AWEM (Accops Windows Event Monitor)
AWEM (Accops Windows Event Monitor) is used to analyse Windows system events generated by the user's activities (logon, policy processing, profile loading and session handling).
AWEM also:
- collects and analyses event data to identify the time span of the different activities;
- helps to identify issues in a user session, based on the analysed data that the application sends to the server;
- monitors critical and non-critical events; depending on the event type, the data is either sent to the server or dumped to an output file.
Registry settings
Property Name | Type | Default Value | Description |
---|---|---|---|
monitor.winlogon | BOOL | true | Enables or disables monitoring through the AWLM module. |
monitor.critical_event.interval | NUMBER | 10 | Interval at which AWLM processes the collected critical-event data and sends it to the server or dumps it to the output file, depending on the server configuration. |
Note
Service needs to be restarted after modifying registry value
Events setting
AWLM application events can be configured using the “event_watch.json” file.
- Location: C:\Program Files (x86)\Accops\AUEM
Note
Currently the file location is not configurable; the file must always be present at the above location, otherwise the application will not work.
- Every event has an “isCriticalEvent” node which defines whether that event is critical.
- isCriticalEvent has three values: 1: Critical, 2: Non-critical, 3: Both critical and non-critical.
- Critical event data is sent at the interval defined in the “monitor.critical_event.interval” registry value.
- By default, events 36, 4005, 40, 1500, 1508, 1509 and 1511 are considered critical.
- Non-critical event data is sent at an interval of 10 minutes after analysis; currently this interval is not configurable.
- If isCriticalEvent is 3, the event data is processed as both critical and non-critical.
Note
Currently the application treats every value other than 1 and 3 as non-critical, so 2 and any unexpected value behave the same way.
Note
Service needs to be restarted after modifying the event_watch.json file.
Channel name - Microsoft-Windows-GroupPolicy/Operational
Event ID | Description | Log type | Comment |
---|---|---|---|
4001 | Starting user logon policy processing. | Type is identified based on the event data. | Filtered using the record id obtained from event 5324. |
5016 | Logged when processing of a GPO client-side extension ends. Also used to identify the total time taken for extension processing. | GPO_EXTENSION_FINISHED | |
5017 | User account details fetched from the Domain Controller, with timestamp and time span. | ACCOUNT_FETCHED | |
5117 | Logged when the user group policy session completes. | GPO_POLICY_SESSION_FINISHED | |
5126 | Logged when download of the user GPOs from the domain completes. | GPO_FETCHED | |
5216 | Logged when the policies have been saved to the local datastore. | GPO_ALL_SAVED | |
5257 | Logged when download of all policies completes. | GPO_ALL_DOWNLOADED | |
5312 | Lists all policies that apply to the computer or user object based on its AD placement. | Type is identified based on the event data. | |
5313 | Lists the policies that were filtered out because they do not apply due to security filtering. | Type is identified based on the event data. | |
5324 | Group Policy received the StartShell notification from Winlogon for the session. | | Used to identify the record id, which event 4001 uses for filtration. This event data is not sent to the server. |
5326 | Time taken to connect to the Domain Controller. | DC_DETAILS_RECEIVED | |
6339 | Generated when GPO processing ends. | GPO_START_SESSION_FINISHED | |
8001 | Completed user logon policy processing, with timestamp. | GPO_PROCESSING_FINISHED | |
Channel name - Microsoft-Windows-Shell-Core/Operational
Event Id | Description | Log type | Comment |
---|---|---|---|
42 | Used to identify the username; used by events 9705, 9706, 62170 and 62171 for filtration. | | This event data is not sent to the server. |
9705 | Generated when a startup application task starts. | SHELL_RUN_STATUP_APPS | The time span is calculated from 9705 and 9706. Only a single record is sent for the 9705/9706 pair. |
9706 | Generated when a startup application task finishes. | SHELL_RUN_STATUP_APPS | The time span is calculated from 9705 and 9706. Only a single record is sent for the 9705/9706 pair. |
62170 | Logon start event. | SHELL_ALL_LOGON_TASK | The application logon time span is calculated from the 62170 and 62171 event data. Only a single record is sent for the 62170/62171 pair. |
62171 | Logon finished event. | SHELL_ALL_LOGON_TASK | The application logon time span is calculated from the 62170 and 62171 event data. Only a single record is sent for the 62170/62171 pair. |
Channel name - Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
Event Id | Description | Log type | Comment |
---|---|---|---|
21 | Generated when a Remote Desktop Services session logon succeeds. | TERMINAL_SESSION_FINISHED | Events 21 and 22 are used to identify the terminal session time span. Only a single record is sent for the 21/22 pair. |
22 | Generated when a Remote Desktop Services shell start notification is received. | TERMINAL_SESSION_FINISHED | Events 21 and 22 are used to identify the terminal session time span. Only a single record is sent for the 21/22 pair. |
36 | Generated when the server is in a hang state. | SESSION_HANG_ISSUE | |
40 | Session has been disconnected, with a reason code. | SESSION_DISCONNECTION | |
41 | Generated when session arbitration starts. | AUTHENTICATED | Events 41 and 42 are used to identify the authentication time span. Only a single record is sent for the 41/42 pair. |
42 | Generated when session arbitration finishes. | AUTHENTICATED | Events 41 and 42 are used to identify the authentication time span. Only a single record is sent for the 41/42 pair. |
Channel name - Microsoft-Windows-User Profile Service/Operational
Event Id | Description | Log type | Comment |
---|---|---|---|
1 | Started processing the user logon notification for the session id. | USER_PROFILE_LOADED | Events 1 and 2 are used to identify the time taken by user logon processing. Only a single record is sent for the 1/2 pair. |
2 | Finished processing the user logon notification for the session id. | USER_PROFILE_LOADED | Events 1 and 2 are used to identify the time taken by user logon processing. Only a single record is sent for the 1/2 pair. |
Channel name - Microsoft-Windows-Winlogon/Operational
Event Id | Description | Log type | Comment |
---|---|---|---|
1 | Generated when the user logon operation starts. | AUTHENTICATED | Events 1 and 2 are used to identify the time taken by the logon operation. Only a single record is sent for the 1/2 pair. |
2 | Generated when the user logon operation finishes. | AUTHENTICATED | Events 1 and 2 are used to identify the time taken by the logon operation. Only a single record is sent for the 1/2 pair. |
811 | Notification start event. | Depends on the subscriber name (see table below). | Events 811 and 812 are used to identify the time taken by each notification. Only a single record is sent for each 811/812 pair, with the log type chosen from the subscriber name. |
812 | Notification end event. | Depends on the subscriber name (see table below). | Events 811 and 812 are used to identify the time taken by each notification. Only a single record is sent for each 811/812 pair, with the log type chosen from the subscriber name. |
Note
Notification data log type is decided based on the subscriber name.
Subscriber name | Log type |
---|---|
GPClient | GPCLIENT_FINISHED |
TermSrv | TERMINAL_SERVICE_FINISHED |
Wlansvc | WLAN_SVC_FINISHED |
Profiles | PROFILE_FINISHED |
Sens | SENS_FINISHED |
SessionEnv | SESSION_ENV_FINISHED |
- | OTHER_NOTIFICATION_FINISHED |
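The pairing of 811/812 notification events and the subscriber-to-log-type mapping above can be reproduced from the event log directly, which is useful when checking the time spans AWEM reports against the raw Winlogon channel. The following PowerShell is an added example and is not Accops/AWEM code. It assumes (the page does not say) that the subscriber name is the first EventData property of events 811 and 812, and that an 812 belongs to the most recent unmatched 811 for the same subscriber in TimeCreated order; the sample events are constructed so the script runs offline.

```powershell
# Added example, not AWEM/Accops code: reproduce the 811/812 pairing described above.
# Assumptions (not stated on the page): the subscriber name is Properties[0] of
# events 811/812, and an 812 matches the latest unmatched 811 for that subscriber.

$SubscriberLogType = @{                     # mapping from the subscriber table above
    'GPClient'   = 'GPCLIENT_FINISHED'
    'TermSrv'    = 'TERMINAL_SERVICE_FINISHED'
    'Wlansvc'    = 'WLAN_SVC_FINISHED'
    'Profiles'   = 'PROFILE_FINISHED'
    'Sens'       = 'SENS_FINISHED'
    'SessionEnv' = 'SESSION_ENV_FINISHED'
}

function Get-NotificationSpan {
    # $Events: objects with Id, TimeCreated and Properties (the shape Get-WinEvent returns)
    param([Parameter(Mandatory)] [object[]] $Events)

    $pending = @{}                          # subscriber -> unmatched 811 event
    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        $subscriber = [string]$e.Properties[0].Value   # assumption: first data item
        if ($e.Id -eq 811) {
            $pending[$subscriber] = $e
            continue
        }
        if ($e.Id -ne 812 -or -not $pending.ContainsKey($subscriber)) {
            continue                        # an 812 with no start: nothing to measure
        }
        $start = $pending[$subscriber]
        $pending.Remove($subscriber)
        $logType = if ($SubscriberLogType.ContainsKey($subscriber)) {
            $SubscriberLogType[$subscriber]
        } else {
            'OTHER_NOTIFICATION_FINISHED'   # the "-" fallback row of the table
        }
        [pscustomobject]@{                  # one record per 811/812 pair, as the page describes
            Subscriber = $subscriber
            LogType    = $logType
            Start      = $start.TimeCreated
            End        = $e.TimeCreated
            Millis     = [int]($e.TimeCreated - $start.TimeCreated).TotalMilliseconds
        }
    }
    # An 811 whose 812 never arrived is a notification that did not finish: flag it.
    foreach ($s in $pending.Keys) {
        Write-Warning "No 812 seen for subscriber '$s' started at $($pending[$s].TimeCreated)"
    }
}

function New-SampleEvent([int]$Id, [string]$Time, [string]$Subscriber) {
    # Constructed stand-in for an EventLogRecord so the example runs offline.
    [pscustomobject]@{
        Id          = $Id
        TimeCreated = [datetime]$Time
        Properties  = @([pscustomobject]@{ Value = $Subscriber })
    }
}

# Constructed sample: interleaved subscribers, an unknown subscriber, and one that never ends.
$sample = @(
    New-SampleEvent 811 '2024-01-15T08:00:00.000' 'Profiles'
    New-SampleEvent 812 '2024-01-15T08:00:00.250' 'Profiles'
    New-SampleEvent 811 '2024-01-15T08:00:00.300' 'GPClient'
    New-SampleEvent 811 '2024-01-15T08:00:00.310' 'Sens'
    New-SampleEvent 812 '2024-01-15T08:00:00.420' 'Sens'
    New-SampleEvent 812 '2024-01-15T08:00:06.800' 'GPClient'
    New-SampleEvent 811 '2024-01-15T08:00:07.000' 'MyCustomSvc'
    New-SampleEvent 812 '2024-01-15T08:00:07.090' 'MyCustomSvc'
    New-SampleEvent 811 '2024-01-15T08:00:07.100' 'Wlansvc'
)
Get-NotificationSpan -Events $sample | Format-Table -AutoSize

# Against the live channel (run elevated; the Operational log must be enabled):
# Get-NotificationSpan -Events (Get-WinEvent -FilterHashtable @{
#     LogName = 'Microsoft-Windows-Winlogon/Operational'; Id = 811, 812 } -MaxEvents 1000)
```

On the constructed sample this yields Profiles (PROFILE_FINISHED, 250 ms), Sens (SENS_FINISHED, 110 ms), GPClient (GPCLIENT_FINISHED, 6500 ms) and MyCustomSvc (OTHER_NOTIFICATION_FINISHED, 90 ms), plus a warning for the Wlansvc notification that never produced an 812. On a multi-session host the key should also include the session id, since notifications from concurrent logons interleave; the same loop, keyed on session instead of subscriber, covers the other start/end pairs on this page (21/22, 41/42 and the two 1/2 pairs).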
Channel name - Application
Event Id | Description | Log type | Comment |
---|---|---|---|
4005 | Generated when the server is in a hang state. | SESSION_HANG_ISSUE | |
1500 | Generated when the user profile is corrupted or cannot be loaded. | PROFILE_CORRUPTION | |
1508 | Generated when the user profile is corrupted or cannot be loaded. | PROFILE_CORRUPTION | |
1509 | Generated when the user profile is corrupted or cannot be loaded. | PROFILE_CORRUPTION | |
1511 | Generated when the user profile is corrupted or cannot be loaded. | PROFILE_CORRUPTION | |
Log Settings
Application logs can be configured using the WinLog4net.config file.
- Location: C:\Program Files (x86)\Accops\AUEM
- The following nodes in the config file are the important ones:
  - level value="INFO": the application log level.
  - maxSizeRollBackups value="5": the maximum number of rolled-over log files to keep.
  - maximumFileSize value="5MB": the maximum size of a log file before it rolls over.
  - appendToFile value="true": append to the existing file (true) or overwrite its contents (false).
  - file value="Logs\WinLogon.log": the log file location and name, relative to the application directory.
Note
Service needs to be restarted after modifying the WinLog4net.config file.