Kaseya Community

Alert when a technician remotely accesses a specific machine?

This question is answered

We would like to setup alerts or service desk tickets or automated emails when a VSA user remotely accesses a specific computer (such as the CEO or another high level Executive). We don't want to block access to these machines as there are occasions where access is needed, but we want to receive an alert in real time when this occurs.

Does anyone know of a way to do this?

Verified Answer
  • We have a "Monitor Set" for that. We use it to populate Kaseya Views such as "RC Started Last 60 minutes". You could create this monitor set, and apply to your target machine with email alerts.

    XML to import this monitor set:

    <?xml version="1.0" encoding="UTF-8" ?>
    <monitor_set_definition version="1.0">
    <MonitorSet name="KRC-KVNC-RDP is Active" description='Shows if KRC (or other RC tool is active)' enableCounterMatching='0'>
    <Counters>
    </Counters>
    <Services>
    </Services>
    <Processes>
    <Process name='KaseyaRemoteControlHost.exe' processDescription='KRC exe file' description='KRC Remote Control Host' monitorDirection='Up' reArm='1200'/>
    <Process name='KRlyCLis.exe' processDescription='Kaseya Relay Client for VNC / RDP' description='KVNC RDP K-Relay Client' monitorDirection='Up' reArm='1200'/>
    </Processes>
    </MonitorSet>
    </monitor_set_definition>

All Replies
  • We have a "Monitor Set" for that. We use it to populate Kaseya Views such as "RC Started Last 60 minutes". You could create this monitor set, and apply to your target machine with email alerts.

    XML to import this monitor set:

    <?xml version="1.0" encoding="UTF-8" ?>
    <monitor_set_definition version="1.0">
    <MonitorSet name="KRC-KVNC-RDP is Active" description='Shows if KRC (or other RC tool is active)' enableCounterMatching='0'>
    <Counters>
    </Counters>
    <Services>
    </Services>
    <Processes>
    <Process name='KaseyaRemoteControlHost.exe' processDescription='KRC exe file' description='KRC Remote Control Host' monitorDirection='Up' reArm='1200'/>
    <Process name='KRlyCLis.exe' processDescription='Kaseya Relay Client for VNC / RDP' description='KVNC RDP K-Relay Client' monitorDirection='Up' reArm='1200'/>
    </Processes>
    </MonitorSet>
    </monitor_set_definition>

  • That works great. Any idea how to (or if its even possible to) include which technician started the remote session and who the last logged in user on that computer was? The last logged on user is generally the main user of that computer so this would allow at a quick glance to see technician X has accessed the CEOs computer, etc.

  • Getting the Windows logged in user should be pretty easy. When the Monitor set triggersm run a procedure that includes

    function: ExecuteShellCommandToVariable

    Execute as: user

    command: whoami

    Then later in the procedure use the Function to SendEmail with #global:cmdresults# in the body.

    It could very well be possible to get the name of the Kaseya Admin using the SQLRead function in the procedure. I've not done that before.

    The sql query would be something along the lines of:

    SELECT adminName FROM KaseyaRemoteControl.Log WHERE agentGuid = #vMachine.agentGuid# AND completed = 0 AND lastActiveTime >= DATEADD(n, -1, GETDATE())


    KaseyaRemoteControl.Log is the SQL table in ksubscribers DB that contains info about active or completed RC sessions. The SQL statement above should be a good start, but probably needs (absolutely needs) some tweaking before putting into the XML SQLRead folder on the server.

    About SQLRead: http://help.kaseya.com/WebHelp/EN/VSA/9050000/#11625.htm

    Hopefully someone else on the forum can help cleanup the sql statement making it fit for use with SQLRead.  Good Luck!

  • This is where our Intelligent Ticket Processing (ITP) system stands out. Using myArch-man's monitor, we can define that to execute a code module. This momentarily places the ticket "on hold" in ITP until the additional code runs and data is gathered. This can be an agent procedure to return the WhoAmI results, then an API call to return the Remote Control Log data via API. With that, in one PSA ticket, you would have the 'Executive Remote Access" alert, the user currently logged in, and the person initiating the connection. While this would require a custom code module for the API call, those are usually turned around in 2-3 days and don't cost anything more than the $199 monthly subscription.

    Timing is everything - the VSA is queried every 60 seconds for events, and ITP event processing takes less than 1 second in almost all cases. Allowing 2 minutes for email delivery to the PSA (slowest method), your complete alert with all data would be available within 3 minutes of when it occurred. I would even offer a way to detect executive users and automatically apply these monitors to their systems. :)

    Glenn