This is the log of file operations and folder operations in the following drives that are performed in the client (CT):
Local drive
Network drive
Removable drive
Note
Functions may be restricted due to the environment being used
When setting the policy, functions may be restricted due to the environment being used.
For details, please refer to “1.2.27 File Operation Log ”.
Set policy for collection
Set policy in the [Terminal Initial Settings] window or the window after the Management Console is started (CT policy settings window).
In the [Log Switches] tab, set [File Operation Log] to [Yes].
In the [File Operation Process] tab, set the filtering conditions for file operation log.
The settings can be performed when [File Operation Log] is set to [Yes].
In the [File Operation Extension] tab, set whether to collect logs while operating files with which extension.
The settings can be performed when [File Operation Log] is set to [Yes].
For details about the configuration value, please refer to “2.4.1.6 Settings of [File operational process] Tab” and “2.4.1.7 Settings of [File operation extension] Tab”.
Displayed content
Logs that can be viewed are as follows:
[Name]: name of the client (CT)
[Occurrence Date and Time]: time for collecting logs at client (CT)
[User ID]: the following information is displayed.
When logging on: logon user name of the client (CT)
When not logging on yet: SYSTEM (fixed)
[Domain Name]: the following information is displayed.
When logging on to domain: the domain name of client (CT).
When logging on to local computer: the computer name of client (CT).
When not logging on yet: the computer name of client (CT)
[Type]: [File Operation] (fixed value)
[Classification]: normal
[Attachment]: (not displayed)
[Content]: for details, please refer to “Collected operation logs”.
Example of [Content]
Operation: [Rename], Source file name:[C:\Documents and Settings\Administrator\Desktop\New Microsoft Excel Worksheet.xls], Type of drive: [Fixed], Target file name: [C:\Documents and Settings\Administrator\Desktop\List of Customer Information.xls], Type of target drive: [Fixed], Program name: [Explorer.exe]
[Note]: the following information is displayed:
When file operation is [View], [Update], [Create], [Copy], [Cut], [Rename], the file size after operation will be displayed. When file size information cannot be obtained normally, single-byte blank (size (byte): [ ]) is displayed. In addition, when the file size exceeds 2147483647 bytes, “size (byte) [2147483647]” is displayed.
When performing file operation or [Delete] in file operation, the note column will be blank.
When performing keyword search in Log Viewer, numerals can be specified as keyword.
0 to 2147483647 can be specified.
[Example]
When “0123” is specified in search condition, logs with “size (byte): [201,235]” displayed in notes will be searched. Logs with “size (byte): [123]” displayed in notes cannot be searched.
Collected operation logs
The following describes the logs collected when operating files and folders on the local drive and network drive in the client (CT) where file operation log policy has been set.
Note
The following software and commands are described
When running the following software or commands, operation logs displayed in the following table will be collected:
Explorer
Notepad
Tablet
Microsoft® Word (2000, 2002, 2003, 2007 and 2010) (Note)
Microsoft® Excel (2000, 2002, 2003, 2007 and 2010) (Note)
Microsoft® PowerPoint® (2000, 2002, 2003, 2007 and 2010) (Note)
Command in command prompt (COPY, XCOPY, MOVE, DEL, ERASE, RD, REN, MD)
Note: In case of Windows Vista®, Windows Server® 2008 or Windows® 7, only 2003, 2007 and 2010 are supported.
However, please be aware of the following points:
[Update] operation of Microsoft® Word will be collected as [Create] log.
Like Explorer and XCOPY, in the [File Operation Process] tab, [View] log of the process that has been registered as [Get Operations Apart from Viewing] will not be collected.
Even if the software and commands above are used, redundant logs may be collected.
When using software and commands other than the above ones, operation logs not corresponding to the actual operation (eg, [Copy] and [Cut] logs cannot be collected, but they can be collected as [View], [Create], [Delete] or [Rename] logs) may be collected.
When using the redirection command (> or >>) and MD command in command prompt, logs may not be output.
When operating file and folder in the client (CT), the types of logs collected are as follows.
