The Forcepoint DLP audit log

Use the Main > Logs > Audit Log page in the Data Security module of the Security Manager to review actions performed by administrators in the system. For example, the audit log can show when administrators:

  • Export incidents to a PDF or CSV file
  • Email incidents to a manager or other recipient
  • Make changes to a user account, such as user name or password
  • View incident details such as trigger values and forensics (to audit incident detail views, select Audit incident detail views on the Settings > Authorization > Administrators page)

The audit log can be used to investigate unauthorized or irregular changes to the system that might jeopardize employee privacy or breach an IT security compliance policy.

By default, the displayed actions are sorted by date and time. If a filter is used, the number of displayed actions is shown at the top of the list.

To send audit log data to the syslog server, select the Send syslog message check box.
Note: To use this feature, the syslog server details must be configured first.

To configure syslog settings, navigate to Settings > General > Remediation. For more details, see the Remediation section.

Column: Description

Action ID: ID number of the action. You can quickly jump to an Audit Log action by entering the ID number in the Find Action ID field and clicking Find.
Date & Time: Date and time the action occurred.
Administrator: Name and user name of the administrator that initiated the action in the Forcepoint Security Manager.
Access Role: Role of the administrator.
Topic: The topic type of the action. You can filter the Audit Log by topic type:

  • Administration - Displays actions performed by administrators during the designated period, such as adding a new access role or configuring user directories. Also displays actions made on administrators, such as adding a new administrator or changing an administrator’s permissions.
  • Log on/Log out - Displays log on and log out actions so you know which administrators were active during the designated period.
  • Status - Displays actions performed on status reports and logs, such as deleting an entry or creating an audit record.
  • Policy management - Displays actions performed on policies, such as updating predefined policies, editing quick policies, or creating a new policy.
  • Reporting - Displays actions performed on reports during the designated period, such as editing or creating a new report.
  • Incident management - Displays actions performed on incidents, such as deleting incidents.
  • Archiving - Displays actions performed on incident archives, such as deleting or restoring an archive.
  • System modules - Displays actions performed on system modules, such as editing a configuration or adding a module.

Action Performed: Description of the action performed by the administrator, for example, “exported DLP incident to PDF file”.
Details: Additional information about the action. For example, for an action such as adding a policy, rule, or exception, this shows the policy, rule, or exception name. For actions such as previewing or exporting a report, it includes the report name.
Modified Item: Identifies the object that was changed, added, or deleted. For actions performed on incidents (e.g., viewing incident details), it includes the incident ID. For report generation, it includes a task number. Click the link to view additional details.
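The following is an added example, not part of the Forcepoint documentation, showing how an analyst might review audit log records offline using the columns listed above. It assumes the log is available as a CSV export with those column names (the real export format is not specified on this page), and the sample rows and business-hours window are constructed for illustration.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample audit log export using the column names from the page.
# Assumption: CSV with these headers; real export formats may differ.
SAMPLE_AUDIT_CSV = """\
Action ID,Date & Time,Administrator,Access Role,Topic,Action Performed,Details,Modified Item
1001,2024-03-04 09:12:00,Alice Adams (aadams),Super Administrator,Log on/Log out,logged on,,
1002,2024-03-04 09:15:30,Alice Adams (aadams),Super Administrator,Incident management,exported DLP incident to PDF file,,Incident 55021
1003,2024-03-04 23:41:05,Bob Brown (bbrown),Incident Manager,Administration,changed administrator password,Administrator account,bbrown
1004,2024-03-05 02:03:10,Bob Brown (bbrown),Incident Manager,Incident management,deleted incidents,12 incidents,
1005,2024-03-05 10:00:00,Carol Chen (cchen),Auditor,Reporting,created a new report,Weekly summary,Task 87
"""

# Topics where a change outside business hours warrants a closer look.
SENSITIVE_TOPICS = {"Administration", "Incident management",
                    "System modules", "Policy management"}
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 local time (assumed window)

def parse_audit_log(text):
    """Parse an audit log CSV export into a list of dict rows keyed by column."""
    return list(csv.DictReader(io.StringIO(text)))

def find_action(rows, action_id):
    """Look up one row by Action ID (mirrors the Find Action ID field)."""
    return next((r for r in rows if r["Action ID"] == str(action_id)), None)

def flag_irregular(rows):
    """Return (Action ID, reason) for sensitive-topic actions done off-hours."""
    findings = []
    for r in rows:
        when = datetime.strptime(r["Date & Time"], "%Y-%m-%d %H:%M:%S")
        if r["Topic"] in SENSITIVE_TOPICS and when.hour not in BUSINESS_HOURS:
            findings.append((r["Action ID"],
                             f"{r['Topic']} by {r['Administrator']} at {when:%H:%M}"))
    return findings

def actions_per_admin(rows, topic=None):
    """Count actions per administrator, optionally filtered by Topic."""
    return Counter(r["Administrator"] for r in rows
                   if topic is None or r["Topic"] == topic)

if __name__ == "__main__":
    rows = parse_audit_log(SAMPLE_AUDIT_CSV)
    for action_id, reason in flag_irregular(rows):
        print(f"review action {action_id}: {reason}")
```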