Auditing, Shadowing & Alerts Dialog Box
To define online (regular) audit and shadowing rules for a device type, highlight it (use Ctrl and/or Shift to select several types simultaneously), right-click, and select Set Auditing, Shadowing & Alerts from the shortcut menu. Alternatively, you can click the appropriate button on the toolbar.
There are two types of user access that can be logged to the audit log:
Allowed - All access attempts that were permitted by DeviceLock Service, that is, the user was able to access a device.
Denied - All access attempts that were blocked by DeviceLock Service, that is, the user was not able to access a device.
To enable logging to the audit log for one or both of these access types, check Audit Allowed and/or Audit Denied. These flags are not linked to users or groups; they apply to the whole device type.
The names of the users and user groups assigned to a device type are shown in the list of accounts on the top left-hand side of the Auditing, Shadowing & Alerts dialog box.
To add a new user or user group to the list of accounts, click Add. You can add several accounts simultaneously.
To delete a record from the list of accounts, use the Delete button. Using CTRL and/or SHIFT you can select and remove several records simultaneously.
Use the Set Default button to set default audit and shadowing rules for devices: members of the Users group and the Everyone account have Read and Write audit rights and shadowing is disabled for them.
Using the time control, you can define when the audit rule for the selected user or user group is or is not active. The time control appears at the top-right side of the Auditing, Shadowing & Alerts dialog box. Use the left mouse button to select the time when the rule is active (audit time). To select a time when the rule is not active (non-audit time), use the right mouse button. You can also use the keyboard to set times: the arrow keys for navigation and the spacebar to toggle audit/non-audit time.
To specify the user actions subject to logging, set the appropriate rights. There are two categories of rights:
Audit - Rights that govern the logging of user actions to the Audit log. For details, see “Audit” Rights Category.
Shadowing - Rights that govern the logging of user actions to the Shadow log. For details, see “Shadowing” Rights Category.
 
Note: If data transmission is blocked by permissions, a shadow copy of this data is not created. In this case DeviceLock blocks the transmission of data before it is captured. Exception: If data is being inspected by Content-Aware Rules, then DeviceLock creates the shadow copy even if permissions block the transmission of that data.
Recommendations
Audit records may not be logged despite the existing audit rules. This is usually caused by neither the Audit Allowed nor the Audit Denied check box being selected in the audit rule settings. In this case the logging configuration is incorrect, and no audit log records are written.
When configuring audit rules, make sure that at least one of the Audit Allowed and Audit Denied check boxes is selected.
Also note that audit events are not logged at the USB interface level for whitelisted devices (see USB Devices White List (Regular Profile)) or for devices excluded from access control by security settings (see Security Settings (Regular Profile)).