Missing Information in pcAnywhere Audit reports
Article: TECH208516 | Created: 2013-07-11 | Updated: 2013-11-21 | Article URL: http://www.symantec.com/docs/TECH208516
When running a report to display pcAnywhere audit data, some of the data may not be populated. Some of the fields that may be blank are:
- Remote Machine(Console)
- User Name

Environment:
- All versions pcAnywhere Solution
- All supported Windows, Linux, OS X platforms

Cause:
- An unsuccessful remote connection attempt.
- Other network traffic that did not originate from a pcAnywhere remote connection attempt.
A remote computer's IP address is collected from the TCP traffic that reaches the Host on its TCP port (default 5631). Additional information, such as remote hostname, remote user, etc., is collected from the pcAnywhere remote during the handshake of a remote connection. If something other than pcAnywhere, such as Telnet, sends traffic to the TCP port pcAnywhere is using (default 5631), pcAnywhere will log the IP address of the system that generated the traffic, but this traffic does not contain any of the other information we log, such as remote hostname or username. Therefore, if the system sending traffic to the default TCP port is not a pcAnywhere remote, we are only able to collect the IP address from which that traffic originated.
Note: Any traffic received on the pcAnywhere TCP port, whether from a pcA Remote connection attempt or any other utility, such as Telnet, may trigger the Thumbprint dialog on the host. If this traffic is not from a pcA remote, the dialog will show the host's thumbprint certificate info, but the handshake will deny the connection. The presence of this dialog by itself does not indicate a pcAnywhere remote connection attempt.
Recommendation: If non-pcA traffic needs to be monitored on the pcA TCP port or any other port, it is recommended that a network monitoring/scanning tool be used, as this is outside the scope of what pcAnywhere was designed to do. Even a network monitoring tool, however, will not be able to collect certain information, such as computer name or logged-in user, if that data is not contained in the network traffic.
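The following is an added example, not part of the Symantec article or the product: a short script for triaging an exported audit report by separating rows that carry only an IP address from rows with handshake data. The CSV layout, the column names `Time` and `Remote IP`, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. The column layout is an assumption, not the
# product's real report schema; the addresses are documentation ranges.
SAMPLE_CSV = """\
Time,Remote IP,Remote Machine (Console),User Name
2013-07-10 09:01:12,192.0.2.10,HELPDESK-01,jsmith
2013-07-10 09:14:40,198.51.100.7,,
2013-07-10 09:14:41,198.51.100.7,,
2013-07-10 10:02:03,192.0.2.10,,
2013-07-10 11:30:55,192.0.2.22,HELPDESK-02,adoe
2013-07-10 12:00:00,198.51.100.7,,
"""

# Fields that are only filled in from the pcAnywhere handshake.
IDENTITY_FIELDS = ("Remote Machine (Console)", "User Name")


def triage(csv_text):
    """Summarise, per source IP, the rows that have an IP but no handshake data."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # IPs that supplied full handshake data in at least one row.
    identified = {r["Remote IP"] for r in rows
                  if all((r.get(f) or "").strip() for f in IDENTITY_FIELDS)}
    summary = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for r in rows:
        if any((r.get(f) or "").strip() for f in IDENTITY_FIELDS):
            continue  # some handshake data present, so not an IP-only row
        s = summary[r["Remote IP"]]
        s["count"] += 1
        # ISO-style timestamps compare correctly as strings.
        s["first"] = min(filter(None, (s["first"], r["Time"])))
        s["last"] = max(filter(None, (s["last"], r["Time"])))
    for ip, s in summary.items():
        # True when the same IP also appears with handshake data elsewhere.
        s["also_identified"] = ip in identified
    return dict(summary)


if __name__ == "__main__":
    for ip, s in sorted(triage(SAMPLE_CSV).items()):
        print(ip, s)
```

The `also_identified` flag only records that the same address completed a handshake in another row; it does not by itself tell an unsuccessful pcAnywhere attempt apart from non-pcAnywhere traffic.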