Cameyo saves activity traces at different levels. This article describes some of the most useful logs for forensics and security tracking. It covers only security-related logs, not functional or administrative logs.
Centralized portal logs
Accessible throughout the portal, these logs can be shown per server, cluster, app, or user. They show server activity and session initiation activity, along with the source IP address and the detected geolocation.
The logs described in the following sections are saved on individual Cameyo servers. They are neither uploaded nor centralized.
System sessions logs
Contents: session-related logs, including a listing, taken at regular intervals, of the processes running in each of the server's sessions.
This listing includes process names and details, Cameyo session ID (tokenId), user ID, local username, local Windows session ID (WTSSession), for all running sessions.
Individual session logs
For each individual session, Cameyo stores a log named after the local UserName (e.g. RemoteUser15) and the session's TokenId (e.g. 856946a6-80e5-4b86-8d6b-d691f318b0a1).
This log also contains process executions indicated by "Native.CreateProcess", including command line, arguments, parent process and new process ID. This information can be used to trace unauthorized or malicious process executions.
HTTP access logs
Although Cameyo's Port Shield and Cloud Tunneling prevent unauthorized / non-session-related HTTP/S access to Cameyo servers, it can sometimes be useful to see the access attempts made against Cameyo servers. These are recorded in C:\RapPrereqs\Tomcat\logs, in files named localhost_access_log.xxxx.
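The following Python is an added example, not part of the original article and not Cameyo's own code. It parses localhost_access_log lines and lists the client addresses that received repeated 4xx/5xx responses. It assumes the files use Tomcat's default "common" access-log pattern; the sample lines, the error threshold and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: the valve writes Tomcat's "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                     r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?:\d+|-)$')

# Constructed sample lines (documentation IP ranges), not from a real server.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2024:09:14:01 +0000] "GET / HTTP/1.1" 200 1532
203.0.113.7 - - [12/Mar/2024:09:14:05 +0000] "GET /manager/html HTTP/1.1" 404 -
203.0.113.7 - - [12/Mar/2024:09:14:06 +0000] "GET /admin HTTP/1.1" 404 -
203.0.113.7 - - [12/Mar/2024:09:14:06 +0000] "POST /login HTTP/1.1" 403 120
198.51.100.23 - - [12/Mar/2024:09:15:40 +0000] "-" 400 -
this line is truncated
"""

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = m["request"].split()
    # A malformed request is logged without the "METHOD path protocol" triple.
    method, path = (parts[0], parts[1]) if len(parts) == 3 else (None, None)
    return {"host": m["host"], "method": method, "path": path, "status": int(m["status"])}

def summarize(text):
    """Per-client request totals, error counts and distinct requested paths."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "paths": set()})
    unparsed = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # keep count: gaps in a log are themselves worth noting
            continue
        s = stats[rec["host"]]
        s["requests"] += 1
        s["errors"] += rec["status"] >= 400
        if rec["path"]:
            s["paths"].add(rec["path"])
    return dict(stats), unparsed

def noisy_clients(stats, min_errors=3):
    """Clients whose 4xx/5xx count reaches min_errors, worth a closer look."""
    return sorted(h for h, s in stats.items() if s["errors"] >= min_errors)

if __name__ == "__main__":
    print(noisy_clients(summarize(SAMPLE_LOG)[0]))
```

To run it against a server's own files, pass the contents of a localhost_access_log file to `summarize` in place of `SAMPLE_LOG`.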