70.6 Viewing the Audit Log of Remote Management Sessions Using the Windows Event Viewer

ZENworks 7 Desktop Management records log information on a Windows 2000/XP managed workstation.

To view the audit log of Remote Management sessions:

  1. Click Start > Programs > Administrative Tools > Event Viewer.

  2. Click Log > Application.

  3. Double-click the event associated with the source Remote Management Agent.

    NOTE: To view only the events pertinent to the Remote Management Agent, choose Remote Management Agent from the Source drop-down list in the Filter dialog box.

Desktop Management provides remote diagnostics of workstations. Remote diagnostics displays the event log information of Windows 2000/XP managed workstations. You can also view the audit log for Remote Management using the Event Log window. For more information, see Section 71.4, Event Log Information.

70.6.1 Understanding the Audit Log

The Windows 2000/XP event logging mechanism allows applications running on the managed workstation to record events as log files. You can use the Event Viewer to view the event logs. The Event Viewer maintains Application, Security, and System log files. The events for Remote Management sessions are stored in the Application log file. The managed workstation where the Remote Management Agent is installed maintains this log information as an audit log. For more information, see Section 70.6, Viewing the Audit Log of Remote Management Sessions Using the Windows Event Viewer.

The audit log maintains the list of events for each Remote Management session and stores the following details:

  • The success or failure of the authentication process

  • The start time or end time of Remote Management sessions

  • The name of the user attempting to remote manage the workstation

  • The domain name and address of the management console accessing the managed workstation

  • The remote operation performed on the managed workstation

  • The name of the user logged in to the managed workstation

  • The event success or failure status, and details for the failure

The following sections contain additional information:

Details of Events in the Audit Log

The following table explains the information stored by each event during a Remote Management session:

Table 70-6 Details of Events in the Audit Log

| Parameter | Description |
|---|---|
| Date | Date of the event occurrence. |
| Time | Time stamp of the event occurrence. |
| Computer | Name of the computer on which the event occurred. |
| Event ID | Unique ID assigned to the event. |
| Source | The source name for the Remote Management audit log is Remote Management Agent. |
| Type | The type of the event indicates if the particular event was a success, failure, information, warning, or error. |
| Category | The category lists the different events for the application. The details of an event are in the detailed message for the event. The events for Remote Management Agent are: Authentication Event, Session Start Event, Session Terminate Event. |
| Operation | The various operations that a management console user can perform on the managed workstation are: Remote Control, Remote View, Remote Diagnostics, File Transfer, Remote Execute. All events record the domain name of the remote operator who is remotely accessing the managed workstation. |
| Console Address | IP address of the workstation that the remote operator uses to remotely access the managed workstation. |
| Console DN | Domain name of the workstation that the remote operator uses to remotely access the managed workstation. |
| Local User | Domain name of the user logged in to the managed workstation. |
| Event Message | The message for the event. |

Event Log Messages for Remote Management Sessions

Informational and error messages are recorded for the following events during a Remote Management session:

  • Authentication Event

  • Session Start Event

  • Session Terminate Event

You can view the details of events that occurred during a Remote Management session from the Description box in the Event Detail window. For more information about event details, see Section 70.6, Viewing the Audit Log of Remote Management Sessions Using the Windows Event Viewer.

Authentication Event

The Authentication event records whether the Remote Management Agent could authenticate the remote user for that operation. The following table describes the Authentication Event messages:

Table 70-7 Authentication Event Messages

| Type | Message |
|---|---|
| Success | Authentication was successful. |
| Success | The password is successfully set for this workstation. |
| Success | The password is successfully reset for this workstation. |
| Failure | Authentication failed. |

Session Start Event

The Session Start event records the time when a particular session was started. The following table describes the Session Start Event messages:

Table 70-8 Session Start Event Messages

| Type | Message |
|---|---|
| Information | Session started. |

Session Terminate Event

The Session Terminate event details the time when the session was disconnected, and the reason for terminating the session. The following table describes the Session Terminate Event messages:

Table 70-9 Session Terminate Event Messages

| Type | Message |
|---|---|
| Information | Session terminated normally. |
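
The following is an added example, not part of the ZENworks documentation: a review script that takes Remote Management Agent events and reports console addresses with repeated Authentication Event failures and Session Start events that have no matching Session Terminate event. It assumes the Application log has been exported to CSV with columns named after the Table 70-6 parameters and that every event carries the Operation value; the export layout, host names, user names, and addresses are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample export of the Application log. The CSV layout and column
# names (taken from Table 70-6) are assumptions, not Event Viewer's own format.
SAMPLE = """\
Date,Time,Computer,Source,Type,Category,Operation,Console Address,Local User,Event Message
2005-03-01,09:00:05,WS-014,Remote Management Agent,Failure,Authentication Event,Remote Control,192.0.2.10,alice,Authentication failed.
2005-03-01,09:00:09,WS-014,Remote Management Agent,Failure,Authentication Event,Remote Control,192.0.2.10,alice,Authentication failed.
2005-03-01,09:00:14,WS-014,Remote Management Agent,Failure,Authentication Event,Remote Control,192.0.2.10,alice,Authentication failed.
2005-03-01,09:01:02,WS-014,Remote Management Agent,Success,Authentication Event,Remote View,192.0.2.20,alice,Authentication was successful.
2005-03-01,09:01:03,WS-014,Remote Management Agent,Information,Session Start Event,Remote View,192.0.2.20,alice,Session started.
2005-03-01,09:15:40,WS-014,Remote Management Agent,Information,Session Terminate Event,Remote View,192.0.2.20,alice,Session terminated normally.
2005-03-01,09:20:01,WS-022,Remote Management Agent,Information,Session Start Event,File Transfer,192.0.2.20,bob,Session started.
2005-03-01,09:21:00,WS-022,Some Other Service,Information,None,,,,Unrelated event.
"""

SOURCE = "Remote Management Agent"  # source name given in Table 70-6

def load_events(text):
    """Keep only Remote Management Agent rows, sorted by date and time."""
    rows = [r for r in csv.DictReader(io.StringIO(text)) if r["Source"] == SOURCE]
    return sorted(rows, key=lambda r: (r["Date"], r["Time"]))

def failed_auth_by_console(events, threshold=3):
    """Console addresses with at least `threshold` failed authentications."""
    fails = Counter(e["Console Address"] for e in events
                    if e["Category"] == "Authentication Event" and e["Type"] == "Failure")
    return {addr: n for addr, n in fails.items() if n >= threshold}

def unterminated_sessions(events):
    """Session Start events with no later Session Terminate event for the
    same workstation, console address, and operation."""
    still_open = {}
    for e in events:
        key = (e["Computer"], e["Console Address"], e["Operation"])
        if e["Category"] == "Session Start Event":
            still_open[key] = e["Date"] + " " + e["Time"]
        elif e["Category"] == "Session Terminate Event":
            still_open.pop(key, None)
    return still_open

if __name__ == "__main__":
    events = load_events(SAMPLE)
    print("repeated failures:", failed_auth_by_console(events))
    print("still open:", unterminated_sessions(events))
```
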