Monitoring events monitoring-events

Last update: Thu Mar 14 2024 00:00:00 GMT+0000 (Coordinated Universal Time)

Topics:
Document Security

When the auditing capability is enabled, document security enables you to monitor certain types of events. The events that you can see depend on your role:

Users: Can view audited events for their policy-protected documents and for any protected documents that they receive and use.

Policy set coordinators: Can view audited events, including document and policy events, for documents that are protected by policies from their policy sets.

Administrators: Can view audited events that are related to all policy-protected documents and users. Administrators can also track other types of events, including user, document, policy, and system events.

NOTE

Events that are performed on a copy of a policy-protected document are also tracked as events on the original protected document.

(See Event auditing options.)

A failed event is recorded if an unauthorized user attempts to view a document or attempts to log in using an incorrect user name or password.

NOTE

Failed anonymous access events for documents may be logged if a policy is edited to remove anonymous access. When an authorized recipient attempts to access a document that the edited policy protects, anonymous access is still attempted but will fail.

If a policy allows anonymous user access but the administrator later turns off anonymous access for document security, anonymous access will fail for documents protected with the policy and the event will not be logged.

Enable event auditing enable-event-auditing

These setup requirements must be met for event auditing to take place:

The system or administrator must enable the auditing capability for the server.

(See Configuring event auditing and privacy settings.)
The policy you use to protect the document must have auditing enabled. (See Creating and editing policies.)

Search for an event search-for-an-event

You can search the events list and view more detailed descriptions about events. The detailed descriptions include information such as the event ID, description, IP address, organization, user affected, date and time the event occurred, denied activities, and offline events (when users attempt to use a document when not connected to document security).

You can search for events on the Events page by using a combination of event search criteria and the dates the events occurred. The events that you can search for depend on your role:

Users: Can view audited events for their policy-protected documents and for any protected documents that they receive and use. These search options are available:

Events related to me: Users can find events for any policy-protected document that they created or received. For example, if a user opens, views, or prints a document that another person protected, the user sees only these events for that document.

Events related to my documents: Users can find all events that are related to their own policy-protected documents. The users see the events that are generated by every person who handled their documents.

Policy set coordinators: Can view audited events, including document and policy events, for documents that are protected by policies from their policy sets. These options are available:

Document events where I am a policy set coordinator: Policy set coordinators who have the view event permission can find events that are related to documents that policies from their policy sets protect.

Policy events where I am a policy set coordinator: Policy set coordinators who have the view events permission can find events that are related to policies from their policy sets.

Administrators: Can view audited events that are related to all policy-protected documents and users. Administrators can also track other types. Also, administrators can further subdivide event searches according to the type of user:

Known users: Users are in the source directories or are registered as external users.

Anonymous users: Unknown users who access a document that is protected with a policy that permits anonymous access.

System users: Server-initiated events, such as a directory synchronization.

On the document security page, click Events.
In the Find list, select the search criteria you want to use. Depending on your selection in the Find list, a second list is displayed that provides additional search criteria. If applicable, in the text box, type the search criteria.

For more details about the specific event types, see Event auditing options.
In the User list, select the user type who performed the event:
- If you select Known User, a second search box is displayed, where you must type the user name or email address of the user.
- If you do not know these values, click the Address book search icon to search for the user by either the user name or the email address.
In the Date list, select a date range option. If you select Custom Dates, boxes appear, where you type the date in the format yyyy/mm/dd, or you can use the Date Picker to specify the date range:
- Click the calendar to open the Date Picker.
- Use the arrows to find a year and month.
- Click a day of the month on the calendar.
- Click OK to close the Date Picker.
In the Display list, select the number of search results to display per page.
Click Find.

Any failed events are highlighted in the list with a denied icon.
To view details about an event, click the description of the event in the list.

Sort the event list sort-the-event-list

You can sort the events list by column heading to find events more easily. Triangle icons next to the column heading indicate which column is currently used to sort. An upward-pointing triangle indicates ascending order, while a downward-pointing triangle indicates descending order.

Click the appropriate column heading.
To change the sort order, click the column heading again.

recommendation-more-help

19ffd973-7af2-44d0-84b5-d547b0dffee2