Auditing

Auditing enables you to monitor changes in Enterprise Console configuration and other user or system actions. You can use this information for regulatory compliance and troubleshooting or, in the case of malicious activity, during a forensic analysis.

By default, auditing is disabled. After you enable auditing, an audit entry is written to the auditing database whenever certain configuration settings are changed or certain actions are performed.

Note: If you use role-based administration, you must have the Auditing right to enable or disable auditing.

The audit entry includes the following information:

  • Action performed
  • User who performed the action
  • User's computer
  • User's sub-estate
  • Date and time of the action

Both successful and failed attempts at actions are audited, so the audit entries can show who performed actions on the system and who started actions that did not complete successfully.

Audited actions include:

| Category | Actions |
|---|---|
| Computer actions | Acknowledge/resolve alerts and errors, protect a computer, update a computer, delete a computer, perform a full system scan on a computer. |
| Computer group management | Create a group, delete a group, move a group, rename a group, assign a computer to a group. |
| Policy management | Create a policy, rename a policy, duplicate a policy, edit a policy, assign a policy to a computer, reset a policy to factory defaults, delete a policy. |
| Role management | Create a role, delete a role, rename a role, duplicate a role, add a user to a role, remove a user from a role, add a right to a role, remove a right from a role. |
| Update manager management | Update an update manager, make an update manager comply with configuration, acknowledge alerts, delete an update manager, configure an update manager, add a new software subscription, delete a software subscription, rename a software subscription, edit a software subscription, duplicate a software subscription. |
| System events | Enable auditing, disable auditing. |

You can use third-party programs, such as Microsoft Excel, Microsoft Access, Microsoft SQL Server Reporting Services, or Crystal Reports, to access and analyze data stored in the auditing database. For information about how to view audit entries, see the Sophos Enterprise Console auditing user guide.
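As an added example (not Sophos code), the following Python script shows one way to review audit entries once they have been exported from the auditing database: it reports the windows during which auditing was switched off and counts failed role management attempts per user. The CSV layout, the column names (including the `result` column) and the sample rows are assumptions constructed for illustration and do not reflect the actual auditing database schema.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export. Column names are assumptions, not the product's schema.
SAMPLE_CSV = """timestamp,user,computer,sub_estate,action,result
2024-03-01T09:00:00,CORP\\alice,ADMIN-PC1,Default,Enable auditing,Success
2024-03-01T10:15:00,CORP\\bob,HELPDESK-7,London,Add a right to a role,Failure
2024-03-01T10:16:00,CORP\\bob,HELPDESK-7,London,Add a user to a role,Failure
2024-03-02T22:40:00,CORP\\carol,ADMIN-PC2,Default,Disable auditing,Success
2024-03-03T06:05:00,CORP\\alice,ADMIN-PC1,Default,Enable auditing,Success
"""

# Role management actions, as listed in the table on this page (lower-cased).
ROLE_ACTIONS = {"create a role", "delete a role", "rename a role", "duplicate a role",
                "add a user to a role", "remove a user from a role",
                "add a right to a role", "remove a right from a role"}

def load_entries(text):
    """Parse the export and return the entries in chronological order."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return sorted(rows, key=lambda row: row["timestamp"])

def auditing_gaps(entries):
    """Return (disabled_at, disabled_by, re_enabled_at) per window with auditing off."""
    gaps, start = [], None
    for e in entries:
        action = e["action"].lower()
        if e["result"] != "Success":
            continue  # a failed attempt to toggle auditing does not change its state
        if action == "disable auditing" and start is None:
            start = (e["timestamp"], e["user"])
        elif action == "enable auditing" and start is not None:
            gaps.append((*start, e["timestamp"]))
            start = None
    if start is not None:
        gaps.append((*start, None))  # auditing is still off at the end of the export
    return gaps

def failed_role_changes(entries):
    """Count failed role management attempts per user."""
    return Counter(e["user"] for e in entries
                   if e["result"] == "Failure" and e["action"].lower() in ROLE_ACTIONS)

if __name__ == "__main__":
    entries = load_entries(SAMPLE_CSV)
    print(auditing_gaps(entries), dict(failed_role_changes(entries)))
```

No entries are written while auditing is disabled, so each reported window marks a period that has to be reconstructed from other sources.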