The Log Viewer gives you access to all the events that have been captured by Impero. The Log Viewer gives administrators the ability to get comprehensive, in-depth data on computer/user usage and build reports based on various criteria.
Note: The logs displayed in Log Viewer will only go back as far as your network administrator defines. The retention period for log files is specified in the Impero Server.
- In order to access the Log Viewer, click on the 'Admin' toolbar and select 'Log Viewer'.
- You are then presented with the Log Viewer window, from which you can select to view the logs in a number of different ways.
- On the left-hand side of the window, you will see an 'Archive' drop-down list.
- This drop-down list contains each monthly archive that Impero has automatically created.
- If you are looking for a particular event, and know when it took place, select the relevant monthly archive here.
- The 'Current' selection will display all logs that are currently held by Impero.
- Once you have made a selection in the drop-down list, you can browse the 'Available Logs' panel below.
- You can browse the available logs by date, user, computer or the Impero groups that your user has access to.
- Click on the ‘+’ symbol next to each of these options to expand the list.
- The results on the right-hand side of the window will update based on your selection in the 'Available Logs' panel.
- If you expand the 'Date' option and select a date, you can quickly see all violations generated by all users on that date, and all printed documents from that date.
- If you expand further and select a specific user or computer, you can see a variety of activity information from that user/computer.
Violations
This tab will contain a list of all the violations generated by the selected user/computer on the selected date. There are a number of columns of information displayed in this tab:
Image - If a screenshot has been taken when the violation is triggered, it will display in this column. Click on it to view a larger version of the image.
Time - The time at which the violation was generated.
User - The user that generated the violation.
Computer - The computer on which the violation was generated.
Violation - The type of block that triggered this violation, i.e. Website, Window Caption, Application.
Reason - Details on the resource that was accessed to trigger this violation.
Notes - Any notes that have been added to this violation. This column will include a link to view any video recording that is taken as part of the violation.
Severity - The severity level applied to this violation.
Status - The status currently applied to this violation.
Keyword - The keyword that triggered this violation based on the created policy.
Policy Name - The name of the policy that triggered this violation.
Description - This field will populate with the 'Reason for this block/Glossary of Term', if one was added when the policy was created.
Window History
This tab will contain a list of all the window captions that were opened by the selected user/computer on the selected date.
Applications Used
This tab will contain the path of all the applications that were opened by the selected user/computer on the selected date.
Websites Visited
This tab will contain the full URL of every website that was accessed by the selected user/computer on the selected date. You can double-click on any of these URLs to open the web address in your default browser and see what the page contains. For further information on website logging, please see 'Browser Extensions'.
Printed Documents
This tab will contain information on every page that was sent to a printer by the selected user/computer on the selected date.
Deleted Files
This tab will contain the filename of every file that was deleted from the 'My Documents' area by the selected user/computer on the selected date.
Timeline
This tab will combine all Violations, Window History, Applications Used, Websites Visited, Printed Documents and Deleted Files information from the previous tabs and display them in the order that they occurred.
- You can use the eight fields at the top of this window to filter the violations for more specific entries.
- In the Severity, Violation Type and Status fields, select an option from the drop-down list; the violation list will update dynamically to reflect your filters.
- In the User, Computer, Violation Reason, Keyword and Policy Name fields, type in the filter you wish to use; the violation list will update dynamically to reflect your filters.
- If you click on an entry in the Log Viewer to select it, you can then click on the 'Action' button to see a variety of actions that you are then able to carry out on the entry.
- You can also right-click with your mouse on any entry to perform the same actions.
Status
Change the status of the event to 'Unclassified', 'Requires Attention', 'Under Investigation', 'Escalated', 'Resolved as false positive'* or 'Resolved'.
Severity
Change the severity of the event to Minor, Moderate or Severe.
Add Note
You can add a note to the event which will then become visible on the main Log Viewer window, in the 'Notes' column.
View Image
If there is a thumbnail of the violation in the Log Viewer window, click 'View Image' to see a larger version of the image, with the options to 'Save' or 'Print' the image.
Export to PDF
Export the violation screenshot and a number of details relating to the violation to a PDF file.
* Resolved as false positive
The 'Resolved as false positive' option has its own contextual menu offering two further options.
OK
This will simply resolve the selected log event as a false positive. A note will automatically be added to the event to inform console users that it has been resolved, and display the name of the person who specified that the event has been resolved.
OK and Add to whitelist
Selecting this option will resolve the event as a false positive as above, but will also give you the additional option of adding the policy item to an existing whitelist. This will ensure that the false positive does not occur again. Select the whitelist that you would like to add to, which will open the 'Add/Edit Policy Item' window and pre-populate the whitelist item for you based on the event that you are currently viewing. You can then modify the policy item as you wish, and click the 'Add' button to add the event to the whitelist.
Note: The original policy item that created the violation will remain active, but the whitelist item will supersede it.