Audit Log Viewer (Service)
There is a built-in audit log viewer that allows you to retrieve DeviceLock audit log records from a computer’s local Windows event logging subsystem.
The standard Windows event logging subsystem is used to store audit records if Event Log is selected in the Audit log type parameter in Service Options. If DeviceLock Log is selected, audit records are stored in the server log and can be viewed using the server’s audit log viewer (see Audit Log Viewer (Server)).
The audit log stores events generated by a user’s device-related activities that fall under the audit rules. For more information, refer to the Auditing, Shadowing & Alerts (Regular Profile) section of this manual.
Also, changes in a DeviceLock Service’s configuration generate events in the audit log, if the Log Policy changes and Start/Stop events parameter is enabled in Service Options.
The columns of this viewer are defined as follows:
Type - The type of the event can be one of the following:
    Success - DeviceLock has allowed a certain action, such as reading, writing or transferring a file or data.
    Failure - DeviceLock has denied a certain action, such as reading, writing or transferring a file or data.
    Information - DeviceLock has successfully applied a Content-Aware Rule for content detection.
    Warning - DeviceLock encountered a condition that may cause a problem unless action is taken. A brief description of the issue or condition DeviceLock encountered can be found in the Reason or Action field.
    For instance, a warning can be caused by an issue that occurred when applying a Content-Aware Rule for content detection, as a result of which DeviceLock was unable to inspect the content of the file indicated in the Name field of the event record.
Date/Time - The date and time that the event was received by DeviceLock Service.
Source - The type of the device or protocol involved. Service can also be indicated as the source if the event is caused by an action that affects DeviceLock Service.
Action - The action that caused the event.
Name - The name of the object (file, USB device, etc.).
Information - Other device- or protocol-specific information for the event, such as the access flags, the device or protocol name, device ID, device description from the USB Devices Database, and so on.
Reason - Indicates why the event occurred or what caused it. Possible values include:
    Device Permissions - The event was caused by an attempt to access, read from or write to a particular device.
    Protocol Permissions - The event was caused by an attempt to connect, send or receive data through a particular protocol.
    Security Settings - The event was caused by the triggering of a certain security setting for devices or protocols (see Security Settings Description for devices and Security Settings Description for protocols).
    Rule - The event was caused by the triggering of a certain Content-Aware Rule.
    This value is normally followed by the name of the rule and a brief description of the content matches, keywords and/or file types that triggered it. For instance, if a rule employs a Keywords group, the description lists the words that the rule reacted to.
    If the rule failed to execute due to an error, a brief description of the error is provided, such as “DeviceLock Server unreachable”, “DeviceLock Server is too busy”, “Corrupted data” or “Password protected”.
    White List - The event was caused either by a white-listed USB device or by the triggering of a certain Protocol White List rule. This value is followed by the name of the respective device or rule.
    IP Firewall - The event was caused by the triggering of a certain rule of the Basic IP Firewall. This value is followed by the name of the respective rule.
    Content-Aware Rule error - Normally indicates that DeviceLock was unable to apply Content-Aware Rules to some file or data. As a result, the user was denied access to or transfer of that file or data.
    Local Storage Quota Exceeded - DeviceLock was unable to apply a rule to or create a shadow copy of some file or data because the size of the local storage directory has exceeded the local storage quota (for details, see Local storage quota (%)). As a result, the user was denied access to or transfer of the file or data.
    Shadowing error - DeviceLock was unable to create a shadow copy of some file or data due to an error accessing the local storage directory. As a result, the user was denied access to or transfer of the file or data.
    Passthru - The event was caused by any of the following conditions:
        A device was removed from a USB port.
        A removable device was mounted or unmounted.
        A connection was made to a remote host that serves multiple web-based protocols, where protocol permissions allow connection to that host while other connections through HTTP are blocked. In this case, HTTP is indicated as the event source.
User - The name of the user associated with this event.
PID - The identifier of the process associated with this event.
Process - The fully qualified path to the process executable file. In some cases, the process name may be displayed instead of the path.
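As an added example (not part of the DeviceLock manual or product), the following Python parses a constructed tab-separated export of records with the columns listed above and pulls out what a reviewer of this log typically wants: Failure counts per user, events where the denial stems from an inspection or shadowing error rather than a policy match (the Content-Aware Rule error, Local Storage Quota Exceeded and Shadowing error reasons), and a process name normalized for the case where the Process column holds a bare name instead of a full path. The export layout and every record value are assumptions constructed for this example.

```python
import csv
import io
import ntpath
from collections import Counter

# Constructed sample export (tab-separated, one record per line) using the viewer's column
# names; every value below is made up for this example, not taken from a real deployment.
SAMPLE_AUDIT_EXPORT = """\
Type\tDate/Time\tSource\tAction\tName\tInformation\tReason\tUser\tPID\tProcess
Success\t2024-03-01 09:12:03\tRemovable\tWrite\tq1-report.xlsx\tGeneric Write\tDevice Permissions\tCORP\\alice\t4120\tC:\\Windows\\explorer.exe
Failure\t2024-03-01 09:14:55\tRemovable\tWrite\tcustomers.csv\tGeneric Write\tRule: Block PII (keywords: SSN, DOB)\tCORP\\bob\t5018\tC:\\Windows\\explorer.exe
Warning\t2024-03-01 09:15:10\tRemovable\tWrite\tarchive.zip\tGeneric Write\tContent-Aware Rule error: Password protected\tCORP\\bob\t5018\texplorer.exe
Failure\t2024-03-01 09:20:41\tHTTP\tOutgoing Message\twebmail.example\tHost: webmail.example\tProtocol Permissions\tCORP\\bob\t6330\tC:\\Program Files\\Browser\\browser.exe
Failure\t2024-03-01 09:22:02\tRemovable\tWrite\tbackup.dat\tGeneric Write\tShadowing error\tCORP\\carol\t4310\tC:\\Windows\\explorer.exe
"""

# Reason values the manual describes as denials caused by a DeviceLock error rather than by policy.
INSPECTION_ERROR_REASONS = ("Content-Aware Rule error",
                            "Local Storage Quota Exceeded",
                            "Shadowing error")


def parse_audit_export(text):
    """Parse the tab-separated export into dicts keyed by the viewer's column names."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def failures_per_user(records):
    """Count Failure events per User; a spike for a single account is worth a closer look."""
    return Counter(r["User"] for r in records if r["Type"] == "Failure")


def inspection_errors(records):
    """Events where inspection or shadowing itself failed: the user was denied because
    DeviceLock could not inspect or shadow the data, not because a rule matched its content."""
    return [(r["User"], r["Name"], r["Reason"])
            for r in records if r["Reason"].startswith(INSPECTION_ERROR_REASONS)]


def process_name(record):
    """Normalize the Process column, which holds a full path or, in some cases, just the name."""
    return ntpath.basename(record["Process"])


if __name__ == "__main__":
    recs = parse_audit_export(SAMPLE_AUDIT_EXPORT)
    print("failures per user:", dict(failures_per_user(recs)))
    for user, name, reason in inspection_errors(recs):
        print(f"inspection/shadowing error: {user} {name!r}: {reason}")
    print("processes seen:", sorted({process_name(r) for r in recs}))
```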