
Local & Centralized Logging with DameWare

Product Manager

In talking with some of our more security-focused and more tightly regulated customers, a common question I get asked from a compliance perspective is about audit logging with DameWare.  With Mini Remote Control (MRC), there are a couple of different options when it comes to logging.

By default, DameWare Mini Remote Control writes to the Windows Event Log.  MRC writes audit events for two actions: attempts to connect to a remote host and disconnects from a remote host.  These Application Event Log entries contain connection information, along with specific information about the system the MRC user connected from and the username used to establish the MRC connection.

Event-Log.png

The next couple of options are neither enabled nor configured by default, so for these to work, both the logging server and all remote systems must be running the MRC client agent.


If you already have MRC deployed in your environment and you want to enable this, you can configure the agents either by clicking on the highlighted icon within MRC or by right-clicking the tray icon and selecting “Settings”.

UI-Setting.png

-OR-

Task-Menu.png

In the dialog you receive, as seen below, select the “Additional Settings” tab and click on the highlighted “Logging” button.

Agent-Setting-First.png

Once here, you can configure this agent to log locally and/or log to a remote destination.  Double-check that the destination folder exists on the file system.  DameWare will automatically create the file, but only if the path exists.

Agent-Setting.png
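Because the agent creates the log file only when the folder is already there, the folder can be prepared ahead of time. The following is an added example, not code from the original post or from DameWare: it creates the folder if it is missing and lists every account, other than SYSTEM and the local Administrators group, that is allowed to change files in it. The folder path is a placeholder, and treating only those two principals as expected writers is an assumption.

```powershell
# Added example: make sure the MRC agent's log folder exists, then audit who can alter it.
# The path is a placeholder; use the folder entered in the agent's Logging dialog.
function Test-AuditLogFolder {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: only SYSTEM and local Administrators should be able to modify audit logs.
        [string[]]$ExpectedWriterSids = @('S-1-5-18', 'S-1-5-32-544')
    )

    # The agent creates the log file itself, but only inside an existing folder.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        New-Item -ItemType Directory -Path $Path -Force | Out-Null
        Write-Verbose "Created $Path"
    }

    # Rights that let a principal change, delete or re-permission log files.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $writeMask = $writeMask -bor 0x10000000 -bor 0x40000000   # GENERIC_ALL, GENERIC_WRITE

    # Ask for the ACEs with SID identities so unresolvable accounts are still reported.
    $acl = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $canWrite = ([int]$ace.FileSystemRights -band $writeMask) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
            $ExpectedWriterSids -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Placeholder path; an empty result means no unexpected principal can alter the logs.
Test-AuditLogFolder -Path 'C:\ExampleLogs\MRC' -Verbose | Format-Table -AutoSize
```

Any row returned is an account that could edit or delete the audit trail, which matters when the log is kept for compliance.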

If you have not deployed the DameWare agents onto your network yet, you can customize and configure the agents to have these settings by default.  In order to do this, you will need to create a new MSI with our utility, which is installed by default and is called “DameWare Mini Remote Control Client Agent MSI Builder”.

Once you have this configured and are sending the audit events to a log file, using a comma-separated file is recommended.  An example of what this would look like can be seen below.

CSV-File.png

If you have deployed DameWare Central Server and use it for over-the-internet or outside-the-firewall remote control sessions, the Central Server also writes various events to the Windows Event Log, such as licensing information and session connection and disconnection information.  In our upcoming release we will be adding Active Directory synchronization information.  If you need any further information on logging, you can also see a KB we have here.

I’m interested in hearing what other types of events or actions you would like to see logged going forward, so please post any feedback to the comments section or you can always direct message me via thwack.

6 Comments
troeder
Level 7

I have followed this information and the information in the KB article referenced, but cannot get local or central logging to work for some reason....

aaronengineer
Level 9

I followed the instructions but I had to add something to make it work.  To log locally, I had to select BOTH fields (Enable Remote Logging & Enable Logging to this host).  In the "Enable Remote Logging" field I populated the same machine's IP address. Once I did this I started to receive logs for that machine. 

I was also able to send remote logs to the central host by just checking "Enable Remote Logging" and putting in the IP address of the destination server.  It created the CSV file.  Note: if the CSV file is open additional logs will not be written while it is open.

funderburg78
Level 7

I have experienced this same issue.  It only works if we enable remote logging and enter the IP address of the local machine.  Obviously this cannot be done via the MSI builder.  While there are ways to script changing the IP in the registry and remotely updating all clients, the work involved in doing such a configuration is pretty intense.  Is Dameware doing anything to fix this issue so it works the way it is supposed to?

aaronengineer
Level 9

You are seeking to log to the local machine only or to a central location?

aaronengineer
Level 9

Have you tried setting the IP within the MSI package builder to 127.0.0.1 or the hostname to localhost in order to log to the local system?

jjoelc
Level 7

Syslog support for the remote logging portion is something I would consider essential, and would simplify things immensely. Syslog was designed precisely for this exact scenario (remote, centralized logging), has been the industry standard since well before Windows was around, has proven itself robust, reliable, and secure over the years, and there are literally thousands of tools available to analyze, take action on, or otherwise make use of syslog events.

About the Author
I have currently been at SolarWinds for a little over three years and have been in the IT technology field for about 10 years either as an Engineer/IT Admin or working for a software company to help make those folks' lives easier.  I graduated from Texas A&M University with an MIS degree from the Business School and have been in Austin for about 8 years.