Auditing

Log events for BitLocker

Events reported by the BitLocker Client are logged in the same way as events from any other SafeGuard Enterprise client, and the events reported are the same. The log entry does not explicitly state that the event refers to a BitLocker Client.

Log event for recovery with BitLocker recovery key ID

An event is logged when the BitLocker recovery key ID is displayed to an officer (event 2088).

Log events for asynchronous encryption

Events are logged when:
  • Asynchronous encryption encrypted a file (event 3018)
  • Asynchronous encryption decrypted a file (event 3019)

You can view a list of these events in the SafeGuard Management Center under Reports in the Event viewer.

Log events for unconfirmed users

Events are logged when:

  • users are added to the Unconfirmed Users group (event 2801)
  • users have been confirmed successfully (event 2800)
  • the Automatically confirm users that cannot be authenticated against Active Directory option is activated (event 2802)

  • the Automatically confirm users that cannot be authenticated against Active Directory option is deactivated (event 2803)

  • users have been confirmed automatically (event 2804)

You can view a list of these events in the SafeGuard Management Center under Reports in the Event viewer.

Log events for deletion of domains, OU nodes and workgroups

Events are logged when:

  • the Prevent deletion of domains, OU nodes and workgroups option is activated. The message shows the security officer who activated it (event 2805).

  • the Prevent deletion of domains, OU nodes and workgroups option is deactivated. The message shows the security officer who deactivated it (event 2806).

You can view a list of these events in the SafeGuard Management Center under Reports in the Event viewer.

Log events for users, computers or workgroups

Successful/unsuccessful registrations of users, computers or workgroups are logged. You can view a list of these events in the SafeGuard Management Center under Reports in the Event viewer.

Log events for disabling/enabling policy deployment

Events are logged when:

  • policy deployment is disabled by a security officer. The message shows the security officer who disabled policy deployment (event 2770).
  • policy deployment is enabled by a security officer. The message shows the security officer who enabled policy deployment (event 2771).
  • policy deployment is disabled by license management (event 2773). Possible reasons:
    • invalid licenses
    • expired license
    • exceeded licenses
  • policy deployment is enabled by license management (event 2771)

You can view a list of these events in the SafeGuard Management Center under Reports in the Event viewer.
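The activate/deactivate event pairs listed above (2770/2773 and 2771, 2806 and 2805, 2802 and 2803) can be used to reconstruct the periods during which a protective setting was switched off or a relaxed one was switched on. The following is an added example, not part of the product or its documentation; it assumes the events are available as CSV rows with timestamp, event_id and message columns, and that layout and the sample rows are constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Event IDs from the sections above: state -> (IDs that start it, IDs that end it).
TOGGLES = {
    "policy deployment disabled": ({2770, 2773}, {2771}),
    "deletion prevention deactivated": ({2806}, {2805}),
    "automatic user confirmation activated": ({2802}, {2803}),
}

# Constructed sample; the column layout and message texts are assumptions.
SAMPLE_EXPORT = """timestamp,event_id,message
2024-03-01T08:00:00,2805,constructed: option activated by officer MSO
2024-03-01T09:15:00,2770,constructed: policy deployment disabled by officer alice
2024-03-01T09:20:00,2088,constructed: recovery key ID displayed to officer alice
2024-03-01T11:45:00,2771,constructed: policy deployment enabled by officer alice
2024-03-02T14:00:00,2806,constructed: option deactivated by officer bob
2024-03-02T14:05:00,2802,constructed: option activated by officer bob
2024-03-02T14:30:00,2804,constructed: user confirmed automatically
2024-03-02T16:00:00,2803,constructed: option deactivated by officer bob
"""

def parse_events(csv_text):
    """Parse the assumed CSV layout into time-ordered (timestamp, event_id) pairs."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return sorted((datetime.fromisoformat(r["timestamp"]), int(r["event_id"])) for r in reader)

def weakened_windows(csv_text):
    """Return (state, start, end, ids_seen_inside); end is None if never reverted."""
    open_states = {}  # state -> [start, event IDs seen while the state was active]
    windows = []
    for ts, eid in parse_events(csv_text):
        for state, (starts, ends) in TOGGLES.items():
            if eid in starts:
                open_states.setdefault(state, [ts, []])  # keep the earliest start
            elif eid in ends and state in open_states:
                start, seen = open_states.pop(state)
                windows.append((state, start, ts, seen))
            elif state in open_states:
                open_states[state][1].append(eid)
    # States never reverted within the export are reported with end=None.
    windows.extend((s, start, None, seen) for s, (start, seen) in open_states.items())
    return windows

if __name__ == "__main__":
    for state, start, end, seen in weakened_windows(SAMPLE_EXPORT):
        print(f"{state}: {start} -> {end or 'STILL ACTIVE'}; events inside: {seen}")
```

Because the page lists event 2771 for both the officer and the license-management case, the example treats 2771 as ending a window opened by either 2770 or 2773.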

Log events for service account lists

 FDE

Actions performed regarding service account lists are reported by the following log events:

SafeGuard Management Center

  • Service account list <name> created
  • Service account list <name> modified
  • Service account list <name> deleted

SafeGuard Enterprise protected endpoint

  • Windows user <domain/user name> logged on at <timestamp> to machine <domain/workstation name> as SGN service account.
  • New service account list <name> imported.
  • Service account list <name> deleted.

Log events for Task Scheduler

Events concerning task execution can be logged to provide useful information, for example for troubleshooting. You can define the following events to be logged:

  • Scheduler task executed successfully

  • Scheduler task failed

  • Scheduler service thread stopped due to an exception.

The events include the script console output to facilitate troubleshooting.

For further information on logging, see Reports.

Track files accessed in cloud storage

You can track files accessed in cloud storage by using the Reports function of the SafeGuard Management Center. Files accessed can be tracked regardless of any encryption policies applied to them.

In a policy of the type Logging you can define the following:

  • An event to be logged when a file or directory is created on a removable media device.
  • An event to be logged when a file or directory is renamed on a removable media device.
  • An event to be logged when a file or directory is deleted from a removable media device.

For further information, see File access report for removable media and cloud storage.

Track files accessed on removable media

 DX

You can track files accessed on removable media by using the Reports function of the SafeGuard Management Center. Files accessed can be tracked regardless of any encryption policy applying to files on removable media.

In a policy of the type Logging you can define the following:

  • An event to be logged when a file or directory is created on a removable media device.
  • An event to be logged when a file or directory is renamed on a removable media device.
  • An event to be logged when a file or directory is deleted from a removable media device.

For further information, see File access report for removable media and cloud storage.