Hitachi

JP1 Version 12 JP1/IT Desktop Management 2 Overview and System Design Guide


2.10 Managing operation logs

You can collect operation logs from a target computer if you set collection of operation logs in a security policy and assign the security policy to the target computer.

To collect operation logs, an agent must be installed on the target computer. Also, to save the collected operation logs on the management server, Setup must be configured on the management server so that operation logs can be collected.

Important

Operation log management is not available for API-controlled devices.

You can change the types of operation logs to be collected in the security policy settings. You can also change the setting of whether to detect suspicious operations in the security policy settings.

The following table shows the categories of suspicious operations and how to confirm them.

Category: Suspicious file operations

  • Suspicious operation to be reported in the security policy: Send/Receive E-mail with Attachments

    Confirmation methods:

    Security module > Operation Logs > Operation Log List view: In the Suspicious column, an icon is displayed. In the Operation Type (Detail) column, Send Mail (Attachment File) is displayed.

    Events module > Events > Event List: In the Type column, Suspicious is displayed.

    Suspicious Operations panel: Send E-mail with Attachments is displayed.

  • Suspicious operation to be reported in the security policy: Use Web/FTP Server

    Confirmation methods:

    Security module > Operation Logs > Operation Log List view: In the Suspicious column, an icon is displayed. In the Operation Type (Detail) column, Web Access (Upload) or Web Access (Download) is displayed.

    Events module > Events > Event List: In the Type column, Suspicious is displayed.

    Suspicious Operations panel: Use Web/FTP Server is displayed.

  • Suspicious operation to be reported in the security policy: Copy/Move the File to External Device

    Confirmation methods:

    Security module > Operation Logs > Operation Log List view: In the Suspicious column, an icon is displayed. In the Operation Type (Detail) column, Copy file or Move file is displayed.

    Events module > Events > Event List: In the Type column, Suspicious is displayed.

    Suspicious Operations panel: Copy/Move the File to External Device is displayed.

Category: Suspicious print operation

  • Suspicious operation to be reported in the security policy: Large Number of Printing Jobs

    Confirmation methods:

    Security module > Operation Logs > Operation Log List view: --

    Events module > Events > Event List: In the Type column, Suspicious is displayed.

    Suspicious Operations panel: --

Legend: --: Not displayed.

If conditions for suspicious file movement operations are set in the security policy, you can track the history of such operations using the operation logs.

For details about suspicious file movements, see 2.10.3 Investigating suspicious movements of files from systems using operation logs. For details about suspicious print operations, see 2.10.5 Collecting logs for suspicious print operations.

Tip

Collecting all types of operation logs might consume a large amount of disk capacity. You can reduce disk consumption by collecting only the operation logs directly related to information leakage, or by specifying the target operations.

Important

An agent for UNIX or Mac is excluded from operation log collection.

Important

When the number of managed computers is more than 30,000 and you want to collect operation logs, you must use a multi-server configuration so that management relay servers can collect the information. Do not collect the information by using the primary management server. In addition, configure the settings so that the operation logs are not sent from a management relay server to the primary management server.

Important

There might be a discrepancy between the number of suspicious operations (each day) displayed in the Suspicious Operations panel and the number of suspicious operations displayed in the operation log list (which is accessed from the anchor). This problem occurs in any of the following cases:

  • There is a time lag in sending suspicious operations notifications to the management server from the agent.

    Time lags can occur due to an agent-installed computer shutting down or due to network connection problems.

  • The system clocks on the agent-installed computer and the management server are not synchronized.

    Operation logs might be registered as the operations that happened before or after the date of notification to the management server.

  • Operation logs are enabled, but the operation logs for that day are not restored.

In such cases, cross-check the suspicious operations of that day in the Events module, then check the operation logs of each corresponding computer (the operation source) in the operation log list, or check the operation logs for the days before and after that day in the operation log list.
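As an added illustration of this cross-check (not part of the manual, and not an API of JP1/IT Desktop Management 2), the following Python reconciles one day's Suspicious Operations panel count against operation log entries, allowing for the clock-skew and delayed-notification cases above. The record fields, the constructed sample rows and the one-day search window are assumptions.

```python
from collections import Counter
from datetime import date, datetime

# Constructed sample data (not exported from a real management server).
# EVENTS mimics Event List rows: the date the management server received the
# notification, the source computer, and the Type column.
EVENTS = [
    {"date": date(2024, 3, 5), "computer": "PC-001", "type": "Suspicious"},
    {"date": date(2024, 3, 5), "computer": "PC-002", "type": "Suspicious"},
    {"date": date(2024, 3, 5), "computer": "PC-003", "type": "Suspicious"},
]
# OPLOGS mimics Operation Log List rows, timestamped by the agent's own clock.
OPLOGS = [
    {"computer": "PC-001", "time": datetime(2024, 3, 5, 9, 12),
     "detail": "Send Mail (Attachment File)", "suspicious": True},
    # Agent clock runs behind the server: the entry lands on the previous day.
    {"computer": "PC-002", "time": datetime(2024, 3, 4, 23, 58),
     "detail": "Copy file", "suspicious": True},
    # Not flagged suspicious in the log, so the event has no matching entry.
    {"computer": "PC-003", "time": datetime(2024, 3, 5, 14, 0),
     "detail": "Web Access (Download)", "suspicious": False},
]
PANEL_DAY = date(2024, 3, 5)  # the day whose panel count is being checked

def suspicious_events_per_day(events):
    """Per-day count of Suspicious events, as the panel presents it (ISO date keys)."""
    return Counter(e["date"].isoformat() for e in events if e["type"] == "Suspicious")

def suspicious_oplogs_per_day(oplogs):
    """Per-day count of suspicious operation log entries by agent timestamp."""
    return Counter(o["time"].date().isoformat() for o in oplogs if o["suspicious"])

def reconcile(events, oplogs, day, window_days=1):
    """For each Suspicious event received on `day`, look for a suspicious log entry
    from the same computer dated within +/- window_days (absorbs clock skew and
    delayed notification). Returns (matched, unmatched)."""
    matched, unmatched = [], []
    for e in events:
        if e["date"] != day or e["type"] != "Suspicious":
            continue
        hits = [o for o in oplogs if o["computer"] == e["computer"] and o["suspicious"]
                and abs((o["time"].date() - day).days) <= window_days]
        if hits:
            matched.append((e["computer"], hits[0]["time"].date().isoformat(), hits[0]["detail"]))
        else:
            unmatched.append(e["computer"])
    return matched, unmatched

if __name__ == "__main__":
    print("panel:", suspicious_events_per_day(EVENTS), "logs:", suspicious_oplogs_per_day(OPLOGS))
    print("reconcile:", reconcile(EVENTS, OPLOGS, PANEL_DAY))
```

Computers left in the unmatched list are the ones to inspect by hand in the operation log list, since the matching entry may not have been restored yet.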

Important

If an agent's OS is Windows 7, collection of operation logs cannot be performed on Windows XP Mode.

Important

If 16-bit software is used, operation logs of Program Execution, Program Termination, and Window Operation cannot be collected.

Organization of this section