Jean M 7 Posted October 1, 2019 Share Posted October 1, 2019 Hi, I wanted to know if there is any audit log for the SMC that would contain for example: - User authentication on SMC server web interface - User actions like triggered tasks, etc. I tried to look in /var/log/eset/RemoteAdministrator/Server/trace.log But it is rather verbose and I couldn't find what I needed. Thanks, Jean Mousinho Link to comment Share on other sites More sharing options...
ESET Staff MartinK 375 Posted October 1, 2019 ESET Staff Share Posted October 1, 2019 There is audit log accessible via standard reports mechanisms -> please check predefined reports where you should find audit log containing exactly what you are searching for. Link to comment Share on other sites More sharing options...
Jean M 7 Posted October 2, 2019 Author Share Posted October 2, 2019 Great. That's exactly what we wanted. I noticed that it logs a lot of: 2019 Oct 2 10:53:52 Update modules Update Modules successfully updated. Success System user system yes It is occurring every minute. Is it possible to filter out this message somehow? Thanks! Link to comment Share on other sites More sharing options...
ESET Staff MartinK 375 Posted October 2, 2019 ESET Staff Share Posted October 2, 2019 It is possible to clone this report template and check whether there is possibility to extend it with filters, but I think set of possible filters was very limited in ESMC 7.0 and it will be improved in upcoming version. Just to be sure, it seems that you set updates of your ESMC to happen every minute - is this correct and expected configuration? This parameter is configured in ESMC's settings in console, and default value is 6 hours as modules for ESMC are not released very often (it is not related to antivirus updates which happen multiple times a day). Link to comment Share on other sites More sharing options...
Jean M 7 Posted October 2, 2019 Author Share Posted October 2, 2019 Exactly, I was looking for a setting to configure that interval but couldn't find it. With your description I was able to find it and it was in fact set to 1min! Probably by mistake.. One suggestion. We noticed that run commands logged in this audit report are not showing what command is being executed (a detail information from the command), at least from what we know. This is an important audit information as you should understand. We'd say that this should show at least in the audit events related to when we change the run command user task configuration (that's when that information is set). Certainly it could imply changes in the amount of information stored in the audit. Thanks! rmdir32 1 Link to comment Share on other sites More sharing options...
Jean M 7 Posted November 25, 2019 Author Share Posted November 25, 2019 I was looking for other ways of getting this information (knowing what commands were run by a certain user of SMC Console), do you have any suggestion? The audit provides runTask logs and change task logs, but no information on the command. Looking at specific computer details, we see a list of events but for the run task we can only see the most recent command assigned to the task. Thanks. rmdir32 1 Link to comment Share on other sites More sharing options...
Recommended Posts