Event Logging
Learn how to enable Event Logging!
The Agent’s Windows Event Logs are provided to give you visibility into what the AutoElevate Agent observes and how it operates on the system. They can be ingested by a SIEM or syslog service to better automate events happening within AutoElevate.
This feature can be enabled or disabled in the Admin Portal settings.
Some of the events contain the same information shown on the Admin Portal’s Events screen, though they are not limited to it.
The Agent’s Windows Event Logs Have the Following Benefits
- Troubleshooting Errors
- Auditing technician authentication
- Recording UAC events while offline
- Tracking privilege elevation requests
- Tracking changes to certain security settings
- Recording when a rule has been used
How to Use the Logs?
The Agent’s Windows Event Logs are implemented using the Event Tracing for Windows system. Therefore, they can be viewed or captured just like any standardized log that you will find in the Windows Event Viewer.
They follow Microsoft’s guidelines, including recommended naming conventions.
If you use a log collector or SIEM tool, then with the help of the information below you will be able to configure it to capture the Agent’s Windows Event Logs.
Events
UAC Tripped
Trigger: When a UAC prompt appears.
Channel: Operational
Event ID: 1000
Version: 0
Level: 4 (Informational)
Task: 0 (N/A)
Opcode: 0 (N/A)
Keywords: 0x4000000000000009 (UAC, UAC_Agent)
Support Languages: English
Rule Applied
Trigger: When a UAC prompt is automatically handled by an existing rule.
Channel: Operational
Event ID: 1001
Version: 0
Level: 4 (Informational)
Task: 0 (N/A)
Opcode: 0 (N/A)
Keywords: 0x4000000000000009 (UAC, UAC_Agent)
Support Languages: English
Technician Mode Authenticate
Trigger: When a technician has been authenticated for a new technician mode session.
Channel: Operational
Event ID: 2000
Version: 0
Level: 4 (Informational)
Task: 0 (N/A)
Opcode: 0 (N/A)
Keywords: 0x4000000000000024 (Tech_Sess, Tech_Launcher)
Support Languages: English
Agent Mode Changed
Trigger: When the Agent mode is changed from the Computers screen in the Admin Portal.
Channel: Operational
Event ID: 3000
Version: 0
Level: 4 (Informational)
Task: 0 (N/A)
Opcode: 0 (N/A)
Keywords: 0x4000000000000012 (Agent_Config, Agent)
Support Languages: English
UAC Settings Changed
Trigger: When the UAC setting is changed from the Computers screen in the Admin Portal.
Channel: Operational
Event ID: 3001
Version: 0
Level: 4 (Informational)
Task: 0 (N/A)
Opcode: 0 (N/A)
Keywords: 0x4000000000000012 (Agent_Config, Agent)
Support Languages: English
Remove Admin Privileges Setting Changed
Trigger: When the “Remove Admin Privileges” setting is changed from the Settings screen in the Admin Portal.
Channel: Operational
Event ID: 4000
Version: 0
Level: 4 (Informational)
Task: 0 (N/A)
Opcode: 0 (N/A)
Keywords: 0x4000000000000012 (Agent_Config, Agent)
Support Languages: English
UAC Loading Overlay Setting Changed
Trigger: When the “UAC Loading Overlay” setting is changed from the Settings screen in the Admin Portal.
Channel: Operational
Event ID: 4001
Version: 0
Level: 4 (Informational)
Task: 0 (N/A)
Opcode: 0 (N/A)
Keywords: 0x4000000000000012 (Agent_Config, Agent)
Support Languages: English
Block Requests from "AppData\Local\Temp" Setting Changed
Trigger: When the “Block Requests from ‘AppData\Local\Temp’” setting is changed from the Settings screen in the Admin Portal.
Channel: Operational
Event ID: 4002
Version: 0
Level: 4 (Informational)
Task: 0 (N/A)
Opcode: 0 (N/A)
Keywords: 0x4000000000000012 (Agent_Config, Agent)
Support Languages: English
Agent Registration Error
Trigger: When there is an error with the Agent’s registration process which may be preventing the Agent from appearing on the Computers screen of the Admin Portal.
Channel: Admin
Event ID: 5000
Version: 0
Level: 1 (Critical)
Task: 0 (N/A)
Opcode: 0 (N/A)
Keywords: 0x8000000000000110 (Registration, Agent)
Support Languages: English
Agent Login Error
Trigger: When there is an error with the Agent’s login process which may cause the Agent status to not be updated on the Computers screen of the Admin Portal and may put the agent into offline mode.
Channel: Admin
Event ID: 5001
Version: 0
Level: 2 (Error)
Task: 0 (N/A)
Opcode: 0 (N/A)
Keywords: 0x8000000000000210 (Login, Agent)
Support Languages: English
Approval Request Sent
Trigger: When a privilege elevation request is sent to the technicians.
Channel: Operational
Event ID: 6000
Version: 0
Level: 4 (Informational)
Task: 0 (N/A)
Opcode: 0 (N/A)
Keywords: 0x40000000000000c0 (Approval_Request, Alert_Agent)
Support Languages: English
Approval Request Approved
Trigger: When the Agent has received a privilege elevation response as approved.
Channel: Operational
Event ID: 6001
Version: 0
Level: 4 (Informational)
Task: 0 (N/A)
Opcode: 0 (N/A)
Keywords: 0x40000000000000c0 (Approval_Request, Alert_Agent)
Support Languages: English
Approval Request Denied
Trigger: When the Agent has received a privilege elevation response as denied.
Channel: Operational
Event ID: 6002
Version: 0
Level: 4 (Informational)
Task: 0 (N/A)
Opcode: 0 (N/A)
Keywords: 0x40000000000000c0 (Approval_Request, Alert_Agent)
Support Languages: English
Approval Request Delayed
Trigger: When a privilege elevation request was not handled within the configured timer interval. This event will not be triggered if the timer interval has been disabled.
Channel: Operational
Event ID: 6003
Version: 0
Level: 4 (Informational)
Task: 0 (N/A)
Opcode: 0 (N/A)
Keywords: 0x40000000000000c0 (Approval_Request, Alert_Agent)
Support Languages: English
Channels
Operational Channel
Path: AutoElevate/Operational
Type: Operational
Information: General logging.
Admin Channel
Path: AutoElevate/Admin (Previously: AutoElevate/Errors)
Type: Admin
Information: Errors that suggest immediate action by Administrators.
Keywords
A list of keywords that the event logs may contain and what they represent.
UAC - The event was caused by the Agent’s interaction with the UAC prompt.
Agent_Config - The event was caused by a change to the Agent’s configuration.
Tech_Sess - The event was caused by a technician mode session.
Registration - The event was caused by the Agent’s registration process.
Login - The event was caused by the Agent’s login process.
Approval_Request - The event was caused by a privilege elevation request.
UAC_Agent - The event originated from the AutoElevate UAC Agent.
Agent - The event originated from the AutoElevate Agent.
Tech_Launcher - The event originated from the AutoElevate Technician Mode Launcher.
Alert_Agent - The event originated from the AutoElevate Alert Agent.
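As an added example (not part of this documentation or AutoElevate’s own code), the following Python shows how a SIEM-side rule can decode the Keywords masks and Event IDs listed above and flag the events a defender cares about. The keyword bit values are inferred from the masks in the Events section (for instance 0x4000000000000009 decodes to UAC and UAC_Agent), and the record shape (Id, Level, Keywords) is an assumption about what a collector exports.

```python
# Decoder/triage for AutoElevate Agent event records after export to a SIEM.
# Keyword bit values are inferred from the masks documented on this page
# (e.g. 0x4000000000000009 = UAC | UAC_Agent); the record shape is an assumption.
EVENT_NAMES = {
    1000: "UAC Tripped", 1001: "Rule Applied", 2000: "Technician Mode Authenticate",
    3000: "Agent Mode Changed", 3001: "UAC Settings Changed",
    4000: "Remove Admin Privileges Setting Changed",
    4001: "UAC Loading Overlay Setting Changed",
    4002: "Block Requests from AppData\\Local\\Temp Setting Changed",
    5000: "Agent Registration Error", 5001: "Agent Login Error",
    6000: "Approval Request Sent", 6001: "Approval Request Approved",
    6002: "Approval Request Denied", 6003: "Approval Request Delayed",
}
# Low bits of the Keywords mask (inferred from the page's masks).
KEYWORD_BITS = {
    0x1: "UAC", 0x2: "Agent_Config", 0x4: "Tech_Sess", 0x8: "UAC_Agent",
    0x10: "Agent", 0x20: "Tech_Launcher", 0x40: "Approval_Request",
    0x80: "Alert_Agent", 0x100: "Registration", 0x200: "Login",
}
# High bit: the channel keyword ETW sets per channel (also inferred from the page).
CHANNEL_BITS = {0x4000000000000000: "Operational", 0x8000000000000000: "Admin"}
# Worth alerting on: settings changes weaken protection; Admin-channel errors mean offline mode.
ALERT_IDS = {3000, 3001, 4000, 4001, 4002, 5000, 5001}


def decode_keywords(mask):
    """Return the keyword names set in a Keywords mask, channel name first."""
    # Exporters such as Get-WinEvent emit Keywords as a signed Int64, so an
    # Admin-channel mask arrives negative; normalise to unsigned 64-bit first.
    mask &= (1 << 64) - 1
    names = [n for bit, n in CHANNEL_BITS.items() if mask & bit]
    return names + [n for bit, n in KEYWORD_BITS.items() if mask & bit]


def triage(record):
    """Normalise one record (assumed keys: Id, Level, Keywords) for a SIEM rule."""
    event_id, level = record["Id"], record["Level"]
    return {
        "id": event_id,
        "name": EVENT_NAMES.get(event_id, "Unknown AutoElevate event"),
        "keywords": decode_keywords(record["Keywords"]),
        "alert": event_id in ALERT_IDS or level in (1, 2),  # Critical or Error
    }


# Constructed sample records, not real telemetry; the last uses the signed
# Int64 form of 0x8000000000000110 as an exporter would emit it.
SAMPLE = [
    {"Id": 1001, "Level": 4, "Keywords": 0x4000000000000009},
    {"Id": 4002, "Level": 4, "Keywords": 0x4000000000000012},
    {"Id": 5000, "Level": 1, "Keywords": -0x7FFFFFFFFFFFFEF0},
]
```

Running `triage` over each record in `SAMPLE` flags the setting change (4002) and the registration error (5000) while leaving the routine rule application (1001) unflagged.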