2.10 Managing operation logs
You can collect operation logs from a target computer by enabling operation log collection in a security policy and assigning that security policy to the target computer.
To collect operation logs, an agent must be installed on the target computer. Also, to save the collected operation logs on the management server, Setup must be configured on the management server so that operation logs can be collected.
You can change the types of operation logs to be collected in the security policy settings. You can also change the setting of whether to detect suspicious operations in the security policy settings.
The following table shows the categories of suspicious operations and how to confirm them.
| Category | Operations selected as suspicious in the security policy | Confirmation method: Security module > Operation Logs > Operation Log List view | Confirmation method: Events module > Events > Event List | Confirmation method: Suspicious Operations panel |
|---|---|---|---|---|
| Suspicious file operations | Send/Receive E-mail with Attachments | | In the Type column, Suspicious is displayed. | Send E-mail with Attachments is displayed. |
| | Use Web/FTP Server | | In the Type column, Suspicious is displayed. | Use Web/FTP Server is displayed. |
| | Copy/Move the File to External Device | | In the Type column, Suspicious is displayed. | Copy/Move the File to External Device is displayed. |
| Suspicious print operation | Large Number of Printing Jobs | -- | In the Type column, Suspicious is displayed. | -- |

Legend: --: Not displayed.
If conditions for suspicious file movement operations are set in the security policy, you can track the history of such operations using the operation logs.
For details about suspicious file movements, see 2.10.4 Investigating suspicious movements of files from systems using operation logs. For details about suspicious print operations, see 2.10.6 Collecting logs for suspicious print operations.
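As an added illustration of the categories in the table (example code, not part of the product or this manual), the following script sorts constructed operation-log records into those categories and marks the rows that would show Suspicious in the Type column. The record fields, the operation values and the print-job condition (a fixed number of jobs by one user within a time window) are assumptions; the product's actual conditions are described in 2.10.5 and 2.10.7, not on this page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical record values mapped to the suspicious file operation names above.
SUSPICIOUS_FILE_OPS = {
    "send_email_attachment": "Send/Receive E-mail with Attachments",
    "web_ftp_upload": "Use Web/FTP Server",
    "copy_to_external_device": "Copy/Move the File to External Device",
}
# Assumed condition for "Large Number of Printing Jobs" (the product's own
# condition is in 2.10.7): PRINT_JOB_LIMIT jobs by one user within PRINT_WINDOW.
PRINT_JOB_LIMIT = 3
PRINT_WINDOW = timedelta(minutes=10)

# Constructed sample records, not real operation-log output.
SAMPLE_RECORDS = [
    {"time": "2024-05-01T09:00:00", "user": "alice", "op": "open_file"},
    {"time": "2024-05-01T09:01:00", "user": "alice", "op": "copy_to_external_device"},
    {"time": "2024-05-01T09:02:00", "user": "bob", "op": "print"},
    {"time": "2024-05-01T09:03:00", "user": "bob", "op": "print"},
    {"time": "2024-05-01T09:04:00", "user": "bob", "op": "print"},
    {"time": "2024-05-01T09:05:00", "user": "carol", "op": "web_ftp_upload"},
    {"time": "2024-05-01T09:30:00", "user": "bob", "op": "print"},  # outside the window
]

def classify(records):
    """Return (time, user, operation, type) tuples in time order. File operations
    are judged per record; print jobs are counted per user in a sliding window."""
    results = []
    recent_prints = defaultdict(list)  # user -> print timestamps still in window
    for rec in sorted(records, key=lambda r: r["time"]):
        ts, user, op = datetime.fromisoformat(rec["time"]), rec["user"], rec["op"]
        if op in SUSPICIOUS_FILE_OPS:
            results.append((rec["time"], user, SUSPICIOUS_FILE_OPS[op], "Suspicious"))
        elif op == "print":
            window = [t for t in recent_prints[user] if ts - t <= PRINT_WINDOW] + [ts]
            recent_prints[user] = window
            hit = len(window) >= PRINT_JOB_LIMIT  # this job and later ones in the window
            results.append((rec["time"], user, "Large Number of Printing Jobs" if hit else "Print",
                            "Suspicious" if hit else "Normal"))
        else:
            results.append((rec["time"], user, op, "Normal"))
    return results

def suspicious_only(records=SAMPLE_RECORDS):
    """Rows that would show Suspicious in the Type column of the Event List."""
    return [r for r in classify(records) if r[3] == "Suspicious"]
```

Calling suspicious_only() on the sample returns the external-device copy, bob's third print job and the Web/FTP upload, while bob's isolated job at 09:30 falls outside the window and stays Normal.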
In a multi-server configuration system, the management server cannot collect operation logs. To collect operation logs in a multi-server configuration system, collect distributed operation logs on site servers.
Tip: Collecting all types of operation logs might consume a large amount of disk capacity. You can reduce disk consumption by collecting only the operation logs directly related to information leakage, or by specifying the target operations.

Tip: When many devices are used and you manage operation logs on the management server alone, the management server and the network might be overloaded. If many devices are used or if there is a remote site, we recommend that you configure a site server to distribute the load.
Note that you cannot view the operation logs saved on a site server and the operation logs saved on the management server at the same time. Therefore, when you use a site server, we recommend that you save operation logs only on the site server and do not save operation logs on the management server.
Organization of this section
- 2.10.2 Managing operation logs on the management server in a single-server configuration system
- 2.10.4 Investigating suspicious movements of files from systems using operation logs
- 2.10.5 Conditions for determining whether a file is to be monitored for suspicious file movements
- 2.10.7 Conditions for checking for large numbers of print jobs