The Forcepoint DLP audit log
Use the page in the Data Security module of the Security Manager to review actions performed by administrators in the system. For example, the audit log can show when administrators:
- Export incidents to a PDF or CSV file
- Email incidents to a manager or other recipient
- Make changes to a user account, such as user name or password
- View incident details such as trigger values and forensics (Configure auditing for viewing incident details on the page. Select Audit incident detail views.)
The audit log can be used to investigate unauthorized or irregular changes to the system that might jeopardize employee privacy or breach an IT security compliance policy.
By default, the displayed actions are sorted by date and time. If a filter is used, the number of displayed actions is shown at the top of the list.
To send Audit log data to the syslog server, enable the Send syslog message check box.
Note: To use this feature, the syslog server details must be configured.
To configure Syslog Settings, navigate to . For more details, see the Remediation section.

Column | Description |
---|---|
Action ID | ID number of the action. You can quickly jump to an Audit Log action by entering the ID number in the Find Action ID field and clicking Find. |
Date & Time | Date and time the action occurred. |
Administrator | Name and user name of the administrator that initiated the action in the Forcepoint Security Manager. |
Access Role | Role of the administrator. |
Topic | You can filter the Audit Log by topic types. |
Action Performed | Description of the action performed by the administrator—for example, “exported DLP incident to PDF file”. |
Details | Additional information about the action. For example, for an action such as adding a policy, rule, or exception, this shows the policy, rule, or exception name. For actions such as previewing or exporting a report, it includes the report name. |
Modified Item | Identifies the object that was changed, added, or deleted. For actions performed on incidents (e.g., viewing incident details), it includes the incident ID. For report generation, it includes a task number. Click the link to view additional details. |
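
The review described above can be scripted once audit rows are available outside the console. The following is an added example, not Forcepoint code: it groups the administrator actions listed at the top of this page (exports, emails, incident detail views, account changes) by administrator and flags repeated exports. It assumes the rows have been transcribed into CSV using the column names from the table; the CSV layout, the sample rows, the keyword lists and the `review` and `classify` helpers are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows. Column names come from the table above; the CSV
# layout itself is an assumption, not a documented Forcepoint export format.
SAMPLE = """Action ID,Date & Time,Administrator,Access Role,Topic,Action Performed,Details,Modified Item
101,2024-03-04 09:12:00,Alice Ng (ang),Incident Manager,Incidents,exported DLP incident to PDF file,,Incident 5001
102,2024-03-04 09:13:10,Alice Ng (ang),Incident Manager,Incidents,viewed incident details,,Incident 5002
103,2024-03-04 09:13:40,Alice Ng (ang),Incident Manager,Incidents,exported DLP incident to CSV file,,Incident 5003
104,2024-03-04 10:00:00,Bob Li (bli),Super Administrator,Administrators,changed administrator password,User: ang,ang
105,2024-03-04 11:30:00,Carol Diaz (cdiaz),Policy Manager,Policies,added rule,Rule: PCI outbound,PCI outbound
"""

# Keywords for the action kinds the page lists. Apart from the quoted PDF
# export string, the wording of real "Action Performed" values is assumed.
SENSITIVE = {
    "export": ("exported",),
    "email": ("emailed",),
    "incident_view": ("viewed incident",),
    "account_change": ("password", "user name"),
}

def classify(action):
    """Map an Action Performed string to a sensitive action kind, or None."""
    text = action.lower()
    for kind, words in SENSITIVE.items():
        if any(w in text for w in words):
            return kind
    return None

def review(csv_text, threshold=2):
    """Return ({administrator: {kind: [action IDs]}}, [bulk exporters])."""
    hits = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = classify(row["Action Performed"])
        if kind:
            hits[row["Administrator"]][kind].append(int(row["Action ID"]))
    # Administrators whose export count reaches the threshold.
    bulk = sorted(a for a, k in hits.items() if len(k.get("export", [])) >= threshold)
    return {a: dict(k) for a, k in hits.items()}, bulk

if __name__ == "__main__":
    findings, bulk_exporters = review(SAMPLE)
    for admin, kinds in findings.items():
        print(admin, kinds)
    print("bulk exporters:", bulk_exporters)
```

The returned action IDs can be entered in the Find Action ID field to jump to the corresponding entries in the console.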