Matrix42 Self-Service Help Center

Secure Audit

Overview

Secure Audit saves audited events to the database. Audit data is first stored on the Clients, then transferred by the Agent to the Server and finally deleted on the Clients; the Server writes the data to the database. You can activate Secure Audit for a computer and for a user. Audit data about device connections and Wi-Fi is available only for computers.

Activating Secure Audit

Before activating

To avoid performance problems, pay attention to the following before activating:

  • Audit data size. Make sure there is enough space in the database: one million Secure Audit entries occupy about 500 MB. To avoid filling the database, set up archiving or removal of old audit data under Administration | Administrator | Database maintenance.
  • SQL Server transaction log. Configure the transaction log (recovery model, log backups, growth settings) so that it cannot fill up and raise a Full Transaction Log error. For details, see the Microsoft article Troubleshoot a Full Transaction Log (SQL Server Error 9002) (external link).
  • SQL Express. Use SQL Server Express with Secure Audit enabled with care. EgoSecure recommends SQL Express only for demonstration purposes and for very small organizations, because SQL Server Express limits each database to 10 GB of data. Once that limit is reached, new audit data can no longer be stored and Secure Audit performance suffers.
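The following T-SQL script is an added example and is not part of the Matrix42/EgoSecure documentation. It checks the three points above against the audit database in one pass: the edition (and so whether the 10 GB Express limit applies), the data and log file sizes with the remaining headroom expressed in audit entries using the 500 MB per million figure quoted above, the transaction log fill level together with the reason the log cannot currently be truncated, and the largest tables, which shows which audit data types to archive first. The database name EgoSecure is an assumption; replace it with the name used in your installation. The login needs VIEW DATABASE STATE to read the dynamic management views.

```sql
-- Added example, not part of the Matrix42/EgoSecure documentation.
-- Assumption: the audit database is called EgoSecure; adjust the name.
USE EgoSecure;
GO

-- 1. Edition: SQL Server Express caps the data files of every database at 10 GB.
SELECT SERVERPROPERTY('Edition')        AS edition,
       SERVERPROPERTY('ProductVersion') AS version;

-- 2. Data and log files: size (stored in 8 KB pages), cap and growth setting.
SELECT name,
       type_desc,
       CAST(size * 8.0 / 1024 AS decimal(12,2)) AS size_mb,
       CASE WHEN max_size = -1 THEN NULL
            ELSE CAST(max_size * 8.0 / 1024 AS decimal(12,2)) END AS max_size_mb,
       CASE WHEN is_percent_growth = 1 THEN CAST(growth AS varchar(10)) + ' %'
            ELSE CAST(growth * 8 / 1024 AS varchar(10)) + ' MB' END AS growth
FROM sys.database_files;

-- 3. Headroom against the 10 GB Express limit, converted to audit entries
--    with the documentation's figure of ~500 MB per one million entries.
SELECT CAST(SUM(size) * 8.0 / 1024 AS decimal(12,2))                   AS data_mb,
       CAST(10240 - SUM(size) * 8.0 / 1024 AS decimal(12,2))           AS headroom_mb_express,
       CAST((10240 - SUM(size) * 8.0 / 1024) / 500.0 AS decimal(12,2)) AS headroom_million_entries
FROM sys.database_files
WHERE type_desc = 'ROWS';

-- 4. Transaction log: recovery model, fill level and why it is not truncated.
--    In FULL recovery the log is only truncated after a log backup; without
--    one it grows until error 9002 (log full) is raised.
SELECT d.recovery_model_desc,
       CAST(l.total_log_size_in_bytes / 1048576.0 AS decimal(12,2)) AS log_size_mb,
       CAST(l.used_log_space_in_percent AS decimal(5,2))            AS log_used_pct,
       d.log_reuse_wait_desc
FROM sys.databases d
CROSS JOIN sys.dm_db_log_space_usage l
WHERE d.database_id = DB_ID();

-- 5. Largest tables by used space: shows which audit data types dominate
--    and therefore which types to include in archiving/deletion first.
SELECT TOP (10)
       s.name + '.' + t.name AS table_name,
       SUM(p.row_count)      AS row_count,
       CAST(SUM(p.used_page_count) * 8.0 / 1024 AS decimal(12,2)) AS used_mb
FROM sys.dm_db_partition_stats p
JOIN sys.tables  t ON t.object_id = p.object_id
JOIN sys.schemas s ON s.schema_id = t.schema_id
WHERE p.index_id IN (0, 1)          -- heap or clustered index only, no double counting
GROUP BY s.name, t.name
ORDER BY used_mb DESC;
```

Run it in SQL Server Management Studio or sqlcmd before enabling Secure Audit and again after a few days of auditing; the difference in data_mb gives the growth rate, from which you can choose the Remove/archive data older than … days value so that the database stays below its limit. A log_reuse_wait_desc of LOG_BACKUP in FULL recovery means a log backup job is missing.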

Enabling audit and selecting audit data

Activating Secure Audit for a user/computer occurs in several steps:

  • Enabling Secure Audit in Console
  • Setting up password protection (optional)
  • Selecting audit data (used for default user/computer)
  • Adjusting audit data for user/computer (optional)
  • Activating Secure Audit for user/computer

Enabling Secure Audit

  • Under Product settings, go to Audit | Secure Audit.
  • Click on the button Secure Audit is now disabled.
  • The audit is now enabled and can be configured.


  • To prevent unauthorized access, protect the audit data with one or two passwords (see Setting up password protection below).

Setting up password protection

  • Go to Product settings | Audit | Secure Audit.
  • In the Access to the auditing database area, enable Protect all audit data with the same password set.
  • Click the button for the desired number of passwords (one or two).
  • The corresponding number of password fields appears.
  • To change the password, click Change, near the password field.
  • In the dialog, enter the password and click OK to confirm.
  • You have now set up a single protection scheme for all audit data types. The password is requested each time an audit data tab under User management/Computer management | Audit or under Reports | Audit is opened.
  • To enable an individual scheme of protection for each audit data type, disable the Protect all audit data with the same password set check box.
  • Select the scheme of protection for each audit data type in the Access to the audit data column.
  • You have now set up an individual protection scheme for each audit data type. The password is requested each time a password-protected audit data tab under User management/Computer management | Audit or under Reports | Audit is opened.
  • To allow access to password-protected audit data under Reports | Audit while hiding user/computer names, enable the Show auditing data without the user information unprotected option. The audit data tabs under User management/Computer management | Audit continue to require the password.
  • When you click the Show user data button, the password is requested; once it is entered successfully, the user/computer data appears.


  • Click Save.
  • Access to Secure Audit data is now password-protected. As a supervisor, you can change the password by entering a new one and saving. As an administrator or super administrator, you must first enter the old password before you can set a new one.

The following table gives an overview of the data collected by Secure Audit:

Files

  • External storage, Network share, Thin client storage, Cloud storage: Logs access to files and the related processes on drives, network folders, cloud storage or thin client storage media. A distinction is made between read, write, delete and rename accesses. For details, see: Logged access types.
    • To audit network shares and thin client storage, additionally enable the Allow thin client storage control and Allow network shares control options for the computer under Computer management | Settings | Client settings.
    • To audit cloud storage, additionally define the clouds to control under User management | Settings | Cloud storage.
    • To restrict which network shares data is collected from, go to Product settings | Audit | Network share and add either the network shares from which data is collected (white list) or only the network shares from which data collection is blocked (black list).

Internet

  • HTTP and HTTPS connections: Logs page visits via any Internet browser. The HTTP protocol option audits only unencrypted pages; the HTTPS protocol option audits only encrypted pages. If you have set up a proxy server, page visits are not logged.
  • WLAN: Logs the connection data of the WLAN and indicates whether the network is secure or not secure (open). For details, see: Defining permitted WLANs.

Applications

  • Applications launch: Logs running applications.
  • Use of applications: Logs the use of applications (duration and date of use).
  • DLL launch: Logs started program libraries (DLLs).
  • Java archives launch: Logs started Java archives (.jar files).

General

  • Device connections: Logs the connection and removal of devices (can only be activated for computers).
  • System events: Logs events such as starting, shutting down or locking a computer. For details, see: List of logged system events.
  • Unencrypted files transfer: Logs files that have been transferred unencrypted to devices (external storage media and CD/DVD) or to clouds. The option can only be activated if an encryption product is available and encryption is activated; make sure that Removable Device Encryption or Cloud Storage Encryption is activated. If you have activated Shadowcopy for the user, you can download the unencrypted files from the SC column under User management | Audit | Unencrypted.
  • Blocked access: Logs attempts to access files that are blocked due to missing access rights, filter settings, etc.

Shadowcopy

  • Shadow copies of read and/or written files: Saves a copy of all files that have been read, written or deleted by the user on external media, in clouds, in network folders or on thin client storage media. For details, see: Enabling Shadowcopy. Shadow copies can be accessed under:
    • User management/Computer management | Audit, File access and Unencrypted tabs, column SC
    • Reports | Audit | File access and Unencrypted file transfer, column SC
Logged access type

Access types shown in the Access column. In some cases read, write and delete accesses take place at the same time, and the Access column then lists all of them. Such a combination is not necessarily a manual action by the user: a process can perform a read/write or a write/delete access in one step, and programs such as Microsoft Office applications often create temporary files that are then deleted.

List of logged system events

  • Unknown event: System event that is not identified.
  • Computer start: Computer was turned on.
  • Computer shutdown: Computer was shut down.
  • Suspend: Computer was preparing for sleep or hibernation. This is the stage when the screen switches off but neither sleep nor hibernation has happened yet.
  • Sleep mode: Computer went to sleep.
  • Hibernation: Computer was hibernated.
  • Exit sleep mode: Computer was woken from sleep.
  • Exit hibernation: Computer was started after hibernation.
  • Computer lock: Screen was locked for a user who is currently logged in to the computer.
  • Computer unlock: Computer was unlocked after a lock action.
  • System login: Login to a user account when starting a computer, switching users, exiting sleep mode etc.
  • System logout: Logout from the current account, e.g. when a user clicked the Sign out option.
  • Tray login: Login to the EgoSecure Tray application, e.g. when a user clicked the Login… option.
  • Tray logout: Logout from the EgoSecure Tray application, e.g. when a user clicked the Logoff [current login] option.

Selecting audit data

  • Go to Product settings | Audit | Secure Audit.
  • Enable the audit data that becomes available for activating on users and computers.
  • Click Save.
  • The selected audit data is applied to the default user and the default computer and, through them, to the registered users/computers. You can disable individual options per user/computer, but you cannot enable options there that are not enabled in the product settings.

Activating Secure Audit for user or computer

  • Go to User management/Computer management | Audit.
  • In the User management/Computer management work area, right-click the user/computer and select Activate/deactivate products | Secure Audit.


  • The short name SA appears in the Active products column of the user/computer. The settings of the default user/computer are applied to the object.
  • You can also adjust the audit settings for an individual user/computer: enable the Activate individual settings check box under Audit | Settings.
  • The previously inherited options remain enabled. Uncheck them if necessary.


  • Edit the settings.
  • Click Save.
  • Secure Audit is now enabled and configured. Audit data is saved to the database and becomes accessible in the Console.

Specifying size limit for Audit data

You can set a maximum size of audit data per tenant. Once the limit is reached, new audit data is held on the Agent computer (and is therefore not yet visible in the Console) until capacity is available in the database again, e.g. after archiving or deleting old audit data. Via IntellAct Automation you can create a rule that notifies administrators about clients that have reached the limit. For details, see: Monitoring server activity with IntellAct.

Specifying size limit for tenant

  • Go to Administration | Superadmin | Tenants.
  • Select a tenant. To select multiple tenants, hold down Ctrl and click.
  • Right-click the tenant and select Set Audit data limit from the context menu.


  • The File size dialog appears.
  • Specify a limit and click OK to confirm.
  • Click Save.

Working with Secure Audit

Showing audit data

Under User management | Audit and Computer management | Audit as well as under Reports | Audit you can see the audit data in tabular form. You can configure the display and filter the records.

Audit table display limitation. Each Secure Audit table can display at most 100,000 records. See also: Archiving or deleting old audit data.


  • Database (drop-down menu): display audit data from the database (default) or from an archive file. For details, see: Archiving or deleting old audit data
    • Request data: get the current data in the database
  • Creating and editing categories to filter entries by categories. For details, see: Using categories
  • Print or export a current table
  • Show only data records where a shadowcopy exists
  • Hide entries for files that were only partially read (applies only to files with read access, not read/write)

Using categories

Categories let you distinguish between different types of files, storage, Internet pages and applications. Assigning a color and rules to a category helps you find items more quickly. For example, create the categories Text and Picture for Files, or Text editing and Picture editing for Applications.


Entries that match the category are marked in color. You can also filter entries based on categories:


Creating categories

  • Click Edit categories above an Audit table (not available under Shadowcopy filter and under System events).
  • The Categories editor dialog window opens.
  • In the Category type drop-down, select a type.


  • Click + Add.
  • The New category entry appears on the left.
  • Specify the new category on the right:
    • Enter a short name that will be displayed in the Category drop-down.
    • Select a color to mark audit entries in the list.
    • In the Priority field, define the position of a category in the list.
    • Click Add to add a rule for a category. For details, see: Defining rules for categories


  • Click OK to save the changes and close the Categories editor dialog.
  • The new category is active. Entries that comply with the rules are highlighted in color and can be filtered.

Defining rules for categories

  • Files: file types of the form *.<ending> or specific file names, e.g. *.xml, egon.png
  • Applications: application file name, e.g. chrome.exe
  • Storage: hardware ID + serial number, e.g. USB\VID_0951&PID_1666\60A44C3FAFE13090396D01E5&0
  • Internet pages: web addresses, e.g. www.google.com, EgoSecure.com
  • WiFi networks: wireless network name

Archiving or deleting old audit data

If the database is full, new audit data can no longer be stored in it. The solution is to archive or delete part of the audit data once, manually, or to set up scheduled archiving/deletion of old audit data so that it runs regularly.

Archiving/deleting Audit data manually

  • Go to Administration | Administrator | Database maintenance.
  • Configure the settings in the Removing/archiving old audit data – manually area:
    • In the Remove/archive data older than field, specify how old the data must be to be archived/deleted.
    • In the Split archive file by drop-down, select whether the archive data is split in separate files for each day/week/month/year.
    • In the Audit data selection drop-down, select the types of audit data for archiving/deleting.
  • To permanently delete old data, click Delete.


  • To archive old data, define an archive directory first and then click Archive.
  • Click OK in the warning dialog.
  • A message about data successfully archived/deleted appears under the Database statistics area.

Archiving/deleting Audit data automatically

  • Go to Administration | Administrator | Database maintenance.
  • In the Removing/archiving old audit data – automatically area, enable the Scheduled action check box and select the action from the drop-down menu (archive/delete).


  • Configure the action:
    • In the Start at field, select the date and time when the archiving/deletion runs for the first time.
    • In the Period field, define how often the action is repeated, counted from the date defined in the previous step.
    • In the Remove/archive data older than … days field, define how old the data must be to archive/remove it.
    • In the Split archive file by drop-down, select whether the archive data is split in separate files for each day/week/month/year.
    • In the Audit data selection drop-down, check the types of audit data for archiving/deleting.
    • If you are using several EgoSecure Servers: In the Server drop-down, select the server that must perform the action.
  • Define an archive directory.
  • Save the settings.
  • The action is performed at the start time and is repeated according to the selected time interval.

Specifying directory for archive data

The selected directory must not be a mapped network drive: drive letters are mapped in an interactive user session and are not visible to the EgoSecure Server service. Use a local path or a full network path instead.

  • Go to Administration | Administrator | Database maintenance.
  • In the Directory field, select where the archive files with audit data will be stored.
  • If you selected a network directory in the previous step, enter the user name and password of an account that may write to it.
  • Save the settings.

Showing archive audit data

Archived .dat audit files can be opened in Console under:

  • User management/Computer management | Audit
  • Reports | Audit


Troubleshooting

Problem: Audit data is not displayed in real time.

Possible solutions:
