Introduction

Starting from version 2.4, WebADM introduces an advanced AI-powered activity reporting feature designed to provide actionable insights from system and access logs. By leveraging state-of-the-art language models such as OpenAI GPT-4o, Google Gemini, Anthropic Claude, or DeepSeek, administrators can generate natural-language reports tailored to specific operational needs.

This feature enables on-demand creation of detailed reports based on log data collected across various integrated systems—such as VPN, badging access, and client applications. Example use cases include identifying employee arrival times, distinguishing between remote and on-site work, detecting login activities, or highlighting potential security anomalies like suspicious authentication attempts.

To ensure data privacy, all information transmitted to the language models is anonymized by WebADM before being sent. Reports can be generated through AI API Keys for third-party models or via credits linked to an RCDevs customer license using RCDevs’ cloud infrastructure.

This integration empowers IT teams with a powerful, flexible tool to analyze log data more efficiently, with natural language prompts and zero need for complex scripting or manual log inspection.

If you are using your own LLM account, you must configure the model in /opt/webadm/conf/webadm.conf and set the API key using the following settings:

#  The generation of AI reports is compatible with Cloud LLM models or engines.
# By default RCDevs CloudAI is used and requires license activation and credits.
# Any AI model from Coogle Gemini, OpenAI GPT-4o, Anthropic Claude and DeepSeek
# is supported (ex. Gemini-1.5-Flash, GPT-4o-Mini or Clause-3.5-Haiku-latest).
ai_engine "Gemini-1.5-Flash"
ai_apikey "YOUR-AI-PROVIDER-APIKEY"

Activity Reports Object Creation

Log in to the WebADM Administrator Portal as a super administrator, click on the Admin tab, and you will see the Activity Reports box.
On the next page, click the Add Report button.

Activity Reports Menu

Provide a name that identifies the report you are creating. In this example, I will create a report for devices authenticating on my network. Click Proceed, then click Create Object.

Activity Reports object Creation
Activity Reports object Creation

You are now entering the configuration menu.

Activity Reports Object Settings

Below is the description of the available settings.

Disable Report
Yes / No (default)
Enable or disable this report. If set to Yes, the report is not generated or executed.

User Search Base
Example: ou=Users,o=RCDevs
Defines the LDAP subtree used to search for users. Only users within this subtree will be included in the report.

SQL Datasource
Options: WebApp & WebSrv, Access, Network

Specifies the log source database:

  • WebApp & WebSrv: Logs from Web Applications and Web Services
  • Access: Mobile badging and time tracking logs
  • Network: Logs from network access control devices

Report Prompt
A natural language prompt used to guide AI in generating detailed reports.
Example:

  • Section 1: Summarise login success and failure for all users.
  • Section 2: List users who logged into Client VPN with access times.
  • Section 3: List first Wifi access times per user.
  • Section 4: List users/IPs with more than 10 failures, excluding 1.2.3.4.

Note: If left empty and no alert condition is set, the report will simply return the raw SQL dataset.

Report Period
In hours. Default: 0 (manual only)

Sets the frequency of report generation.

  • Use 1h for attack detection.
  • Use 24h for daily statistics.

Shorter intervals generate lighter reports and use fewer AI tokens.

Report Format
HTML (default)
Defines the output format. HTML is recommended for structured and readable reports.

Anonymize Request
Yes (default) / No
Replaces user DNs and source IPs with anonymized placeholders in AI requests.
Recommended for GDPR compliance.

Forward Email
Optional. Send a copy of the generated report to one or more configured email addresses.

Forward URL
Optional. Send a copy of the report to an external service via HTTP POST.

Extra Data
Options: GeoIP, Office, Local
Enhance the report with contextual information:

  • GeoIP: Adds country code based on source IP (public only)
  • Office: Indicates whether the user is remote or in-office (based on network/location)
  • Local: Identifies if the user account is local or from a cloud identity provider

Alerting Settings

Alert Condition
A natural language condition that defines when an alert should be raised.
Example: Trigger if any source IP produces more than 100 login failures.

Alert Email
Send the alert notification to the specified email addresses when conditions are met.

SQL Data Filtering

Grouped By
Default (default)

Enables grouping of similar log events (applicable for WebApp and WebSrv).
Reduces dataset size by counting occurrences while omitting timestamps.
Highly recommended to group failure events.

Include Details
Yes / No (default)
If enabled, includes detailed event information in the AI prompt.
Note: May expose usernames and user actions.

Applications
Example: OpenID, PwReset, SelfDesk, etc.
Restricts log extraction to events from selected Web Applications or Web Services.

Client Policies
Example: VPN, Mail, Wifi, Office365, etc.
Restricts log extraction to events associated with specific client policies.

Configuration Examples

Network Access

Below is a simple daily report of device authentications on your network. An alert is triggered if more than 10 authentication failures are detected.

Network Activity Reports Configuration
Network Activity Reports Configuration

Save your Report.

User Activity

This AI-generated report provides an overview of user authentication activity across multiple services.

Sections Included in the Report:

  • Section 1: Login Summary
    Presents a table summarizing the number of successful and failed login attempts for each user during the report period.

  • Section 2: VPN Access Log
    Lists all users who successfully authenticated to the Client VPN, along with the complete list of their access timestamps.

  • Section 3: Wifi Access Log
    Displays users who successfully connected to the Client Wifi, including the timestamp of their first successful access.

  • Section 4: Website Access Log
    Shows users who successfully logged into the Client Website, along with the timestamp of their first successful login.

  • Section 5: Repeated Failures
    Identifies users and source IP addresses (excluding x.x.x.x) that recorded more than 10 authentication failures. This section is useful for spotting brute-force or misconfigured client behaviors.

Alert Condition:

An alert is raised if any user or source IP (excluding x.x.x.x) experiences more than 100 authentication failures during the reporting period. This condition may indicate a possible attack or system misuse and should be investigated promptly.

User Activity Reports Configuration
User Activity Reports Configuration
User Activity Reports Configuration

User Presence

This AI-generated report provides a detailed view of user attendance based on badge access logs, helping to track punctuality, presence in the office, and potential anomalies in time tracking behavior.

Sections Included in the Report:

  • Section 1: Arrival Summary Table
    A structured table with the following columns:

    • User: Displays the username.
    • Arrived: Shows the time of the user's first badge-in of the day.
    • Office: Displays a colored check flag indicating if the user worked from the office (based on network or location detection).
    • Country: Shows the user's country based on GeoIP resolution.

  • Section 2: Late Arrivals
    Lists all users whose first badge-in time was after 11:00 AM. Each user is listed on a separate line.

  • Section 3: Missing Badge-Out
    Identifies users who badged in using time tracking but did not badge out by the end of the day. This may indicate forgotten check-outs or irregular activity. Users are listed one per line for clarity.

Alert Condition:

An alert is triggered if any user badges in after 11:00 AM. This allows supervisors or HR to monitor late arrivals in real time.

User Presence Reports Configuration
User Presence Reports Configuration

Generated Report Table Access

All AI generated reports are stored in the SQL databases configured with WebADM. To review it, access the WebADM Administrator Portal, click on Databases tab, then under SQL Data Tables section, click on User Activity & Incident Reports.

Database Viewer for User Activity & Incident Reports

Generated Reports Example

The example reports below were retrieved from a production system and anonymized to preserve confidentiality.

User Activity Report

User Activity

User Presence Report

User Presence