Secure Audit
Overview
Secure Audit saves audited events to the database. Audit data is first saved on the Clients, then transferred from the Agent to the Server and finally deleted on the Clients. The Server saves the data in the database. You can activate Secure Audit for a computer and for a user. The audit data about device connection and Wi-Fi is available only for the computer.
Activating Secure Audit
Before activating
To avoid performance problems, pay attention to the following before activating:
- Audit data size. Make sure to have enough space in the database. 1 million of Secure Audit entries takes space of about 500 MB. To avoid database overfilling, handle Secure Audit data properly by specifying the settings for archiving or removing of old audit data under Administration | Administrator | Database maintenance.
- SQL Server transaction log. Specify the transaction log settings to avoid a Full Transaction Log error. For details, see the Microsoft article Troubleshoot a Full Transaction Log (SQL Server Error 9002) (external link).
- SQL Express. Use SQL Express with enabled Secure Audit carefully. EgoSecure recommends SQL Express only for demonstration purposes and for very small organizations due to the fact that SQL Express raw size of the database is only 10 GB. It may lead to the database filling, which influences Secure Audit performance.
Enabling audit and selecting audit data
Activating Secure Audit for a user/computer occurs in several steps:
- Enabling Secure Audit in Console
- Setting up password protection (optional)
- Selecting audit data (used for default user/computer)
- Adjusting audit data for user/computer (optional)
- Activating Secure Audit for user/computer
Enabling Secure Audit
- Under Product settings, go to Audit | Secure Audit.
- Click on the button Secure Audit is now disabled.
- The audit is now enabled and can be configured.
- To prevent unauthorized access, protect audit data with one password/two passwords:
Setting up password protection
- Go to Product settings | Audit | Secure Audit.
- In the Access to the auditing database area, enable Protect all audit data with the same password set.
- Enable the button with the desired number of passwords for protection.
- The corresponding number of password fields appears.
- To change the password, click Change, near the password field.
- In the dialog, enter the password and click OK to confirm.
- You have now set up a single scheme of protection for all audit data types. The password will be requested each time when accessing any audit data tab under User management/Computer management | Audit and under Reports | Audit.
- To enable an individual scheme of protection for each audit data type, disable the Protect all audit data with the same password set check box.
- Select the scheme of protection for each audit data type in the Access to the audit data column.
- You have now set up an individual scheme of protection for each audit data type. The password will be requested each time when accessing a password-protected audit data tab under User management/Computer management | Audit and under Reports | Audit.
- To allow access to password-protected audit data under Reports | Audit, but to hide user/computer names, enable the Show auditing data without the user information unprotected. For audit data tabs under User management/Computer management | Audit the password will continue to be requested.
- When clicking Show user data button, a password is requested. Once the password is successfully entered, user/computer data appears.
- Click Save.
- Access to Secure Audit data is now password-protected. As a supervisor, you can change the password by entering a new one and then saving. Being an administrator or a super administrator, you must first enter the old password to set a new password.
The following table gives an overview of data collected by Secure Audit:
Files | |
External storage, Network share, Thin client storage, Cloud storage |
Logs access to files and related processes, drives, network folders or thin client storage media. A distinction is made between read, write, delete and rename accesses. For details, see: Logged access types.
|
Internet | |
HTTP- and HTTPS connections |
Logs the page visits via any Internet browser. The HTTP protocol option audits only unencrypted pages. The HTTPS protocol option audits only encrypted pages.
