Viewing and exporting the audit log

Web protection software provides an audit trail showing which administrators have accessed the Web module of the Forcepoint Security Manager, as well as any changes made to policies and settings. This information is available only to Super Administrators who are granted policy permissions (see Super Administrator permissions).

Delegated administrators have significant control over the Internet activities of their managed clients. Monitoring their changes through the audit log enables you to ensure that this control is handled responsibly and in accordance with your organization’s acceptable use policies.

Use the Status > Audit Log page to view the audit log and, if desired, to export selected portions of it to an Excel spreadsheet (XLS) file. Optionally, use the settings on the Settings > General > SIEM Integration page to send audit log records to the SIEM integration defined for the primary Policy Server. (See Integrating with a third-party SIEM solution.)

Audit records are saved for 60 days. To preserve audit records longer than 60 days, use the export option to export the log on a regular basis. Exporting does not remove records from the audit log.

When the Audit Log page opens, the most recent records are shown. Use the scroll bar and the paging buttons above the log to view older records.

The log displays the following information. If an item is truncated, click the partial entry to display the full record in a pop-up window.

| Column | Description |
|---|---|
| Date | Date and time of the change, adjusted for time zones. To assure consistent data in the audit log, be sure all machines running web protection components have their date and time settings synchronized. |
| User | User name of the administrator who made the change. |
| Server | IP address or name of machine running the Policy Server affected by the change. This appears only for changes that affect the Policy Server, such as changes made using the Settings options. |
| Role | Delegated administration role affected by the change. When a change affects a client explicitly assigned as a managed client in the delegated administrator's role, that change shows as affecting the Super Administrator role. If the change affects a client that is a member of a network range, group, domain or organizational unit assigned to the role, the change shows as affecting the delegated administrator's role. |
| Type | Configuration element that was changed, such as policy, category filter, or logon/logoff. |
| Element | Identifier for the specific object changed, such as the category filter name or role name. |
| Action | Type of change made, such as add, delete, change, log on, and so on. |
| Previous | Value before the change. |
| Current | New value after the change. |

Not all items are shown for all records. For example, the role is not displayed for logon and logoff records and the Previous and Current values for a password change are left blank.
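Because records expire after 60 days and exporting does not remove them from the log, regular exports overlap and must be de-duplicated when combined into a long-term archive. The following is an added example, not Forcepoint code: it assumes each XLS export has been saved as CSV with the column names from the table above, and all sample records, user names, and values are constructed.

```python
import csv
import io

# Column names follow the table on this page; the CSV layout is an assumption.
COLUMNS = ["Date", "User", "Server", "Role", "Type", "Element",
           "Action", "Previous", "Current"]


def read_export(text):
    """Parse one export (CSV text) into a list of normalized row dicts."""
    # Not every record carries every item (no Role on logon/logoff records,
    # blank Previous/Current on password changes), so default to "".
    return [{c: (raw.get(c) or "").strip() for c in COLUMNS}
            for raw in csv.DictReader(io.StringIO(text))]


def merge_exports(archive, export):
    """Append records not already in archive; return how many were added."""
    # Successive exports overlap, so a record is treated as a duplicate when
    # all nine columns match one that is already archived.
    seen = {tuple(r[c] for c in COLUMNS) for r in archive}
    added = 0
    for row in export:
        key = tuple(row[c] for c in COLUMNS)
        if key not in seen:
            seen.add(key)
            archive.append(row)
            added += 1
    return added


def changes_by_user(archive, skip_types=("logon/logoff",)):
    """Group configuration changes by administrator, skipping session events."""
    out = {}
    for row in archive:
        if row["Type"].lower() not in skip_types:
            out.setdefault(row["User"], []).append(row)
    return out


# Constructed sample data: two overlapping exports.
WEEK1 = """Date,User,Server,Role,Type,Element,Action,Previous,Current
2024-03-01 09:00:12,deleg1,,,logon/logoff,,log on,,
2024-03-01 09:04:40,deleg1,,Sales,category filter,Sales Filter,change,Block,Permit
"""
WEEK2 = """Date,User,Server,Role,Type,Element,Action,Previous,Current
2024-03-01 09:04:40,deleg1,,Sales,category filter,Sales Filter,change,Block,Permit
2024-03-08 14:20:03,admin,10.0.0.5,,password,deleg1,change,,
"""
```

Running the merge on a schedule shorter than 60 days keeps the archive complete; the per-administrator grouping gives a starting point for reviewing delegated administrators' changes.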