1. Splashtop On-Prem - Support
  2. Security
  3. General

Splashtop On-Prem: Auditing and Logs Overview

Avatar
Splashtop

Introduction

Splashtop On-Prem provides comprehensive auditing and logging capabilities to help organizations maintain security compliance, troubleshoot issues, and monitor remote access activity. This article covers the key auditing features available in Splashtop On-Prem and how to use them effectively.

Available Audit Features

1. Team Logs

Overview

Team logs provide administrators with detailed records of user activities, authentication events, and system operations within your Splashtop deployment. These logs are essential for monitoring user behavior, identifying security incidents, and maintaining compliance with organizational policies.

What's Logged

Team logs capture a variety of events including:

  • User login and logout events
  • Remote session connections and disconnections
  • Configuration changes made by administrators
  • Permission and role modifications
  • Device additions and removals
  • Authentication failures and security events
  • File transfer activities (if enabled)
  • User management actions (creation, deletion, modification)

How to Access Team Logs

  1. Log in to your Splashtop On-Prem management web console as an administrator
  2. Navigate to Logs > Session types
  3. Use the filter options to narrow down results by:
    • Unattended sesssion / Attended session
    • Date range 
    • Action performed

Best Practices

  • Regularly review team logs for unusual activity patterns
  • Set up a schedule for log reviews as part of your security procedures
  • Export logs periodically for long-term archival
  • Use filters to quickly identify specific events or troubleshoot issues

2. Centralized Session Recording

Overview

Centralized Session Recording automatically captures video recordings of remote sessions, providing a complete visual record of all activities performed during remote access connections. This feature is critical for security audits, compliance requirements, and investigating security incidents.

Key Features

  • Automatic Recording: Sessions are recorded automatically based on configured policies
  • Centralized Storage: All recordings are stored on your On-Prem server infrastructure
  • Playback Controls: Review recordings with standard video playback controls
  • Retention Policies: Configure automatic cleanup based on storage capacity and compliance requirements

How to Enable and Configure

  1. Navigate to Settings > Team Settings > Centralized Session Recording
  2. Enable centralized session recording
  3. Configure recording settings:
    • Set what role can access recordings 
    • Set what role can remove recordings
  4. Save your configuration

How to Access Recorded Sessions

  1. Go to Logs > Remote Desktop Sessions > Recording
  2. Use search filters to locate specific sessions:
    • Date and time range
    • Username
    • Computer name
    • Session duration
  3. Click on a recording to play it back
  4. Use playback controls to review specific portions of the session

Storage Considerations

  • Session recordings can consume significant storage space depending on duration and quality settings
  • Plan for adequate storage capacity based on your expected session volume
  • Implement retention policies to automatically remove old recordings
  • Consider storage expansion if you need long-term retention for compliance

3. Syslog and SIEM Integration

Overview

Splashtop On-Prem can forward audit logs to external syslog servers or Security Information and Event Management (SIEM) systems. This integration enables centralized log management, correlation with other security events, and advanced analytics across your entire IT infrastructure.

Supported Integration Types

  • Syslog: Standard syslog protocol (UDP/TCP)
  • SIEM Platforms: Compatible with major SIEM solutions including:
    • Splunk
    • IBM QRadar
    • ArcSight
    • LogRhythm
    • Azure Sentinel
    • Other syslog-compatible SIEM systems

Configuration Steps

  1. Navigate to System > Syslog
  2. Enable syslog forwarding
  3. Configure connection details:
    • Syslog Server Address: IP address or hostname of your syslog/SIEM server
    • Port: Typically 514 (UDP) or 6514 (TCP/TLS)
    • Protocol: Select UDP, TCP, or TLS based on your requirements
    • Facility: Choose appropriate syslog facility (typically Local0-Local7)
    • Severity Levels: Select which severity levels to forward
  4. Test the connection to verify logs are being received
  5. Save the configuration

Log Format

Splashtop forwards logs in standard syslog format (RFC 5424 or RFC 3164), including:

  • Timestamp
  • Event type
  • User information
  • Source and destination computers
  • Session details
  • Result/status of actions

SIEM Integration Benefits

  • Centralized Visibility: View Splashtop events alongside other security logs
  • Correlation: Identify patterns by correlating remote access with other security events
  • Alerting: Set up automated alerts for suspicious activities
  • Compliance Reporting: Generate comprehensive reports across all systems
  • Long-term Retention: Leverage your SIEM's storage for extended log retention

