User Data Logging
The following data is collected by the MUAM and EMUAM modules on user workstations. The archive.zip file consists of the following files:
- manifest.json
- activity.json
- inspector_log.json
- service_log.json
- timetracking_log.json
Each archive type contains the following files:
| Agent inspector archive | Agent service archive | Timetracking module archive |
|---|---|---|
| manifest.json | manifest.json | manifest.json |
| activity.json | service_log.json | timetracking_log.json |
| inspector_log.json | – | – |
To manually configure the archive generation interval, add the parameter activity_sending_period to the settings.cfg file located at ProgramData\OperavixAgent. This parameter sets the interval for sending activity data to the server (in seconds).
"activity_sending_period":60
manifest.json
The manifest.json file contains general user information and the log type. The type field identifies where the archive came from: the inspector (inspector), the service (service) or time tracking (timetracking).
For example:
{
"version": "1.0.4",
"machine_guid": "3c830f47-9fcd-4a48-a568-750d8b179987",
"user": {
"name": "John Doe",
"login": "johndoe",
"domain": "CORP.BUSINESSPROJECT.COM",
"ad_guid": "d59396ef-c493-4215-8dd5-1c478c846191",
"timezone": "Europe/London",
"timezone_sec": 10800,
"employee_id": 2
},
"computer": {
"name": "c-066-test.corp.operavix.com",
"domain": "domain.com",
"workgroup": ""
},
"agent": {
"version": "2.14.3"
},
"type": "inspector"
}
Explanation:
- version — protocol version (a data format for a server)
- user:name — user name (the account used in the operating system)
- user:login — user login (the account used in the operating system)
- user:domain — user domain (if applicable)
- user:timezone — time zone
- user:timezone_sec — time zone offset from UTC in seconds
- user:employee_id — internal user ID
- computer:name — workstation name
- computer:domain — workstation domain
- computer:workgroup — workstation workgroup
- agent:version — agent version
activity.json
Employee activity is an array of records in the activity.json file. The file is later sent to the server.
Each record includes the following required fields:
{"version":"1.0.9"}
{
"time":1692694112,
"time_ms":469,
"cpu_loading":12,
"memory_loading":30,
"window_activity":{
"app_info":{
"program_name":"Google Chrome",
"version":"115.0.5790",
"executable_path":"%ProgramFiles(x86)%\\Google\\Chrome\\Application\\chrome.exe"},
"type":43,
"input_type":1,
"main_window":"",
"domain":"",
"url_path":"",
"tab":"",
"file_name":"index (3).html",
"file_path":"%USERPROFILE%\\Desktop\\",
"location":[],
"element":null,
"parameters":[]
}
}
Explanation:
Depending on the event, some fields may be empty.
- version — the manifest version
- time — UTC time of the event
- time_ms — milliseconds component of the timestamp
- cpu_loading — CPU load
- memory_loading — RAM load value
- window_activity — the container with information about the event
  - app_info — information about the application
    - program_name — application name from the Description section
    - version — application version
    - executable_path — absolute path to the executable file
  - type — event type
  - input_type — whether the activity was hardware or injected: if hardware HID input occurred right before the event, input_type=1; if the preceding input was injected, input_type=0
  - main_window — main window title
  - domain — window domain
  - url_path — window URL
  - tab — main window tab
  - file_name — the name of an opened file
  - file_path — absolute path to an opened file
  - location — a hierarchy of windows with a type value strictly less than 10
    - name — field name
    - type — event code
  - element — UI element (for example, a button or a checkbox)
  - parameters — the container with the following information:
    - name — field name
    - value — hashed value
    - type — event code
    - is_current — indicates whether the action was performed in the current field: 1 means the action occurred in the current field, otherwise 0
Event Types
The type field is a numeric event code. Events are grouped by source into ranges.
| Event code | Description |
|---|---|
| 1 | Start — monitoring module startup. Under normal agent operation, without crashes or termination of the process via Task Manager, this coincides with user session start or unlock |
| 2 | Stop — monitoring module shutdown. Under normal agent operation, this coincides with user session lock or termination |
| 3 | ProcessCrashed — application crash/termination |
| Window Hierarchy | |
| 40 | WindowSwitch — switching between windows, browser tabs, or any switch between previously opened program windows |
| 41 | WindowUpdate — window title change |
| 42 | WindowOpen — opening a new window: browser window, new browser tab, program tab, etc. |
| 43 | DocumentOpen — opening a new document |
| 44 | DocumentSave — saving a document under a different name |
| 45 | SheetOpen — changing Excel sheet (switching sheets, renaming, or creating a new one) |
| UI Elements (Extended Monitoring Only) | |
| 52 | Invoke — clicks on UI elements (buttons, hyperlinks, etc.) |
| 53 | FieldEdit — editing Edit and Document elements. Recorded after editing completion and focus shift to another element. The Document element is captured only for specific applications. Field name and value are recorded in parameters |
| 56 | FileSelect — selecting a file or folder through the standard open dialog. File path and name are recorded in parameters under select_from |
| 58 | FileSave — saving a file through a dialog box, or downloading a file in Google Chrome browser. File path and name are recorded in parameters under save_to |
| 60 | Copy — copying or cutting text. Text appears in parameters under copy_value |
| 61 | Paste — pasting text. Text appears in parameters under paste_value |
| 62 | ValueSelect — selecting a value in a combo box, checkbox, or radio button (with or without a radio group). This is recorded if no extractable data exists in the value. The value is recorded after the name separated by a colon |
| 63 | Respond — button or hyperlink that triggered the Invoke event becomes invisible |
| 64 | FormRespond — event recorded instead of Respond when parameter fields in the window were modified |
| 65 | Select — selecting items in lists, tables, or trees |
| HID Activity | |
| 90 | InjectedMouseClick — software-generated mouse click |
| 91 | InjectedMouseScroll — software-generated mouse scroll |
| 92 | InjectedKeyboardEvent — software-generated keyboard key press |
| 95 | HardwareMouseClick — hardware-generated mouse click |
| 96 | HardwareMouseScroll — hardware-generated mouse scroll |
| 97 | HardwareKeyboardEvent — hardware-generated keyboard key press |
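As an added example (not part of the original documentation or the agent's own code), the following Python reads an activity.json stream, decodes the type codes using the Event Types table above, and lists the records whose input_type marks injected rather than hardware input. It assumes the file is newline-delimited with the version header on the first line, as the example above suggests; the sample records are constructed, the first mirroring the example on this page.

```python
import json
from collections import Counter

# Event codes and names taken from the Event Types table on this page.
EVENT_NAMES = {
    1: "Start", 2: "Stop", 3: "ProcessCrashed",
    40: "WindowSwitch", 41: "WindowUpdate", 42: "WindowOpen",
    43: "DocumentOpen", 44: "DocumentSave", 45: "SheetOpen",
    52: "Invoke", 53: "FieldEdit", 56: "FileSelect", 58: "FileSave",
    60: "Copy", 61: "Paste", 62: "ValueSelect", 63: "Respond",
    64: "FormRespond", 65: "Select",
    90: "InjectedMouseClick", 91: "InjectedMouseScroll", 92: "InjectedKeyboardEvent",
    95: "HardwareMouseClick", 96: "HardwareMouseScroll", 97: "HardwareKeyboardEvent",
}

# Constructed sample: version header, then one record per line (the newline-delimited
# layout is an assumption). Record 1 mirrors the page's example; record 2 is a Paste event.
SAMPLE_ACTIVITY = "\n".join([
    '{"version":"1.0.9"}',
    '{"time":1692694112,"time_ms":469,"cpu_loading":12,"memory_loading":30,"window_activity":{'
    '"app_info":{"program_name":"Google Chrome","version":"115.0.5790",'
    '"executable_path":"%ProgramFiles(x86)%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe"},'
    '"type":43,"input_type":1,"main_window":"","domain":"","url_path":"","tab":"",'
    '"file_name":"index (3).html","file_path":"%USERPROFILE%\\\\Desktop\\\\",'
    '"location":[],"element":null,"parameters":[]}}',
    '{"time":1692694130,"time_ms":12,"cpu_loading":9,"memory_loading":31,"window_activity":{'
    '"app_info":{"program_name":"Notepad","version":"10.0","executable_path":"%windir%\\\\notepad.exe"},'
    '"type":61,"input_type":0,"main_window":"","domain":"","url_path":"","tab":"","file_name":"","file_path":"",'
    '"location":[],"element":null,"parameters":[{"name":"paste_value","value":"<hashed>","type":51,"is_current":1}]}}',
])

def parse_activity(text):
    """Return (version, records): the first non-empty line is the version header."""
    lines = [line for line in text.splitlines() if line.strip()]
    version = json.loads(lines[0])["version"]
    return version, [json.loads(line) for line in lines[1:]]

def summarize(records):
    """Count events by name and list those preceded by injected (input_type=0) input."""
    counts = Counter()
    injected = []
    for rec in records:
        wa = rec["window_activity"]
        name = EVENT_NAMES.get(wa["type"], f"Unknown({wa['type']})")
        counts[name] += 1
        if wa["input_type"] == 0:  # 0 = injected input, 1 = hardware HID input
            injected.append((rec["time"], name, wa["app_info"]["program_name"]))
    return counts, injected
```

Calling `summarize(parse_activity(SAMPLE_ACTIVITY)[1])` returns one DocumentOpen and one Paste event, with the Paste flagged as injected.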
Control Elements
Basic monitoring records only the Window and Unknown elements; extended monitoring records all elements.
| Value | Code | Description |
|---|---|---|
| Window | 1 | Window |
| Button, Splitbutton | 10 | Buttons |
| CheckBox | 12 | Checkbox. Also used for RadioButton when no Radiogroup is found |
| ComboBox | 13 | Combo box. Also used for RadioButton when a Radiogroup is identified |
| Edit | 14 | Text fields |
| Hyperlink | 15 | Hyperlinks |
| ListItem | 17 | Lists |
| TreeItem | 34 | Tree lists |
| MenuItem | 21 | Menu items |
| Document | 40 | Text fields in MS Outlook |
| HotKey | 49 | Keyboard shortcuts |
| Location | 50 | Appears only in the parameters_type column for location fields (save_from, save_to, excel_sheet, etc.) |
| Clipboard | 51 | Appears only in the parameters_type column for copy_value and paste_value fields |
| UrlParam | 52 | Appears only in the parameters_type column for fields containing parameters extracted from URLs |
| NameParam | 53 | Appears only in the parameters_type column for fields containing parameters extracted from window titles or element names |
| Id | 54 | Appears only in the parameters_type column for window ID fields |
| Message | 55 | Appears only in the parameters_type column for message field from confirmation dialogs |
| ExitCode | 56 | Appears only in the parameters_type column for exit_code field from process crash events |
| ExcelSheet | 57 | Excel sheet name |
| TabItem | 29 | Tab |
| DataItem | 39 | Table item |
Hotkeys
Key combinations with the Ctrl, Alt and Shift modifiers, as well as the function keys F1-F12, are recorded in the Invoke event. Shift+A combinations, where A is a single character key, are not recorded; such combinations are used, for example, to type capital letters.
Case matters in the recorded value: the Ctrl, Alt and Shift modifiers must appear exactly in this form, F1-F12 must use a capital F, and a key combined with a modifier must be upper case, for example Ctrl+X.
If a UI element's name contains hotkeys, only those hotkeys (in proper case) are recorded in element_name, while the rest of the name is stored in the element_hotkey_name field.
inspector_log.json
The logs in the inspector_log.json file contain information about the start of the agent inspector, the frequency of update requests, and the type of employee monitoring.
Log examples:
{"version":"1.0.0"}
PID=9212 TID=23400 important Start Inspector started, version = 2.14.3, user: jdoe@CORP.OPERAVIX.COM, settings: {"monitoring_status":2,"timetracking_status":false,"logger":{"level":"LEVEL_ERROR"}}, loggerSetting: LEVEL_ERROR
PID=9212 TID=23400 important system_info::GetUserAdGuid user sid = S-1-5-21-580362855-3340923925-1044332590-1417
PID=9212 TID=23400 important ActivitySender::ActivitySender reservedSpace file size = 1048576b
PID=9212 TID=23400 important ModuleManager::LoadModule module 'C:\Program Files\OperavixAgent\mod_extended_monitoring.dll' loaded
PID=9212 TID=23400 important Controller::Start ActivityCollectorExtended started
PID=9212 TID=23400 important ModuleManager::LoadModule module 'C:\Program Files\OperavixAgent\mod_crash_watcher.dll' loaded
PID=9212 TID=23400 important Controller::Start ProcessCrashWatcher started
PID=9212 TID=9116 important SettingsManager::RefreshUserId EnsureUser success, employeeId = 2
PID=9212 TID=9116 important SettingsManager::RefreshServerComponents GetServerComponents success, components: com.operavix.subsystem.activedirectory com.operavix.subsystem.clickhouse.core com.operavix.subsystem.clickhouse.standalone com.operavix.subsystem.core com.operavix.subsystem.dashboard com.operavix.subsystem.dashboardext com.operavix.subsystem.frontend com.operavix.subsystem.monitoring com.operavix.subsystem.workspaces
PID=9212 TID=9116 important SettingsManager::RefreshSettings GetSettings success, employeeInfo: employeeId = 2, displayName = 'John Doe', logLevel = 'LEVEL_ERROR', monitoringType = Extended, trackingEnabled = false
PID=9212 TID=1484 important UserActivity::ExtractWindowActivity activityEventCount = 3, utcTime = [2021.12.06_04:41:42 - 2021.12.06_04:41:47]
PID=9212 TID=1484 important `anonymous-namespace'::PackActivity Timezone init id = Europe/Moscow, offsetInSec = 10800
service_log.json
The service_log.json file contains data about the service start, locking of the system (session lock) for a specific user, and crash reports that were sent.
Log examples:
{"version":"1.0.0"}
PID=6556 TID=17352 important main Service started, version = 2.14.3
PID=6556 TID=1116 important SessionController::StartInspector Inspector started, sessionId = 14, UserPrincipalName = 'jdoe@CORP.OPERAVIX.COM'
PID=6556 TID=17352 important RunAsService::<lambda_6f040d3ff28f03704b9026c4883d74c7>::operator () Session event WTS_SESSION_LOCK, sessionId = 14
PID=6556 TID=17352 important SessionController::OnSessionDeactivated Session deactivated, sessionId = 14, UserPrincipalName = 'jdoe@CORP.OPERAVIX.COM'
PID=6556 TID=17352 important RunAsService::<lambda_6f040d3ff28f03704b9026c4883d74c7>::operator () Session event WTS_SESSION_UNLOCK, sessionId = 14
PID=6556 TID=1116 important SessionController::StartInspector Inspector started, sessionId = 14, UserPrincipalName = 'jdoe@CORP.OPERAVIX.COM'
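An added example, not from the original documentation or the Operavix code, that parses lines in the PID/TID layout shown for inspector_log.json and service_log.json and reconstructs the lock/unlock sequence per sessionId. The line layout is inferred from the examples on this page and the sample log is constructed from the service_log.json lines above.

```python
import json
import re
from collections import defaultdict

# Line layout seen in the log examples on this page:
# "PID=<n> TID=<n> <level> <source> <message>". The source is taken as the first
# whitespace-free token, so for "RunAsService::<lambda_...>::operator () ..." the
# "()" lands at the start of the message; the session regex below still matches.
LOG_LINE = re.compile(r"^PID=(?P<pid>\d+) TID=(?P<tid>\d+) (?P<level>\w+) (?P<source>\S+) (?P<message>.*)$")
SESSION_EVENT = re.compile(r"Session event (?P<event>WTS_\w+), sessionId = (?P<sid>\d+)")

# Constructed sample built from the service_log.json lines shown on this page.
SAMPLE_SERVICE_LOG = """{"version":"1.0.0"}
PID=6556 TID=17352 important main Service started, version = 2.14.3
PID=6556 TID=1116 important SessionController::StartInspector Inspector started, sessionId = 14, UserPrincipalName = 'jdoe@CORP.OPERAVIX.COM'
PID=6556 TID=17352 important RunAsService::<lambda_6f040d3ff28f03704b9026c4883d74c7>::operator () Session event WTS_SESSION_LOCK, sessionId = 14
PID=6556 TID=17352 important SessionController::OnSessionDeactivated Session deactivated, sessionId = 14, UserPrincipalName = 'jdoe@CORP.OPERAVIX.COM'
PID=6556 TID=17352 important RunAsService::<lambda_6f040d3ff28f03704b9026c4883d74c7>::operator () Session event WTS_SESSION_UNLOCK, sessionId = 14
"""

def parse_log(text):
    """Return (version, entries, unparsed). The first line is the JSON version header;
    each further line becomes a dict with pid, tid, level, source and message."""
    lines = [line for line in text.splitlines() if line.strip()]
    version = json.loads(lines[0])["version"]
    entries, unparsed = [], []
    for line in lines[1:]:
        m = LOG_LINE.match(line)
        if m:
            entries.append(m.groupdict())
        else:
            unparsed.append(line)  # kept so a format change does not go unnoticed
    return version, entries, unparsed

def session_timeline(entries):
    """Per sessionId, the ordered WTS session events (lock/unlock) from the service log."""
    timeline = defaultdict(list)
    for entry in entries:
        m = SESSION_EVENT.search(entry["message"])
        if m:
            timeline[int(m["sid"])].append(m["event"])
    return dict(timeline)
```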
timetracking_log.json
The timetracking_log.json file contains time tracking logs (module start time, user information, etc.).
Log examples:
{"version":"1.0.0"}
PID=660 TID=5172 important main Timetracking started, version = 2.14.3, user: client02@TEST.OPERAVIX.RU, loggerSetting: LEVEL_ERROR
PID=660 TID=5172 important IdleManager::ProcessResumeInfo Save on server user activity = Пт ноя 26 11:33:32 2021
PID=660 TID=5172 important IdleManager::ProcessResumeInfo NotifyActiveTrackIdleResume