Auditing of Goverlan Operator Actions

Overview

All actions performed by a Goverlan operator are audited by default. This cannot be turned off. Audits are registered in the event viewer of the endpoint onto which the actions were performed. For additional security of the audits, they can be centralized using the Goverlan Reach Server.

What is being audited?

Every action executed on a remote system within the Goverlan Reach Operator Console is audited. This includes background system queries and executions as well as remote desktop access.

However, the actions performed within a remote desktop access session via the use of the mouse and keyboard and the command line executions within a Goverlan Remote Command Prompt are not audited.

Goverlan Audits in the Event Viewer

To view the actions performed on a system through Goverlan:

  • Open the Windows Event Viewer
  • Select Windows Logs > Application
  • Search for events with the Source: Goverlan Services (event ID: 6549)

The Goverlan Audit includes the following information:

Operator Identity – Identity information of the operator that performed the action. This includes the operator ID and information about the machine from which the action originated.

NOTE: Operator identity is masked in audits resulting from On-Demand remote assistance sessions. This is to protect your organization's confidential information. In such audits, a section named Secure Data contains the operator identity in an encrypted format. This encrypted data blob must be sent to our support specialist to be decrypted.

Action Type
  • Query – The operator queried system information
  • Execution – The operator performed a task on the system

Action Impact – Defines the impact severity of the action performed on the local system:

  • None – Actions that do not result in any change to the local system and do not represent a security risk (e.g.: Query Video Configuration).
  • Low – Actions that have a minimal impact on the local system or represent little security risk (e.g.: Modify Default Printer.)
  • Medium – Actions that may have a medium impact on the local system or may represent a medium security risk (e.g.: Map a Drive).
  • High – Actions that may have a high impact on the local system or may represent a high security risk (e.g.: Change Network Configuration).

Action Information – Full description of the action performed by the operator, including parameters and results.

Remotely Querying Remote Control Session Activity

Goverlan remote desktop access sessions generate an additional audit trace in a separate log. These audits can be queried remotely through Goverlan.

On-Demand Session Auditing

During an On-Demand remote assistance session over the internet, the assisted user will have the option to display all actions performed on his/her system during the session.

To do so, the user must select Review support actions upon exit before clicking the End Support Session button.

Upon ending the support session, the user is presented with a summary of performed actions on their system:

These audit traces are also located in the Application log of the Windows Event Viewer.

Centralized Auditing

Event Viewer audits can be removed by any local administrator. To secure your audits, you can centralize them using the Goverlan Reach Server – Auditing Services. Once configured, every audit generated by Goverlan is automatically registered to the Goverlan Reach Server. These audits cannot be removed.
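
The Event Viewer steps above and the caveat that a local administrator can remove local audits, as an added PowerShell example (not Goverlan's own tooling). It assumes the impact level appears as text in the event message; the function and parameter names are illustrative, and Event ID 104 in the System log is the standard Windows record of a cleared log.

```powershell
# Added example, not Goverlan code. Get-EventsOrEmpty, -ComputerName and -Days are illustrative names.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 7
)

$since = (Get-Date).AddDays(-$Days)

function Get-EventsOrEmpty {
    param([hashtable]$Filter)
    try {
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $Filter -ErrorAction Stop
    } catch {
        # "No matching events" is an expected outcome; anything else (access denied,
        # unknown source, host unreachable) must surface instead of looking like an empty log.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }
}

# Goverlan audits: Application log, Source "Goverlan Services", event ID 6549 (values from the article).
$audits = @(Get-EventsOrEmpty @{
    LogName = 'Application'; ProviderName = 'Goverlan Services'; Id = 6549; StartTime = $since
})

# Assumption: the Action Impact level is written as text in the event message.
# Adjust the pattern to the layout you actually see in Event Viewer.
$high = @($audits | Where-Object { $_.Message -match 'impact\W+high' })

# Windows writes event ID 104 to the System log when an event log is cleared.
$cleared = @(Get-EventsOrEmpty @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104; StartTime = $since
} | Where-Object { ([xml]$_.ToXml()).Event.UserData.LogFileCleared.Channel -eq 'Application' })

'{0}: {1} Goverlan audit(s), {2} matching high impact, since {3:u}' -f `
    $ComputerName, $audits.Count, $high.Count, $since

$high |
    Select-Object TimeCreated, @{ n = 'FirstLine'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

foreach ($e in $cleared) {
    # Local audits older than this point are gone; rely on the centralized copy for that period.
    Write-Warning ("Application log cleared on {0} at {1:u}" -f $ComputerName, $e.TimeCreated)
}
```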
