DeviceLock Service : Managing DeviceLock Service for Windows : Shadow Log Viewer (Service)
  
Shadow Log Viewer (Service)
There is a built-in shadow log viewer that allows you to retrieve the shadow log from DeviceLock Service.
The typical DeviceLock configuration assumes that the shadow data is stored on DeviceLock Enterprise Server. In this case all shadow data which is originally logged and cached by DeviceLock Service on the local computer is periodically moved to the server. The local shadow log is cleared as soon as the data is successfully moved to the server, so to view this data, you should use the server’s shadow log viewer (see Shadow Log Viewer (Server)).
However, in some cases you may need to view the shadow log of a certain computer. This need arises when, for example, you do not use DeviceLock Enterprise Server at all or when the server is being used, but for some reason the data still exists on the client computer.
The columns of this viewer are defined as follows:
Status - Indicates the status of the record:
Success - Data is successfully logged.
Incomplete - Data is possibly not completely logged.
Failed - Applies to shadow copies of files checked by Content-Aware Rules and whose transmission was blocked.
If data transmission was blocked by permissions but was not checked by Content-Aware Rules, a shadow copy of the data is not created.
Date/Time - The date and the time when the data was transferred.
Source - The type of device or protocol involved.
Action - The user’s activity type.
File Name - The original path to the file or the auto-generated name of the data that originally was not a file (such as CD/DVD/BD images, data written directly to the media or transferred through the serial/parallel ports).
File Size - The size of the data.
File Type - The real file type of the file.
 
Note: When applied to files that have been transferred to Removable, Floppy, or Optical drive devices, this column is empty until a device or a disc the files were transferred to, are unplugged/removed.
Reason - Indicates why the event occurred or what it was caused by. For details, see description of this column in the audit log viewer.
Protected - Indicates the protection status of a file. Yes status indicates that the file is protected. No status indicates that the file is not protected. Empty status indicates that the file is not protected, and does not have protection features. Error <text> status indicates an error during protection status detection has occurred.
 
Note: Protection status can only be retrieved on Windows Vista or later operating systems. Retrieval attempts made on older operating systems result in the following error message in the Server log and Audit log: “Encryption Analyzer is not supported on this system.”
Information - Other device- or protocol-specific information for the event, such as the access flags, the device or protocol name, device ID, device description from the USB Devices Database, and so on.
User - The name of the user transferred the data.
PID - The identifier of the process used to transfer the data.
Process - Fully qualified path to the process executable file. In some cases, the process name may be displayed instead of the path.