Audit trail
Overview
To trace relevant activities in your Appliances (accesses, configuration modifications, starts, stops, etc), Nexthink components write to the audit log file:
/var/log/nexthink/audit.log
Find below the complete list of audit events. In the tables, the words displayed in italics in the log messages are replaced by actual values by the log system. For example, the actual username of the account that performed a particular logged action will replace the word account.
Appliance
See how to configure the system log for the Appliance to record the following events:
Logon with the SSH Nexthink account
Commands launched with super-user privileges
Web Console
Code | Description and format |
---|---|
50000 | User logged in
|
50001 | User login failed
|
50002 | User logged out
|
51000 | Web Console password updated |
51010 | Portal remote management account password updated |
51011 | Portal remote management account enabled |
51012 | Portal remote management account disabled |
51020 | SSH Nexthink account password updated |
51021 | SSH Nexthink account enabled |
51022 | SSH Nexthink account disabled |
51100 | Appliance hostname updated |
51101 | Appliance static route updated |
51102 | Appliance static route deleted |
51103 | Appliance DNS server updated |
51104 | Appliance default gateway updated |
51106 | Appliance NTP servers updated |
51107 | Appliance NTP service enabled |
51108 | Appliance NTP service disabled |
51109 | Appliance network interface updated |
51111 | rsyslog service restarted |
51112 | crond service restarted |
51603 | Automatic updates enabled / disabled |
51609 | Updates email recipient updated |
51610 | Check for updates triggered |
51611 | Start updates triggered |
51800 | Appliance reboot triggered |
52000 | Portal parameters updated |
52001 | Engine name updated
|
52007 | Maximum stored events updated
|
52010 | Portal server address updated
|
52010 | Portal admin account reset |
52011 | Aggregation policy updated
|
52012 | Domain compression updated
|
52090 | Engine stopped
|
52091 | Engine started
|
52100 | Internal network removed
|
52100 | Internal network added
|
52105 | Engine internal domains configuration updated |
52200 | Active directory added
|
52201 | Active directory removed
|
52550 | Engine Mobile Bridge parameters updated |
53090 | Portal stopped
|
53091 | Portal started
|
53092 | LLM started
|
53093 | LLM stopped
|
53094 | Nginx started
|
53095 | Nginx stopped
|
Portal
Code | Description |
---|---|
20001 | Portal is starting
|
20002 | Portal is up and running |
20004 | Portal is stopped
|
20101 | User logged in
|
20102 | User logged out
|
20103 | User login failed
|
20104 | User locked
|
20201 | User created
|
20202 | User removed
|
20203 | User updated
|
20204 | User profile updated
|
20205 | User domain ownership updated |
20206 | Role added
|
20207 | Role updated
|
20208 | Role removed
|
20209 | Profile added (with roles) |
20210 | Profile updated (with roles) |
20211 | Profile removed
|
20501 | Hierarchy added
|
20502 | Hierarchy removed |
20503 | Hierarchy updated |
20504 | Definition of entities updated |
20701 | Engine added
|
20702 | Engine removed
|
20703 | Engine connected
|
20704 | Engine disconnected |
20801 | Finder user logged in |
20803 | Finder user login failed |
20804 | Library pack import request (only issued for big packs) |
20901 | Remote action updated |
20902 | Remote action created |
20903 | Remote action deleted |
20911 | Metric updated |
20912 | Metric created |
20913 | Metric deleted |
20921 | Service updated |
20922 | Service created |
20923 | Service deleted |
20931 | Campaign updated |
20932 | Campaign created |
20933 | Campaign deleted |
20941 | Category updated |
20942 | Category created |
20943 | Category deleted |
21001 | Manual execution of a remote action through the Finder
|
21002 | External execution of a remote action through the API
|
21003 | External execution of a remote action through the API v2
|
21101 | Metric compute triggered from the Finder |
21102 | Metric clear history triggered by query |
21103 | Metric clear triggered from the Finder |
21104 | Metric compute triggered by query |
21201 | Module published
|
21202 | Module deleted
|
21203 | Module replaced
|
21501 | Dashboard deleted |
21301 | Software metering metric updated |
21302 | Software metering metric deleted |
21303 | Software metering metric enabled |
21304 | Software metering metric disabled |
21401 | Software metering module updated |
21402 | Software metering module created |
Engine
Code | Description |
---|---|
10001 | Engine is up and running
|
10002 | Engine stopped with error
|
10003 | Engine stopped gracefully
|
10004 | Engine stopped forcefully
|
10005 | Database created
|
10006 | Finder user logged in
|
10007 | Finder user logged out
|
10008 | Finder user login attempt
|
10009 | Finder account created
|
10010 | Finder account deleted
|
10011 | Finder account updated
|
10012 | Finder account password changed
|
10017 | Global alert created
|
10018 | Global alert deleted
|
10019 | Global alert updated
|
10026 | LDAP synchronization request
|
10028 | Object manually tagged
|
10029 | Binary filtering rule (storage policy) updated |
10030 | Executable filtering rule (storage policy) updated |
10031 | Application filtering rule (storage policy) updated |
10032 | Device filtering rule (storage policy) updated |
10034 | Finder request execution
|
10035 | Alert execution
|
10038 | License updated
|
10039 | NXQL request execution
|
The start and stop commands for the Engine that are executed from the CLI are logged in journalctl
. Use the following command to retrieve them:
sudo journalctl -u nxengine@*.service | grep systemd
RELATED TASK
Last updated