
AWEM (Accops Windows Event Monitor)

AWEM (Accops Windows Event Monitor) is used to analyse system events based on the user’s activities.

AWEM also:

  1. collects and analyses event data to identify the time span of the different activities.

  2. helps identify issues in a user session based on the analysed data that the application sends to the server.

  3. monitors critical and non-critical events; depending on the event type, the data is sent to the server or dumped to an output file.

Registry settings

Property Name                   | Type   | Default Value | Description
monitor.winlogon                | BOOL   | true          | Enables or disables monitoring through the AWLM module.
monitor.critical_event.interval | NUMBER | 10            | Time frame at which AWLM processes the collected critical event data and sends it to the server or dumps it to the file, depending on the server configuration.

Note

Service needs to be restarted after modifying the registry value.

Events setting

AWLM application events can be configured using “event_watch.json” file.

  • Location: C:\Program Files (x86)\Accops\AUEM

    Note

    Currently the file location is not configurable; the file must always be present at the above location, otherwise the application will not work.

  • Every event has an “isCriticalEvent” node which defines whether the event is critical or not.

    • isCriticalEvent can have three values: 1: Critical, 2: Non-critical, 3: Both Critical and Non-critical.
    • Critical event data is sent at the interval defined in the “monitor.critical_event.interval” registry value.
    • By default, events 36, 4005, 40, 1500, 1508, 1509 and 1511 are considered critical.
    • Non-critical event data is sent at an interval of 10 minutes after analysis; currently this setting is not configurable.
    • If isCriticalEvent is 3, the event data is processed as both critical and non-critical.

    Note

    Currently the application treats every value other than 1 and 3 as Non-critical.
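The routing rules above (1: critical, 3: both, anything else: non-critical, with the critical flush interval taken from the registry value and the non-critical one fixed at 10 minutes) as an added Python example; this is not the product's code, and the surrounding layout of the sample event_watch.json (an "events" list with channel/eventId fields) is an assumption, since the page documents only the isCriticalEvent node.

```python
import json

# Constructed sample in the layout this example ASSUMES for event_watch.json:
# the page documents only the per-event "isCriticalEvent" node, so the
# surrounding "events" list and its field names are not the product's schema.
SAMPLE_EVENT_WATCH = json.dumps({"events": [
    {"channel": "Microsoft-Windows-Winlogon/Operational", "eventId": 1, "isCriticalEvent": 2},
    {"channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational", "eventId": 36, "isCriticalEvent": 1},
    {"channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational", "eventId": 40, "isCriticalEvent": 1},
    {"channel": "Application", "eventId": 1508, "isCriticalEvent": 3},
    {"channel": "Microsoft-Windows-GroupPolicy/Operational", "eventId": 8001, "isCriticalEvent": 7},
]})

CRITICAL, NON_CRITICAL = "critical", "non_critical"
NON_CRITICAL_INTERVAL = 10  # minutes; fixed by the application, not configurable

def queues_for(is_critical_event):
    """isCriticalEvent 1 -> critical only, 3 -> both queues; the application
    treats every other value (2 included) as non-critical."""
    if is_critical_event == 1:
        return {CRITICAL}
    if is_critical_event == 3:
        return {CRITICAL, NON_CRITICAL}
    return {NON_CRITICAL}

def load_watch_config(text):
    """Parse the JSON text into {(channel, eventId): isCriticalEvent}."""
    return {(e["channel"], int(e["eventId"])): int(e["isCriticalEvent"])
            for e in json.loads(text)["events"]}

def route_events(watch, events):
    """Put each collected event into the queue(s) its watch entry selects.
    Events with no watch entry are not monitored and are dropped."""
    queued = {CRITICAL: [], NON_CRITICAL: []}
    for ev in events:
        entry = watch.get((ev["channel"], ev["eventId"]))
        if entry is None:
            continue
        for q in queues_for(entry):
            queued[q].append(ev)
    return queued

def send_intervals(registry):
    """Flush interval per queue: the critical one is the
    monitor.critical_event.interval registry value (default 10), the
    non-critical one is the fixed 10 minutes."""
    return {CRITICAL: int(registry.get("monitor.critical_event.interval", 10)),
            NON_CRITICAL: NON_CRITICAL_INTERVAL}
```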

Note

Service needs to be restarted after modifying the registry value.

Channel name - Microsoft-Windows-GroupPolicy/Operational

Event ID | Description | Log type | Comment
4001 | Starting user logon policy processing. | Type is identified based on the event data. |
5016 | Shows the time when processing of the GPO application extensions ends. Also used to identify the total time taken for extension processing. | GPO_EXTENSION_FINISHED |
5017 | Gets the user account details from the Domain Controller with timestamp and time span. | ACCOUNT_FETCHED |
5117 | Logged when the user group policy session has completed. | GPO_POLICY_SESSION_FINISHED |
5126 | Logged when the download of the user's GPOs from the domain has completed. | GPO_FETCHED |
5216 | Logged when the policies have been saved to the local datastore. | GPO_ALL_SAVED |
5257 | Logged when the download of all policies has completed. | GPO_ALL_DOWNLOADED |
5312 | Lists all policies that apply to the computer or user object based on its AD placement. | Type is identified based on the event data. |
5313 | Lists the policies that are filtered out as not applicable due to security filtering. | Type is identified based on the event data. |
5324 | Group Policy received the StartShell notification from Winlogon for the session. | | Used to identify the record id, which event 4001 uses for filtering. This event data is not sent to the server.
5326 | Defines the time taken to make the connection. | DC_DETAILS_RECEIVED |
6339 | Generated when GPO processing ends. | GPO_START_SESSION_FINISHED |
8001 | Logs data related to the logon policy with timestamp. | GPO_PROCESSING_FINISHED |

Channel name - Microsoft-Windows-Shell-Core/Operational

Event Id | Description | Log type | Comment
42 | Used to identify the username. | | Used by events 9705, 9706, 62170 and 62171 for filtering. This event data is not sent to the server.
9705 | Generated when an application task starts. | SHELL_RUN_STATUP_APPS | The time span is calculated from 9705 and 9706. Only a single record is sent for 9705 and 9706.
9706 | Generated when an application task finishes. | | The time span is calculated from 9705 and 9706. Only a single record is sent for 9705 and 9706.
62170 | Logon start event. | SHELL_ALL_LOGON_TASK | The application login time span is calculated from the “62170” and “62171” event data. Only a single record is sent for 62170 and 62171.
62171 | Logon finished event. | | The application login time span is calculated from the “62170” and “62171” event data. Only a single record is sent for 62170 and 62171.

Channel name - Microsoft-Windows-TerminalServices-LocalSessionManager/Operational

Event Id | Description | Log type | Comment
21 | Generated when a Remote Desktop Services session logon succeeded. | TERMINAL_SESSION_FINISHED | Event ids 21 and 22 are used to identify the terminal session time span. Only a single record is sent for 41 and 42.
22 | Generated when a Remote Desktop Services shell start notification is received. | TERMINAL_SESSION_FINISHED | Event ids 21 and 22 are used to identify the terminal session time span. Only a single record is sent for 41 and 42.
36 | Generated when the server is in a hang state. | SESSION_HANG_ISSUE |
40 | Session has been disconnected, with reason code. | SESSION_DISCONNECTION |
41 | Generated when session arbitration starts. | AUTHENTICATED | Event ids 41 and 42 are used to identify the authentication time span. Only a single record is sent for 41 and 42.
42 | Generated when session arbitration finishes. | | Event ids 41 and 42 are used to identify the authentication time span. Only a single record is sent for 41 and 42.

Channel name - Microsoft-Windows-User Profile Service/Operational

Event Id | Description | Log type | Comment
1 | Started processing the user logon notification for the session id. | USER_PROFILE_LOADED | Event ids 1 and 2 are used to identify the time taken in user logon processing. Only a single record is sent for 1 and 2.
2 | Finished processing the user logon notification for the session id. | | Event ids 1 and 2 are used to identify the time taken in user logon processing. Only a single record is sent for 1 and 2.

Channel name - Microsoft-Windows-Winlogon/Operational

Event Id | Description | Log type | Comment
1 | Generated when the user starts the login operation. | AUTHENTICATED | Event ids 1 and 2 are used to identify the time taken in the login operation. Only a single record is sent for 1 and 2.
2 | Generated when the user finishes the login operation. | | Event ids 1 and 2 are used to identify the time taken in the login operation. Only a single record is sent for 1 and 2.
811 | Notification start event. | | Event ids 811 and 812 are used to identify the time taken in the different notifications. Only a single record is sent for 811 and 812, with the log type based on the subscriber name.
812 | Notification end event. | | Event ids 811 and 812 are used to identify the time taken in the different notifications. Only a single record is sent for 811 and 812, with the log type based on the subscriber name.

Note

The log type of notification data is decided based on the subscriber name.

Subscriber name | Log type
GPClient        | GPCLIENT_FINISHED
TermSrv         | TERMINAL_SERVICE_FINISHED
Wlansvc         | WLAN_SVC_FINISHED
Profiles        | PROFILE_FINISHED
Sens            | SENS_FINISHED
SessionEnv      | SESSION_ENV_FINISHED
-               | OTHER_NOTIFICATION_FINISHED
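The start/end pairing the channel tables describe (one record per pair, carrying the elapsed time, with the 811/812 log type taken from the subscriber table above and any unlisted subscriber mapped to OTHER_NOTIFICATION_FINISHED) as an added Python example that generalises over the Winlogon 1/2, Winlogon 811/812 and TerminalServices 41/42 pairs; this is not the product's code, and pairing events on session id plus subscriber name, and the event record fields, are assumptions.

```python
from datetime import datetime, timedelta

WINLOGON = "Microsoft-Windows-Winlogon/Operational"
TS_LSM = "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"

# Subscriber-name to log-type mapping from the page's table ("-" row = any other name).
SUBSCRIBER_LOG_TYPE = {"GPClient": "GPCLIENT_FINISHED", "TermSrv": "TERMINAL_SERVICE_FINISHED",
                       "Wlansvc": "WLAN_SVC_FINISHED", "Profiles": "PROFILE_FINISHED",
                       "Sens": "SENS_FINISHED", "SessionEnv": "SESSION_ENV_FINISHED"}
OTHER_NOTIFICATION = "OTHER_NOTIFICATION_FINISHED"

# (channel, start id, end id) -> log type of the single record emitted per pair;
# None means the type is taken from the subscriber name (811/812).
PAIRS = {(WINLOGON, 1, 2): "AUTHENTICATED", (WINLOGON, 811, 812): None,
         (TS_LSM, 41, 42): "AUTHENTICATED"}
START_IDS = {(ch, s): (ch, s, e) for ch, s, e in PAIRS}
END_IDS = {(ch, e): (ch, s, e) for ch, s, e in PAIRS}

def pair_events(events):
    """Collapse each start/end pair into one record with the elapsed time.
    Assumed event fields: channel, event_id, session, time, subscriber (811/812)."""
    open_starts, records = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        ch, eid = ev["channel"], ev["event_id"]
        key = (ev["session"], ev.get("subscriber"))  # assumed pairing key
        if (ch, eid) in START_IDS:
            open_starts[(START_IDS[(ch, eid)], key)] = ev
        elif (ch, eid) in END_IDS:
            pair = END_IDS[(ch, eid)]
            start = open_starts.pop((pair, key), None)
            if start is None:
                continue  # an end with no matching start yields no record
            log_type = PAIRS[pair] or SUBSCRIBER_LOG_TYPE.get(ev.get("subscriber"), OTHER_NOTIFICATION)
            span = ev["time"] - start["time"]
            records.append({"log_type": log_type, "session": ev["session"],
                            "span_ms": int(span.total_seconds() * 1000)})
    return records

# Constructed sample: one Winlogon login with two notifications, plus a stray 42.
T0 = datetime(2024, 1, 15, 8, 30, 0)
SAMPLE_EVENTS = [
    {"channel": WINLOGON, "event_id": 1, "session": 2, "time": T0},
    {"channel": WINLOGON, "event_id": 811, "session": 2, "subscriber": "GPClient", "time": T0 + timedelta(seconds=1)},
    {"channel": WINLOGON, "event_id": 811, "session": 2, "subscriber": "MyVendorSvc", "time": T0 + timedelta(seconds=1.5)},
    {"channel": WINLOGON, "event_id": 812, "session": 2, "subscriber": "MyVendorSvc", "time": T0 + timedelta(seconds=2)},
    {"channel": WINLOGON, "event_id": 812, "session": 2, "subscriber": "GPClient", "time": T0 + timedelta(seconds=4)},
    {"channel": WINLOGON, "event_id": 2, "session": 2, "time": T0 + timedelta(seconds=6)},
    {"channel": TS_LSM, "event_id": 42, "session": 3, "time": T0 + timedelta(seconds=7)},
]
```

Running pair_events(SAMPLE_EVENTS) yields three records (the unlisted subscriber as OTHER_NOTIFICATION_FINISHED, GPClient as GPCLIENT_FINISHED, the login as AUTHENTICATED) and drops the 42 that has no 41.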

Channel name - Application

Event Id | Description | Log type | Comment
4005 | Generated when the server is in a hang state. | SESSION_HANG_ISSUE |
1500 | Generated when the default profile is corrupted. | PROFILE_CORRUPTION |
1508 | Generated when the default profile is corrupted. | PROFILE_CORRUPTION |
1509 | Generated when the default profile is corrupted. | PROFILE_CORRUPTION |
1511 | Generated when the default profile is corrupted. | PROFILE_CORRUPTION |

Log Settings

Application logs can be configured using the WinLog4net.config file.

  • Location: C:\Program Files (x86)\Accops\AUEM

  • The following nodes are critical in the config file:

    • level value="INFO"

      • Changes the application log level.
    • maxSizeRollBackups value="5"

      • Maximum number of log files to be maintained.
    • maximumFileSize value="5MB"

      • Maximum log file size.
    • appendToFile value="true"

      • Whether to append to the file or overwrite its contents.
    • file value="Logs\WinLogon.log"

      • Log file location and name.

Note

Service needs to be restarted after modifying registry value.