2.10.8 Importing HIBUN logs into the management server
If the product links with HIBUN version 10-00 or later, you can import HIBUN logs into JP1/IT Desktop Management 2.
The imported HIBUN logs can be examined in the Operations Logs view of the Security module, together with JP1/IT Desktop Management 2 operation logs.
(1) List of the information leak prevention functions of JP1/IT Desktop Management 2 and HIBUN
You can prevent information leaks by combining the functions of JP1/IT Desktop Management 2 and HIBUN. The following table lists the information leak prevention functions of JP1/IT Desktop Management 2 and HIBUN.

| Information leak prevention function | JP1/IT Desktop Management 2 function | HIBUN function |
|---|---|---|
| Prevent unauthorized taking out of data | Restrict prohibited operations; Watch suspicious operations | Data-reproduction control; Device control; Permitted network control |
| Keep logs of file operations by users of computers | Keep logs of operations; Watch suspicious operations | Acquiring HIBUN extended operation log |
| Keep logs of window operations and Web access by users of computers | Keep logs of operations | Acquiring HIBUN extended operation log |
| Keep logs of startups and shutdowns of computers and logons to and logoffs from computers | Keep logs of operations | Acquiring event log |
| Keep logs of access to devices and logs of starting and stopping programs | Keep logs of operations | Acquiring access log |

- Important
  - If you use the same information leak prevention function in both JP1/IT Desktop Management 2 and HIBUN, the same operation log can be displayed in the Operation Log List view.
  - If you use a function listed in the row of Keep logs of file operations by users of computers, use either a JP1/IT Desktop Management 2 function or a HIBUN function alone. Do not use both functions together.
  - If the Only operations that divulge information (recommended). check box is selected in the policy for operation log, do not use the HIBUN functions listed in Keep logs of file operations by users of computers. If you want to use these HIBUN functions, clear the Only operations that divulge information (recommended). check box in the policy for operation log. Do not use both functions together.

(2) HIBUN logs that can be imported into JP1/IT Desktop Management 2
The table below describes the types of HIBUN logs that can be imported into JP1/IT Desktop Management 2. Use a CSV-format file for HIBUN logs.

| Type of HIBUN log | Description |
|---|---|
| Access log | |
| Event log | History of events that occurred on HIBUN clients, such as logins, logouts, and password changes |
| HIBUN extended operation log | Logs of application and file operations performed on client PCs by users |

(3) Importing HIBUN logs
For details about how to import HIBUN logs, see the description about importing HIBUN logs in the JP1/IT Desktop Management 2 Administration Guide.
Storing in the storage location of the operation logs
As with the operation logs collected by JP1/IT Desktop Management 2, the HIBUN logs imported into JP1/IT Desktop Management 2 are stored in the storage location of the operation logs. If you enable the automatic restoration of HIBUN operation logs, the logs can be imported automatically into the operation log database. After the operation logs are stored in the backup folder, you can view them by importing them from that folder into the database.
- How the data is stored

  The HIBUN logs are stored in different folders depending on the type of log and the date, as shown below.

  operation-log-backup-folder-specified-in-the-setup\EXLOG\type-of-log\date-of-operation(YYYYMMDD)

- Disk space needed for storage

  For details, see 4.5.3 Guidelines for disk space requirements for operation log backup folder and 4.5.4 Guidelines for disk space requirements for the operation log database.

Importing into the operation log database
You can view the HIBUN logs after they are imported into the operation log database. As with the operation logs collected by JP1/IT Desktop Management 2, you can use automatic restoration or manual restoration.
- Automatic restoration

  The HIBUN logs are imported according to the period for storing logs specified in Settings for Operation Logs of the Settings module.

- Manual restoration

  You can import the HIBUN logs from the storage location of the operation logs by specifying the period in which the operation log you want to examine is included. You can also import them by specifying a target computer.

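
The folder layout given under How the data is stored can be used to see which dates are present in the backup folder for each log type before you choose a period for manual restoration. The following Python is an added example, not part of the product or this manual; the root folder D:\ITDM2_Backup, the type folder names TYPE_A and TYPE_B, and the folder listing itself are constructed placeholders.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample listing. The root folder, the type folder names
# (TYPE_A, TYPE_B) and the OTHER folder are placeholders, not product names.
SAMPLE = [
    r"D:\ITDM2_Backup\EXLOG\TYPE_A\20240301",
    r"D:\ITDM2_Backup\EXLOG\TYPE_A\20240302",
    r"D:\ITDM2_Backup\EXLOG\TYPE_A\20240304",
    r"D:\ITDM2_Backup\EXLOG\TYPE_B\20240301",
    r"D:\ITDM2_Backup\EXLOG\TYPE_B\2024-03-02",  # malformed date folder
    r"D:\ITDM2_Backup\OTHER\TYPE_A\20240303",    # not under EXLOG
]


def parse_exlog_path(path):
    """Return (log_type, day) for a path at or below
    ...\\EXLOG\\type-of-log\\YYYYMMDD, or None if it does not match."""
    parts = PureWindowsPath(path).parts
    for i, part in enumerate(parts):
        if part.upper() == "EXLOG" and len(parts) >= i + 3:
            name = parts[i + 2]
            if len(name) != 8 or not name.isdigit():
                return None  # strptime alone would accept short forms
            try:
                return parts[i + 1], datetime.strptime(name, "%Y%m%d").date()
            except ValueError:
                return None  # eight digits but not a real calendar date
    return None


def missing_days(paths, start, end):
    """Map each log type found under EXLOG to the days in [start, end]
    for which no date folder exists."""
    seen = defaultdict(set)
    for p in paths:
        parsed = parse_exlog_path(p)
        if parsed:
            seen[parsed[0]].add(parsed[1])
    wanted = [start + timedelta(days=n) for n in range((end - start).days + 1)]
    return {t: [d for d in wanted if d not in seen[t]] for t in sorted(seen)}


if __name__ == "__main__":
    report = missing_days(SAMPLE, date(2024, 3, 1), date(2024, 3, 4))
    for log_type, days in report.items():
        print(log_type, [d.strftime("%Y%m%d") for d in days])
```

A missing day can also mean that no operations were logged on that date, so treat the result as a list of dates to check rather than as proof that logs were lost.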
(4) Viewing HIBUN logs imported into JP1/IT Desktop Management 2
HIBUN logs imported into the operation log database of JP1/IT Desktop Management 2 are displayed in the Operation Log List view of the Security module. The following table lists and describes what items are displayed:

| Display item in the Operation Log List view | When HIBUN logs are displayed |
|---|---|
| Trace button | Becomes unavailable. |
| Suspicious Operations column | Becomes empty. |
| | The following date and time are displayed with the time zone for JP1/IT Desktop Management 2 - Manager: |
| Source column | Displays the name of the client computer that created the log. When the source can be identified as the device information managed by JP1/IT Desktop Management 2, it is displayed as a link. When you click the link, the Device Inventory view is displayed. Operation logs of JP1/IT Desktop Management 2 are displayed as fully-qualified domain names (FQDNs) of computers. Therefore, these names may be different from computer names that were output in the HIBUN logs. |
| Host ID column | When the host ID can be identified as the device information managed by JP1/IT Desktop Management 2, it is displayed as the host ID of the device. When it is not identified, the column will be empty. |
| User Name column | Displays the Windows user name. |
| Operation Type column | See What is displayed in Operation Type. |
| Operation Type (Detail) column | See What is displayed in Operation Type (Detail). |
| Target column | The following information is displayed: |
| Operation Details column | The following information is displayed: |
| | Becomes empty. |
| | Are displayed only for file operation logs of the HIBUN extended operation log. These must be configured in HIBUN. |
| Printed Page Count column | Becomes empty. |
| Serial # column | Is displayed for the device connection log. It is also displayed for the device-specific log and when the action value in the HIBUN log is CFL, OPN, WRI, DEL, CDR, DDR, or REN. It must be configured in HIBUN. If the serial number is assigned automatically by the OS, [*] is appended to the number. |
| Device Category column | Is displayed only for the device connection log. |

Identifying the computer name in the HIBUN log with the host name of the device
When a HIBUN log is imported, the computer name in the HIBUN log is associated with the host name of the JP1/IT Desktop Management 2 device. When it is successfully associated with (identified with) the host name, the HIBUN log is related to the JP1/IT Desktop Management 2 device. If the association (identification) fails, the host ID is not displayed for the HIBUN log in the Operations Logs view of the Security module.
What is displayed in Operation Type

| What is displayed in Operation Type | Log type value in the HIBUN access log or HIBUN extended operation log | Searched Filter |
|---|---|---|
| [HIBUN]Access to an encrypted file | MYS | Operated File name (Operation Type is File Operation) |
| [HIBUN]Access to a network or controlled media | RES | Operated File name (Operation Type is File Operation) |
| [HIBUN]Access to a permitted controlled media (encrypted file) | CMD | Operated File name (Operation Type is File Operation) |
| [HIBUN]Access to a permitted controlled media (unencrypted file) | PMD | Operated File name (Operation Type is File Operation) |
| [HIBUN]Access to internal hard disk | NRD | Operated File name (Operation Type is File Operation) |
| [HIBUN]Output to a printer | PRT | Printed document name (Operation Type is Print Operation) |
| [HIBUN]Access for HIBUN data reproduction, or creation of a HIBUN confidential file | VFL | Operated File name (Operation Type is File Operation) |
| [HIBUN]Access to a shared confidential folder | NET | Operated File name (Operation Type is File Operation) |
| [HIBUN]Access for data reproduction by email | TCP | |
| [HIBUN]Connection of a device | CON | |
| [HIBUN]Network access | NAC | |
| [HIBUN]File protection | EFP | |
| [HIBUN]Program start/exit | CLS | Process name (Operation Type is Process/Program Operation) |
| [HIBUN]Malware detection (CylancePROTECT) | CYL | |
| [HIBUN]Event logs | -- | |
| [HIBUN]Application operation logs | OMA | Window title (Operation Type is Window Operation) |
| [HIBUN]File operation logs | OMF | |
| Unknown | -- | |

Legend: --: Not applicable
What is displayed in Operation Type (Detail)

| What is displayed in Operation Type (Detail) | Action value in the HIBUN log | Type of the HIBUN log |
|---|---|---|
| [HIBUN]A file was opened, created, or printed. | CFL | A |
| [HIBUN]A file was opened. | OPN | A |
| [HIBUN]A file was opened, or a file was opened in write mode. | WRI | A |
| [HIBUN]A file was deleted. | DEL | A |
| [HIBUN]A folder was created. | CDR | A |
| [HIBUN]A folder was deleted. | DDR | A |
| [HIBUN]The name of a folder or a file was changed, or a folder or a file was moved to a location on the same drive. Alternatively, a folder was moved within a shared confidential folder. | REN | A |
| [HIBUN]A shared confidential folder was copied. | CPD | A |
| [HIBUN]A subfolder in a shared confidential folder was moved to a folder other than a local folder. | MVD | A |
| [HIBUN]A file was copied by the replicated file acquisition functionality. | CPY | A |
| [HIBUN]CD/DVD authoring software was started. | MED | A |
| [HIBUN]HIBUN data reproduction (outside use) | VFO | A |
| [HIBUN]HIBUN data reproduction (view-only) | VFV | A |
| [HIBUN]HIBUN data reproduction (HIBUN unencrypted-data reproduction) | VFP | A |
| [HIBUN]A HIBUN confidential file was created. | ARC | A |
| [HIBUN]An email was sent. | MAL | A |
| [HIBUN]Connection of removable media | REM | A |
| [HIBUN]Connection of an external hard disk | EXD | A |
| [HIBUN]Connection of a CD or DVD drive | CDD | A |
| [HIBUN]Connection of an infrared device | IRD | A |
| [HIBUN]Connection of a Bluetooth device | BTH | A |
| [HIBUN]Connection of a wireless LAN | WLN | A |
| [HIBUN]Connection of a modem | MDM | A |
| [HIBUN]Connection of an imaging device | IMG | A |
| [HIBUN]Connection of a Windows portable device | WPD | A |
| [HIBUN]Connection of a Windows Mobile device | WML | A |
| [HIBUN]Connection of a Palm handheld device | PLM | A |
| [HIBUN]Connection of a BlackBerry device | BBY | A |
| [HIBUN]Connection of a serial or parallel port | SPP | A |
| [HIBUN]Other connection of a controlled device | OTR | A |
| [HIBUN]Connection of a Wired LAN (USB connections) | ULN | A |
| [HIBUN]Connection of a Wired LAN (non-USB connections) | OLN | A |
| [HIBUN]Wired LAN connection | LCN | A |
| [HIBUN]Wireless LAN connection (network communication (TCP/IP) log) | WCN | A |
| [HIBUN]Reconnection via roaming to wireless LAN | WRA | A |
| [HIBUN]Network communications (TCP/IP) | COM | A |
| [HIBUN]File access | CRF | A |
| [HIBUN]Network Communication | NWA | A |
| [HIBUN]Process creation | CRP | A |
| [HIBUN]Process permissions update | UPP | A |
| [HIBUN]Process termination | TEP | A |
| [HIBUN]Program file load | LOD | A |
| [HIBUN]Malware detection event occurrence (CylancePROTECT) | MDE | A |
| [HIBUN]Memory protection event or script prohibition event occurrence (CylancePROTECT) | MWE | A |
| [HIBUN]Other event occurrence (CylancePROTECT) | COE | A |
| [HIBUN]Unknown event occurrence (CylancePROTECT) | CUK | A |
| [HIBUN]Login to HIBUN DC or HIBUN DE | LOGIN | E |
| [HIBUN]Logout of HIBUN DC or HIBUN DE | LOGOUT | E |
| [HIBUN]Failure to log in to HIBUN DC or HIBUN DE | LOGERR | E |
| [HIBUN]Login to HIBUN DE (FS) | FSLOGIN | E |
| [HIBUN]Logout of HIBUN DE (FS) | FSLOGOUT | E |
| [HIBUN]Failure to log in to HIBUN DE (FS) | FSLOGERR | E |
| [HIBUN]Login to HIBUN IC | ICLOGIN# | E |
| [HIBUN]Logout of HIBUN IC | ICLOGOUT# | E |
| [HIBUN]Login to HIBUN IS | ISLOGIN# | E |
| [HIBUN]Logout of HIBUN IS | ISLOGOUT# | E |
| [HIBUN]Failure to log in to HIBUN IS | ISLOGERR# | E |
| [HIBUN]Login to HIBUN IF | IFLOGIN# | E |
| [HIBUN]Logout of HIBUN IF | IFLOGOUT# | E |
| [HIBUN]Failure to log in to HIBUN IF | IFLOGERR# | E |
| [HIBUN]Executing an administrator's command | MNGCMD# | E |
| [HIBUN]Changing a client setting | CNFUPDATE# | E |
| [HIBUN]Changing the password for HIBUN DC, HIBUN DE (FS), HIBUN IF, or HIBUN IS | CHGPASLOC | E |
| [HIBUN]The screen was locked. | SCLOCK | E |
| [HIBUN]Screen locking was canceled. | SCUNLOCK | E |
| [HIBUN]The terminal was locked. | PCLOCK | E |
| [HIBUN]Terminal locking was canceled. | PCUNLOCK | E |
| [HIBUN]Type-based device control settings update | DEVUPDATE | E |
| [HIBUN]Permitted network control settings update | NETUPDATE | E |
| [HIBUN]Switch to office mode | INTCHG | E |
| [HIBUN]Switch to public mode | EXTCHG | E |
| [HIBUN]File protection settings update | EFPUPDATE | E |
| [HIBUN]PC startup | PON | E |
| [HIBUN]PC shutdown | POF | E |
| [HIBUN]Windows logon | WSI | E |
| [HIBUN]Windows logoff | WSO | E |
| [HIBUN]Extension log settings update | TLSUPDATE | E |
| [HIBUN]Window active | ACT | H |
| [HIBUN]Start engine | EST | H |
| [HIBUN]Inactive or on standby | PWR | H |
| [HIBUN]Logoff and shutdown | END | H |
| [HIBUN]Start log acquisition | LST | H |
| [HIBUN]End engine | EEN | H |
| [HIBUN]Engine abnormality | OME | H |
| [HIBUN]Create file | FCR | H |
| [HIBUN]Copy file | FCP | H |
| [HIBUN]Move file | FMV | H |
| [HIBUN]Change file name | FRE | H |
| [HIBUN]Delete file | FDE | H |
| [HIBUN]Open file | FOP | H |
| [HIBUN]Overwrite and save file | FUD | H |
| [HIBUN]Add drive | ADD | H |
| [HIBUN]Delete drive | DED | H |
| Unknown | -- | -- |

Legend: A: Access log, E: Event log, H: HIBUN extended operation log, --: Not applicable

#: It indicates the action for HIBUN version 10-50 and earlier versions.

(5) Configuring settings for HIBUN log import
If you import HIBUN logs, you need to modify the configuration file for the external log import command. By default, the command is configured not to import the HIBUN logs. For details about the configuration file for the external log import command, see ioutils importexlog (importing external logs) in the manual JP1/IT Desktop Management 2 Administration Guide.
Setting of the HIBUN logs that are not imported
You can specify HIBUN logs that are not imported at the time of HIBUN log import in the configuration file for the external log import command. By default, the following HIBUN logs are not imported:
- Access log of an internal hard disk
- File reference log
- Network communication log (TCP/IP)

Importing unknown HIBUN logs
To import unknown HIBUN logs into JP1/IT Desktop Management 2, that is, logs that are not listed in the tables What is displayed in Operation Type and What is displayed in Operation Type (Detail) in (4) Viewing HIBUN logs imported into JP1/IT Desktop Management 2, you need to modify the configuration file for the external log import command. By default, the command is configured not to import unknown HIBUN logs.
After the unknown HIBUN logs are imported into the operation log database, they are displayed as Unknown under Operation Type and Operation Type (Detail) in the Operation Log List view of the Security module. The action values in these unknown HIBUN logs are displayed in Target, separated by commas (,).
(6) Note on importing the HIBUN logs
The following is a note on importing the HIBUN logs:
- If HIBUN logs are collected after the current time on a client computer is adjusted back, they are not imported into JP1/IT Desktop Management 2 because the system determines that the logs have already been imported.