Auditing Desktops

Use the Secure Desktops administrator console to audit a desktop pool or individual desktop. Secure Desktops calls on the Logging service to perform the audit.

Auditing a Desktop Pool

To audit a desktop pool:

  1. Open the navigation menu and click Compute. Under Secure Desktops, click Desktop Pools.
  2. Under List scope, select the compartment that contains the desktop pool.
  3. Click the desktop pool name.
  4. From the Desktop Pool Details page, click More actions and select Audit.

    The OCI Logging service Search page is displayed. A query is automatically filtered for the selected desktop pool instance and all available events are listed under the Explore tab. For more information, see Logging Search.

  5. Adjust the filtered Start Date and End Date as necessary and click Apply.
    Note

    The period between these dates can't exceed 14 days.
  6. Scroll to the Explore tab where log events are listed.

    By default, the following information is presented for each event:

    • Datetime: The date and time when the event occurred.
    • Data.identity.principalName: The friendly name associated with OCID of the principal.
    • Data.resourceid: The OCID of the resource emitting the event.
    • Type: The API operation that generated the event.
  7. To display results for a specific user name, you can add a qualifier to the query to return results for a specific user name:

    AND data.identity.principalName='<username>'

    Note

    You can include an asterisk as part of the <username>.
  8. To customize the columns that appear in the search results, Click Actions and select Manage log fields. Select or clear columns and click Apply.

Auditing an Individual Desktop

To audit an individual desktop:

  1. Open the navigation menu and click Compute. Under Secure Desktops, click Desktop Pools.
  2. Under List scope, select the compartment that contains the desktop pool.
  3. Click the desktop pool name.
  4. On the Desktop Pool Details page, scroll to the Desktops section.
  5. Locate the desktop you want to audit and click the action icon (three-dots) displayed in the desktop's row.
  6. Select Audit from the drop-down list. This starts a desktop audit in the Oracle Cloud Infrastructure Logging service.

    The OCI Logging service Audit page is displayed. A query is automatically filtered for the selected desktop instance and all available events are listed under the Explore Events tab. For more information, see Audit Logs.

  7. Adjust the filtered Start Date and End Date as necessary and click Apply.
    Note

    The period between these dates can't exceed 14 days.
  8. Scroll to the Explorer Events tab.

    By default, the following information is presented for each event:

    • Event Date: The date and time when the event occurred.
    • User: The friendly name associated with OCID of the principal.
    • Resource: The desktop OCID.
    • Action: The HTTP method of the request.
    • Type: The type of request.
    • Status: The status code of the response.