Auditing, Shadowing & Alerts (protocols)


 

DeviceLock provides the capability to audit and shadow copy data/file transfers via different protocols. Also, you can enable alerts that are sent when a specific user attempts to access a specific protocol.

 

For auditing and shadow copying at the transport level, DeviceLock uses two types of logs: Audit Logs and Shadow Logs. The Audit Log is used to audit access to protocols and track what individual users do. Audit data can be written to the Windows Event Log, to the DeviceLock proprietary log, or both. To define which log is used, set the Audit log type parameter in Service Options. To view audit log data, use either DeviceLock Service Audit Log Viewer or DeviceLock Enterprise Server Audit Log Viewer.

 

The Shadow Log is used to store a full copy of data/files transferred via specified protocols. To view shadow log data, use either DeviceLock Service Shadow Log Viewer or DeviceLock Enterprise Server Shadow Log Viewer.

 

Auditing, shadow copying of data transferred via specified protocols, and alert notifications are enabled by defining audit, shadowing and alerts rules. Each rule is associated with a protocol and specifies the users or groups it applies to, together with the audit/shadowing/alerts rights that determine which user actions are audited or shadow copied and which events trigger alert notifications.

 

You can specify the following audit, shadowing and alerts rights (alerts rights are exactly the same as audit rights):

 

- File Sharing:
- FTP:
- HTTP:
- ICQ/AOL Messenger:
- IRC:
- Jabber:
- Mail.ru Agent:
- MAPI:
- Skype:
- SMB:
- SMTP:
- Social Networks:
- Telnet:
- Web Mail:
- Windows Messenger:
- Yahoo Messenger:

 

 

To define the default audit and shadowing rules

 

1. In the upper-left area of the dialog box, specify which events are written to the Audit Log. Select the Audit Allowed check box to audit successful attempts to gain access to a protocol. Select the Audit Denied check box to audit unsuccessful attempts to gain access to a protocol.

 

2. In the upper-left pane of the dialog box, under Users, click Set Default. The default audit and shadowing rules apply to the Users and Everyone groups.

 

To define audit, shadowing and alerts rules for an additional user or group

 

1. In the upper-left area of the dialog box, specify which events are written to the Audit Log. Select the Audit Allowed check box to audit successful attempts to gain access to a protocol. Select the Audit Denied check box to audit unsuccessful attempts to gain access to a protocol. To enable notification of successful and/or failed attempts to access a protocol, select Alert Allowed and/or Alert Denied. These flags are not linked to users or groups; they apply to the protocol as a whole.

 

DeviceLock sends alerts on the basis of alert settings. Before enabling alerts for specific events, you must configure alert settings in Service Options.

 

2. In the upper-left pane of the dialog box, under Users, click Add. The Select Users or Groups dialog box appears.

 

3. In the Select Users or Groups dialog box, in the Enter the object names to select box, type the name of the user or group, and then click OK. The users and groups that you added are displayed under Users in the upper-left pane of the Auditing, Shadowing & Alerts dialog box.

 

4. In the upper-left pane of the Auditing, Shadowing & Alerts dialog box, under Users, select the user or group. You can select multiple users or groups by holding down the SHIFT key or the CTRL key while clicking them.

 

5. In the lower-left pane of the Auditing, Shadowing & Alerts dialog box, under User's Rights, select either Allow or Deny to directly allow or deny the appropriate rights. 

 

In the right pane of the Auditing, Shadowing & Alerts dialog box, you can specify days and hours (for example, from 7 AM to 5 PM Monday through Friday) when the rule for the selected user or group will or will not be active. Use the left mouse button to select days and hours when the rule is active (active time). Use the right mouse button to mark days and hours when the rule is not active (inactive time).