This log records file operations and folder operations performed in the client (CT) on the following drives:
Local drive
Network drive
Removable drive
Note
When setting the policy, functions may be restricted due to the environment being used.
For details, refer to "1.2.30 File Operation Log".
Set policy for collection
Set policy in the Terminal Initial Settings window or the window after the Management Console is started (CT policy settings window).
In Windows > Log collection operation, set File Operation Log to Yes.
In File operation, set the filtering conditions for file operation log.
The settings can be performed when File Operation Log is set to Yes.
In Extension, set which file extensions are logged when files are operated on.
The settings can be performed when File Operation Log is set to Yes.
For details about the configuration value, refer to "2.4.1.2 File Operation" and "2.4.1.3 Extension".
Displayed content
The following log content can be viewed:
Name: name of the client (CT)
Occurrence Date and Time: time for collecting logs at client (CT)
User ID: the following information is displayed.
When logged on: logon user name of the client (CT)
When not logged on yet: SYSTEM (fixed)
Domain Name: the following information is displayed.
When logged on to a domain: the domain name of the client (CT)
When logged on to the local computer: the computer name of the client (CT)
When not logged on yet: the computer name of the client (CT)
Type: File Operation (fixed value)
Classification: normal
Attachment: (not displayed)
Content: for details, refer to "Collected operation logs".
Example of Content:
Operation: [Rename], Source file name:[C:\Documents and Settings\Administrator\Desktop\New Microsoft Excel Worksheet.xls], Type of drive: [Fixed], Target file name: [C:\Documents and Settings\Administrator\Desktop\List of Customer Information.xls], Type of target drive: [Fixed], Program name: [Explorer.exe]
Note: the following information is displayed:
When the file operation is View, Update, Create, Copy, Cut, Rename or Save As, the file size after the operation is displayed. When the file size cannot be obtained normally, a single-byte blank (size (byte): [ ]) is displayed.
When a folder operation is performed, or the file operation is Delete, the Note column is blank.
When a rename is performed during creation of a folder, a halfwidth space (size (byte): [ ]) may be displayed in the notes column of the folder "Create" log.
When performing keyword search in Log Viewer, numbers without commas can be specified as keyword.
Example:
When "0123" is specified in search condition, logs with "size (byte): 201,235" displayed in notes will be searched. Logs with "size (byte): 123" displayed in notes cannot be searched.
Also, when performing a keyword search in Log Viewer, and a keyword including any of the following operation types is specified, logs for which the operation type applies may be searched.
(Applicable operation types: "View", "Update", "Create", "Delete", "Copy", "Move", "Rename", "Save As")
Example:
When a single keyword such as "copy, source file name:G:\" is specified in the search criteria, and an "OR" search is selected, logs of the "Copy" operation type will also be searched regardless of the file name for which the operation was performed. To perform a search where the operation type is "Copy" and the file name includes "G:\", specify multiple keywords with an AND condition.
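The two search effects described in the notes above (a number matched with its thousands separators removed, and several keywords combined with AND or OR) can be modelled with a few lines of Python. This is an added example, not part of the product documentation or the Log Viewer's own code: how Log Viewer tokenises a keyword internally is not documented here, so each keyword is treated as one case-insensitive substring (an assumption), which is enough to show why an OR search on "Copy" and "G:\" returns every Copy log, and why an AND search is the correct way to combine them. The sample logs are constructed in the page's Content/Note format.

```python
"""Model of the Log Viewer keyword-search behaviour described in the notes.

Added example, not the product's own code. Assumption: each keyword is one
case-insensitive substring compared against the Content and Note columns
after thousands separators have been removed from numbers.
"""
import re

# Constructed sample logs in the page's Content/Note format (not real records).
SAMPLE_LOGS = [
    {"content": r"Operation: [Copy], Source file name: [G:\reports\q1.xlsx], Type of drive: [Fixed], "
                r"Target file name: [D:\tmp\q1.xlsx], Type of target drive: [Fixed], Program name: [Explorer.exe]",
     "note": "size (byte): 201,235"},
    {"content": r"Operation: [Copy], Source file name: [D:\a.txt], Type of drive: [Fixed], "
                r"Target file name: [D:\b.txt], Type of target drive: [Fixed], Program name: [Explorer.exe]",
     "note": "size (byte): 123"},
    {"content": r"Operation: [View], File name: [G:\notes.txt], Type of drive: [Fixed], Program name: [notepad.exe]",
     "note": "size (byte): 4,096"},
]

# A comma between a digit and a group of three digits is a thousands separator.
_THOUSANDS_SEP = re.compile(r"(?<=\d),(?=\d{3}\b)")


def searchable_text(log: dict) -> str:
    """Join the searched columns and drop thousands separators, so the
    note 'size (byte): 201,235' is matched as '201235'."""
    return _THOUSANDS_SEP.sub("", log["content"] + " " + log["note"]).lower()


def matches(log: dict, keywords, mode: str = "AND") -> bool:
    """AND: every keyword must occur; OR: any one keyword is enough."""
    text = searchable_text(log)
    hits = [kw.lower() in text for kw in keywords]
    return all(hits) if mode == "AND" else any(hits)


def search(logs, keywords, mode: str = "AND") -> list:
    """Return the indices of the logs matching the keywords under the given mode."""
    return [i for i, log in enumerate(logs) if matches(log, keywords, mode)]


if __name__ == "__main__":
    # "0123" hits "201,235" (searched as 201235) but not "123", as the note states.
    print(search(SAMPLE_LOGS, ["0123"]))
    # OR returns every Copy log and every G:\ log; AND returns only the Copy from G:\.
    print(search(SAMPLE_LOGS, ["copy", "g:\\"], "OR"))
    print(search(SAMPLE_LOGS, ["copy", "g:\\"], "AND"))
```

Running the block prints the index list for each search; the AND form is the one the note recommends when both the operation type and the file name must match.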
Collected operation logs
The following describes the logs collected when files and folders on the local drive and network drive are operated on in a client (CT) where the file operation log policy has been set.
Note
When the following software or commands are run, the operation logs shown in the following table are collected:
Explorer (*1)
Notepad (*1)
Tablet (*1)
Microsoft Word (2010, 2013 and 2016)
Microsoft Excel (2010, 2013 and 2016)
Microsoft PowerPoint (2010, 2013 and 2016)
Command in command prompt (COPY, XCOPY, MOVE, DEL, ERASE, RD, REN, MD) (*1)
*1: Does not collect "Save as" operation logs.
However, be aware of the following points:
"Update" operation of Microsoft Word will be collected as Create log.
For processes registered under Get Operations Apart from Viewing in File operation (such as Explorer and XCOPY), View logs are not collected.
Even if the software and commands above are used, redundant logs may be collected.
When software or commands other than the above are used, operation logs that do not correspond to the actual operation may be collected (for example, "Copy" and "Cut" logs cannot be collected for them, so the operation may instead be recorded as View, Create, Delete or Rename logs).
When the "Move" operation is performed in the above software or commands, "Copy" and "Create" (move source) logs may be collected.
When using the redirection command (> or >>) and MD command in command prompt, logs may not be output.
When operating file and folder in the client (CT), the types of logs collected are as follows.
Log Type | Content Display of Log Viewer
---|---
View | Operation: View, File name: (*1), Type of drive: (*2), Program name: (*5)
Update | Operation: Update, File name: (*1), Type of drive: (*2), Program name: (*5)
Create | Operation: Create, File name: (*1), Type of drive: (*2), Program name: (*5)
Delete | Operation: Delete, File name: (*1), Type of drive: (*2), Program name: (*5)
Copy | Operation: Copy, Source file name: (*1), Type of drive: (*2), Target file name: (*3), Type of target drive: (*4), Program name: (*5)
Cut | Operation: Cut, Source file name: (*1), Type of drive: (*2), Target file name: (*3), Type of target drive: (*4), Program name: (*5)
Rename | Operation: Rename, Source file name: (*1), Type of drive: (*2), Target file name: (*3), Type of target drive: (*4), Program name: (*5)
Save as | Operation: Save as, Source file name: (*1), Source drive type: (*2), Target file name: (*3), Target drive type: (*4), Program name: (*5)
*1: The name of a file or folder on a local drive is given as a full path; the name of a file or folder on a network drive is given in UNC form, or in UNC form with the IP address in place of the machine name.
*2: Type of source drive
*3: The name of a file or folder on a local drive is given as a full path; the name of a file or folder on a network drive is given in UNC form, or in UNC form with the IP address in place of the machine name.
The name of the file or folder is given as a full path in the following cases:
A drive letter is assigned to the network drive and a rename operation is performed on the assigned drive letter
A drive letter is assigned to the network drive and a cut operation is performed on the assigned drive letter
A drive letter is assigned to the network drive and the network drive is accessed directly to cut a folder
*4: Type of target drive
*5: Name of the application that performs the operation
The conditions and operations under which each of the above log types is collected are as follows:
Condition: operation | Condition: logged items | Condition: drives | View | Update | Create | Delete | Copy | Cut | Rename | Save as
---|---|---|---|---|---|---|---|---|---|---
File Operation | Log for files | In the same drive (*1) | View (*3) | Update (*3) | Create | Delete | Copy | Rename | Rename | Save as
File Operation | Log for files | Between different drives (*2) | - | - | - | - | Copy | Cut | - | Save as
Folder Operation | Log for files under a folder | In the same drive (*1) | - | - | - | Delete | Copy | x (*4) | - | -
Folder Operation | Log for files under a folder | Between different drives (*2) | - | - | - | - | Copy | Cut | - | -
Folder Operation | Log for folders | In the same drive (*1) | - | - | Create | Delete | Create | Rename | Rename | -
Folder Operation | Log for folders | Between different drives (*2) | - | - | - | - | Create | Create | - | -
-: Operation is not possible.
x: Operation log cannot be collected.
View/update/create/delete/copy/cut/rename/Save as: indicates the type of collected operation log.
( ): indicates the type of log collected when a file or folder with the same name already exists in the copy target or move target. When no ( ) is shown, the listed log type is collected regardless.
*1: Operations within the same local drive or the same network drive, for example:
Operation from C drive to C drive in the local drive
Operation in the network drive "\\dtk\common\" (if the server name and the shared name are the same then they are considered as being the same network drive)
*2: Operations between different local drives, between a local drive and a network drive, or between different network drives, for example:
Operations from C drive to D drive in the local drive
Operations between the local drive and network drive.
Operations from the network drive "\\dtk\common\" to the network drive "\\dtk\com\" (if the server name and the shared name are not the same then they are considered as different network drives)
*3: Viewing of file properties in Explorer and command prompt is not a log target.
*4: When the folder name of the moving source is the same as that of the moving target, Rename log is collected only for files existing in the moving source folder but not in the moving target folder.
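The Content strings shown in the example above and in the log type table have a regular "Label: [value]" shape, and footnotes *1 and *2 give a precise rule for what counts as the same drive (same drive letter locally, same server and share on a network drive). The following Python is an added example, not the product's own code: it parses a Content string into its fields, splits several entries that have run together on one line, applies the same-drive rule from the footnotes, and flags two-path operations whose source is a Fixed drive and whose target drive type differs, which is the first thing a reviewer of these logs usually looks for. The dict keys, function names and the last (Fixed-to-Remote) sample are this example's own; the other samples are the page's.

```python
"""Parser for the Content column of File Operation logs, with the
same-drive rule from footnotes *1 and *2.

Added example; not the product's own code. Field labels follow the log
type table (Operation, File name, Source file name, Type of drive,
Target file name, Type of target drive, Program name).
"""
import re
from typing import Optional, Tuple

# One "Label: [value]" pair. The page's own example has no space after one
# colon ("Source file name:[...]"), so whitespace around ':' is optional.
# Values may contain ':' and '\' but are assumed not to contain ']'.
_FIELD = re.compile(r"([A-Za-z ]+?)\s*:\s*\[([^\]]*)\]")
_UNC = re.compile(r"^\\\\([^\\]+)\\([^\\]+)")   # \\server\share...
_LETTER = re.compile(r"^([A-Za-z]):")           # C:...


def parse_content(content: str) -> dict:
    """Return the labelled fields of one Content string.

    Labels are lower-cased so the two spellings used in the documentation
    ("Source File Name" / "Source file name") map to one key.
    """
    return {label.strip().lower(): value for label, value in _FIELD.findall(content)}


def parse_entries(text: str) -> list:
    """Split text holding several logs run together on one line at each
    'Operation:' and parse every part."""
    parts = re.split(r"(?=Operation\s*:\s*\[)", text)
    return [parse_content(p) for p in parts if p.strip()]


def drive_id(path: str) -> Optional[Tuple[str, ...]]:
    """Identify the 'drive' of a path as footnotes *1/*2 define it:
    the drive letter for a local path, server + share for a UNC path."""
    m = _UNC.match(path)
    if m:
        return ("unc", m.group(1).lower(), m.group(2).lower())
    m = _LETTER.match(path)
    if m:
        return ("letter", m.group(1).upper())
    return None


def same_drive(src: str, dst: str) -> bool:
    """True when src and dst are on the same drive (*1); False for *2."""
    a, b = drive_id(src), drive_id(dst)
    return a is not None and a == b


def transfer_kind(rec: dict) -> str:
    """'single' for one-path logs (View/Update/Create/Delete), otherwise
    'same-drive' or 'cross-drive' decided from the two paths."""
    src, dst = rec.get("source file name"), rec.get("target file name")
    if src is None or dst is None:
        return "single"
    return "same-drive" if same_drive(src, dst) else "cross-drive"


def leaves_local_drive(rec: dict) -> bool:
    """Two-path operation from a Fixed drive to a drive of another type
    (for example Remote): data moving off the local disk."""
    return (transfer_kind(rec) != "single"
            and rec.get("type of drive") == "Fixed"
            and rec.get("type of target drive") != "Fixed")


# The first three Content strings are the page's examples; the last is a
# constructed Fixed-to-Remote copy that is not from the page.
PAGE_EXAMPLES = [
    r"Operation: [Rename], Source file name:[C:\Documents and Settings\Administrator\Desktop\New Microsoft Excel Worksheet.xls], Type of drive: [Fixed], Target file name: [C:\Documents and Settings\Administrator\Desktop\List of Customer Information.xls], Type of target drive: [Fixed], Program name: [Explorer.exe]",
    r"Operation: [Copy], Source File Name: [D:\report.doc], Type of drive: [Fixed], Target file name: [D:\tmp\report.doc], Type of Target Drive: [Fixed], Program name: [Explorer.exe]",
    r"Operation: [View], File name: [\\dtk\common\report.doc], Type of drive: [Remote], Program name: [winword.exe]",
    r"Operation: [Copy], Source file name: [C:\Users\alice\plan.xlsx], Type of drive: [Fixed], Target file name: [\\dtk\common\plan.xlsx], Type of target drive: [Remote], Program name: [Explorer.exe]",
]

# Two entries run together on one line, as in the page's folder-move example.
FUSED_LINE = (r"Operation: [Create], Folder Name: [D:\log], Type of drive: [Fixed], Program name: [Explorer.exe] "
              r"Operation: [Delete], File name: [C:\log], Type of drive: [Fixed], Program name: [Explorer.exe]")

if __name__ == "__main__":
    for rec in map(parse_content, PAGE_EXAMPLES):
        flag = "leaves local drive" if leaves_local_drive(rec) else ""
        print(rec["operation"], transfer_kind(rec), flag)
    print([r["operation"] for r in parse_entries(FUSED_LINE)])
```

The same-drive rule is applied to the paths rather than to the Type of drive fields because footnotes *1 and *2 define it in terms of drive letters and server/share names; the drive type fields are used only for the Fixed-to-other-type flag.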
The meaning of the above table and the output logs are illustrated as follows:
When viewing files in the same local drive, logs displayed in View of type of log above are collected.
In the Log Viewer window, the logs collected in this case appear in the log list, and the Content column displays the following:
Operation: [View], File name: [D:\report.doc], Type of drive: [Fixed], Program name: [winword.exe]
This indicates that the file "report.doc" in the root directory of D drive was viewed with Word.
When copying files in the same local drive, no matter whether files with the same name exist in the directory of copy target, log displayed in Copy of the above log type will be collected.
Log displayed in the Content column of Log Viewer is as follows:
Operation: [Copy], Source File Name: [D:\report.doc], Type of drive: [Fixed], Target file name: [D:\tmp\report.doc], Type of Target Drive: [Fixed], Program name: [Explorer.exe]
This indicates that file "report.doc" in the root directory of D drive is copied to "D:\tmp" through Explorer.
When moving an empty folder from the local drive to a different drive and there is no folder with the same name in the moving target, two logs, displayed in Delete and Create of the above log type, are collected.
Log displayed in the Content column of Log Viewer is as follows:
Operation: [Create], Folder Name: [D:\log], Type of drive: [Fixed], Program name: [Explorer.exe]
Operation: [Delete], File name: [C:\log], Type of drive: [Fixed], Program name: [Explorer.exe]
This indicates that folder "log" in the root directory of C drive is moved to the root directory of D drive through Explorer.
When moving an empty folder from the local drive to a different drive and there is a folder with the same name in the moving target, the log displayed in Delete of the above log type is collected.
Log displayed in the Content column of Log Viewer is as follows:
Operation: [Delete], File name: [C:\log], Type of drive: [Fixed], Program name: [Explorer.exe]
This indicates that the folder "log" in the root directory of C drive was moved to a different drive through Explorer, and that a folder with the same name already existed in the moving target.
When viewing files in the same network drive, log displayed in View of the above log type is collected.
Log displayed in the Content column of Log Viewer is as follows:
Operation: [View], File name: [\\dtk\common\report.doc], Type of drive: [Remote], Program name: [winword.exe]
This indicates that file "report.doc" in Shared Folder "common" under the root directory of machine "dtk" is viewed through Word.