Cameyo saves activity traces at different levels. This article describes some of the most useful logs for forensics and security tracking. In this article we only describe security-related logs, not functional or administrative logs.

Centralized portal logs

Activity logs

Accessible throughout the portal, these logs can be shown per server, cluster, app, or user. They show server activity and session initiation activities, along with the source IP address and its detected geolocation.

Server-based logs

These logs are saved on individual Cameyo servers. They are neither uploaded nor centralized.

System sessions logs

Location: C:\RemoteAppPilot\Logs\SYSTEM.Sessions.log

Contents: session-related logs, including a listing, taken at regular intervals, of the processes running in each of the server's sessions. Example:

This listing includes process names and details, Cameyo session ID (tokenId), user ID, local username, local Windows session ID (WTSSession), for all running sessions.

Individual session logs

Location: C:\RemoteAppPilot\Logs\[UserName].[TokenId].log

Example: C:\RemoteAppPilot\Logs\RemoteUser15.856946a6-80e5-4b86-8d6b-d691f318b0a1

For each individual session, Cameyo stores a log named after the local UserName (i.e. RemoteUser15) and the session's TokenId (i.e. 856946a6-80e5-4b86-8d6b-d691f318b0a1):

This log also contains process executions indicated by "Native.CreateProcess", including command line, arguments, parent process and new process ID. This information can be used to trace unauthorized or malicious process executions.
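One way to triage these files, as an added example that is not Cameyo's own tooling: it recovers the UserName and TokenId from each per-session log file name and collects the lines containing "Native.CreateProcess". The file-name layout and the marker string come from this article; the layout of the sample log lines is constructed, since the article does not show it, and the function names are hypothetical.

```python
import re
import tempfile
from pathlib import Path

# File name layout from the article: [UserName].[TokenId].log, TokenId being a GUID.
# ".log" is optional because the article's example path omits it.
SESSION_LOG = re.compile(r"^(?P<user>.+)\.(?P<token>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})(?:\.log)?$", re.I)
MARKER = "Native.CreateProcess"  # marker string named in the article

def parse_session_log_name(name):
    """Return (username, token_id) for a per-session log file name, else None."""
    m = SESSION_LOG.match(name)
    return (m["user"], m["token"].lower()) if m else None

def collect_process_events(log_dir):
    """Map (username, token_id) -> list of (line_number, raw line) containing MARKER."""
    events = {}
    for path in sorted(Path(log_dir).iterdir()):
        ident = parse_session_log_name(path.name) if path.is_file() else None
        if ident is None:  # skips SYSTEM.Sessions.log and unrelated files
            continue
        hits = []
        with path.open(encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if MARKER in line:
                    hits.append((lineno, line.rstrip("\r\n")))
        events[ident] = hits
    return events

def build_sample_dir():
    """Create a temp directory with constructed logs (the line layout is invented)."""
    d = Path(tempfile.mkdtemp())
    token = "856946a6-80e5-4b86-8d6b-d691f318b0a1"
    (d / f"RemoteUser15.{token}.log").write_text(
        "12:00:01 session started\n"
        '12:00:05 Native.CreateProcess: cmdline="notepad.exe a.txt" parent=100 pid=200\n'
        '12:03:10 Native.CreateProcess: cmdline="cmd.exe /c dir" parent=200 pid=300\n',
        encoding="utf-8")
    (d / "SYSTEM.Sessions.log").write_text("Native.CreateProcess ignored here\n", encoding="utf-8")
    return d

if __name__ == "__main__":
    for (user, token), hits in collect_process_events(build_sample_dir()).items():
        for lineno, line in hits:
            print(f"{user} {token} line {lineno}: {line}")
```

On a Cameyo server, pass C:\RemoteAppPilot\Logs (or a copy of it) to collect_process_events instead of the constructed sample directory.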

HTTP access logs

Although Cameyo's Port Shield and Cloud Tunneling prevent unauthorized / non-session-related HTTP/S access to Cameyo servers, it can sometimes be useful to see access attempts made against Cameyo servers. These can be found in C:\RapPrereqs\Tomcat\logs, in files named localhost_access_log.xxxx. Example: