About audit logs


About audit logs
Prev	Introducing Veritas Data Insight	Next

Veritas Data Insight collects and stores access events from file servers and SharePoint sites. These access events are used to analyze the user activity on various files, folders, and subfolders for a given time period. The audit logs provide detailed information about:

Users accessing the file or folder
The file type
The access types such as:
- Read
- Write
- Create
- Delete
- Rename
- Security Event - Logged when the access control entries of a file or folder are changed. This event helps to identify who changed the permissions.
- Permission Change - This event captures the details of permission changes to a folder.
The access timestamp
The IP address of the machine that the user has generated the access activity from.

The details of the Permission Change event provide information about the following:

If a trustee (user or group) is allowed or denied permission on a path.
If a trustee's permissions are removed on a path.
If a trustee is given additional permission or denied certain permission on a path. For example, if a user 'X' has Read and Write permissions on a folder. If the user is also subsequently allowed Modify permission on the folder, Data Insight records an Permission Change event.

Note:

Currently, Data Insight fetches only the file system permission changes for CIFS paths only. It does not fetch Permission Change events for NFS or SharePoint paths. Permission changes at the share level are not reported.

You can use these access events for the following purposes:

Audit permission changes on a folder.
Understand who are the most active users of a file or folder in the event of a data leak.
Carry out forensic investigations that help you understand the specific access events on sensitive data. For example, in case of a data leak, the information security team would want to know who accessed a particular file and the most active users of that file.
Provide information about orphan data, that is data owned by users who have left the organization or moved to a different business unit.
Provide information about the stale data that is never or rarely accessed.

For the purpose of calculating the access count, Data Insight records a read event when a user opens a file, reads it at least once, and closes it. Similarly, when a user writes to a file between an open and a close event, Data Insight considers it a write event. If there are read and write events, then one event is counted for each read and write.

Prev	Up	Next
About Box permissions	Home	About migrated domains