Client Activity Record

1E clients capture certain types of event data in a local database (refer to Persistent Storage) that instructions can query later. Data is compressed and encrypted in a way that ensures a very low impact on device performance and security.

Client Activity Record, also known as 1E Inventory, is similar to Windows Task Manager and Perfmon. On Windows client devices, 1E captures events continuously, so all significant events are recorded as they happen. Other operating systems use polling, so the polling must be frequent enough to ensure that brief events are captured.

The type of data captured is described below, and the configuration options for each capture source are described in Inventory module settings. There are DEXPack instructions for getting and setting these configuration options.

For more information about the Client Activity Record, refer to Client Activity Record in our SDK documentation.

Capture sources

The table below lists the capture sources supported by the Client Activity Record feature, and on which OS they are supported.

| Source Name | Description | Windows | macOS | Linux |
|---|---|---|---|---|
| ARP | ARP cache entries: The Inventory module captures the results of cached IP address to physical address resolutions. | 3.2 | n/a | n/a |
| BootPerformance | Windows boot performance metrics. | 8.0 | n/a | n/a |
| DeviceInteraction | User session input metrics (keyboard and mouse activity). | 5.1 | n/a | n/a |
| DevicePerformance | Device performance metrics gathered by interrogating Windows Performance Counters. These metrics cover disk, memory, network, and processor performance. This capture source is required by the Experience Analytics application. | 5.0 | n/a | n/a |
| DeviceResourceDemand | Disk, network, memory, and processor performance metrics. | 5.1 | n/a | n/a |
| DNS | DNS resolution queries: The Inventory module captures whenever a DNS address is resolved. | 2.1 | 2.1 | n/a |
| OperatingSystemPerformance | Performance metrics for OS: The metrics executable runs every 4 hours by default. This capture source is required by the Experience Analytics application. | 5.0 | n/a | n/a |
| PerformanceEvent | Distinct events which may be of relevance when diagnosing performance or end-user experience issues. | 5.0 | n/a | n/a |
| Process | Process execution: The Inventory module captures whenever a process starts on the device. | 2.1 | 2.1 | 2.1 |
| ProcessStabilization | The time taken for a process execution to be considered stable whenever a monitored process starts on the device. | 3.2 | n/a | n/a |
| ProcessUsage | A daily summary of the launches and terminations of processes. The Process Usage capture source is required by the 1E Powered Inventory feature (1E connector). Process Usage capture can generate high disk I/O while capturing process usage on virtual machine hosts with guests starting at the same time. | 3.2 | n/a | n/a |
| SensitiveProcess | Performance metrics for sensitive processes: The metrics executable runs every 4 hours by default. This capture source is required by the Experience Analytics application. | 5.0 | n/a | n/a |
| Software | Software installs/uninstalls/presence: The Inventory module captures whenever software is installed/uninstalled, and it also captures which software is present on a device. | 2.1 | 2.1 | 2.1 |
| SoftwareInteraction | Software process responsiveness and duration of active interaction. | 5.1 | n/a | n/a |
| SoftwarePerformance | Performance metrics for software: Software performance polling is every 10 seconds by default. This capture source is required by the Experience Analytics application. Aggregated with SoftwarePerformance data: SoftwarePerformance.DiskUsage (disk-related metrics for each running process) and SoftwarePerformance.ProcessNetworkUsage (network-related metrics for each running process). | 5.0 | n/a | n/a |
| TCP | Outbound TCP connections: The Inventory module captures whenever an outbound TCP connection is made. | 2.1 | 2.1 | 2.1 |
| UserUsage | A daily summary of all the logons and logoffs of users. This capture source is required by the 1E Powered Inventory feature (1E connector). | 3.2 | n/a | n/a |

Data management and retrieval

The data is captured and stored in a local, encrypted, persistent store and then periodically aggregated according to an ongoing daily, weekly, or monthly window. This means that the data is held securely, and the amount of data is minimized while still maintaining its usefulness.

1E provides a number of DEXPack instructions that will let you interrogate your 1E Client devices for the data they hold.