
Windows - Forensics - Get Automox Remote Control Log (rc-Module.log)

Retrieve and analyze Automox Remote Control module logs for troubleshooting connectivity issues

Worklet Details

What the Remote Control Log Retrieval Worklet does

This Automox Worklet™ extracts error entries from the Remote Control module log file (rc-module.log) and outputs the results to the Automox Activity Log. The rc-module.log resides at C:\Program Files (x86)\Automox\modules\rc\rc-module.log and contains detailed records of Remote Control connection attempts, session events, and errors.

The Worklet retrieves the last 100 error entries by default, but supports six different retrieval modes. You can configure it to fetch the entire log, filter by specific dates, retrieve a custom number of entries, or extract only error-level events. This flexibility allows you to focus on relevant troubleshooting data without overwhelming endpoints with large data transfers.

Why diagnose Remote Control module issues

Remote Control failures disrupt support workflows and increase resolution times for critical issues. By accessing rc-module.log entries centrally through Automox, you eliminate the need for manual log access on each endpoint and can quickly identify connection failures, authentication problems, or configuration mismatches.

The module log captures network connectivity errors, timeout events, and session termination reasons. Having this data in your Activity Log creates a searchable audit trail of Remote Control usage and helps you troubleshoot patterns across multiple endpoints simultaneously. You can correlate log entries with Worklet execution times and system events to pinpoint root causes.

How rc-module.log analysis works

  1. Evaluation phase: Checks whether the rc-module.log file exists at the standard location. If the log file is present, the Worklet flags the endpoint for remediation. If the log does not exist, the Worklet exits without action.

  2. Remediation phase: Executes the Get-AmRemoteControlLog function to retrieve log entries based on the configured mode. By default, it returns the last 100 error-level entries. The Worklet outputs all matching entries to the Automox Activity Log for review and analysis.
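The two phases above, sketched as an added example that is not Automox's Worklet code. Get-RcLogEntries and its mode names are hypothetical stand-ins for Get-AmRemoteControlLog (the page does not list its parameters), and the log line layout, the "error" keyword match, and the sample entries are assumptions constructed for illustration.

```powershell
# Added example, not Automox's code. Get-RcLogEntries and its mode names are
# hypothetical stand-ins for Get-AmRemoteControlLog, whose parameters the page omits.
$LogPath = 'C:\Program Files (x86)\Automox\modules\rc\rc-module.log'  # path from the page

function Get-RcLogEntries {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('Full','LastLines','LastErrors','Date','DateLines','DateErrors')]
        [string]$Mode = 'LastErrors',
        [int]$Count = 100,   # page default: last 100 error entries
        [string]$Date        # date text exactly as written in the log (assumed format)
    )
    $lines = @(Get-Content -LiteralPath $Path -ErrorAction Stop)
    if ($Mode -like 'Date*') {
        if (-not $Date) { throw "Mode '$Mode' requires -Date" }
        # Assumes one entry per line, each carrying its date as literal text.
        $lines = @($lines | Where-Object { $_.Contains($Date) })
    }
    if ($Mode -like '*Errors') {
        # Assumes error-level entries contain the word "error" (case-insensitive).
        $lines = @($lines | Where-Object { $_ -match '\berror\b' })
    }
    if ($Mode -in 'LastLines','LastErrors','DateLines','DateErrors') {
        $lines = @($lines | Select-Object -Last $Count)   # newest entries only
    }
    $lines
}

# Constructed sample log so the example runs without the module installed.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'rc-module-demo.log'
@(
    '2024-05-01 10:00:01 INFO  session requested'
    '2024-05-01 10:00:05 ERROR connection timed out'
    '2024-05-02 09:12:44 ERROR authentication failed'
    '2024-05-02 09:13:00 INFO  session closed'
) | Set-Content -LiteralPath $demo

# Evaluation: if the log is absent there is nothing to collect, so exit without action.
if (-not (Test-Path -LiteralPath $demo -PathType Leaf)) { Write-Output 'Log not found'; exit 0 }

# Remediation: write matches to stdout (assumed to be what reaches the Activity Log).
$hits = @(Get-RcLogEntries -Path $demo -Mode DateErrors -Date '2024-05-02')
if ($hits.Count -eq 0) { Write-Output 'No matching entries found' } else { $hits }
exit 0
```

Save it as a .ps1 file and run it with powershell -File, since the exit statements close an interactive console. To read the real log on an endpoint, pass $LogPath instead of $demo.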

Remote Control log analysis requirements

  • Windows Server 2016 or later, or Windows 10/11 workstations

  • PowerShell v4 or higher

  • Automox agent with Remote Control module installed

  • Read access to C:\Program Files (x86)\Automox\modules\rc\ directory

  • Six retrieval modes available via mode parameter: full log, last N lines, last N errors, date-filtered, date-filtered lines, or date-filtered errors

Expected Remote Control diagnostic output

After the Worklet runs, the Activity Log contains timestamped entries from rc-module.log. You can review error messages, connection timeout details, and authentication failures. Each log entry includes the timestamp when the event occurred, allowing you to correlate Remote Control issues with other system events on that endpoint. You can verify this change through the Automox Activity Log or by checking the endpoint configuration directly.

If no log entries match your search criteria, the Worklet notifies you that no matching entries were found. This indicates either that no errors have occurred in the specified timeframe or date range, or that you need to adjust your search parameters. Schedule this Worklet regularly during Remote Control troubleshooting sessions to maintain a running diagnostic log.

How to validate Get Automox Remote Control Log (rc-module.log) changes

  1. Run this Worklet on a pilot Windows endpoint and review the evaluation output for Get Automox Remote Control Log (rc-module.log).

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state using checks aligned to evaluation script logic, such as Remote-Control, Module-FAQs, Test-Path.

  4. Validate remediation effects from script operations such as Get-AmRemoteControlLog, Remote-Control, Module-FAQs, then rerun evaluation for compliance.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
