MID Server command audit log

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of MID Server Command Audit Log

    The MID Server command audit log records the commands executed by the MID Server for the Discovery application. This log is essential for monitoring and identifying any anomalies or errors in command execution during discovery processes.

    Show full answer Show less

    Key Features

    • Records commands run by the MID Server, including Powershell commands for WMI and WinRM, and supports SSNC for SSH commands.
    • Enabled through the MID Server property mid.log.commandaudit.enable, which is false by default.
    • Accessed in the instance via MID Server > Command Audit Logs, requiring the agentsecurityadmin role for changes.
    • Logs contain command names, command hashes, and execution statuses (success or failure) without considering the outcome of data gathering.
    • Records JEA profiles for WinRM commands if available.
    • Table rotation occurs every seven days to manage log size.

    Key Outcomes

    By utilizing the MID Server command audit log, customers can efficiently monitor the commands executed during discovery, allowing for quick identification of any operational issues. This feature enhances visibility into command execution and supports better troubleshooting and management of the discovery process.

    The command audit log records the commands run by the MID Server for the Discovery application. Review the commands to check for anomalies or errors.

    Set-up indicator for security phaseEnsure that the MID Server can connect to elements inside and outside your networkDownload and install the MID Server on a Linux or Windows hostConfigure your MID ServerConfigure MID Server securityEnsure that the MID Server can connect to elements inside and outside your networkDownload and install the MID Server on a Linux or Windows hostConfigure your MID ServerConfigure MID Server security

    The MID Server command audit log is a record of the commands the MID Server runs during discovery. For example, executing one pattern may run many separate commands. The MID Server command audit log supports Powershell commands for WMI and WinRM. For SSH commands, the audit log supports SSNC but not J2SSH. In Quebec, the command audit log only supports recording the commands run during discovery.

    Enable the command audit log

    The MID Server audit log is enabled with the MID Server property mid.log.command_audit.enable, which is set to false by default. Add the property in the MID Server Properties table [ecc_agent_property_list.do]. Once enabled, the MID Server command audit logs are accessed in the instance by navigating to MID Server > Command Audit Logs [ecc_agent_command_audit_log_list.do]. To see or change this table, the user must have the role agent_security_admin.

    Typical data in the MID Server command audit logs.

    Data recorded in the command audit logs

    The MID Server command audit log records the name of the command and the command hash. If, for example, during discovery a probe does not run a command but instead runs a script then the script name is recorded. The command hash is calculated based on the content of the script, regardless of the name. Therefore, changing the name does not affect the command hash.

    When a probe, such as a WMIRunner, runs a command with multiple WMI fields then WMI creates one script to query those fields. The script is created temporarily on the MID Server host in the temp folder. After the script is run, it is removed from the temp folder. The script is given a name based on the fields and a random number. However, the hash key is always the same given the same contents.

    The command audit log reports the execution status as either a success or failure. The record entry is a success if the command was run, or a failure if it was unable to run. The command audit log does not consider the result of the command being run. For example, a command which runs but fails gather data is still listed in the execution status as a success.

    Discovery supports JEA profiles for WinRM. The MID Server command audit log records the JEA profile of the discovery command, if it is available. See Microsoft Just Enough Administration (JEA) for Discovery for more information on JEA profiles.

    By default, the table is rotated every seven days. For more information, see Table Rotation.