Troubleshooting

  • Verify network connectivity between Splashtop On-Prem and syslog server
  • Check firewall rules to ensure syslog ports are open
  • Confirm syslog server is configured to accept logs from Splashtop
  • Review syslog format compatibility with your SIEM parsing rules

4. Session Transcripts

Types of Session Transcripts

Splashtop Gateway supports three types of session transcripts:

1. Chat Transcript

  • Records all chat conversations between the technician and the remote user during a remote support session
  • Captures both in-session and off-session chat messages (if enabled)
  • Useful for reviewing support interactions and verifying communications

2. Remote Command Transcript

  • Captures all commands executed via the Remote Command feature
  • Provides a complete audit trail of command-line operations performed remotely
  • Essential for security auditing and compliance

3. SSH Transcript

  • Records the terminal input/output of SSH sessions initiated through Splashtop
  • Captures complete terminal sessions including commands and their outputs
  • Critical for auditing privileged access to servers and network devices

Key Benefits

  • Searchable: Unlike video recordings, transcripts are fully text-searchable
  • Lightweight: Requires minimal storage compared to video recordings
  • Audit-Friendly: Easy to review specific commands or conversations without watching entire sessions
  • Compliance: Provides evidence of privileged command execution and user interactions
  • Forensics: Enables detailed investigation of what commands were run and what was communicated

How to Enable Chat Transcripts

Team Owners can enable or disable the option to save in-session and off-session chat transcripts to session logs in Team Settings.

Requirements: On-Prem Streamer v3.7.4.5 or above

For Unattended Access:

  1. Navigate to [Settings] > [Team Settings] > [Unattended access] in your Splashtop Gateway
  2. Locate the session security options
  3. Enable the relevant transcript options based on your needs

For Attended Access:

  1. Navigate to [Settings] > [Team Settings] > [Attended access] in your Splashtop Gateway
  2. Scroll to the session security section
  3. Toggle "Save in-session chat transcript to session logs" to enable chat transcript logging
  4. Save your settings

How to View Session Transcripts

Once transcript saving is enabled, you can access the saved transcripts through the web console Logs section.

To View Chat Transcripts:

  1. Navigate to [Logs] > [Chat] in your web console
  2. Review saved chat transcripts between technicians and remote users
  3. Filter by date, user, or session as needed

To View Remote Command Transcripts:

  1. Navigate to [Logs] > [Remote Command] in your web console
  2. Review all commands executed via the Remote Command feature
  3. Search for specific commands or filter by time period

To View SSH Transcripts:

  1. Navigate to [Logs] > [SSH] in your web console
  2. Review complete SSH session terminal input/output
  3. Filter transcripts by date, user, or target server

Use Cases

  • Support Quality Assurance: Review chat transcripts to ensure technicians are providing appropriate support
  • Security Auditing: Monitor privileged command execution through SSH and Remote Command transcripts
  • Compliance Requirements: Maintain records of all remote access activities for regulatory compliance
  • Incident Investigation: Quickly search transcripts to identify what actions were taken during a security incident
  • Troubleshooting: Review command histories to understand what operations were performed

Compliance and Retention Best Practices

Define Retention Policies

Establish clear retention policies based on:

  • Regulatory requirements (HIPAA, SOC 2, GDPR, PCI-DSS, etc.)
  • Industry standards
  • Organizational policies
  • Storage capacity

Regular Audit Reviews

  • Schedule periodic reviews of audit logs and recordings
  • Assign responsibility for log monitoring
  • Document review procedures
  • Investigate and document any anomalies

Access Control

  • Limit access to audit logs and recordings to authorized personnel only
  • Implement role-based access control (RBAC) for audit features
  • Log all access to audit data for additional accountability

Backup and Archival

  • Regularly back up audit logs, recordings, and transcripts
  • Store backups in secure, separate locations
  • Test restoration procedures periodically
  • Consider archival solutions for long-term compliance retention

Integration with Security Operations

  • Incorporate Splashtop audit data into your security monitoring workflow
  • Set up alerts for high-priority security events
  • Include Splashtop logs in incident response procedures
  • Use audit data for threat hunting and proactive security
1 out of 1 found this helpful

Articles in this section