Auditing, Shadowing & Alerts (devices)


 

There is not much difference between setting up permissions and defining audit, shadowing and alert rules for devices, so first read the Permissions section of this manual.

 

DeviceLock Service can use the standard Windows event logging subsystem to log a device's information. This is extremely useful for system administrators because they can use any event log reading software to view the DeviceLock audit log. You can use the standard Event Viewer, for example. DeviceLock Service can also use its own protected proprietary log. The data from this log is sent to DeviceLock Enterprise Server and stored centrally in the database. To define which log should be used, set the Audit log type parameter in Service Options.

 

To define rules for a device type, highlight it (use Ctrl and/or Shift to select several types simultaneously) and select Set Auditing, Shadowing & Alerts from the context menu available by the right mouse click. Alternatively, you can press the appropriate button on the toolbar.

 

There are two types of user access that can be logged to the audit log:

To enable logging to the audit log for one or both of these access types, check Audit Allowed and/or Audit Denied. To enable notification of successful and/or failed attempts to access a device, check Alert Allowed and/or Alert Denied. None of these flags is linked to users or groups; they apply to the whole device type.

 

DeviceLock sends alerts on the basis of alert settings. Before enabling alerts for specific events, you must configure alert settings in Service Options. 

 

The names of the users and user groups assigned to a device type are shown in the list of accounts on the top left-hand side of the Auditing, Shadowing & Alerts dialog box.

 

To add a new user or user group to the list of accounts, click on the Add button. You can add several accounts simultaneously.

 

To delete a record from the list of accounts, use the Delete button. Using Ctrl and/or Shift you can highlight and remove several records simultaneously.

 

Use the Set Default button to set default rules for devices: members of the Users group and the Everyone account have Read and Write audit rights and shadowing is disabled for them.

 

Using special time control, you can define a time when the rule for the selected user or user group will or will not be active. Time control appears at the top-right side of the Auditing, Shadowing & Alerts dialog box. Use the left mouse button and select the time when the rule is active (active time). To select a time when the rule is not active (inactive time), use the right mouse button. Also, you can use the keyboard to set times - arrow keys for navigation and the spacebar to toggle active/inactive time.

 

To define which user's actions on devices are to be logged to either the audit or shadow log or which actions will trigger alert notifications, set the appropriate rights. In the upper-left pane of the dialog box, under Users, select the user or group that you added. In the lower-left pane of the dialog box, under User's Rights, select either Allow or Deny to directly allow or deny a right.

 

All rights are divided into three groups: Audit, Shadowing and Alert. Each group has its own set of rights:

 

- Audit - rights that belong to this group are responsible for actions logged into the audit log.

 

NOTE: Until either Audit Allowed or Audit Denied is checked for the device type, logging to the audit log is disabled for that device in spite of defined audit rules.

 

Also, logging to the audit log is disabled for devices that are in the white list and for a whole class of devices if the access control for that class is turned off in Security Settings.

- Shadowing - rights that belong to this group are responsible for actions logged into the shadow log.

- Alert - rights that belong to this group are responsible for alert notifications.

 

NOTE: Until either Alert Allowed or Alert Denied is checked for the device type, notifications are disabled for that device in spite of defined rules.