UAM log filter

After applying a filter, the user activity monitor sessions are listed in the console according to the filter settings. To access the settings, use the Filter command from the shortcut menu of the UAM log viewer, which opens a dialog box to set, view, or change the filter settings.

•Include - Display only the sessions that match the condition specified. To set up and apply these conditions, select the Enable filter check box on the Include tab and specify conditions on that tab.

•Exclude - Do not display the sessions that match the conditions specified. To set up and apply these conditions, select the Enable filter check box on the Exclude tab and specify conditions on that tab.

Note: The mark next to the tab name turns green if the filter on that tab is enabled. Otherwise, the mark is gray.

When the filter is enabled, its conditions are defined by entering values in the following fields:

Important:

•If only the Video check box is selected, the filter matches only sessions with video recording without keystrokes recording.

•If only the Keylogger check box is selected, the filter matches only sessions with keystrokes recording without video recording.

•If both check boxes are selected, the filter matches sessions with video and/or keystrokes recording.

•Computer - The name of the computer on which the monitoring session was recorded. You can use wildcards, as well as specify multiple names separated by semicolons.

The Computer field is only available in the log filter on the DeviceLock Enterprise Server. This field is not available in the log filter on the DeviceLock Service.

•Rule - The name of the rule that caused the recording. You can use wildcards, as well as specify multiple rules separated by semicolons.

•Reason - Description of the reason of triggering the rule that caused the recording. You can use wildcards, as well as specify multiple reasons separated by semicolons.

•Duration - The time span (days, hours, minutes, and seconds) during which recording continued. Possible settings: greater than, less than or equal to the specified value, or in the interval between the specified pair of values.

The value is entered in the format days:hours:minutes:seconds. Non-significant zeros can be omitted. For example, 00:00:30:00 is equivalent to 30:00, and means 30 minutes.

•User - The name of the user whose activity was recorded in the monitoring session. You can use wildcards, as well as specify multiple names separated by semicolons.

•Server - The name of the DeviceLock Enterprise Server computer that received the session recording from the DeviceLock Service. You can use wildcards, as well as specify multiple names separated by semicolons.

The Server field is only available in the log filter on the DeviceLock Enterprise Server. This field is not available in the log filter on the DeviceLock Service.

•Keylogger - Filtering by data that the user entered from the keyboard during the monitoring session:

•Window title - The title of the application window into which the user typed. You can use wildcards, as well as specify multiple titles separated by semicolons.

•Keyboard input - The words/phrases the user typed. You can use wildcards, as well as specify multiple phrases separated by semicolons.

Note:

•Filtering applies to typed characters only. Filter disregards the names of non-character keys pressed, such as Shift, Alt, Del, Left, Right, End, etc., which are also recorded in the keylog. For example, the serial number filter string matches serial number as well as serial [Shift]number in the keylog.

•To configure a filter that matches records containing passwords, specify the following mask in the Keyboard input field: *<password>*</password>*

•Process name - The name and path of the executable file of the application into which the user typed. You can use wildcards, as well as specify multiple processes separated by semicolons.

•From, To - The time range settings to filter by record start date and time. These settings are available in the log filter on the DeviceLock Service.

•Generated Date/Time - The time range settings to filter by record start date and time on the DeviceLock Service. These settings are available in the DeviceLock Enterprise Server’s log filter.

•Received Date/Time - The time range settings to filter records by date and time they were received from the DeviceLock Service. These settings are available in the DeviceLock Enterprise Server’s log filter.

•Consolidation - The fields to filter by log consolidation-related data (see Consolidating Logs):

•Server - The name of the remote server from which the record was last received during log consolidation. You can use wildcards, as well as specify multiple names separated by semicolons.

•From, To - The time range settings to filter records by time they were last received from the remote server during log consolidation.

The consolidation-related fields are only available in the log filter on the DeviceLock Enterprise Server. In the log filter on the DeviceLock Service, these fields are not available.

•First Record - Filter starting with the earliest date and time in the respective log field.

•Filter conditions are combined by AND logic, that is, a given session matches the filter if it matches each of the filter conditions. Clear the fields that are not to be used in the filter conditions.

•Filter string fields may include wildcards, such as an asterisk (*) or a question mark (?). An asterisk represents zero or more characters; a question mark represents any single character.

•Filter string fields may include multiple values separated by a semicolon (;). In this case, the values are combined by OR logic, that is, a given session matches the filter condition on a particular field if it matches at least one of the values specified in that field.

•The Clear button in the Filter dialog box provides the option to remove all the defined filter conditions and start setting up a new filter from scratch.

•The Save and Load buttons in the Filter dialog box are used to save the filter conditions to a file and to load previously saved filter conditions from a file.