
Event Logging

Learn how to enable Event Logging!

Written by Daniel Rivera

Updated at July 27th, 2024


The Agent’s Windows Event Logs are provided to give you visibility into what the AutoElevate Agent observes and how it operates on the system. They can be ingested by a SIEM or syslog service to better automate events happening within AutoElevate.

This feature can be enabled or disabled in the Admin Portal settings.

 

 

Some of the events contain the same information shown on the Admin Portal’s Events screen, but they are not limited to it.
 

The Agent’s Windows Event Logs Have the Following Benefits
 

  • Troubleshooting errors
  • Auditing technician authentication
  • Recording UAC events while offline
  • Tracking privilege elevation requests
  • Tracking changes to certain security settings
  • Recording when a rule has been used

How to Use the Logs?


The Agent’s Windows Event Logs are implemented using the Event Tracing for Windows system. Therefore, they can be viewed or captured just like any standardized log that you will find in the Windows Event Viewer.

They follow Microsoft’s guidelines, including recommended naming conventions.

If you use a log collector or SIEM tool, then with the help of the information below you will be able to configure it to capture the Agent’s Windows Event Logs.
 

Events

UAC Tripped

Trigger: When a UAC prompt appears.

Channel: Operational

Event ID: 1000

Version: 0

Level: 4 (Informational)

Task: 0 (N/A)

Opcode: 0 (N/A)

Keywords: 0x4000000000000009 (UAC, UAC_Agent)

Support Languages: English

Rule Applied

Trigger: When a UAC prompt is automatically handled by an existing rule.

Channel: Operational

Event ID: 1001

Version: 0

Level: 4 (Informational)

Task: 0 (N/A)

Opcode: 0 (N/A)

Keywords: 0x4000000000000009 (UAC, UAC_Agent)

Support Languages: English

Technician Mode Authenticate

Trigger: When a technician has been authenticated for a new technician mode session.

Channel: Operational

Event ID: 2000

Version: 0

Level: 4 (Informational)

Task: 0 (N/A)

Opcode: 0 (N/A)

Keywords: 0x4000000000000024 (Tech_Sess, Tech_Launcher)

Support Languages: English

Agent Mode Changed

Trigger: When the Agent mode is changed from the Computers screen in the Admin Portal.

Channel: Operational

Event ID: 3000

Version: 0

Level: 4 (Informational)

Task: 0 (N/A)

Opcode: 0 (N/A)

Keywords: 0x4000000000000012 (Agent_Config, Agent)

Support Languages: English

UAC Settings Changed

Trigger: When the UAC setting is changed from the Computers screen in the Admin Portal.

Channel: Operational

Event ID: 3001

Version: 0

Level: 4 (Informational)

Task: 0 (N/A)

Opcode: 0 (N/A)

Keywords: 0x4000000000000012 (Agent_Config, Agent)

Support Languages: English

Remove Admin Privileges Setting Changed

Trigger: When the “Remove Admin Privileges” setting is changed from the Settings screen in the Admin Portal.

Channel: Operational

Event ID: 4000

Version: 0

Level: 4 (Informational)

Task: 0 (N/A)

Opcode: 0 (N/A)

Keywords: 0x4000000000000012 (Agent_Config, Agent)

Support Languages: English

UAC Loading Overlay Setting Changed

Trigger: When the “UAC Loading Overlay” setting is changed from the Settings screen in the Admin Portal.

Channel: Operational

Event ID: 4001

Version: 0

Level: 4 (Informational)

Task: 0 (N/A)

Opcode: 0 (N/A)

Keywords: 0x4000000000000012 (Agent_Config, Agent)

Support Languages: English

Block Requests from "AppData\Local\Temp" Setting Changed

Trigger: When the “Block Requests from ‘AppData\Local\Temp’” setting is changed from the Settings screen in the Admin Portal.

Channel: Operational

Event ID: 4002

Version: 0

Level: 4 (Informational)

Task: 0 (N/A)

Opcode: 0 (N/A)

Keywords: 0x4000000000000012 (Agent_Config, Agent)

Support Languages: English

Agent Registration Error

Trigger: When there is an error with the Agent’s registration process which may be preventing the agent from appearing on the Computers Screen of the Admin Portal.

Channel: Admin

Event ID: 5000

Version: 0

Level: 1 (Critical)

Task: 0 (N/A)

Opcode: 0 (N/A)

Keywords: 0x8000000000000110 (Registration, Agent)

Support Languages: English

Agent Login Error

Trigger: When there is an error with the Agent’s login process which may cause the Agent status to not be updated on the Computers screen of the Admin Portal and may put the agent into offline mode.

Channel: Admin

Event ID: 5001

Version: 0

Level: 2 (Error)

Task: 0 (N/A)

Opcode: 0 (N/A)

Keywords: 0x8000000000000210 (Login, Agent)

Support Languages: English

Approval Request Sent

Trigger: When a privilege elevation request is sent to the technicians.

Channel: Operational

Event ID: 6000

Version: 0

Level: 4 (Informational)

Task: 0 (N/A)

Opcode: 0 (N/A)

Keywords: 0x40000000000000c0 (Approval_Request, Alert_Agent)

Support Languages: English

Approval Request Approved

Trigger: When the Agent has received a privilege elevation response as approved.

Channel: Operational

Event ID: 6001

Version: 0

Level: 4 (Informational)

Task: 0 (N/A)

Opcode: 0 (N/A)

Keywords: 0x40000000000000c0 (Approval_Request, Alert_Agent)

Support Languages: English

Approval Request Denied

Trigger: When the Agent has received a privilege elevation response as denied.

Channel: Operational

Event ID: 6002

Version: 0

Level: 4 (Informational)

Task: 0 (N/A)

Opcode: 0 (N/A)

Keywords: 0x40000000000000c0 (Approval_Request, Alert_Agent)

Support Languages: English

Approval Request Delayed

Trigger: When a privilege elevation request was not handled within the configured timer interval. This event will not be triggered if the timer interval has been disabled.

Channel: Operational

Event ID: 6003

Version: 0

Level: 4 (Informational)

Task: 0 (N/A)

Opcode: 0 (N/A)

Keywords: 0x40000000000000c0 (Approval_Request, Alert_Agent)

Support Languages: English

 

Channels

Operational Channel

Path: AutoElevate/Operational

Type: Operational

Information: General logging.

Admin Channel

Path: AutoElevate/Admin (Previously: AutoElevate/Errors)

Type: Admin

Information: Errors that suggest immediate action by Administrators.

 

Keywords

A list of keywords that the event logs may contain and what they represent.

UAC - The event was caused by the Agent’s interaction with the UAC prompt.

Agent_Config - The event was caused by a change to the Agent’s configuration.

Tech_Sess - The event was caused by a technician mode session.

Registration - The event was caused by the Agent’s registration process.

Login - The event was caused by the Agent’s login process.

Approval_Request - The event was caused by a privilege elevation request.

UAC_Agent - The event originated from the AutoElevate UAC Agent.

Agent - The event originated from the AutoElevate Agent.

Tech_Launcher - The event originated from the AutoElevate Technician Mode Launcher.

Alert_Agent - The event originated from the AutoElevate Alert Agent.
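
The following is an added example, not code from AutoElevate: it turns the channel paths and event IDs documented above into a Windows Event Log structured XML query (QueryList), the filter format accepted by Event Viewer custom views and by many log collectors. The profile names and their groupings are assumptions made for illustration.

```python
from xml.sax.saxutils import escape, quoteattr

OPERATIONAL = "AutoElevate/Operational"  # channel paths as documented in this article
ADMIN = "AutoElevate/Admin"

# Event ID -> (channel, name), copied from the event list in this article.
EVENTS = {
    1000: (OPERATIONAL, "UAC Tripped"),
    1001: (OPERATIONAL, "Rule Applied"),
    2000: (OPERATIONAL, "Technician Mode Authenticate"),
    3000: (OPERATIONAL, "Agent Mode Changed"),
    3001: (OPERATIONAL, "UAC Settings Changed"),
    4000: (OPERATIONAL, "Remove Admin Privileges Setting Changed"),
    4001: (OPERATIONAL, "UAC Loading Overlay Setting Changed"),
    4002: (OPERATIONAL, 'Block Requests from "AppData\\Local\\Temp" Setting Changed'),
    5000: (ADMIN, "Agent Registration Error"),
    5001: (ADMIN, "Agent Login Error"),
    6000: (OPERATIONAL, "Approval Request Sent"),
    6001: (OPERATIONAL, "Approval Request Approved"),
    6002: (OPERATIONAL, "Approval Request Denied"),
    6003: (OPERATIONAL, "Approval Request Delayed"),
}

# Hypothetical collection profiles (an assumption of this example, not AutoElevate's).
PROFILES = {
    "security_changes": {2000, 3000, 3001, 4000, 4001, 4002},
    "agent_errors": {5000, 5001},
    "approvals": {6000, 6001, 6002, 6003},
}

def build_query_list(event_ids):
    """Build a structured XML query with one <Query> per channel involved."""
    unknown = set(event_ids) - set(EVENTS)
    if unknown:
        raise ValueError(f"event IDs not documented: {sorted(unknown)}")
    by_channel = {}
    for eid in sorted(event_ids):
        by_channel.setdefault(EVENTS[eid][0], []).append(eid)
    queries = []
    for qid, (channel, ids) in enumerate(sorted(by_channel.items())):
        xpath = "*[System[(" + " or ".join(f"EventID={i}" for i in ids) + ")]]"
        queries.append(f'  <Query Id="{qid}" Path={quoteattr(channel)}>\n'
                       f'    <Select Path={quoteattr(channel)}>{escape(xpath)}</Select>\n'
                       f'  </Query>')
    return "<QueryList>\n" + "\n".join(queries) + "\n</QueryList>"

if __name__ == "__main__":
    print(build_query_list(PROFILES["security_changes"] | PROFILES["agent_errors"]))
```

Because the Admin and Operational channels are separate logs, the query needs one Query element per channel; filtering on event ID alone in a single channel would silently miss events 5000 and 5001.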
