
Log Locations of Important HyWorks Components

Details of log locations of different Accops Components are given in this document:

HyWorks Controller

Installation Logs

Log location: %appdata%\HyWorksController\Logs

Controller Logs

  • In the respective log database servers configured during installation (Microsoft SQL Server).

  • In the Controller installation directory in the text file:

    C:\Program Files (x86)\Accops\HyWorks\Service\Logs\EDController.txt

  • On configured ARS/ Syslog server (if configured)

    • Sending logs to the external Syslog server: To send HyWorks Controller logs to the external Syslog server, configurations can be made from the HyWorks Management Console -> System -> Syslog config section. Refer to the Syslog Config section for detailed information.

Monitoring Service

C:\Program Files (x86)\Accops\HyWorks\ServerMonitoring\Logs\ServiceLogs.txt

Licensing Service Logs

C:\Program Files (x86)\Accops\HyWorks\HyWorksLicenseServer

Upgrade Service Logs

C:\Program Files (x86)\Accops\HyWorks\HyWorksUpgradeService

Session Host Server

Installation Logs

C:\ProgramData\HyWorksSessionHost\Logs

Session Host Agent

Log Location

C:\Program Files (x86)\Accops\HyWorks\SessionHost\Logs\ServiceLogs.txt

Check Session Host Service From Controller

https://<IP Address of Session Host>:38871/AppController/rest/Test

Monitoring Service

Log Location

C:\Program Files (x86)\Accops\HyWorks\ServerMonitoring\Logs\ServiceLogs.txt

Check Monitoring Service From Controller

https://<IP Address of Session Host>:38870/MonitoringService/rest/gTest

Desktop Agent and DVM Tools

Installation Logs

%appdata%\DVMAgent\Logs\InstallationLog.txt

C:\Program Files (x86)\Accops\HyWorks Desktop Agent\Logs\DesktopAgent-Setup-Logs.txt

Agent Logs

C:\Program Files (x86)\Accops\HyWorks Desktop Agent\Logs\DesktopAgent.txt

HyPrep (Desktop Customization Logs)

HyPrep writes logs in Desktop Agent logs only:

C:\Program Files (x86)\Accops\HyWorks Desktop Agent\Logs\DesktopAgent.txt

Sysprep Logs

C:\Windows\System32\Sysprep\Panther

C:\Windows\System32\Sysprep\Panther\diagerr.xml\diagerr.log

C:\Windows\System32\Sysprep\Panther\diagerr.xml\diagwrn.log

C:\Windows\System32\Sysprep\Panther\setupact.log

Note

  • It is a secure directory; hence, the administrator must copy log files from the above-mentioned location to a different location within the system.

Test Agent Accessibility from HyWorks Controller

https://<IP Address of DVM Agent>:38863/api/edccontract/gTest

Join Domain Logs

C:\Windows\debug\NetSetup.LOG

Windows RDP Events

Remote Session Event Flow

| Case | Event Id | Location | Message | Area |
|---|---|---|---|---|
| RDP Successful Logon | 1149 | Microsoft - Windows - Terminal Services - Remote Connection Manager - Operational | User authentication succeeded | Network Connection |
| | 4624 | Security | The account was successfully logged in. Type 10, 7 for reconnect | Authentication |
| | 21 | Microsoft - Windows - Terminal Services - Local Session Manager - Operational | Remote Desktop Services: Session login succeeded. | Login |
| | 22 | Microsoft - Windows - Terminal Services - Local Session Manager - Operational | Remote Desktop Services: Shell start notification received | Login |
| RDP Unsuccessful Logon | 1149 | Microsoft - Windows - Terminal Services - Remote Connection Manager - Operational | User authentication succeeded | Network Connection |
| | 4625 | Security | An account failed to log on. Type 10, 7 for Reconnect. | Authentication |
| RDP Session Disconnect (Windows Close) | 24 | Microsoft - Windows - Terminal Services - Local Session Manager - Operational | Remote Desktop Services: Session has been disconnected | |
| | 40 | Microsoft - Windows - Terminal Services - Local Session Manager - Operational | Session has been disconnected, reason code | Session Disconnect/ Reconnect |
| | 4779 | Security | A session was disconnected from a Window Station | |
| | 4634 | Security | An account was logged off | |
| RDP Session Disconnect (Start -> Disconnect by User) | 24 | Microsoft - Windows - Terminal Services - Local Session Manager - Operational | Remote Desktop Services: Session has been disconnected | |
| | 39 | Microsoft - Windows - Terminal Services - Local Session Manager - Operational | Session has been disconnected by session | |
| | 40 | Microsoft - Windows - Terminal Services - Local Session Manager - Operational | Session has been disconnected, reason code | Session Disconnect/ Reconnect |
| | 4779 | Security | A session was disconnected from a Window Station | |
| | 4634 | Security | An account was logged off | |
| RDP Session Reconnect | 1149 | Microsoft - Windows - Terminal Services - Remote Connection Manager - Operational | User authentication succeeded | Network Connection |
| | 4624 | Security | The account was successfully logged in. Type 10, 7 for reconnect | Authentication |
| | 25 | Microsoft - Windows - Terminal Services - Local Session Manager - Operational | Remote Desktop Services: Session reconnection successful | |
| | 40 | Microsoft - Windows - Terminal Services - Local Session Manager - Operational | Session has been disconnected, reason code | Session Disconnect/ Reconnect |
| | 4778 | Security | A session was reconnected to a Windows station | |
| RDP Session Logoff | 23 | Microsoft - Windows - Terminal Services - Local Session Manager - Operational | Remote Desktop Services: Session logoff succeeded | |
| | 4634 | Security | An account was logged off | Logoff |
| | 4647 | Security | User-initiated logoff | Logoff |
| | 9009 | System | The Desktop Window Manager has end user-initiated with code | |
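
The event flows in the table above can be used to label what happened in an exported event timeline. The following is an added example, not Accops code: it groups a constructed sample timeline into bursts (the 5-second gap is an assumption) and names each burst by the event IDs that distinguish the cases in the table. The channel strings are the Windows event log channel names for the table's Terminal Services locations.

```python
from datetime import datetime, timedelta

LSM = "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
RCM = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
SEC = "Security"

# Distinguishing events per case (from the table); first match wins, so 24+39 precedes 24 alone.
RULES = [
    ("RDP Session Reconnect", {(LSM, 25)}),
    ("RDP Unsuccessful Logon", {(SEC, 4625)}),
    ("RDP Successful Logon", {(SEC, 4624), (LSM, 21)}),
    ("RDP Session Logoff", {(LSM, 23)}),
    ("RDP Session Disconnect (Start -> Disconnect by User)", {(LSM, 24), (LSM, 39)}),
    ("RDP Session Disconnect (Windows Close)", {(LSM, 24)}),
]

def bursts(events, gap=timedelta(seconds=5)):
    """Group (time, channel, event_id) records whose spacing is <= gap (assumed value)."""
    groups = []
    for ev in sorted(events, key=lambda e: e[0]):
        if groups and ev[0] - groups[-1][-1][0] <= gap:
            groups[-1].append(ev)
        else:
            groups.append([ev])
    return groups

def classify(burst):
    """Return the table's case name for one burst, or 'Unclassified'."""
    seen = {(channel, event_id) for _, channel, event_id in burst}
    return next((label for label, required in RULES if required <= seen), "Unclassified")

def session_flow(events):
    """Label every burst in a timeline as (start time, case)."""
    return [(b[0][0], classify(b)) for b in bursts(events)]

def _at(hms, channel, event_id):
    return (datetime.fromisoformat("2024-01-01T" + hms), channel, event_id)

# Constructed sample timeline for one host (not real log data).
SAMPLE = [
    _at("09:00:00", RCM, 1149), _at("09:00:01", SEC, 4624), _at("09:00:02", LSM, 21), _at("09:00:03", LSM, 22),
    _at("09:30:00", LSM, 24), _at("09:30:00", LSM, 39), _at("09:30:01", LSM, 40), _at("09:30:01", SEC, 4779),
    _at("10:00:00", RCM, 1149), _at("10:00:01", SEC, 4624), _at("10:00:02", LSM, 25), _at("10:00:02", SEC, 4778),
    _at("10:20:00", LSM, 24), _at("10:20:01", LSM, 40), _at("10:20:01", SEC, 4779), _at("10:20:02", SEC, 4634),
    _at("10:45:00", RCM, 1149), _at("10:45:01", SEC, 4625),
    _at("11:00:00", LSM, 23), _at("11:00:01", SEC, 4647), _at("11:00:01", SEC, 4634),
]
for start, case in session_flow(SAMPLE):
    print(start.time(), case)
```

Event 1149 alone is not used as a rule because the table lists it for both successful and unsuccessful logons; the Security event that follows it decides the case.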

Client-side Logs for Disconnections

Often, for session disconnections, the following two logs on Windows desktops (Client-side) can be referred to:

EDCLauncher Logs: C:\Users\admin\AppData\Local\Accops\edc\softclient\logs\EDCLauncher.log

Microsoft Event Viewer: Application and Services Logs - Microsoft - Windows - Terminal Services-ClientActiveXCore - Microsoft-Windows-TerminalServices-RDPClient/Operational

Online References

  • https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/
  • https://frsecure.com/blog/rdp-connection-event-logs/
  • https://countuponsecurity.com/2015/11/25/digital-forensics-supertimeline-event-logs-part-ii/
  • https://jpcertcc.github.io/ToolAnalysisResultSheet/details/mstsc.htm#KeyEvents-Source

Linux VDI Logs

DVM Tools Version

cat /etc/edcdvm/linuxDVM/productInfo.txt

Installation Logs of DVM Agent

vi /etc/edcdvm/linuxDVM/Logs/linuxDvmAgentInstaller.txt

Desktop Agent Logs

vi /etc/edcdvm/linuxDVM/Logs/DesktopAgentLog.txt

Xrdp Logs

When issues such as a black screen or session failure are observed, or when the session disconnects, the following log can be checked:

vi /var/log/xrdp.log

Xrdp sesman Log

When issues such as a black screen or session failure are observed, or when the session disconnects, the following log can be checked:

vi /var/log/xrdp-sesman.log

HyPrep Logs for Linux

vi /etc/edcdvm/linuxDVM/Logs/linuxSysprep.txt

Session Server Extensions

Server-side Logs

C:\Windows\Temp\Accops

C:\Windows\Temp\Accops\VirtChannels

C:\Windows\Temp\Accops\HyPrint

C:\Windows\Temp\Accops\Contentrdr

C:\Windows\Temp\Accops\LightSpeed

Client-side Logs (Windows)

%temp%\Accops\RDPClientExtension\

%temp%\Accops\RDPClientExtension\ContentRedirect.log

%temp%\Accops\RDPClientExtension\FileRedirect.log

%temp%\Accops\RDPClientExtension\HyPrint.log

%temp%\Accops\RDPClientExtension\RequestRedirect.log

How to Enable Client-side Logs

The respective registry entry must be modified to enable the Client-side extension logs.

  • For Non-admin Clients, the registry location will be: HKEY_CURRENT_USER\SOFTWARE\Accops\RDPClientExtension

  • For Admin Client, the registry location will be: HKEY_LOCAL_MACHINE\SOFTWARE\Accops\RDPClientExtension

  • If the registry keys do not exist under HKEY_CURRENT_USER, the fallback location is HKEY_LOCAL_MACHINE.

To enable Client-side virtual channel logs, follow the below steps:

  1. For Content Redirection Client Extension Logs: Latency data, Client information, messages

    1. Open registry editor.

    2. Navigate to the registry location HKEY_CURRENT_USER\SOFTWARE\Accops\RDPClientExtension\ContentRedirect

    3. Set registry key log level as 3.

  2. Follow the same process for other Extensions. Following are the registry locations:

    1. File Redirection (File Transfer): HKEY_CURRENT_USER\SOFTWARE\Accops\RDPClientExtension\FileRedirect

    2. HyPrint (HyPrint, Light Speed Printing, Legacy Printing): HKEY_CURRENT_USER\SOFTWARE\Accops\RDPClientExtension\HyPrint

    3. Request Redirection (Network Redirection): HKEY_CURRENT_USER\SOFTWARE\Accops\RDPClientExtension\RequestRedirect

User Apps

Workspace User App

%localappdata%\Accops\edc\softclient\logs

SRMS

C:\Program Files (x86)\Accops\HyWorks\SessionRecordingManager\SessionRecordingAggregator\Logs

C:\Program Files (x86)\Accops\HyWorks\SessionRecordingManager\SessionRecordingAutoClean\Logs

C:\Program Files (x86)\Accops\HyWorks\SessionRecordingManager\SessionRecordingManager\Logs

Scheduler and Action Processor

C:\Program Files (x86)\Accops\HyWorks\ActionProcessor\Logs

C:\Program Files (x86)\Accops\HyWorks\Scheduler\SchedulerService\Logs

C:\Program Files (x86)\Accops\HyWorks\Scheduler\SchedulerWorker\Logs

AUEM

C:\Program Files (x86)\Accops\AUEM\Logs

Hyper-V Connector Logs

C:\Program Files\Accops\HyWorks\Hyper-V Connector\Logs

HyLabs

C:\Program Files (x86)\Accops\HyWorks\RMSService\Logs\EDController.txt

HyLabs event logs can be enabled from the HyWorks Management Console.

  1. Go to Settings > General > Advance.

  2. Locate the setting Enable HyLabs event log and set it to True.

  3. Update the Advanced Settings, and HyLabs event logs will start getting created at the following location:

C:\Program Files (x86)\Accops\HyWorks\RMSService\Logs\log.txt