WAC in HA Events lacking User ID


Based on https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/use/logging

I'd expect to see more detailed usage logging; however, I'm not seeing anything in Microsoft-ServerManagementExperience that mentions the username performing these actions. For example, I just see

"PATCH - 204 - (2083): /api/nodes/mynode/features/fileTransfer/files/asdfasdfasdf?api-version=2019-02-01"

when a file was uploaded to "mynode". I don't see who did it. There are also no Event ID 4000s at all on the gateway server and I don't see these events on "mynode"...

Not sure if this has anything to do with it, but I have WAC installed in HA on two Windows Server 2022 VMs.

Any ideas on how to get more informative events?

EventIDs working for everyone else?

Hi @ez12a,

You're right, we don't currently do user-based logging such that you can see what a user is doing.

This is something we can explore! Thank you for the feedback.

Kind regards,

Rebecca.

On the second question, what do you mean by EventIDs please?

What I'm seeing is that the logging on the managed machine of actions such as a file upload is unreliable. I can upload a file onto a Server 2019 machine and the file gets uploaded, but no event channel and eventID 4000 is generated on the managed machine.

If I upload a file on a different Server 2022 machine, the file uploads and I see the event channel and logs, which I then forward to something like Splunk.

In any case, imo a better design choice would be to log such events on the WAC server itself in addition to the local logs on the client.

Also, can the logs on the managed server also include the computer name of the managed server? Currently, I'm forwarding the logs to something like Splunk, for example, and it is not easy to see what server the command was being run from or the source managed machine.

The information being forwarded from the managed server is like this, from source <insert WAC server>:

{"file":"Upload","module":"msft.sme.file-explorer","userOnGateway":"contoso\username","gateway":"wac.contoso.com","userOnTarget":"contoso\username"}

I don't have the hostname of the managed server in this event, so I can't tell where this was being run when looking at this casually from Splunk.

But then again, if we log these on the WAC server I won't have to forward WAC logs from the thousands of managed clients. Instead I will forward from the WAC servers themselves, which seems way easier.
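
Added example, not part of the thread or of Windows Admin Center: every Windows event record names its originating machine in the System/Computer element of the event XML, so a forwarder-side step can copy that name into the payload before it is indexed. The event XML below is constructed; the placement of the payload in EventData/Data and the field name `targetHost` are assumptions.

```python
import json
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: event 4000 as rendered to XML on a managed node. The payload
# is the one quoted in the post; placing it in EventData/Data is an assumption.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4000</EventID>
    <Channel>Microsoft-ServerManagementExperience</Channel>
    <Computer>mynode.contoso.com</Computer>
  </System>
  <EventData>
    <Data>{"file":"Upload","module":"msft.sme.file-explorer","userOnGateway":"contoso\username","gateway":"wac.contoso.com","userOnTarget":"contoso\username"}</Data>
  </EventData>
</Event>"""


def parse_payload(raw):
    """Parse the JSON payload, tolerating an unescaped backslash in DOMAIN\\user."""
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        # Double any backslash that is not already escaping a quote or backslash.
        return json.loads(re.sub(r'\\(?!["\\])', r"\\\\", raw))


def enrich(event_xml):
    """Return the payload with the managed node's name copied from the envelope."""
    root = ET.fromstring(event_xml)
    system = root.find("e:System", NS)
    if system.findtext("e:EventID", namespaces=NS) != "4000":
        return None  # not a WAC action event
    record = parse_payload(root.findtext("e:EventData/e:Data", namespaces=NS))
    # targetHost is a hypothetical field name chosen for this example.
    record["targetHost"] = system.findtext("e:Computer", namespaces=NS)
    return record


if __name__ == "__main__":
    print(json.dumps(enrich(SAMPLE_EVENT)))
```
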