|
WLAN | Logs the connection data of the WLAN and indicates whether it is secure or not secure (open). For details, see: Defining permitted WLANs |
Applications | |
Applications launch |
Logs running applications. |
Use of applications | Logs the use of applications (duration of use, date of use). |
DLL launch |
Logs started program libraries (DLLs). |
Java archives launch |
Logs started Java archives (jar files). |
General | |
Device connections |
Logs the connection and removal of devices (can only be activated for computers). |
System events |
Logs events such as starting, shutting down, or locking a computer. For details, see List of logged system events |
Unencrypted files transfer |
Logs files that have been transferred unencrypted to devices (external storage media and CD/DVD) or to clouds. The option can only be activated if an encryption product is available and encryption is activated. Make sure that Removable Device Encryption or Cloud Storage Encryption are activated. If you have activated shadowcopy for the user, you can download unencrypted files from the SC column under User management | Audit | Unencrypted. |
Blocked access |
Logs attempts to access files that are blocked due to the lack of access rights, filter settings, etc. |
Shadowcopy | |
Shadow copies of read and/or written files |
Saves a copy of all files that have been read, written or deleted by the user on external media, in clouds, network folders or on thin client storage media. For details, see: Enabling Shadowcopy. Reports | Audit | File access and Unencrypted file transfer, column SC. |
Access types of the Access column. In some cases, read/write/delete access can take place simultaneously. In the Access column of an audit table, all types of access are shown. This does not necessarily have to be manual access performed by the user. For example, a process can simultaneously perform a read/write access or a write/delete access. Some programs such as Microsoft Office applications often create temporary files that are then deleted.
List of logged system events
Event type | Description |
---|---|
Unknown event |
System event, which is not identified. |
Computer start |
Computer was turned on. |
Computer shutdown |
Computer was shut down. |
Suspend |
Computer was preparing for a sleep or hibernate. This is the stage when the screen blinks off but neither sleep, nor hibernation happened yet. |
Sleep mode |
Computer went to sleep. |
Hibernation |
Computer was hibernated. |
Exit sleep mode |
Computer was woken from sleep. |
Exit hibernation |
Computer was started after hibernation. |
Computer lock |
Lock screen for a user who is currently logged in to computer. |
Computer unlock |
Unlock computer for which the lock action was performed. |
System login |
Log in to a user account when starting a computer, switching users, exiting sleep mode etc. |
System logout |
Log out from a current account when a user, e.g., clicked the Sign out option. |
Tray login |
Login to the EgoSecure Tray application when a user, e.g., clicked the Login… option. |
Tray logout |
Logout from the EgoSecure Tray application when a user, e.g., clicked the Logoff [current login] option. |
Selecting audit data
- Go to Product settings | Audit | Secure Audit.
- Enable the audit data that becomes available for activating on users and computers.
- Click Save.
- The selected logging data is applied to the default user and the default computer and then to the registered user/computer. You can disable some points for them individually. However, you cannot individually activate points that are not activated in the product settings.
Activating Secure Audit for user or computer
- Go to User management/Computer management | Audit.
- In the User management/Computer management work area, right-click the user/computer and select Activate/deactivate products | Secure Audit.
- In the Active products column of the user/computer, there appears the short name SA. The settings of the default user/computer are applied to the object.
- You can also adjust audit settings for an individual computer/user. To adjust,
- Enable the Activate individual settings check box under Audit | Settings.
- The previously inherited options remain enabled. Uncheck them, if necessary.
- Edit the settings.
- Click Save.
- Secure Audit is now enabled and configured. Audit data is saved to the database and will become reachable in the Console.
Specifying size limit for Audit data
You can set a maximum size of audit data per tenant. Once the limit is reached, audit data is stored on the Agent computer until a capacity is available in the database again (e.g. after Archiving or deleting old audit data). Via IntellAct Automation you can create a rule that notifies administrators about clients who reached the limit. For details, see: Monitoring server activity with IntellAct
Specifying size limit for tenant
- Go to Administration | Superadmin | Tenants.
- Select a tenant. To select multiple tenants, hold down Ctrl and click.
- Right-click the tenant and select Set Audit data limit from the context menu.
- The File size dialog appears.
- Specify a limit and click OK to confirm.
- Click Save.
Working with Secure Audit
Showing audit data
Under User management | Audit and Computer management | Audit as well as under Reports | Audit you can see the audit data in a tabular form. You can configure the displaying and filter the records.
Audit table display limitation. Each Secure Audit table can display only up to 100 thousand records.
