This log is recorded when the following operations are performed in the client (CT).
Logon
Logoff
PC Startup
PC Shutdown
PC Sleep
PC Restoration
PC Connection
PC Disconnection
How to apply
Collecting the logon/logoff log makes the following possible:
Illegal operations, such as file export, performed by a malicious third party after the PC is started in safe mode can be found (operations performed in safe mode leave no records in Systemwalker Desktop Keeper).
Compliance with operation guidelines, such as powering off after completing business and entering sleep mode when the PC is not in use for a long time, can be confirmed.
Users who have used the PC for a long time after power-on can be found.
Set policy for collection
Set policy in the [Terminal Initial Settings] window or the window after the Management Console is started (CT policy settings window).
In the [Log Switches] tab, set [Logon/Logoff Log] to [Yes].
Collected information
This section describes the information collected in the logon/logoff log.
The corresponding operations in the following cases are collected as logs.
PC startup log
Information when starting the OS of the client (CT).
Information of any of the following startup modes is obtained:
[Start in Normal Mode]
[Start in Safe Mode] (including the safe mode with command prompt)
[Start in Safe Mode with Network Connection]
Logon log
Information when logging on to Windows in the client (CT).
The computer name of the authentication target is obtained.
PC sleep log
Information when the client (CT) enters standby mode or sleep mode.
The time from the last power-on to PC sleep is obtained.
PC restoration log
Information when the client (CT) restores from standby mode or sleep mode.
Logoff log
Information when logging off from Windows in the client (CT).
PC shutdown log
Information when shutting down the OS in the client (CT).
The time from the last power-on to the shutdown is obtained.
In addition, the time from OS startup to shutdown is also obtained.
PC connection log
Information when connecting to the remote terminal.
PC disconnection log
Information when disconnecting from the remote terminal.
How to search
When finding illegal operations, such as file export, performed by malicious third parties after the PC is started in safe mode (no record remains in Systemwalker Desktop Keeper)
By setting the following conditions in the log list window of Log Viewer, only the PC startup logs for startup in safe mode can be searched.
Enter “Safe” in [Keyword].
Set [Logon/Logoff] in [Type].
When confirming whether the PC is being used according to the system operation guideline, such as powering off after business has been completed and entering sleep mode when the PC has not been in use for a long time
By setting the following conditions in the log list window of Log Viewer, the PC sleep log and the PC restoration log can be searched.
PCs on which sleep mode has been set can be identified through these logs.
Enter “Sleep” and “Restoration” in [Keyword].
Select the [OR Condition] button.
Set [Logon/Logoff] in [Type].
If PC sleep logs and PC restoration logs are still collected for a PC on the following day, whether or not the power of the PC has been cut off can be inferred.
When finding users who have used the PC for a long time after power-on
By setting the following conditions in the log list window of Log Viewer, the PC shutdown log and the PC sleep log can be searched.
A PC that is in use for a long time can be identified through [OS Startup Time] of the PC shutdown log.
In addition, by aggregating [Startup Time] of the PC shutdown log and the PC sleep log, the startup time excluding sleep time can be determined.
Enter “PC Shutdown” and “PC Sleep” in [Keyword].
Select the [OR Condition] button.
Set [Logon/Logoff] in [Type].
The PC startup log can be searched by using strings such as “Startup in Normal Mode”, “Startup in Safe Mode” and “Startup in Safe Mode with Network Connection”.
Please enter the keyword in double-byte when searching for the first time. From the next search onward, previously entered strings can be selected from the drop-down menu.
The PC shutdown log can be searched by using the string “XX hours YY minutes”. Time is searched for under partial match or complete match. Size search cannot be performed.
Please enter the numerals (“XX” and “YY”) in single-byte.
Please enter “hour” and “minute” in double-byte.
Displayed content
Logs that can be viewed are as follows:
[Name]: name of the client (CT)
[Occurrence Date and Time]: time for collecting logs at client (CT)
[User ID]: the following information is displayed. (Notes)
At PC startup: SYSTEM (fixed)
At PC shutdown: SYSTEM (fixed)
At PC sleep: SYSTEM (fixed)
At PC restoration: SYSTEM (fixed)
At logon: logon user name of the client (CT)
At logoff: logon user name of the client (CT)
At PC connection: logon user name for logon to the remote terminal
At PC disconnection: logon user name for logon to the remote terminal
[Domain Name]: the following information is displayed:
At PC startup: computer name of client (CT)
At PC shutdown: computer name of client (CT)
At PC sleep: computer name of client (CT)
At PC restoration: computer name of client (CT)
At logon: the domain name of the client when logging on to a domain, or the computer name of the client when logging on to the local computer
At logoff: the domain name of the client when logging on to a domain, or the computer name of the client when logging on to the local computer
At PC connection: the domain name when logging on to a domain in the remote terminal, or the computer name when logging on to the local computer
At PC disconnection: the domain name when logging on to a domain in the remote terminal, or the computer name when logging on to the local computer
[Type]: the following content is displayed according to log type (fixed):
PC Startup
PC Shutdown
PC Sleep
PC Restoration
Logon
Logoff
PC Connection
PC Disconnection
[Classification]: normal (fixed value)
[Attachment]: (not displayed)
[Content]: the following content is displayed:
At PC startup: the computer is started. Startup mode: [Display Startup Mode] (*)
The following content is displayed in the [Display Startup Mode].
[Startup in Normal Mode]
[Startup in Safe Mode] (including that with command prompt)
[Startup in Safe Mode with network connection]
At PC shutdown: the computer is powered off. Startup time: [Display Startup Time] (*), OS startup time: [Display Startup Time] (*)
The hours and minutes are displayed in the format of [×× hours ×× minutes] in [Display Startup Time].
Seconds are not displayed; any remaining seconds are carried over (rounded up) to the next minute.
[Example] 0 hours 3 minutes 0 seconds: output as [0 hours 03 minutes]. 0 hours 3 minutes 1 second: output as [0 hours 04 minutes].
At PC sleep: the computer sleeps. Startup time: [Display Startup Time] (*)
At PC restoration: the computer is restored.
At logon: the computer is logged on. Authentication target: [Display Authentication Target] (*)
[Computer Name] (in local authentication) or [Domain Name] (in domain authentication) is displayed in the [Display Authentication Target].
At logoff: the computer is logged off.
At PC connection: connect the computer [Computer Name (Virtual PC)] from the computer [Computer Name (Physical PC)].
At PC disconnection: disconnect the computer [Computer Name (Physical PC)] and the computer [Computer Name (Virtual PC)].
*) Can be specified as a keyword when performing a keyword search in Log Viewer.
[Note]: the following content is displayed.
When [Type] is [Logon]
Connection method (*)
Operation terminal (*)
Logon method (*)
Logon authority (*)
When [Type] is [PC Shutdown] and the power of PC is cut off by force
Shutdown action: [Abnormal Shutdown (*)]
*) Can be specified as a keyword when performing a keyword search in Log Viewer.
Example of [Note]
When a user logs on locally to the client (CT) directly
Connection method: [Local], operation terminal: [This Computer Name], logon method: [Local Logon], logon authority: [User Authority]
When performing domain logon with administrator authority through terminal service
Connection method: [Remote], operation terminal: [Name of This Computer Performing Connection Operation], logon method: [Domain Logon], logon authority: [Administrator Authority]
When the power of the PC is cut off by force
Shutdown action: [Abnormal Shutdown]
Example of log
[Name] | [Occurrence Date and Time] | [User ID] | [Domain Name] | [Type] | [Classification] | [Content] | [Note]
CLIENT1 | 2007/11/1 14:15 | SYSTEM | D-GALAXY | PC startup | Normal | The computer is started. Startup mode: [Startup in normal mode]
CLIENT1 | 2007/11/1 14:20 | higashi | D-GALAXY | Logon | Normal | Logged on. Authentication target: [D-GALAXY] | Connection method: [Local], Operation terminal: [D-GALAXY]
CLIENT1 | 2007/11/1 14:15 | SYSTEM | D-GALAXY | PC sleep | Normal | Computer sleep. Startup time: [3 hours 12 minutes]
CLIENT1 | 2007/11/1 14:15 | SYSTEM | D-GALAXY | PC restoration | Normal | The computer is restored.
CLIENT1 | 2007/11/1 14:18 | higashi | D-GALAXY | Logoff | Normal | Logged off.
CLIENT1 | 2007/11/1 14:15 | SYSTEM | D-GALAXY | PC shutdown | Normal | The computer is shutdown. Startup time: [6 hours 28 minutes], OS startup time: [6 hours 28 minutes]
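The searches described under "How to search" (safe-mode startup, long use after power-on) and the abnormal-shutdown note can also be run as a script over collected records. This is an added example, not part of the product documentation; the record tuple layout, the sample values and the 10-hour threshold are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample records, not real data. The tuple layout
# (name, occurred, user_id, type, content, note) is an assumption of this
# example that mirrors the Log Viewer columns; it is not a product format.
RECORDS = [
    ("CLIENT1", "2007/11/1 08:55", "SYSTEM", "PC Startup",
     "The computer is started. Startup mode: [Startup in Normal Mode]", ""),
    ("CLIENT1", "2007/11/1 12:07", "SYSTEM", "PC Sleep",
     "The computer sleeps. Startup time: [3 hours 12 minutes]", ""),
    ("CLIENT1", "2007/11/1 21:30", "SYSTEM", "PC Shutdown",
     "The computer is powered off. Startup time: [8 hours 30 minutes], "
     "OS startup time: [12 hours 35 minutes]", ""),
    ("CLIENT2", "2007/11/1 22:40", "SYSTEM", "PC Startup",
     "The computer is started. Startup mode: [Startup in Safe Mode]", ""),
    ("CLIENT2", "2007/11/1 23:05", "SYSTEM", "PC Shutdown",
     "The computer is powered off. Startup time: [0 hours 25 minutes], "
     "OS startup time: [0 hours 25 minutes]",
     "Shutdown action: [Abnormal Shutdown]"),
]

# Matches "Startup time" only; the lookbehind skips "OS startup time".
STARTUP_TIME = re.compile(
    r"(?<!OS )startup time: \[(\d+) hours? (\d+) minutes?\]", re.I)


def triage(records, long_use_minutes=600):
    """Return (client, time, finding) tuples for the searches described above."""
    findings, awake = [], defaultdict(int)
    for name, occurred, _user, log_type, content, note in records:
        kind = log_type.lower()
        # Same test as the Log Viewer search: keyword "Safe" in a startup log.
        if kind == "pc startup" and "safe" in content.lower():
            findings.append((name, occurred, "safe-mode startup"))
        if kind == "pc shutdown" and "abnormal shutdown" in note.lower():
            findings.append((name, occurred, "abnormal shutdown"))
        # Summing "Startup time" over shutdown and sleep logs gives the
        # powered-on time excluding sleep, as the page describes.
        if kind in ("pc shutdown", "pc sleep"):
            match = STARTUP_TIME.search(content)
            if match:
                awake[name] += int(match.group(1)) * 60 + int(match.group(2))
    for name, total in sorted(awake.items()):
        if total >= long_use_minutes:
            findings.append((name, None, f"in use {total // 60} h {total % 60:02d} min"))
    return findings


if __name__ == "__main__":
    print(*triage(RECORDS), sep="\n")
```

Because seconds are rounded up in the logged startup time, each summed value is an upper bound of up to one minute per record.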
Notes:
Active Directory running on Windows Server® 2003 does not distinguish double-byte from single-byte characters, the type of Kana (Hiragana/Katakana), or the Japanese phonetic symbol of the target. The Systemwalker Desktop Keeper log, on the other hand, is created according to the actual login information.
Thus, the user name registered in Active Directory may differ from the user name output in the Systemwalker Desktop Keeper log.
[Example]
If the user name entered during registration to Active Directory is “fujitsu” (single-byte) and the user logs in by entering “FUJITSU” (double-byte), the user name recorded in the log will be “FUJITSU” (double-byte).
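When correlating [User ID] values from the log with directory accounts, the names can be folded before comparison so that the variants described in this note resolve to the same account. This is an added example, not product code: the function names and sample values are hypothetical, and the folding only approximates the directory's comparison (character width, Kana type and letter case; phonetic symbols are not handled).

```python
import unicodedata


def fold_account_name(name):
    """Fold width, Kana type and case so that name variants compare equal."""
    # NFKC maps double-byte (full-width) Latin letters and digits to their
    # single-byte forms and half-width katakana to full-width katakana.
    text = unicodedata.normalize("NFKC", name)
    # Katakana U+30A1..U+30F6 sit 0x60 above the matching hiragana.
    text = "".join(
        chr(ord(ch) - 0x60) if "\u30a1" <= ch <= "\u30f6" else ch for ch in text
    )
    # Windows logon names are not case-sensitive, so fold case as well.
    return text.casefold()


def match_log_users(log_user_ids, directory_names):
    """Map each [User ID] value from the log to the registered name, or None."""
    index = {fold_account_name(n): n for n in directory_names}
    return {uid: index.get(fold_account_name(uid)) for uid in log_user_ids}


if __name__ == "__main__":
    # Constructed sample values.
    registered = ["fujitsu", "ふじつう", "higashi"]
    logged = ["ＦＵＪＩＴＳＵ", "ﾌｼﾞﾂｳ", "higashi", "tanaka"]
    for uid, account in match_log_users(logged, registered).items():
        print(uid, "->", account)
```

A log user ID that maps to None after folding has no registered counterpart and is worth reviewing separately.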