portal server address updated

[Console|Engine-01|52010|account] Portal server address updated

52010

Portal admin account reset[Console|Portal|52010|account] Portal admin account reset

52011

Aggregation policy updated

[Console|Engine-01|52011|account] Aggregation policy updated

52012

Domain compression updated

[Console|Engine-01|52012|account] Domain compression updated

52090

Engine stopped

[Console|Engine-01|52090|account] Engine stopped

52091

Engine started

[Console|Engine-01|52091|account] Engine started

52100

Internal network removed

[Console|Engine-01|52100|account] Internal network removed

52100

Internal network added

[Console|Engine-01|52100|account] Internal network added

52105

Engine internal domains configuration updated[Console|Engine-01|52105|account] Engine internal domains configuration updated

52200

Active directory added

[Console|Engine-01|52200|account] Active directory added

52201

Active directory removed

[Console|Engine-01|52201|account] Active directory removed

52550

Engine Mobile Bridge parameters updated[Console|Engine-01|52550|account] Engine Mobile Bridge parameters updated

53090

Portal stopped

[Console|Portal|53090|account] Portal stopped

53091

Portal started

[Console|Portal|53091|account] Portal started

53092

LLM started

[Console|Portal|53092|account] LLM started

53093

LLM stopped

[Console|Portal|53093|account] LLM stopped

53094

Nginx started

[Console|Portal|53094|account] nginx started

53095

Nginx stopped

[Console|Portal|53095|account] nginx stopped

Portal

CodeDescription

20001

Portal is starting

[Portal|SYSTEM|20001|*system] Portal is starting

20002

Portal is up and running[Portal|SYSTEM|20002|*system] Portal is up and running

20004

Portal is stopped

[Portal|SYSTEM|20004|*system] Portal is stopped

20101

User logged in

[Portal|LOGIN|20101|account] User account logged with session id session id

20102

User logged out

[Portal|LOGIN|20102|account] User account logout for session id session id

20103

User login failed

[Portal|LOGIN|20103|*system] User account failed login attempts - reason

20104

User locked

[Portal|LOGIN|20104|account] User account is locked

20201

User created

[Portal|USER|20201|account] User created account is created

20202

User removed

[Portal|USER|20202|account] User deleted account is removed

20203

User updated

[Portal|USER|20203|account] User updated account is created

20204

User profile updated

[Portal|USER|20204|account] Updated profile of n users

20205

User domain ownership updated[Portal|USER|20204|account] Updated account ownership of n users

20206

Role added

[Portal|USER|20206|account] Role name is added

20207

Role updated

[Portal|USER|20207|account] Role name is updated

20208

Role removed

[Portal|USER|20208|account] Role name is removed

20209

Profile added (with roles)[Portal|USER|20209|account] Added profile name roles: roles names

20210

Profile updated (with roles)[Portal|USER|20210|account] Updated profile name roles: roles names

20211

Profile removed

[Portal|USER|20211|account] Removed profile name

20501

Hierarchy added

[Portal|HIERARCHY|20501|account] Hierarchy name is added

20502

Hierarchy removed[Portal|HIERARCHY|20502|account] Hierarchy name is removed

20503

Hierarchy updated[Portal|HIERARCHY|20503|account] Hierarchy name is updated

20504

Definition of entities updated[Portal|HIERARCHY|20504|account] CSV of entities category is updated

20701

Engine added

[Portal|ENGINE|20701|account] Engine name of IP IP address or DNS name Port port number is added

20702

Engine removed

[Portal|ENGINE|20702|account] Engine name of IP IP address or DNS name Port port number is removed

20703

Engine connected

[Portal|ENGINE|20703|account] Engine name of IP IP address or DNS name Port port number is connected

20704

Engine disconnected[Portal|ENGINE|20704|account] Engine name of IP IP address or DNS name Port port number is disconnected

20801

Finder user logged in[Portal|FINDER|20801|account] User account logged in (finder)

20803

Finder user login failed[Portal|FINDER|20801|account] User account login failed

20804

Library pack import request (only issued for big packs)[Portal|FINDER|20804|account] Finder import req uid=pack uid

20901

Remote action updated[Portal|CONTENTMANAGER|20901|account] Updated remote action in content manager, uid=remote action uid, name=remote action name

20902

Remote action created[Portal|CONTENTMANAGER|20902|account] Created remote action in content manager, uid=remote action uid, name=remote action name

20903

Remote action deleted[Portal|CONTENTMANAGER|20902|account] Deleted remote action in content manager, uid=remote action uid

20911

Metric updated[Portal|CONTENTMANAGER|20911|account] Updated metric in content manager, uid=metric uid, status=enabled|disabled

20912

Metric created[Portal|CONTENTMANAGER|20912|account] Created metric in content manager, uid=metric uid

20913

Metric deleted[Portal|CONTENTMANAGER|20913|account] Deleted metric in content manager, uid=metric uid

20921

Service updated[Portal|CONTENTMANAGER|20921|account] Updated service in content manager, uid=service uid, status=enabled|disabled

20922

Service created[Portal|CONTENTMANAGER|20922|account] Created service in content manager, uid=service uid

20923

Service deleted[Portal|CONTENTMANAGER|20923|account] Deleted service in content manager, uid=service uid

20931

Campaign updated[Portal|CONTENTMANAGER|20931|account] Updated campaign in content manager, uid=campaign uid, name=campaign name, status=draft|published|retired

20932

Campaign created[Portal|CONTENTMANAGER|20932|account] Created campaign in content manager, uid=campaign uid, name=campaign name

