Tracking Activity via DataCove’s Audit Log


What is an Audit Log?

Audit Logs, also commonly known as audit trails, are records of activities performed by users of a system or application. In DataCove’s context, all user activity pertinent to changing system settings, searching or viewing emails and even simply logging into the system are tracked and recorded for posterity. In the case of any questions of propriety arising in the future, these logs can be used to identify who was doing what and when they were doing it.

Given the immense amount of information contained in emails and the breadth of access that any Human Resources employee, Legal team member, Compliance Officer or System Administrator holds, there is an obvious concern that at some point someone will be tempted to look at more content than their task requires.

Tangent has given this collision of curiosity and privacy careful thought: devising the Audit Log system was a core development priority in the original build of DataCove some twenty years ago.

All activities on the system are tracked in chronological order (date and time stamps are recorded in the system's local time, so convert them when correlating against logs kept elsewhere in UTC), with user login events further traced to the originating IP address. These logs are not only useful for finding out what has been occurring on the system when a question arises, but also for regular quarterly or annual audits to confirm that all user behavior is in accordance with the organization's policies on administrative etiquette for data review.


Understanding the Log Entries

To better understand what a given entry means and why it could have been invoked, a sampling of what DataCove tracks in the Audit Logs is below, along with what changes to the tracked activity may imply.

  • Login - Recorded whenever a user logs into the system, along with the IP address of the workstation used. For remote logins from systems not on the local network, the address shown is that of the gateway the remote workstation came through (for example a NAT or proxy address), not the workstation itself, so several remote users may appear under one address.

  • Run Search - Whenever a search is run on the system, all details about that search's parameters are recorded: who the search was targeting in the To or From fields, which words were searched for (including any Boolean operators or search limiters) and which locations in an email (body, subject line, attachments, etc.) were searched. Searches run from the Outlook Connector will also appear under this entry.

  • Access Email Content - When a user views an email on the system. DataCove tracks this action and even backlinks to the specific email that was viewed, so that an auditor can then review exactly what the user was checking on and determine whether it was relevant to their purpose in the system.

  • Export Email List - For email content that is being exported from the system as a .ZIP, .PST or .CSV file, the instruction to export data and the user-specified filename used to create the export are recorded, so it is known what was being exported.

  • Install Updates - DataCove receives quarterly software releases to enhance and add new features and functions to the system. This activity is tracked for which update packages are being downloaded and when they were executed.

  • Retention Policy - Changes made to DataCove's Retention Policy feature, which purges emails after a specified duration, can be found here. This will also list what the Policy was changed to. As this is a particularly dangerous function due to its ability to remove data, this is considered a high value log to watch out for.

  • Power Control - Tracks power up, reboot and shutdown events of the DataCove system.

  • Migration Management - When a DataCove is used to execute a migration of any sort, including DataCove-to-DataCove migration, PST uploads, EML uploads or any other sort of large scale data movement, with the exception of the Exchange Crawler, those entries and the details surrounding them will be listed under this entry.

  • Fetcher Configuration - Changes made to the IMAP or POP fetcher mechanisms that are used to import data from a mail server are reported under this header. This includes additions, deletions or edits to existing fetchers. Changes to the fetchers can and will affect mail flow to the DataCove and can cause the system to not receive new emails for archiving.

  • Account Administration - Local user account creation, modification or deletion are recorded here. This includes LDAP Authenticator entries for large scale user access. User access changes, including their permission controls, are considered a high value log to watch due to the potential scope for impacts later.

  • Comment And Tag Administrator - Comments, Tags and Legal Holds that are applied to messages for better tracking or binning of them for eDiscovery or investigation purposes are recorded here.

Many more Audit Log entries and contexts can exist also, but the commonly desired ones are listed above. For insight into any of the more esoteric logs, contact DataCove Support for a deeper explanation of what they are and what they could mean.


Using DataCove’s Audit Log

DataCove’s Audit Log can be accessed by logging into the system and selecting Status in the top header bar, then clicking on Audit Log on the left hand side menu.

The Audit Log page opens with the entries for today's date immediately available, including any logins and actions taken on that day.

  1. The Date Range in the Show Dates filter defaults to today's date, updated dynamically each day.

  2. The Username filter limits the Log results shown down to an individual user, allowing an auditor to hunt down just what any individual user was using the system for. This is set to All by default, showing the activities of all users.

  3. The Action filter trims the activity being observed down to the specified type, such as the ones listed in the previous section. It is set to All by default.

Given that the activities being audited may not be the ones for just today or from all users, the Audit Log has a few filters that can be used to narrow down the activities of interest accordingly. These filters can be mixed and matched to make for very precise searches and are discussed individually below.

The Show Dates filter uses a Date Range in order to limit results to just ones within the specified date range.

To use date range filtering, click on the Date text boxes to open a calendar view that allows for jumping between different years, months and individual days. The Date box on the left is the "start" date and the Date box on the right is the "end" date.

Once the appropriate date range filters have been set, click on Refresh to rerun the “search” of the Audit Log entries that match the newly defined date criterion.

Note that many new entries will appear in the Entries list below that coincide with the new date range specified.

Limiting results by an individual user can be performed by using the Username dropdown list.

All users who have ever logged into the DataCove will be present here, including LDAP-authenticated users, who will have the name of the LDAP Authenticator prefixed to their username.

Note: Users who have never logged into the DataCove have no profiles or activities recorded and thus will not appear on this list.

Limiting results down to an individual user is as simple as selecting their username from the list and clicking Refresh.

Once the filtering completes, a re-rendering of the results will appear with entries listed to only ones made by the selected username.

Lastly, the Action filter will trim down the Log entries to just the specific type of action desired.

Click on the Action dropdown menu and select the desired action type to filter for (the list of commonly searched for actions in the prior section can provide good context into what these mean), then click Refresh.

Once the results render, all log entries will be trimmed down to just the desired action type.

Depending on the scope of the various filters applied, many results may appear on the Entries list. These are paginated by the default entry display limit of 20 and can be jumped through by selecting the appropriate page on the bottom right hand corner of the screen.

For more efficient viewing of large swaths of entries, it is recommended to adjust the display limit to a larger number, even one exceeding the list of total entries, so that all data displays on a single page and can be searched through far more efficiently (including by CTRL+F “find” browser searches for specific keywords that may be getting hunted for).

To adjust the default display limit, type in a number larger than the default of 20 that is a workable "chunk" for the auditor, or type a number that exceeds the total results found, then press Enter.

This will now re-render the Log Entries by showing the maximum amount in the desired chunk, or total number of all results if configured that way.

Note that in the example image below, there is no longer a box allowing for a change in the number of results to display, since all results are displaying. The page options that would show more results have also disappeared, since the 65 additional results that were previously paginated are now all merged into one Audit Log page.


Exporting the Audit Log

In scenarios where viewing the Audit Log to find out what has been going on leads to a need to output a formal record for evidentiary purposes, DataCove’s Audit Log functionality also supports the export of the logs.

Note: Exporting a log is only making a copy of it; it is never removing the logs from the system at any point.

Once the results have been filtered to the desired data, select the Export Log To File button at the bottom of the screen.

In order to create this newly exported log, a filename related to the purpose of the log should be entered. This is recommended to be something related to the user or activity having taken place, or in the event of an eDiscovery event, perhaps the case name it is related to.

Then, select a format for the log output.

Spreadsheet files in the Microsoft Excel (.XLS) format are the most commonly used type, but text based Comma Separated Value (.CSV) and Tab Separated Value (.TSV) files are also supported.

Once the selections are made, select Save Log.

Depending on how many entries were in the logs that need to be exported, this process may take a few moments.

Once the export is complete, the page will automatically navigate over to the Browse Exported Results page, wherein the log file will become available for download.

Once downloaded, it is recommended that the file be deleted to reclaim the space it uses on the system. While these logs are not normally large or impactful, some very large exports can consume a significant amount of space.

While this Browse Exported Results page is normally navigated to automatically after an export, if there is a need to get back to it in the future, a button to return to it is located under the Audit Log page, labeled Browse Exported Log Files.

Upon downloading the log file, opening it in an appropriate application will show the results from the DataCove's audit logs in the specified format, replete with datestamps, timestamps, activity type, username and more.

Note that certain content, such as the email that the user viewed or backlinks to it, will not appear in the export, since those are system-specific URLs that cannot be invoked from an exported file. An auditor who needs to see the viewed message itself must go back to the Audit Log page on the DataCove.
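The entry types described under Understanding the Log Entries, together with a .CSV export of the kind produced above, lend themselves to a first-pass review script rather than scrolling through every page. The following is an added example, not DataCove's own code or a documented export format: it constructs a small CSV in the shape an export might take (the column names Date, Time, Username, Action and Details, the wording of the Details column and the trusted network 10.20.0.0/16 are all assumptions for this example) and then pulls out the entries the article calls high value, logins from outside the expected network, per-user email viewing counts, and emails viewed in a session with no search that led to them.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample of a DataCove audit log exported as CSV. The column
# names and the layout of the Details column are assumptions made for this
# example, not DataCove's documented format; adjust them to match a real
# export before use.
SAMPLE_CSV = """Date,Time,Username,Action,Details
2024-03-04,08:02:11,jsmith,Login,IP 10.20.30.41
2024-03-04,08:05:43,jsmith,Run Search,From ceo@example.com words merger in body
2024-03-04,08:06:10,jsmith,Access Email Content,Message 18842
2024-03-04,08:06:55,jsmith,Access Email Content,Message 18843
2024-03-04,09:15:02,admin,Login,IP 203.0.113.9
2024-03-04,09:16:30,admin,Retention Policy,Changed from 7 years to 90 days
2024-03-04,09:17:05,admin,Account Administration,Granted jsmith full search rights
2024-03-04,09:18:00,admin,Access Email Content,Message 20001
2024-03-04,11:40:00,CorpLDAP/mlee,Login,IP 10.20.31.7
2024-03-04,11:41:12,CorpLDAP/mlee,Export Email List,PST export case-2024-017
"""

# Entry types the article singles out as high value because they can
# remove data or widen access.
HIGH_VALUE_ACTIONS = {"Retention Policy", "Account Administration"}

# Networks from which logins are expected (assumption for this example).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_audit_export(text):
    """Read the CSV export into a list of dicts, oldest entry first."""
    rows = list(csv.DictReader(io.StringIO(text)))
    rows.sort(key=lambda r: (r["Date"], r["Time"]))
    return rows


def login_ip(details):
    """Pull the first IP address out of a Login entry's Details column."""
    for token in details.split():
        try:
            return ipaddress.ip_address(token)
        except ValueError:
            continue
    return None


def flag_entries(entries, trusted=TRUSTED_NETWORKS):
    """Entries an auditor should look at first: every high-value action,
    plus any Login whose source address is outside the trusted networks
    (for remote users this is the gateway address, as the article notes)."""
    flagged = []
    for e in entries:
        if e["Action"] in HIGH_VALUE_ACTIONS:
            flagged.append(e)
        elif e["Action"] == "Login":
            ip = login_ip(e["Details"])
            if ip is None or not any(ip in net for net in trusted):
                flagged.append(e)
    return flagged


def access_counts(entries):
    """How many emails each user opened; a quick way to spot over-browsing."""
    return Counter(e["Username"] for e in entries
                   if e["Action"] == "Access Email Content")


def accesses_without_search(entries):
    """Access Email Content entries with no Run Search earlier in the same
    login session. Viewing mail without a search that led to it is worth
    asking the user about."""
    searched = {}   # username -> whether a search has run since last Login
    suspect = []
    for e in entries:
        user, action = e["Username"], e["Action"]
        if action == "Login":
            searched[user] = False
        elif action == "Run Search":
            searched[user] = True
        elif action == "Access Email Content" and not searched.get(user, False):
            suspect.append(e)
    return suspect


if __name__ == "__main__":
    log = parse_audit_export(SAMPLE_CSV)
    for e in flag_entries(log):
        print("FLAG", e["Date"], e["Time"], e["Username"], e["Action"], e["Details"])
    print("accesses per user:", dict(access_counts(log)))
    for e in accesses_without_search(log):
        print("ACCESS WITHOUT SEARCH", e["Username"], e["Details"])
```

Run against the constructed sample, the script flags the admin login from 203.0.113.9, the Retention Policy change and the Account Administration change, reports two email views for jsmith and one for admin, and reports admin's single view as having no search behind it. Because the export records local time without a zone, keep the DataCove's time zone in mind when lining these entries up with logs from other systems.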


This concludes the DataCove Audit Log article. For any further questions, please contact DataCove Support.
