There are certain other helpful details related to the audit events logged for remote management events. Some of them are explained in the following sections:
Operations which are launched in another session (not independently) are termed as internal operations.
For example, File Transfer can be launched internally in a Remote Control or a Remote Diagnostics session. Remote Execute event is logged when launched as single operation where only commands can be executed. Remote Execute event is also logged when it is launched in a Remote Control session
You can launch and exit these internal operations any time without affecting actual remote session. But irrespective of how many times you launch these internal operations, an audit event is logged only at the end of the actual remote session.
An intermediate event is launched for events such as remote execute, remote diagnostics and file transfer when the commands executed, applications launched and files transferred are huge and exceed the limit of audit log file size. An intermediate event will have only start time and the status displayed for this event is In-Progress.
For example in a single File transfer session there can be thousands of files that can be transferred. As per the limitation on each audit log file size, you cannot log additional data (files transferred info) which has size exceeding 200KB. This comes to around 250 files transferred. Due to this limitation approximately for every 250 files transferred there is an intermediate file transfer audit log event. Similarly for remote execute and remote diagnostics events.
For events that are generated at the end of a session both start and end time information is available.
In a remote session that is in progress, if there is abrupt termination due to force reboot or power failure, the audit information is not lost and will be logged once the system comes back. Every time remote management service is initialized, it checks for the pending audit events to be logged and logs it with reason for termination as abrupt. The end time will not be accurate but will have maximum of a minute deviation. When system is down, the last updated time available on disk will be used as end time for the pending events to be logged.