All actions performed by a Goverlan operator are audited by default. This cannot be turned off. Audits are registered in the event viewer of the endpoint onto which the actions were performed. For additional security of the audits, they can be centralized using the Goverlan Reach Server.
What is being audited?
Every action executed on a remote system within the Goverlan Reach Operator Console is audited. This includes background system queries and executions as well as remote desktop access.
However, the actions performed within a remote desktop access session via the use of the mouse and keyboard and the command line executions within a Goverlan Remote Command Prompt are not audited.
Goverlan Audits in the Event Viewer
To view the actions performed on a system through Goverlan:
- Open the Windows Event Viewer
- Select Windows Logs > Application
- Search for events with the Source: Goverlan Services (event ID: 6549)
The Goverlan Audit includes the following information:
|Operator Identity|Identity information of the operator that performed the action. This includes operator ID and machine information from where the action originated. NOTE: Operator identity is masked in audits resulting from On-Demand remote assistance sessions. This is to protect your organization's confidential information. In such audits, a section named Secure Data contains the operator identity in an encrypted format. This encrypted data blob must be sent to our support specialist to be decrypted.|
|Action Impact|Defines the impact severity of the action performed on the local system:|
|Action Information|Full description of the action performed by the operator including parameters and results.|
Remotely Querying Remote Control Session Activity
Goverlan remote desktop access sessions generate an additional audit trace in a separate log. These audits can be queried remotely through Goverlan.
On-Demand Session Auditing
During an On-Demand remote assistance session over the internet, the assisted user will have the option to display all actions performed on his/her system during the session.
To do so, the user must select Review support actions upon exit before clicking the End Support Session button.
Upon ending the support session, the user is presented with a summary of performed actions on their system:
These audit traces are also located in the Application log of the Windows Event Viewer.
Event viewer audits can be removed by any local administrator. To secure your audits, you can centralize them using the Goverlan Reach Server – Auditing Services. Once configured, every audit generated by Goverlan is automatically registered to the Goverlan Reach Server. These audits cannot be removed.
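The Event Viewer lookup described above can also be scripted across endpoints. The following is an added example, not Goverlan's own tooling. It pulls the Goverlan audit events (source and event ID as given on this page) and, because local administrators can remove Event Viewer audits, also lists log-clear records (System log, event ID 104, which Windows writes when a log is cleared). The function name, parameters and look-back window are assumptions.

```powershell
# Added example (not part of the Goverlan product). Function name and
# parameters are hypothetical; source name and event ID come from this page.
function Get-GoverlanAuditReview {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),  # endpoints to review
        [int]$Days = 7                                    # look-back window
    )
    $since = (Get-Date).AddDays(-$Days)

    foreach ($computer in $ComputerName) {
        # Goverlan audits: Application log, Source "Goverlan Services", ID 6549
        $auditFilter = @{
            LogName      = 'Application'
            ProviderName = 'Goverlan Services'
            Id           = 6549
            StartTime    = $since
        }
        # Windows records ID 104 in the System log when an event log is cleared
        $clearFilter = @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-Eventlog'
            Id           = 104
            StartTime    = $since
        }
        foreach ($check in @(
                @{ Kind = 'GoverlanAudit'; Filter = $auditFilter },
                @{ Kind = 'LogCleared';    Filter = $clearFilter })) {
            try {
                Get-WinEvent -ComputerName $computer -FilterHashtable $check.Filter -ErrorAction Stop |
                    Select-Object @{ n = 'Kind'; e = { $check.Kind } },
                                  TimeCreated, MachineName, Id, Message
            } catch {
                # Get-WinEvent raises an error when nothing matches the filter
                Write-Verbose "${computer} [$($check.Kind)]: $($_.Exception.Message)"
            }
        }
    }
}

# Review the local machine for the last 7 days and save the result
Get-GoverlanAuditReview | Export-Csv -Path .\goverlan-audit-review.csv -NoTypeInformation
```

A `LogCleared` row whose message names the Application log, with no Goverlan audits before it, means local audits for that period may be missing and only centralized copies can be relied on.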