Audit Log Filter (Service)
You can filter data in Audit Log Viewer (Service) so that only records that meet specific conditions are displayed in the list.
To open the Filter dialog box, choose Filter from the shortcut menu of Audit Log Viewer or click on the toolbar.
There are two types of filters:
Include - Only the entries that match conditions specified on the Include tab are shown in the list.
Exclude - The entries that match conditions specified on the Exclude tab are not shown in the list.
To use any filter, you should activate it first. Select the Enable filter check box to make a filter active. To temporarily deactivate the filter, clear the Enable filter check box.
 
Note: The mark next to the tab name turns green if the filter on that tab is enabled. Otherwise, the mark is gray.
When the filter is enabled, its conditions are defined by entering values in the following fields:
Event types - Select check boxes to filter events by type:
Success - DeviceLock has allowed a certain action, such as read, write or transfer a file or data.
Failure - DeviceLock has not allowed a certain action, such as read, write or transfer a file or data.
Information - DeviceLock has successfully applied a Content-Aware Rule for content detection.
Warning - DeviceLock encountered a condition that may cause a problem unless action is taken.
Name - The text that matches a value in the Audit Log Viewer’s Name column. This field is case-insensitive.
Source - The text that matches a value in the Audit Log Viewer’s Source column. This field is case-insensitive.
Action - The text that matches a value in the Audit Log Viewer’s Action column. This field is case-insensitive.
Information - The text that matches a value in the Audit Log Viewer’s Information column. This field is case-insensitive.
Reason - The text that matches a value in the Audit Log Viewer’s Reason column. This field is case-insensitive.
User - The text that matches a value in the Audit Log Viewer’s User column. This field is case-insensitive.
Process - The text that matches a value in the Audit Log Viewer’s Process column. This field is case-insensitive and allows the use of wildcards.
PID - The number that matches a value in the Audit Log Viewer’s PID column. To enter multiple values, separate them with a semicolon (;).
From - The beginning of the range of events to filter. Select First Event to filter events from the earliest one in the log. Select Events On to filter events that occurred no earlier than a specific date and time.
To - The end of the range of events to filter. Select Last Event to filter events up to the latest one in the log. Select Events On to filter events that occurred no later than a specific date and time.
 
Note: To assist with configuring a filter, string setting fields store previous entries and suggest matches for what is being typed. Previous entries are also available on the drop-down list of options for the setting field.
When configuring a filter, consider the following:
Filter conditions are combined by AND logic, that is, a given record matches the filter if it matches each of the filter conditions. Clear the fields that are not to be used in the filter conditions.
Filter string fields may include wildcards, such as an asterisk (*) or a question mark (?). An asterisk represents zero or more characters; a question mark represents any single character.
A filter string field may include multiple values separated by a semicolon (;). In this case, the values are combined by OR logic, that is, a given record matches the filter condition on a particular field if it matches at least one of the values specified in that field.
The Clear button in the Filter dialog box provides the option to remove all the defined filter conditions and start setting up a new filter from scratch.
The Save and Load buttons in the Filter dialog box are used to save the filter conditions to a file and to load previously saved filter conditions from a file.
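The matching rules described above (AND across fields, OR across semicolon-separated values, case-insensitive `*` and `?` wildcards, Include applied before Exclude) can be modeled in a short script to predict which records a filter will leave visible. This is an added example, not DeviceLock code. The record values, the function names, whole-value matching for entries without wildcards, and the way the Include and Exclude tabs combine are assumptions.

```python
import re

def _pattern(value):
    # Only the two documented wildcards: * (zero or more chars), ? (any single char).
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c) for c in value)
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def field_matches(condition, actual):
    # Semicolon-separated values within one field are combined by OR.
    values = [v.strip() for v in condition.split(";") if v.strip()]
    return any(_pattern(v).fullmatch(str(actual)) for v in values)

def record_matches(conditions, record):
    # Conditions on different fields are combined by AND; cleared fields are skipped.
    for field, condition in conditions.items():
        if field == "types":  # set of selected event-type check boxes
            if condition and record["Type"] not in condition:
                return False
        elif condition and not field_matches(condition, record.get(field, "")):
            return False
    return True

def visible(records, include=None, exclude=None):
    # None models a tab whose "Enable filter" check box is cleared.
    shown = []
    for r in records:
        if include is not None and not record_matches(include, r):
            continue  # Include: only matching entries are shown
        if exclude is not None and record_matches(exclude, r):
            continue  # Exclude: matching entries are hidden
        shown.append(r)
    return shown

# Constructed sample records; keys follow the viewer columns named on this page.
RECORDS = [
    {"Type": "Failure", "Source": "Removable", "User": "CORP\\alice", "Process": "explorer.exe", "PID": 4120},
    {"Type": "Success", "Source": "Removable", "User": "CORP\\bob", "Process": "explorer.exe", "PID": 3312},
    {"Type": "Failure", "Source": "Printer", "User": "corp\\Alice", "Process": "WINWORD.EXE", "PID": 5580},
    {"Type": "Failure", "Source": "Removable", "User": "CORP\\svc_backup", "Process": "robocopy.exe", "PID": 812},
]
INCLUDE = {"types": {"Failure"}, "Source": "Removable;Printer", "Process": "*.exe"}
EXCLUDE = {"User": "*\\svc_*"}  # hide service accounts (constructed naming scheme)

def shown_pids():
    return [r["PID"] for r in visible(RECORDS, INCLUDE, EXCLUDE)]

if __name__ == "__main__":
    print(shown_pids())
```

Because an Exclude condition hides every record it matches, a broad wildcard there can silently remove events from view; checking the pattern against known records first shows what it will suppress.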