20933

Campaign deleted[Portal|CONTENTMANAGER|20933|account] Deleted campaign in content manager, uid=campaign uid

20941

Category updated[Portal|CONTENTMANAGER|20941|account] Updated category, uid=category uid

20942

Category created[Portal|CONTENTMANAGER|20942|account] Created category, uid=category uid

20943

Category deleted[Portal|CONTENTMANAGER|20943|account] Deleted category, uid=category uid

21001

Manual execution of a remote action through the Finder

[Portal|REMOTEACTION|21001|account] Finder request manual execution of remote action, uid=remote action uid on n devices with uids devices uids

21002

External execution of a remote action through the API

[Portal|REMOTEACTION|21002|account] API request manual execution of remote action, uid=remote action uid on n devices with uids devices uids

21003

External execution of a remote action through the API v2

[Portal|REMOTEACTION|21003|account] API request manual execution of remote action, uid=remote action uid on n devices with uids devices uids

21101

Metric compute triggered from the Finder[Portal|METRICS|21101|account] Compute metric from finder uid=metric uid

21102

Metric clear history triggered by query[Portal|METRICS|21102|account] Clear metric from query uid=metric uid

21103

Metric clear triggered from the Finder[Portal|METRICS|21103|account] Clear metric from finder uid=metric uid

21104

Metric compute triggered by query[Portal|METRICS|21104|account] Compute metric from query uid=metric uid

21201

Module published

[Portal|MODULES|21201|account] Published module uid=module uid, name=module name|-

21202

Module deleted

[Portal|MODULES|21202|account] Deleted module uid=module uid

21203

Module replaced

[Portal|MODULES|21203|account] Replaced published module uid=module uid, replaced uid=module uid

21501

Dashboard deleted[Portal|DASHBOARDS|21501|account] Deleted dashboard, uid=dashboard uid

21301

Software metering metric updated[Portal|SOFTWARE_METERING_METRIC|21301|account] Updated software metering metric, uid=metric uid

21302

Software metering metric deleted[Portal|SOFTWARE_METERING_METRIC|21302|account] Deleted software metering metric, uid=metric uid

21303

Software metering metric enabled[Portal|SOFTWARE_METERING_METRIC|21303|account] Enabled software metering metric, uid=metric uid

21304

Software metering metric disabled[Portal|SOFTWARE_METERING_METRIC|21304|account] Disabled software metering metric, uid=metric uid

21401

Software metering module updated[Portal|SOFTWARE_METERING_MODULE|21401|account] Updated software metering module, uid=module uid

21402

Software metering module created[Portal|SOFTWARE_METERING_MODULE|21402|account] Created software metering module, uid=module uid

Engine

CodeDescription

10001

Engine is up and running

[Engine-01|General|10001|nxengine] Engine is up and running

10002

Engine stopped with error

[Engine-01|General|10002|nxengine] Engine abnormally stopped

10003

Engine stopped gracefully

[Engine-01|MAIN|10003|nxengine] Engine gracefuly stopped

10004

Engine stopped forcefully

[Engine-01|General|10004|nxengine] Engine stopped

10005

Database created

[Engine-01|Database|10005|nxengine] Engine database creation:new database created

10006

Finder user logged in

[Engine-01|Communication|10006|account] Finder user logged in:[milliseconds]

10007

Finder user logged out

[Engine-01|Communication|10007|account] Finder logged out

10008

Finder user login attempt

[Engine-01|Communication|10008|account] Finder log-in attempt

10009

Finder account created

[Engine-01|Database|10009|portal] Finder account creation:[created account]

10010

Finder account deleted

[Engine-01|Database|10010|portal] Finder account destruction:[deleted account]

10011

Finder account updated

[Engine-01|Database|10011|portal] Finder account update:[updated account]

10012

Finder account password changed

[Engine-01|Database|10012|portal] Finder password change:[changed account]

10017

Global alert created

[Engine-01|Database|10017|portal] Global alert creation:[alert name]

10018

Global alert deleted

[Engine-01|Database|10018|portal] Global alert destruction:[alert name]

10019

Global alert updated

[Engine-01|Database|10019|portal] Global alert update:[alert name]

10026

LDAP synchronization request

[Engine-01|Communication|10026|account] LDAP synchronization

10028

Object manually tagged

[Engine-01|DBMGR|10028|account] Manual tagging:[object type|object name]

10029

Binary filtering rule (storage policy) updated[Engine-01|DBMGR|10029|account] Binary filtering rule update:[binary|executable name]

10030

Executable filtering rule (storage policy) updated[Engine-01|DBMGR|10030|account] Application filtering rule update:[application|executable name]

10031

Application filtering rule (storage policy) updated[Engine-01|DBMGR|10031|account] Product or source filtering rule update:[product|application name]

10032

Device filtering rule (storage policy) updated[Engine-01|DBMGR|10032|account] Source filtering rule update:[source|device name]

10034

Finder request execution

[Engine-01|Communication|10034|account] Request execution:[request type|request details]

10035

Alert execution

[Engine-01|Alert|10035|account] Alert execution:[alert name|alert frequency|number of impacted objects|selector]

10038

License updated

[Engine-01|License|10038|nxengine] License updated: D licensed sources, S licensed servers, M licensed mobile devices with enabled features

10039

NXQL request execution

[Engine-01|WebAPI|10039|account] NXQL V2 execution:[duration ms|wait ms|computation ms| dump ms|NXQL query]

The start and stop commands for the Engine that are executed from the CLI are logged in journalctl. Use the following command to retrieve them:

sudo journalctl -u nxengine@*.service | grep systemd


RELATED TASK

Last updated