Log Type | [Content] Display of Log Viewer |
|---|---|
View | Operation: [View], File name: [(Note 1)], Type of drive: [(Note 2)], Program name: [(Note 5)] |
Update | Operation: [Update], File name: [(Note 1)], Type of drive: [(Note 2)], Program name: [(Note 5)] |
Create | Operation: [Create], File name: [(Note 1)], Type of drive: [(Note 2)], Program name: [(Note 5)] |
Delete | Operation: [Delete], File name: [(Note 1)], Type of drive: [(Note 2)], Program name: [(Note 5)] |
Copy | Operation: [Copy], Source file name: [(Note 1)], Type of drive: [(Note 2)], Target file name: [(Note 3)], Type of target drive: [(Note 4)], Program name: [(Notes5)] |
Cut | Operation: [Cut], Source File Name: [(Note 1)], Type of drive: [(Drive 2)], Target file name: [(Note 3)], Type of target drive: [(Note 4)], Program name: [(Note 5)] |
Rename | Operation: [Rename], Source File Name: [(Note 1)], Type of drive: [(Note 2)], Target file name: [(Note 3)], Type of target drive: [(Note 4)], Program name: [(Note 5)] |
Note 1: The name of the file or folder in the local drive is described in full path, the name of the file or folder in the network drive is described with UNC or UNC and the machine name part is the IP address
Note 2: Type of source drive
Note 3: The name of the file or folder in the local drive is described in full path, the name of the file or folder in the network drive is described by UNC or UNC and the machine name part is the IP address
The name of the file of folder is described in full path in the following cases:
Allocate drive letter for the network drive and perform rename operation in the allocated letter
Allocate drive letter for the network drive and perform cut operation in the allocated letter
Allocate drive letter for the network drive and access the network drive directly for performing cut operation of folder
Note 4: Type of target drive
Note 5: Name of the application that performs the operation
Under what kind of conditions and operations the above “log type” can be collected is displayed as follows:
Condition | File and Folder Operations | ||||||||
|---|---|---|---|---|---|---|---|---|---|
View | Update | Create | Delete | Copy | Cut | Rename | |||
File Operation | Log for files | In the same drive (Note 1) | View (Note 3) | Update (Note 3) | Create | Delete | Copy | Rename | Rename |
In the same drive | - | - | - | - | Copy | Cut | - | ||
Folder Operation | Log for files under a folder | In the same drive (Note 1) | - | - | - | Delete | Copy | ×(Note 4) | - |
Between different drives | - | - | - | - | Copy | Cut | - | ||
Log for folders | In the same drive (Note 1) | - | - | Create | Delete | Create | Rename | Rename | |
Between different drives | - | - | - | - | Create | Create | - | ||
-: impossible operations.
×: operation log cannot be collected.
View/update/create/delete/copy/cut/rename: indicates the type of collected operation log.
(): indicates the type of the collected operation file when files or folders with the same name exist in copying target or moving target. When there is no ( ), the type of recorded log will be collected.
Note 1: Operations in the same local drive or network drive. For example, see following case:
Operation from C drive to C drive in the local drive
Operation in the network drive “\\dtk\common\”
Note 2: Operations between different local drives, between the local drive and network drive or between different network drives. For example, see the following case:
Operations from C drive to D drive in the local drive
Operations between the local drive and network drive.
Operations from the network drive “\\dtk\common\” to the network drive “\\dtk\com\”
Note 3: Viewing of file properties in Explorer and command prompt is not a log target.
Note 4: When the folder name of the moving source is the same as that of the moving target, [Rename] log is collected only for files existing in the moving source folder but not in the moving target folder.
The meaning of the above table and the output logs are illustrated as follows:
When viewing files in the same local drive, logs displayed in [View] of type of log above are collected.
The window for viewing logs in Log Viewer is displayed as follows. Logs collected in this case are shown in the frame part.
The content displayed in the [Content] column in the frame of the above window is as follows:
Operation: [View], File name: [D:\report.doc], Type of drive: [Fixed], Program name: [winword.exe]
This indicates that file “report.doc” in D disk root directory is viewed through Word.
When copying files in the same local drive, no matter whether files with the same name exist in the directory of copy target, log displayed in [Copy] of the above log type will be collected.
Log displayed in the [Content] column of Log Viewer is as follows:
Operation: [Copy], Source File Name: [D:\report.doc], Type of drive: [Fixed], Target file ame: [D:\tmp\report.doc], Type of Target Drive: [Fixed], Program name: [Explorer.exe]
This indicates that file “report.doc” in the root directory of D drive is copied to “D:\tmp” through Explorer.
When moving an empty folder from the local drive to a different drive and there is no folder with the same name in the moving target, two logs displayed in [Delete] and [Create] of the above log type are collected.
Log displayed in the [Content] column of Log Viewer is as follows:
Operation: [Create], Folder Name: [D:\log], Type of drive: [Fixed], Program name: [Explorer.exe] Operation: [Delete], File name: [C:\log], Type of drive: [Fixed], Program name: [Explorer.exe]
This indicates that folder “log” in the root directory of C drive is moved to the root directory of D drive through Explorer.
When moving an empty folder from the local drive to a different drive and there is folder with the same name in the moving target, log displayed in [Delete] of the above log type is collected.
Log displayed in the [Content] column of Log Viewer is as follows:
Operation: [Delete], File name: [C:\log], Type of drive: [Fixed], Program name: [Explorer.exe]
This indicates that folder “log” in the root directory of C drive is moved to a different drive through Explorer and there is folder with the same name in moving targets.
When viewing files in the same network drive, log displayed in [View] of the above log type is collected.
Log displayed in the [Content] column of Log Viewer is as follows:
Operation: [View], File name: [\\dtk\common\report.doc], Type of drive: [Remote], Program name: [winword.exe]
This indicates that file “report.doc” in Shared Folder “common” under the root directory of machine “dtk” is viewed through Word.
