Protocols (Regular Profile) : Managing Audit, Shadowing and Alerts for Protocols
  
Managing Audit, Shadowing and Alerts for Protocols
DeviceLock provides the capability to audit and shadow copy data/file transfers via different protocols. Auditing and shadow copying are used to monitor and record security-critical data transfer operations. Regular analysis of log data is an effective way to detect and trace misuse of sensitive information and data breach incidents caused by data loss or theft.
When you select the Protocols > Auditing, Shadowing & Alerts node in the console tree, the details pane lists the protocols for which you can define audit and shadow copy rules (see Auditing, Shadowing and Alerts Management Tasks). From this node, you can also enable alerts that are sent when a specific user attempts to access a specific protocol (see Enabling alerts).
For auditing and shadow copying at the transport level, DeviceLock uses two types of logging: Audit Logs and Shadow Logs. The Audit Log is used to audit access to protocols and track what individual users do. Audit data can be written to the Windows Event Log, to the DeviceLock proprietary log, or both. It is also possible to send audit data to a syslog server. To specify where to store audit data, set the Audit log type parameter in Service Options. To view audit data, use either DeviceLock Service Audit Log Viewer (see Audit Log Viewer (Service)) or DeviceLock Enterprise Server Audit Log Viewer (see Audit Log Viewer (Server)).
The Shadow Log is used to store a full copy of data/files transferred via specified protocols. To view shadow log data, use either DeviceLock Service Shadow Log Viewer (see Shadow Log Viewer (Service)) or DeviceLock Enterprise Server Shadow Log Viewer (see Shadow Log Viewer (Server)).
Auditing and shadow copying of the data transferred via specified protocols are enabled by defining audit and shadowing rules. Each rule associated with a protocol specifies the users or groups the rule applies to and the audit/shadowing rights that determine which user actions are audited or shadow copied.
Logged audit events include information such as the event type, the date and time of the event, the associated protocol, the user associated with the event, process information, and event-specific information.
 
Note: When using shadow copying, keep in mind the following:
If data transmission is blocked by permissions, a shadow copy of this data is not created. In this case DeviceLock blocks the transmission of data before it is captured. Exception: If data is being inspected by Content-Aware Rules, then DeviceLock creates the shadow copy even if permissions block the transmission of that data.