Network Activity Monitoring on VDI
Network Activity Monitoring on Session Host Servers
The latest session host server (v13063 or later) can track and monitor all network activity in a user session. The session host server can send these activities to a configured ARS (Accops Reporting Server) or syslog server for reporting and auditing.
Supported Version
- HyWorks Session Host Server v3.3.0.13063 or later
- HyWorks Controller v3.3.0.12803(GA)+Hotfix4 or later
How is network activity monitored?
The session host server includes a driver that captures network activity; the driver shares the captured activity with the session host server.
The session host server appends further details to the information captured by the driver and sends it to the configured ARS or syslog server.
Enable network activity monitoring
Network activity monitoring is currently controlled through registry settings on the session host server.
- Log in to the session host server with administrative privileges.
- Open the registry editor.
- Go to the following registry location: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Accops\Controller\EDC\SESSIONHOST\EXTERNAL LOG SETTINGS
- Set the key EnableLogShipper to true.
- Set Event type to 3 to monitor user connection events as well as the processes accessed by the user. For other options, refer to the section External Log Settings.
- Set LogType to 2 for syslog server logging.
- Set the syslog/ARS host address in the SyslogHost key.
- Set SyslogPort as required. The default is 514.
- Review all settings and restart the Session Host service. All new sessions will then be monitored and the following details sent to the configured ARS/syslog server:
| Attribute Name | Meaning |
|---|---|
| host | IP address of the host |
| iptype | IPv6 or IPv4 |
| pid | Process ID |
| srchostname | Hostname of the source server |
| srcip | IP address of the source server |
| srcport | Port number used for the activity |
| dstip | Destination server IP address |
| dstport | Destination port number |
| domain | Domain to which the source server is registered |
| username | Name of the user |
| wtsid | Remote desktop session ID |
| protocol | Protocol used for communication: 6 = TCP, 17 = UDP |
| macaddress | MAC address of the endpoint from which the user is connected to the source remote server. This is controlled from the HyWorks Controller; see the next sub-section for details. |
| process | Name of the process used by the activity |
| timestamp | Time of the activity |
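As an added example (not Accops' code), the following Python parser reads records carrying the attributes above, normalises the protocol number, and flags the two cases from the Note section below: a session with no client MAC and a destination that is really the configured proxy. It assumes a space-separated key=value message body, constructed sample records and a constructed proxy address, since the page does not state the wire format.

```python
"""Parse HyWorks session-host network activity records and enrich them.

Assumed wire format: a syslog message body of space-separated key=value pairs
using the attribute names from the table. Samples and proxy IP are constructed.
"""
import re
from typing import Dict, List, Optional, Set

PROTOCOL_NAMES = {6: "TCP", 17: "UDP"}  # numbers as documented in the table
PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records; the second one comes from a session with no client MAC.
SAMPLE_RECORDS = [
    'host=10.1.1.20 iptype=IPv4 pid=4120 srchostname=SH01 srcip=10.1.1.20 srcport=51020 '
    'dstip=93.184.216.34 dstport=443 domain=CORP username=alice wtsid=3 protocol=6 '
    'macaddress=00-11-22-33-44-55 process=chrome.exe timestamp=2024-05-01T10:00:00Z',
    'host=10.1.1.20 iptype=IPv4 pid=5230 srchostname=SH01 srcip=10.1.1.20 srcport=51021 '
    'dstip=10.0.0.5 dstport=8080 domain=CORP username=bob wtsid=4 protocol=6 '
    'macaddress= process=outlook.exe timestamp=2024-05-01T10:00:01Z',
    'host=10.1.1.20 iptype=IPv4 pid=880 srchostname=SH01 srcip=10.1.1.20 srcport=53011 '
    'dstip=10.1.1.1 dstport=53 domain=CORP username=alice wtsid=3 protocol=17 '
    'macaddress=00-11-22-33-44-55 process=svchost.exe timestamp=2024-05-01T10:00:02Z',
]

def parse_record(line: str) -> Dict[str, str]:
    """Split one key=value record into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in PAIR_RE.findall(line)}

def enrich(rec: Dict[str, str], proxy_ips: Optional[Set[str]] = None) -> Dict[str, object]:
    """Add a protocol name, a client-MAC flag and a proxy-masking flag to a parsed record."""
    out: Dict[str, object] = dict(rec)
    proto_num = int(rec.get("protocol") or 0)
    out["protocol_name"] = PROTOCOL_NAMES.get(proto_num, f"other({proto_num})")
    # HyLite and direct RDP sessions carry no client MAC (see the Note section).
    out["client_mac_known"] = bool(rec.get("macaddress"))
    # When the host egresses through a proxy, dstip is the proxy, not the real server.
    out["dst_is_proxy"] = rec.get("dstip") in (proxy_ips or set())
    return out

def connections_by_user(lines: List[str], proxy_ips: Optional[Set[str]] = None) -> Dict[str, List[str]]:
    """Group destination/port/protocol per username for per-session review."""
    summary: Dict[str, List[str]] = {}
    for line in lines:
        r = enrich(parse_record(line), proxy_ips)
        dst = f'{r["dstip"]}:{r["dstport"]}/{r["protocol_name"]}'
        if r["dst_is_proxy"]:
            dst += " (via proxy; real destination not visible)"
        summary.setdefault(str(r["username"]), []).append(dst)
    return summary
```

Calling connections_by_user(SAMPLE_RECORDS, {"10.0.0.5"}) returns one list of destinations per user, with proxy-masked entries marked so an analyst knows the real remote host must be looked up in the proxy logs.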
Enable Client Information from Controller
While capturing network activity, the source is always the remote desktop server, so when multiple users initiate different network connections the source information is always the same. To make records more distinct, client information (MAC address) can be added. This information is sent by the HyWorks Controller, and the session host server appends it before sending the record to the syslog or ARS server. This setting is available on HyWorks Controller v3.3.0.12803 (GA) + Hotfix4.
- Log in to the HyWorks Management Console with administrative privileges.
- Go to System > Advanced Config.
- Search for and locate the setting ShareClientInfo.
- Set it to True. The default value is False.
Network activity logs will now include the client MAC address.
Note
- The MAC address is not captured when connecting from HyLite or for direct RDP sessions.
- If the source host has a proxy server configured for internet access, all network connection logs will show the destination server IP as the IP address of the configured proxy server.
- To enable this feature on Windows 2008 R2 SP1, update KB3033929 must be installed.
- In reconnected sessions, the client information of the first client is shown, not that of the client from which the session is currently reconnected.