This log is recorded when the following operations are performed on the client (CT).
Logon
Logoff
PC Startup
PC Shutdown
PC Sleep
PC Restoration
PC Connection
PC Disconnection
How to apply
Collecting the logon/logoff log makes the following possible:
Illegal operations, such as file export, performed by a malicious third party after the PC is started in safe mode can be found. (No records are left in Systemwalker Desktop Keeper for operations performed in safe mode.)
Compliance with operation guidelines, such as powering off after business is completed and entering sleep mode when the PC is not in use for a long time, can be confirmed.
Users who have used the PC for a long time after power-on can be found.
Set policy for collection
Set policy in the Terminal Initial Settings window or the window after the Management Console is started (CT policy settings window).
In Windows > Log collection operation, set Logon/Logoff Log to Yes.
Collected information
This section describes the information collected in the logon/logoff log.
The corresponding operations in the following cases are collected as logs.
PC startup log
Information when starting the OS of the client (CT).
Information of any of the following startup modes is obtained:
Start in Normal Mode
Start in Safe Mode (including the safe mode with command prompt)
Start in Safe Mode with Network Connection
Logon log
Information when logging on to Windows in the client (CT).
The computer name of the authentication target is obtained.
PC sleep log
Information when the client (CT) enters standby mode or sleep mode.
The time from the last power-on to PC sleep is obtained.
PC restoration log
Information when the client (CT) restores from standby mode or sleep mode.
Logoff log
Information when logging off from Windows in the client (CT).
PC shutdown log
Information when shutting down the OS on the client (CT).
The time from the last power-on to the shutdown is obtained.
In addition, the time from OS startup to shutdown is also obtained.
PC connection log
Information when connecting to the remote terminal.
PC disconnection log
Information when disconnecting from the remote terminal.
How to search
When finding illegal operations, such as file export, performed by a malicious third party after the PC is started in safe mode (no records are left in Systemwalker Desktop Keeper)
By setting the following conditions in the log list window of Log Viewer, only the PC startup logs for startup in safe mode can be searched.
Enter "Safe" in Keyword.
Set Logon/Logoff in Type.
When confirming whether the PC is being used according to the system operation guidelines, such as powering off after business is completed and entering sleep mode when the PC has not been in use for a long time
By setting the following conditions in the log list window of Log Viewer, the PC sleep log and PC restoration log can be searched.
PCs on which sleep mode has been set can be identified through these logs.
Enter "Sleep" and "Restoration" in Keyword.
Select the OR Condition button.
Set Logon/Logoff in Type.
If there is still a PC for which the PC sleep log and PC restoration log are collected on the following day, whether or not the PC was powered off can be inferred.
When finding users who have used the PC for a long time after power-on
By setting the following conditions in the log list window of Log Viewer, the PC shutdown log and PC sleep log can be searched.
A PC that has been in use for a long time can be identified through the OS Startup Time of the PC shutdown log.
In addition, by aggregating the Startup Time of the PC shutdown log and the PC sleep log, the startup time excluding sleep time can be determined.
Enter "PC Shutdown" and "PC Sleep" in Keyword.
Select the OR Condition button.
Set Logon/Logoff in Type.
The search can be performed in PC startup log by using strings such as "Startup in Normal Mode", "Startup in Safe Mode" and "Startup in Safe Mode with Network Connection".
Enter a keyword in double-byte when searching for the first time. From the next search onward, previously entered strings can be selected from the drop-down menu.
The PC shutdown log can be searched by using the string "XX hours YY minutes". The time is matched by partial match or complete match. Magnitude (greater-than/less-than) searches cannot be performed.
Enter the numerals ("XX" and "YY") in single-byte.
Enter "hour" and "minute" in double-byte.
Displayed content
The following log content can be viewed:
Name: name of the client (CT)
Occurrence Date and Time: time for collecting logs at client (CT)
User ID: the following information is displayed. (*1)
At PC startup: SYSTEM (fixed)
At PC shutdown: SYSTEM (fixed)
At PC sleep: SYSTEM (fixed)
At PC restoration: SYSTEM (fixed)
At logon: logon user name of the client (CT)
At logoff: logon user name of the client (CT)
At PC connection: logon user name for logon to the remote terminal
At PC disconnection: logon user name for logon to the remote terminal
Domain Name: the following information is displayed:
At PC startup: computer name of client (CT)
At PC shutdown: computer name of client (CT)
At PC sleep: computer name of client (CT)
At PC restoration: computer name of client (CT)
At logon: the domain name of the client when logging on to a domain, or the computer name of the client when logging on to the local computer
At logoff: the domain name of the client when logging on to a domain, or the computer name of the client when logging on to the local computer
At PC connection: the domain name when logging on to a domain in the remote terminal, or the computer name when logging on to the local computer
At PC disconnection: the domain name when logging on to a domain in the remote terminal, or the computer name when logging on to the local computer
Type: the following content is displayed according to log type (fixed):
PC Startup
PC Shutdown
PC Sleep
PC Restoration
Logon
Logoff
PC Connection
PC Disconnection
Classification: normal (fixed value)
Attachment: (not displayed)
Content: the following content is displayed:
At PC startup: the computer is started. Startup mode: Display Startup Mode (*1)
The following content is displayed in the Display Startup Mode.
Startup in Normal Mode
Startup in Safe Mode (including that with command prompt)
Startup in Safe Mode with network connection
At PC shutdown: the computer is powered off. Startup time: Display Startup Time (*1), OS startup time: Display Startup Time (*1)
Display Startup Time shows hours and minutes in the format xx hours xx minutes.
Seconds are rounded up to the next minute.
Example: 0 hours 3 minutes 0 seconds is output as 0 hours 03 minutes. 0 hours 3 minutes 1 second is output as 0 hours 04 minutes.
At PC sleep: the computer sleeps. Startup time: Display Startup Time (*1)
At PC restoration: the computer is restored.
At logon: the computer is logged on. Authentication target: Display Authentication Target (*1)
Computer Name (in local authentication) or Domain Name (in domain authentication) is displayed in the Display Authentication Target.
At logoff: the computer is logged off.
At PC connection: connect the computer Computer Name (Virtual PC) from the computer Computer Name (Physical PC).
At PC disconnection: disconnect the computer Computer Name (Physical PC) and the computer Computer Name (Virtual PC).
*1: When performing keyword search in Log Viewer, it can be specified as keyword.
Note: the following content is displayed.
When Type is Logon
Connection method (*1)
Operation terminal (*1)
Logon method (*1)
Logon authority (*1)
Session No (*1)
When Type is PC Shutdown and the power of PC is cut off by force
Shutdown action: Abnormal Shutdown (*1)
*1: When performing keyword search in Log Viewer, it can be specified as keyword.
Example of Notes:
When performing local logon to the client (CT) as user directly
Connection method: [Local], operation terminal: [This Computer Name], logon method: [Local Logon], logon authority: [User Authority], Session No: [Session ID]
When performing domain logon with administrator authority through terminal service
Connection method: [Remote], operation terminal: [Name of This Computer Performing Connection Operation], logon method: [Domain Logon], logon authority: [Administrator Authority], Session No: [Session ID]
When cutting off the power of PC by force
Shutdown action: [Abnormal Shutdown]
Example of log:
CLIENT1 2015/05/30 01:15 SYSTEM D-DOMAIN PC startup Normal Computer has been started.Startup mode [Normal mode startup]
CLIENT1 2015/05/30 01:20 user01 D-DOMAIN Logon Normal Logged on.Authentication target: [D-DOMAIN] Connection method: [Local],Operation terminal: [CLIENT1],Logon method: [Domain Logon], Logon authority: [User Authority],Session No: [0]
CLIENT1 2015/05/30 04:32 SYSTEM D-DOMAIN PC sleep Normal Computer has slept.Startup time: [3hours12minutes]
CLIENT1 2015/05/30 05:15 SYSTEM D-DOMAIN PC restoration Normal Computer has been recovered.
CLIENT1 2015/05/30 14:18 user01 D-DOMAIN Logoff Normal Logged off.
CLIENT1 2015/05/30 07:43 SYSTEM D-DOMAIN PC Shutdown Normal Computer has been shut down Startup time: [2hours28minutes],OS startup time: [6hours28minutes]
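The searches described under How to search, written as a script over exported log lines (an added example, not part of the product or its documentation). It assumes a text export with one entry per line in the layout of the example log above; the sample lines, the "[Safe mode startup]" string and the 12-hour threshold are constructed for illustration.

```python
import re

# Field layout follows the page's "Example of log": Name, Occurrence Date and
# Time, User ID, Domain Name, Type, Classification, Content (+ Note).
LINE = re.compile(
    r"^(?P<name>\S+) (?P<when>\d{4}/\d{2}/\d{2} \d{2}:\d{2}) (?P<user>\S+) "
    r"(?P<domain>\S+) (?P<type>PC (?:startup|shutdown|sleep|restoration|"
    r"connection|disconnection)|Logon|Logoff) (?P<cls>\S+) (?P<content>.*)$",
    re.IGNORECASE)
OS_UPTIME = re.compile(r"OS startup time: \[(\d+)hours(\d+)minutes\]")

# Constructed sample lines (not from a real export); the safe-mode wording is
# assumed by analogy with "[Normal mode startup]" in the page's example.
SAMPLE = """\
CLIENT1 2015/05/30 01:15 SYSTEM D-DOMAIN PC startup Normal Computer has been started.Startup mode [Normal mode startup]
CLIENT2 2015/05/30 02:40 SYSTEM CLIENT2 PC startup Normal Computer has been started.Startup mode [Safe mode startup]
CLIENT1 2015/05/30 07:43 SYSTEM D-DOMAIN PC Shutdown Normal Computer has been shut down Startup time: [2hours28minutes],OS startup time: [6hours28minutes]
CLIENT3 2015/05/30 23:10 SYSTEM CLIENT3 PC Shutdown Normal Computer has been shut down Startup time: [14hours05minutes],OS startup time: [14hours05minutes] Shutdown action: [Abnormal Shutdown]
"""

def triage(text, max_minutes=12 * 60):  # threshold is a hypothetical policy value
    """Return (client, time, reason) findings for the review cases on this page."""
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that do not follow the assumed layout
        kind, content = m["type"].lower(), m["content"]
        where = (m["name"], m["when"])
        # Same idea as entering "Safe" as keyword with Type = Logon/Logoff.
        if kind == "pc startup" and "safe" in content.lower():
            findings.append((*where, "safe mode startup"))
        if kind == "pc shutdown":
            # The Note field reports a forced power-off as Abnormal Shutdown.
            if "abnormal shutdown" in content.lower():
                findings.append((*where, "forced power-off"))
            # Log Viewer cannot compare durations, so do it numerically here.
            up = OS_UPTIME.search(content)
            if up and int(up[1]) * 60 + int(up[2]) > max_minutes:
                findings.append((*where, "long use: " + up[0]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep=" | ")
```

Because safe-mode sessions leave no other records, a safe mode startup finding is best reviewed together with the logon entries that follow it on the same client.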