See also Archiving or deleting old audit data
- Database (drop-down menu): display audit data from the database (default) or from an archive file. For details, see: Archiving or deleting old audit data
- Request data: get the current data in the database
- Creating and editing categories to filter entries by categories. For details, see: Using categories
- Print or export a current table
- Show only data records where a shadowcopy exists
- Hide entries for data that was read out only partially (applies only to files with read access, not read/write)
Using categories
Categories allow for distinguishing between different types of files, storage, Internet pages and applications. Assigning a color and rules to a category helps to find an item more quickly. For example, for Files create Text and Picture, for Applications create Text editing and Picture editing.
Entries that match the category are marked in color. You can also filter entries based on categories:
Creating categories
- Click Edit categories above an Audit table (not available under Shadowcopy filter and under System events).
- The Categories editor dialog window opens.
- In the Category type drop-down, select a type.
- Click + Add.
- The New category entry appears on the left.
- Specify the new category on the right:
- Enter a short name that will be displayed in the Category drop-down.
- Select a color to mark audit entries in the list.
- In the Priority field, define the position of a category in the list.
- Click Add to add a rule for a category. For details, see: Defining rules for categories
- Click OK to save the changes and close the Categories editor dialog.
- The new category is active. Entries that comply with the rules are highlighted in color and can be filtered.
Defining rules for categories
Category type | Rule definition |
---|---|
Files |
File types of the format *.<ending> or specific files, e.g.: *.xml, egon.png |
Applications |
Application file name, e.g.: chrome.exe |
Storage |
Hardware ID + serial number, e.g.: USB\VID_0951&PID_1666\60A44C3FAFE13090396D01E5&0 |
Internet pages |
Web addresses, e.g.: www.google.com, EgoSecure.com |
WiFi networks |
Wireless network name |
Archiving or deleting old audit data
If database is overfilled, new audit data can NOT be stored there anymore. The solution is to archive or delete a part of audit data once manually or set up the archiving/deleting of old audit data so that it is performed regularly according to the scheduler.
Archiving/deleting Audit data manually
- Go to Administration | Administrator | Database maintenance.
- Configure the settings in the Removing/archiving old audit data – manually area:
- In the Remove/archive data older than field, specify how old the data must be to be archived/deleted.
- In the Split archive file by drop-down, select whether the archive data is split in separate files for each day/week/month/year.
- In the Audit data selection drop-down, select the types of audit data for archiving/deleting.
- To permanently delete old data, click Delete.
- To archive old data, define an archive directory first and then click Archive.
- Click OK in the warning dialog.
- A message about data successfully archived/deleted appears under the Database statistics area.
Archiving/deleting Audit data automatically
- Go to Administration | Administrator | Database maintenance.
- In the Removing/archiving old audit data – automatically area, enable the Scheduled action check box and select the action from the drop-down menu (archive/delete).
- Configure the action:
- In the Start at field, select the date and time when a synchronization process starts.
- In the Period field, define how often the synchronization is performed starting from the date defined in the previous step.
- In the Remove/archive data older than … days field, define how old the data must be to archive/remove it.
- In the Split archive file by drop-down, select whether the archive data is split in separate files for each day/week/month/year.
- In the Audit data selection drop-down, check the types of audit data for archiving/deleting.
- If you are using several EgoSecure Servers: In the Server drop-down, select the server that must perform the action.
- Define an archive directory.
- Save the settings.
- The action is performed at the start time and is repeated according to the selected time interval.
Specifying directory for archive data
The selected directory must be NOT a mapped network drive.
- Go to Administration | Administrator | Database maintenance.
- In the Directory field, select where archive files with audit data will be stored.
- If a network directory was defined in the previous step, enter the respective user and password.
- Save the settings.
Showing archive audit data
Archived .dat audit files can be opened in Console under:
- User management/Computer management | Audit
- Reports | Audit
Troubleshooting
Problem: Audit data is not displayed in real time.
Possible solutions:
- Check whether auditing functionality is enabled under Product settings | Audit | Secure Audit.
- Check the connection between Server and Agent. For details, see: Testing connection
- Check which audit data is enabled. For details, see: Selecting audit data, Activating Secure Audit for user or computer
- Check, whether the Accept audit data option is enabled in the EgoSecure AdminTool.