Hitachi

JP1 Version 12 JP1/IT Desktop Management 2 Overview and System Design Guide


2.10.8 Importing HIBUN logs into the management server

If the product links with HIBUN version 10-00 or later versions, you can import HIBUN logs into JP1/IT Desktop Management 2.

The imported HIBUN logs can be examined in the Operations Logs view of the Security module, together with JP1/IT Desktop Management 2 operation logs.


(1) List of the information leak prevention functions of JP1/IT Desktop Management 2 and HIBUN

You can prevent information leaks by combining the functions of JP1/IT Desktop Management 2 and HIBUN. The following table lists the information leak prevention functions of JP1/IT Desktop Management 2 and HIBUN.

| Information leak prevention function | JP1/IT Desktop Management 2 function | HIBUN function |
| --- | --- | --- |
| Prevent unauthorized taking out of data | Restrict prohibited operations: Printing Restriction; Restriction of Device Usage; Software Restriction. Watch suspicious operations: Large Number of Printing Jobs | Data-reproduction control; Device control; Permitted network control |
| Keep logs of file operations by users of computers | Keep logs of operations: File Operation/Print Operation; Folder Operation. Watch suspicious operations: Send/Receive E-mail with Attachments; Use Web/FTP Server; Copy/Move the File to External Device | Acquiring HIBUN extended operation log: File operation log; Drive operation log |
| Keep logs of window operations and Web access by users of computers | Keep logs of operations: Window Operation; Web Access | Acquiring HIBUN extended operation log: Application operation log |
| Keep logs of startups and shutdowns of computers and logons to and logoffs from computers | Keep logs of operations: Startups and shutdowns of computers, and logons to and logoffs from computers | Acquiring event log |
| Keep logs of access to devices and logs of starting and stopping programs | Keep logs of operations: Program Execution/Termination; Device Operation; Restriction log | Acquiring access log |

Important
  • If you use the same information leak prevention function in both JP1/IT Desktop Management 2 and HIBUN, the same operation log can be displayed in the Operation Log List view.

  • If you use a function listed in the row of Keep logs of file operations by users of computers, use either a JP1/IT Desktop Management 2 function or a HIBUN function alone. Do not use both functions together.

  • If the Only operations that divulge information (recommended). check box is selected in the policy for operation log, do not use the HIBUN functions listed in Keep logs of file operations by users of computers.

    If you want to use these HIBUN functions, clear the Only operations that divulge information (recommended). check box in the policy for operation log.

    Do not use both functions together.

(2) HIBUN logs that can be imported into JP1/IT Desktop Management 2

The table below describes the types of HIBUN logs that can be imported into JP1/IT Desktop Management 2. Use a CSV-format file for HIBUN logs.

| Type of HIBUN log | Description |
| --- | --- |
| Access log | Access operations performed on HIBUN clients by users, such as access to the shared confidential folder or taking out a file to a removable media including a USB memory device; operations performed on HIBUN clients by programs, such as starting or exiting programs |
| Event log | History of events that occurred on HIBUN clients, such as logins, logouts, and password changes |
| HIBUN extended operation log | Logs of application and file operations performed on client PCs by users |

(3) Importing HIBUN logs

For details about how to import HIBUN logs, see the description about importing HIBUN logs in the JP1/IT Desktop Management 2 Administration Guide.

Storing in the storage location of the operation logs

As with the operation logs collected by JP1/IT Desktop Management 2, the HIBUN logs imported into JP1/IT Desktop Management 2 are stored in the storage location of the operation logs. If you enable the automatic restoration of HIBUN operation logs, the logs can be imported automatically into the operation log database. After the operation logs are stored in the backup folder, you can view them by importing them from that folder into the database.

How the data is stored

The HIBUN logs are stored in different folders depending on the type of log and the date, as shown below.

operation-log-backup-folder-specified-in-the-setup\EXLOG\type-of-log\date-of-operation(YYYYMMDD)

Disk space needed for storage

For details, see 4.5.3 Guidelines for disk space requirements for operation log backup folder and 4.5.4 Guidelines for disk space requirements for the operation log database.

Importing into the operation log database

You can view the HIBUN logs after they are imported into the operation log database. As with the operation logs collected by JP1/IT Desktop Management 2, you can use the automatic restoration and manual restoration.

Automatic restoration

The HIBUN logs are imported according to the period for storing logs specified in Settings for Operation Logs of the Settings module.

Manual restoration

You can import the HIBUN logs from the storage location of the operation logs by specifying the period in which the operation log you want to examine is included. You can also import them by specifying a target computer.
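Before a manual restoration for a given period, it helps to know which dates actually have a folder in the storage location. The following added example (not part of the Hitachi manual or the product) parses the EXLOG\type-of-log\date-of-operation(YYYYMMDD) layout described above and reports, per log type, the dates in the period that have no folder. The backup root and the TYPE_A / TYPE_B folder names are placeholders, because this page does not give the real type-of-log folder names.

```python
from datetime import date, datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample listing. The backup root and the TYPE_A / TYPE_B names
# are placeholders; the page does not state the real type-of-log folder names.
SAMPLE_DIRS = [
    r"D:\OpLogBackup\EXLOG\TYPE_A\20240401",
    r"D:\OpLogBackup\EXLOG\TYPE_A\20240402",
    r"D:\OpLogBackup\EXLOG\TYPE_A\20240403",
    r"D:\OpLogBackup\EXLOG\TYPE_B\20240401",
    r"D:\OpLogBackup\EXLOG\TYPE_B\20240403",
    r"D:\OpLogBackup\EXLOG\TYPE_B\2024040",   # malformed date, ignored
    r"D:\OpLogBackup\OTHER\TYPE_A\20240402",  # not under EXLOG, ignored
]

def parse_exlog_dir(path):
    """Return (log_type, day) for ...\\EXLOG\\<type-of-log>\\<YYYYMMDD>, else None."""
    parts = PureWindowsPath(path).parts
    if len(parts) < 3 or parts[-3].upper() != "EXLOG":
        return None
    name = parts[-1]
    # strptime alone accepts short forms such as "2024041", so check the shape first.
    if len(name) != 8 or not name.isdigit():
        return None
    try:
        return parts[-2], datetime.strptime(name, "%Y%m%d").date()
    except ValueError:  # eight digits but not a real calendar date
        return None

def coverage_gaps(dirs, start, end, expected_types=()):
    """Map each log type to the days in [start, end] that have no folder.

    Types named in expected_types are reported even when no folder exists.
    """
    seen = {t: set() for t in expected_types}
    for d in dirs:
        parsed = parse_exlog_dir(d)
        if parsed:
            seen.setdefault(parsed[0], set()).add(parsed[1])
    wanted = [start + timedelta(days=i) for i in range((end - start).days + 1)]
    return {t: [day for day in wanted if day not in days] for t, days in seen.items()}

if __name__ == "__main__":
    gaps = coverage_gaps(SAMPLE_DIRS, date(2024, 4, 1), date(2024, 4, 3))
    for log_type, missing in gaps.items():
        print(log_type, [d.strftime("%Y%m%d") for d in missing] or "complete")
```

A date reported as missing means only that no folder exists for it in the listing that was supplied; whether logs were never imported or were moved elsewhere has to be checked separately.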


(4) Viewing HIBUN logs imported into JP1/IT Desktop Management 2

HIBUN logs imported into the operation log database of JP1/IT Desktop Management 2 are displayed in the Operation Log List view of the Security module. The following table lists and describes what items are displayed:

| Display item in the Operation Log List view | When HIBUN logs are displayed |
| --- | --- |
| Trace button | Becomes unavailable. |
| Suspicious Operations column | Becomes empty. |
| Operation Date/Time (Browser) column; Operation Date/Time (Source) column; Operation Time (Source) column | The following date and time are displayed with the time zone for JP1/IT Desktop Management 2 - Manager. Access log: Access date and time. Event log: Date and time when the event occurred. HIBUN extended operation log: Date and time when the log was created. |
| Source column | Displays the name of the client computer that created the log. When the source can be identified as the device information managed by JP1/IT Desktop Management 2, it is displayed as a link. When you click the link, the Device Inventory view is displayed. Operation logs of JP1/IT Desktop Management 2 are displayed as fully-qualified domain names (FQDNs) of computers. Therefore, these names may be different from computer names that were output in the HIBUN logs. |
| Host ID column | When the host ID can be identified as the device information managed by JP1/IT Desktop Management 2, it is displayed as the host ID of the device. When it is not identified, the column will be empty. |
| User Name column | Displays the Windows user name. |
| Operation Type column | See What is displayed in Operation Type. |
| Operation Type (Detail) column | See What is displayed in Operation Type (Detail). |
| Target column | The following information is displayed. Access log: The file name is displayed. However, the process name is displayed for Process generation, Process permission update, and Process termination. Event log: The target of the event is displayed. HIBUN extended operation log: The file name is displayed. |
| Operation Details column | The following information is displayed. Access log: Status, Process name, Message 1, Message 2, and Message 3 are displayed, separated by commas (,). Event log: Status. HIBUN extended operation log: Status, Process name, Message 1, Message 2, and Message 3 are displayed, separated by commas (,). |
| File Created Date/Time column; File Last Modified Date/Time column; Original File Created Date/Time column | Becomes empty. |
| File Size column; Destination File Drive Type column | Are displayed only for file operation logs of the HIBUN extended operation log. These must be configured in HIBUN. |
| Printed Page Count column | Becomes empty. |
| Serial # column | Is displayed for the device connection log. It is also displayed for the device-specific log and when the action value in the HIBUN log is CFL, OPN, WRI, DEL, CDR, DDR, or REN. It must be configured in HIBUN. If the serial number is assigned automatically by the OS, [*] is appended to the number. |
| Device Category column | Is displayed only for the device connection log. |

Identifying the computer name in the HIBUN log with the host name of the device

When a HIBUN log is imported, the computer name in the HIBUN log is associated with the host name of the JP1/IT Desktop Management 2 device. When it is successfully associated with (identified with) the host name, the HIBUN log is related to the JP1/IT Desktop Management 2 device. If the association (identification) fails, the host ID is not displayed for the HIBUN log in the Operations Logs view of the Security module.

What is displayed in Operation Type

| What is displayed in Operation Type | Log type value in the HIBUN access log or HIBUN extended operation log | Searched Filter |
| --- | --- | --- |
| [HIBUN]Access to an encrypted file | MYS | Operated File name (Operation Type is File Operation) |
| [HIBUN]Access to a network or controlled media | RES | Operated File name (Operation Type is File Operation) |
| [HIBUN]Access to a permitted controlled media (encrypted file) | CMD | Operated File name (Operation Type is File Operation) |
| [HIBUN]Access to a permitted controlled media (unencrypted file) | PMD | Operated File name (Operation Type is File Operation) |
| [HIBUN]Access to internal hard disk | NRD | Operated File name (Operation Type is File Operation) |
| [HIBUN]Output to a printer | PRT | Printed document name (Operation Type is Print Operation) |
| [HIBUN]Access for HIBUN data reproduction, or creation of a HIBUN confidential file | VFL | Operated File name (Operation Type is File Operation) |
| [HIBUN]Access to a shared confidential folder | NET | Operated File name (Operation Type is File Operation) |
| [HIBUN]Access for data reproduction by email | TCP | |
| [HIBUN]Connection of a device | CON | Device name (Operation Type is Device Operation); Device category (Operation Type is Device Operation) |
| [HIBUN]Network access | NAC | |
| [HIBUN]File protection | EFP | |
| [HIBUN]Program start/exit | CLS | Process name (Operation Type is Process/Program Operation) |
| [HIBUN]Malware detection (CylancePROTECT) | CYL | |
| [HIBUN]Event logs | -- | |
| [HIBUN]Application operation logs | OMA | Window title (Operation Type is Window Operation) |
| [HIBUN]File operation logs | OMF | Destination File Drive Type (Operation Type is File Operation); Operated File name (Operation Type is File Operation) |
| Unknown | -- | |

Legend: --: Not applicable

What is displayed in Operation Type (Detail)

| What is displayed in Operation Type (Detail) | Action value in the HIBUN log | Type of the HIBUN log |
| --- | --- | --- |
| [HIBUN]A file was opened, created, or printed. | CFL | A |
| [HIBUN]A file was opened. | OPN | A |
| [HIBUN]A file was opened, or a file was opened in write mode. | WRI | A |
| [HIBUN]A file was deleted. | DEL | A |
| [HIBUN]A folder was created. | CDR | A |
| [HIBUN]A folder was deleted. | DDR | A |
| [HIBUN]The name of a folder or a file was changed, or a folder or a file was moved to a location on the same drive. Alternatively, a folder was moved within a shared confidential folder. | REN | A |
| [HIBUN]A shared confidential folder was copied. | CPD | A |
| [HIBUN]A subfolder in a shared confidential folder was moved to a folder other than a local folder. | MVD | A |
| [HIBUN]A file was copied by the replicated file acquisition functionality. | CPY | A |
| [HIBUN]CD/DVD authoring software was started. | MED | A |
| [HIBUN]HIBUN data reproduction (outside use) | VFO | A |
| [HIBUN]HIBUN data reproduction (view-only) | VFV | A |
| [HIBUN]HIBUN data reproduction (HIBUN unencrypted-data reproduction) | VFP | A |
| [HIBUN]A HIBUN confidential file was created. | ARC | A |
| [HIBUN]An email was sent. | MAL | A |
| [HIBUN]Connection of removable media | REM | A |
| [HIBUN]Connection of an external hard disk | EXD | A |
| [HIBUN]Connection of a CD or DVD drive | CDD | A |
| [HIBUN]Connection of an infrared device | IRD | A |
| [HIBUN]Connection of a Bluetooth device | BTH | A |
| [HIBUN]Connection of a wireless LAN | WLN | A |
| [HIBUN]Connection of a modem | MDM | A |
| [HIBUN]Connection of an imaging device | IMG | A |
| [HIBUN]Connection of a Windows portable device | WPD | A |
| [HIBUN]Connection of a Windows Mobile device | WML | A |
| [HIBUN]Connection of a Palm handheld device | PLM | A |
| [HIBUN]Connection of a BlackBerry device | BBY | A |
| [HIBUN]Connection of a serial or parallel port | SPP | A |
| [HIBUN]Other connection of a controlled device | OTR | A |
| [HIBUN]Connection of a Wired LAN (USB connections) | ULN | A |
| [HIBUN]Connection of a Wired LAN (non-USB connections) | OLN | A |
| [HIBUN]Wired LAN connection | LCN | A |
| [HIBUN]Wireless LAN connection (network communication (TCP/IP) log) | WCN | A |
| [HIBUN]Reconnection via roaming to wireless LAN | WRA | A |
| [HIBUN]Network communications (TCP/IP) | COM | A |
| [HIBUN]File access | CRF | A |
| [HIBUN]Network Communication | NWA | A |
| [HIBUN]Process creation | CRP | A |
| [HIBUN]Process permissions update | UPP | A |
| [HIBUN]Process termination | TEP | A |
| [HIBUN]Program file load | LOD | A |
| [HIBUN]Malware detection event occurrence (CylancePROTECT) | MDE | A |
| [HIBUN]Memory protection event or script prohibition event occurrence (CylancePROTECT) | MWE | A |
| [HIBUN]Other event occurrence (CylancePROTECT) | COE | A |
| [HIBUN]Unknown event occurrence (CylancePROTECT) | CUK | A |
| [HIBUN]Login to HIBUN DC or HIBUN DE | LOGIN | E |
| [HIBUN]Logout of HIBUN DC or HIBUN DE | LOGOUT | E |
| [HIBUN]Failure to log in to HIBUN DC or HIBUN DE | LOGERR | E |
| [HIBUN]Login to HIBUN DE (FS) | FSLOGIN | E |
| [HIBUN]Logout of HIBUN DE (FS) | FSLOGOUT | E |
| [HIBUN]Failure to log in to HIBUN DE (FS) | FSLOGERR | E |
| [HIBUN]Login to HIBUN IC | ICLOGIN# | E |
| [HIBUN]Logout of HIBUN IC | ICLOGOUT# | E |
| [HIBUN]Login to HIBUN IS | ISLOGIN# | E |
| [HIBUN]Logout of HIBUN IS | ISLOGOUT# | E |
| [HIBUN]Failure to log in to HIBUN IS | ISLOGERR# | E |
| [HIBUN]Login to HIBUN IF | IFLOGIN# | E |
| [HIBUN]Logout of HIBUN IF | IFLOGOUT# | E |
| [HIBUN]Failure to log in to HIBUN IF | IFLOGERR# | E |
| [HIBUN]Executing an administrator's command | MNGCMD# | E |
| [HIBUN]Changing a client setting | CNFUPDATE# | E |
| [HIBUN]Changing the password for HIBUN DC, HIBUN DE (FS), HIBUN IF, or HIBUN IS | CHGPASLOC | E |
| [HIBUN]The screen was locked. | SCLOCK | E |
| [HIBUN]Screen locking was canceled. | SCUNLOCK | E |
| [HIBUN]The terminal was locked. | PCLOCK | E |
| [HIBUN]Terminal locking was canceled. | PCUNLOCK | E |
| [HIBUN]Type-based device control settings update | DEVUPDATE | E |
| [HIBUN]Permitted network control settings update | NETUPDATE | E |
| [HIBUN]Switch to office mode | INTCHG | E |
| [HIBUN]Switch to public mode | EXTCHG | E |
| [HIBUN]File protection settings update | EFPUPDATE | E |
| [HIBUN]PC startup | PON | E |
| [HIBUN]PC shutdown | POF | E |
| [HIBUN]Windows logon | WSI | E |
| [HIBUN]Windows logoff | WSO | E |
| [HIBUN]Extension log settings update | TLSUPDATE | E |
| [HIBUN]Window active | ACT | H |
| [HIBUN]Start engine | EST | H |
| [HIBUN]Inactive or on standby | PWR | H |
| [HIBUN]Logoff and shutdown | END | H |
| [HIBUN]Start log acquisition | LST | H |
| [HIBUN]End engine | EEN | H |
| [HIBUN]Engine abnormality | OME | H |
| [HIBUN]Create file | FCR | H |
| [HIBUN]Copy file | FCP | H |
| [HIBUN]Move file | FMV | H |
| [HIBUN]Change file name | FRE | H |
| [HIBUN]Delete file | FDE | H |
| [HIBUN]Open file | FOP | H |
| [HIBUN]Overwrite and save file | FUD | H |
| [HIBUN]Add drive | ADD | H |
| [HIBUN]Delete drive | DED | H |
| Unknown | -- | -- |

Legend: A: Access log, E: Event log, H: HIBUN extended operation log, --: Not applicable

#: It indicates the action for HIBUN version 10-50 and earlier versions.

(5) Configuring settings for HIBUN log import

To import HIBUN logs, you need to modify the configuration file for the external log import command. By default, the command is configured not to import the HIBUN logs. For details about the configuration file for the external log import command, see ioutils importexlog (importing external logs) in the manual JP1/IT Desktop Management 2 Administration Guide.

Setting of the HIBUN logs that are not imported

You can specify HIBUN logs that are not imported at the time of HIBUN log import in the configuration file for the external log import command. By default, the following HIBUN logs are not imported:

Importing unknown HIBUN logs

To import unknown HIBUN logs into JP1/IT Desktop Management 2, that is, logs not listed in the tables What is displayed in Operation Type and What is displayed in Operation Type (Detail) in (4) Viewing HIBUN logs imported into JP1/IT Desktop Management 2, you need to modify the configuration file for the external log import command. By default, the command is configured not to import the unknown HIBUN logs.

After the unknown HIBUN logs are imported into the operation log database, they are displayed as Unknown under Operation Type and Operation Type (Detail) in the Operation Log List view of the Security module. The action values in these unknown HIBUN logs are displayed in Target, separated by commas (,).

(6) Note on importing the HIBUN logs

The following is a note on importing the HIBUN logs: