Job Management Partner 1/Asset Information Manager Description


2.9 Checking user operations by means of operation logs

With Asset Information Manager, you can search for and check user operations by means of operation logs. With operation logs, you can check operations such as when and where files were copied or file names were changed, and trace these operations chronologically. By totaling operation log entries, you can also use the totals to understand the state of each group.

For example, you can perform the following operations based on operation logs:

    • Check whether a file containing confidential information was copied
    • Determine the operation log state for each group based on the totals
    • Trace and investigate user operations

Using as an example the copying of the EmployeeList.xls file, which contains confidential information, we will explain in the following subsections how to perform each of the above operations by checking the operation log entries for this file.

Before you check operation logs, you must use JP1/Software Distribution to collect operation logs from the managed devices.

Organization of this section
(1) Checking whether a file containing confidential information was copied
(2) Determining the operation log state for each group based on the totals
(3) Tracing and investigating user operations

(1) Checking whether a file containing confidential information was copied

This subsection explains how to search the operation logs to determine if EmployeeList.xls, which contains confidential information, was copied.

The Operation Log List window can be used to search for operation log entries.

The following figure shows the Operation Log List window.

Figure 2-23 Operation Log List window

[Figure]

From the operation log entries that are displayed in the search results, you can check the date and time, type, and other information about each operation.

The following figure shows the operation flow for specifying search conditions and for searching operation logs to determine if EmployeeList.xls was copied.

Figure 2-24 Operation flow for specifying search conditions and searching operation logs

[Figure]

To search operation logs:

  1. Collect operation logs.
    Before you can search for file copying operations in operation logs, you must use JP1/Software Distribution to collect operation logs on file operations.
  2. Specify search conditions and search the operation logs.
    In the Operation Log List window, specify the conditions listed below, and click the Search button. To minimize the search time, we recommend that you narrow down the scope of the search by specifying as many conditions as possible.
    • Search period (start) and Search period (end): Specify these options to limit the search period.
      The search operation might take a while if you either do not specify a search period or if you specify a long search period.
    • Logs to display: Select the File operation log check box.
    • Type: Select the Copied check box.
    • File name: Enter EmployeeList.xls in the File name text box.
    • Drive type: Select all of the check boxes.
    For details and notes about how to specify search conditions, see 2.7.1(1) Searching for operation logs in the Administrator's Guide.
  3. Check the operation log entries.
    From the operation log entries displayed in the search results, check the account, host name, and other information about the user who copied the file.
  4. Register the specified search conditions as a search pattern.
    If you plan to use the same search conditions to search operation logs again, register the specified search conditions as a search pattern. The search period is not registered as part of the search pattern, so you can reuse the search conditions with a different search period. We recommend that you register a search pattern name from which the file name and operation type are easy to recognize, such as Copy of the Employee List. For details about how to register search patterns, see 2.7.1(2)(b) Registering or updating a search pattern in the Administrator's Guide.

(2) Determining the operation log state for each group based on the totals

You can use the totals from the operation log entries to determine how many users in a group have copied EmployeeList.xls. You can also check how the number of incidents detected in the operation logs has changed over time for each group.

You can use the Operation Log Total window to check the operation log entry totals.

The following figure shows the Operation Log Total window.

Figure 2-25 Operation Log Total window

[Figure]

The totals display how many operation log entries were detected for each search pattern.

The following figure shows the operation flow for scheduling the totaling of operation log entries that indicate copying of EmployeeList.xls once per week, and for determining the state of each group from the totals.

Figure 2-26 Operation flow for totaling copy operation log entries and determining their state

[Figure]

  1. Determine which type of operation log entries to total.
    Determine which type of operation log entries you want to check for each group, such as operation log entries on unauthorized operations. In this example, we plan to total the operation log entries regarding the copying of EmployeeList.xls.
  2. Register the search pattern in the Operation Log List window.
    Register the search pattern to use when performing totaling. The search conditions are the same as those specified in step 2 of the procedure described in subsection (1) above. For details about how to register search patterns, see 2.7.1(2)(b) Registering or updating a search pattern in the Administrator's Guide.
  3. Register the operation log entry totaling command as a task.
    In order to periodically check totals, register the operation log entry totaling command as a task in Windows Task Scheduler. When you register the task, specify that the command be executed once a week. Also, specify the following value as the file to run:
    • File to run
      Asset-Information-Manager-installation-folder\exe\jamOperationLogAddUp.exe -p "Copy of EmployeeList"
    In this example, the task executes once a week, so you do not need to specify any options other than the -p option. For details about how to register tasks, see 5.9.10 Notification of device information change in the Planning and Setup Guide.
  4. Execute the registered task.
    Execute the task to total the operation log entries.
  5. In the Operation Log Total window, use the totals to determine the status of each group.
    From the totals, for each group determine the number of operation log entries that indicate copying of EmployeeList.xls. You can also display a graph of the change through time in the number of operation log entries, which you can use to determine if the number of copy operations is declining. For details about how to display the totals, see 2.7.2(1) Specifying conditions and displaying totals in the Administrator's Guide. For details about how to display a graph, see 2.7.2(4) Displaying the operation log totals in graph format in the Administrator's Guide.
  6. Warn the group administrator.
    If necessary, you can warn the administrator of a group where a problem might exist, such as a group in which a large number of suspicious operation log entries are detected, or if the percentage of suspicious devices detected does not decrease.
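The search and totaling logic of subsections (1) and (2), as an added example that is not part of the original manual and not the product's own code. It assumes a simplified record layout (time, account, host, group, log kind, operation type, file name, drive type) modelled on the Operation Log List window columns, and it works on constructed sample entries rather than logs collected by JP1/Software Distribution. The search pattern deliberately excludes the period, as in the product; totals are bucketed per group and per week, and a group is flagged for a warning when its weekly count is not declining or exceeds a threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample operation log entries (not real JP1 output). Field names are an
# assumption modelled on the Operation Log List window columns:
# (time, account, host, group, log kind, operation type, file name, drive type)
_RAW = [
    ("2023-03-20 09:00:00", "erin",  "PC-HR01",    "HR",    "File operation", "Copied",  "EmployeeList.xls", "Fixed"),
    ("2023-04-03 09:12:00", "alice", "PC-SALES01", "Sales", "File operation", "Copied",  "EmployeeList.xls", "Removable"),
    ("2023-04-04 14:30:00", "bob",   "PC-SALES02", "Sales", "File operation", "Copied",  "EmployeeList.xls", "Fixed"),
    ("2023-04-05 11:05:00", "alice", "PC-SALES01", "Sales", "File operation", "Copied",  "EmployeeList.xls", "Network"),
    ("2023-04-05 11:06:00", "alice", "PC-SALES01", "Sales", "File operation", "Renamed", "EmployeeList.xls", "Fixed"),
    ("2023-04-06 16:00:00", "carol", "PC-DEV01",   "Dev",   "File operation", "Copied",  "EmployeeList.xls", "Fixed"),
    ("2023-04-06 16:20:00", "carol", "PC-DEV01",   "Dev",   "File operation", "Copied",  "budget.xls",       "Removable"),
    ("2023-04-11 10:00:00", "bob",   "PC-SALES02", "Sales", "File operation", "Copied",  "EmployeeList.xls", "Fixed"),
    ("2023-04-12 10:00:00", "bob",   "PC-SALES02", "Sales", "File operation", "Copied",  "employeelist.xls", "Removable"),
    ("2023-04-12 13:00:00", "dave",  "PC-DEV02",   "Dev",   "File operation", "Copied",  "EmployeeList.xls", "Network"),
    ("2023-04-13 13:00:00", "dave",  "PC-DEV02",   "Dev",   "File operation", "Copied",  "EmployeeList.xls", "Removable"),
    ("2023-04-18 09:00:00", "alice", "PC-SALES01", "Sales", "File operation", "Copied",  "EmployeeList.xls", "Fixed"),
    ("2023-04-19 09:00:00", "carol", "PC-DEV01",   "Dev",   "File operation", "Copied",  "EmployeeList.xls", "Fixed"),
    ("2023-04-20 09:00:00", "dave",  "PC-DEV02",   "Dev",   "File operation", "Copied",  "EmployeeList.xls", "Removable"),
]
FIELDS = ("time", "account", "host", "group", "log", "type", "file", "drive")
SAMPLE_ENTRIES = [dict(zip(FIELDS, row)) for row in _RAW]

ALL_DRIVE_TYPES = {"Fixed", "Removable", "Network"}  # assumed set of drive-type check boxes


def make_search_pattern(name, types, file_name, drive_types=ALL_DRIVE_TYPES,
                        logs=("File operation",)):
    """Reusable search conditions. The period is intentionally not part of the
    pattern, so the same pattern can be searched with any period later."""
    return {"name": name, "logs": set(logs), "types": set(types),
            "file": file_name.lower(), "drives": set(drive_types)}


def search_operation_logs(entries, pattern, start=None, end=None):
    """Return the entries matching the pattern within the inclusive period.
    File names are compared case-insensitively (an assumption)."""
    start_dt = datetime.fromisoformat(start) if start else None
    end_dt = datetime.fromisoformat(end) if end else None
    hits = []
    for e in entries:
        t = datetime.fromisoformat(e["time"])
        if start_dt and t < start_dt:
            continue
        if end_dt and t > end_dt:
            continue
        if e["log"] not in pattern["logs"] or e["type"] not in pattern["types"]:
            continue
        if e["file"].lower() != pattern["file"] or e["drive"] not in pattern["drives"]:
            continue
        hits.append(e)
    return hits


def week_start(time_str):
    """ISO date of the Monday that starts the week containing the timestamp."""
    d = datetime.fromisoformat(time_str).date()
    return (d - timedelta(days=d.weekday())).isoformat()


def total_by_group_per_week(entries, pattern, start=None, end=None):
    """Count matching entries per group and per week, like a weekly totaling run."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in search_operation_logs(entries, pattern, start, end):
        totals[e["group"]][week_start(e["time"])] += 1
    return {group: dict(weeks) for group, weeks in totals.items()}


def is_declining(weekly_counts):
    """True when the latest week's count is below the earliest week's count."""
    weeks = sorted(weekly_counts)
    return len(weeks) >= 2 and weekly_counts[weeks[-1]] < weekly_counts[weeks[0]]


def groups_to_warn(totals, max_latest=2):
    """Groups whose administrator should be warned: latest weekly count above
    the threshold, or a count that is not declining over the totaled period."""
    warn = [g for g, weekly in totals.items()
            if weekly[max(weekly)] > max_latest or not is_declining(weekly)]
    return sorted(warn)


if __name__ == "__main__":
    pattern = make_search_pattern("Copy of EmployeeList", ["Copied"], "EmployeeList.xls")
    totals = total_by_group_per_week(SAMPLE_ENTRIES, pattern,
                                     "2023-04-03 00:00:00", "2023-04-23 23:59:59")
    for group, weekly in sorted(totals.items()):
        print(group, dict(sorted(weekly.items())), "declining" if is_declining(weekly) else "not declining")
    print("warn:", groups_to_warn(totals))
```

In the sample data the Sales group's weekly copy count falls from 3 to 1 while the Dev group's rises from 1 to 2, so only Dev is flagged; the unrelated budget.xls copy and the Renamed entry are excluded by the file-name and type conditions, and the March entry drops out once a search period is given.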

Note
If you execute an Asset Information Manager task on a 64-bit OS, you must execute it from the 32-bit command prompt. For details about how to execute commands, see F(2) Notes on executing commands and tasks in a 64-bit OS in the Planning and Setup Guide.

(3) Tracing and investigating user operations

You can check the operations performed on the EmployeeList.xls file after it was copied. Based on the operation logs from the target device, you can also trace operations performed across the network from other devices.

You can use the File Operation Trace dialog box to trace user operations.

The following figure shows the File Operation Trace dialog box.

Figure 2-27 File Operation Trace dialog box

[Figure]

You can use a similar dialog box to trace operations performed across the network from another device.

The following figure shows the operation flow for tracing user operations related to copying EmployeeList.xls.

Figure 2-28 Operation flow for tracing user operations related to copying the EmployeeList.xls file

[Figure]

  1. In the Operation Log List window, specify the search conditions and search the operation logs.
    Search for operation log entries that indicate copying of EmployeeList.xls. Specify the same conditions as specified in step 2 of the procedure described in subsection (1) above.
  2. Trace the file operations based on the search results.
    Use the File Operation Trace dialog box to trace the operations, and to check if the name of the copied EmployeeList.xls file was changed or if the file was copied to external media. For details about how to trace operations, see 2.7.3 Tracing user operations in the Administrator's Guide.
  3. Warn the user.
    If necessary, warn the user.
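The tracing step described above, as an added example that is not part of the original manual and not the product's own code. It assumes a simplified file-operation record with a before path ("src"), an after path ("dst") and the destination drive type, and it runs over constructed entries for two devices. Starting from the source path of the copy found in step 1, it follows renames and further copies of the tracked file chronologically on one device, then reports whether the copied file was renamed or written to external media.

```python
# Constructed sample file-operation log entries (not real JP1 output). Field names
# are assumptions: "src" is the path before the operation, "dst" the path after it.
_RAW = [
    ("2023-04-03 09:00:00", "PC-SALES01", "alice", "Copied",
     r"\\fileserver\hr\EmployeeList.xls", r"C:\Users\alice\Documents\EmployeeList.xls", "Fixed"),
    ("2023-04-03 09:20:00", "PC-SALES01", "alice", "Deleted",
     r"C:\Users\alice\Documents\list2023.xls", None, None),          # listed out of order on purpose
    ("2023-04-03 09:05:00", "PC-SALES01", "alice", "Renamed",
     r"C:\Users\alice\Documents\EmployeeList.xls", r"C:\Users\alice\Documents\list2023.xls", "Fixed"),
    ("2023-04-03 09:10:00", "PC-SALES01", "alice", "Copied",
     r"C:\Users\alice\Documents\list2023.xls", r"E:\list2023.xls", "Removable"),
    ("2023-04-03 09:12:00", "PC-SALES01", "alice", "Copied",
     r"C:\Users\alice\Documents\budget.xls", r"E:\budget.xls", "Removable"),  # unrelated file
    ("2023-04-03 09:30:00", "PC-SALES02", "bob", "Copied",
     r"\\fileserver\hr\EmployeeList.xls", r"D:\work\EmployeeList.xls", "Fixed"),
]
FIELDS = ("time", "host", "account", "type", "src", "dst", "dst_drive")
TRACE_ENTRIES = [dict(zip(FIELDS, row)) for row in _RAW]


def trace_file(entries, host, seed_path):
    """Follow one file on one device: every operation whose source path is the
    seed or a name the file has since acquired, in chronological order."""
    tracked = {seed_path.lower()}
    chain = []
    for e in sorted(entries, key=lambda e: e["time"]):
        if e["host"] != host or e["src"].lower() not in tracked:
            continue
        chain.append(e)
        if e["type"] in ("Copied", "Renamed") and e["dst"]:
            tracked.add(e["dst"].lower())       # the file now also exists under dst
        if e["type"] == "Renamed":
            tracked.discard(e["src"].lower())   # the old name no longer refers to it
    return chain


def external_copies(chain):
    """Destinations on removable media, i.e. copies to external media."""
    return [e["dst"] for e in chain if e["type"] == "Copied" and e["dst_drive"] == "Removable"]


def renamed_to(chain):
    """New names the tracked file was given."""
    return [e["dst"] for e in chain if e["type"] == "Renamed"]


if __name__ == "__main__":
    chain = trace_file(TRACE_ENTRIES, "PC-SALES01", r"\\fileserver\hr\EmployeeList.xls")
    for e in chain:
        print(e["time"], e["account"], e["type"], e["src"], "->", e["dst"])
    print("renamed to:", renamed_to(chain))
    print("copied to external media:", external_copies(chain))
```

On the sample device the trace shows the copy from the file server, the rename to list2023.xls, the copy of that renamed file to the removable E: drive and the later deletion; the unrelated budget.xls copy is not part of the chain, and the copy on PC-SALES02 only appears when that device is traced.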