Actions taken in the Outlook Add-in are not properly recorded in the EV Audit log

Article:TECH209221  |  Created: 2013-07-31  |  Updated: 2014-05-02  |  Article URL http://www.symantec.com/docs/TECH209221
Article Type
Technical Solution


Issue



When a user performs an action on an EV item using the Outlook Add-in, the Audit
log is supposed to record the name of the user that performed it. However, in certain situations, it records the Vault Service Account or other incorrect users as having performed the action.


Error



No error is given. Instead, the auditing information is logged incorrectly to the auditing database.

Consider the following log from EV's AuditViewer:

In actuality, all of these deletions were performed by the user EV10\dagny, despite the fact that the Vault Service Account (EV10\evsa) is listed in the User Name column for some of them.


Environment



This issue only affects actions performed using the HTTP version of the EV Outlook Add-in. DCOM versions of the Add-in are not affected.

Additionally, the issue only affects actions invoked from the EV toolbar. It does not affect EV actions that are invoked based on the Add-in's interception of normal Outlook operations performed on EV shortcuts.

For example, deleting a shortcut via the Delete button on Outlook's Home toolbar, while the EV Desktop Policy's Shortcut Deletion setting is set to Delete Both, will result in the archived item's deletion being audited correctly, because the deletion was triggered from a normal Outlook operation. Deleting an item using the Delete button on the EV toolbar, however, will result in the archived item's deletion being audited incorrectly as having been performed by the Vault Service Account.


Solution



There is no known workaround at this time, aside from using the DCOM client where available.

Symantec Corporation has acknowledged that the above-mentioned issue is present in the current version(s) of the product(s) mentioned at the end of this article. Symantec Corporation is committed to product quality and satisfied customers.

There are currently no plans to address this issue by way of a hotfix or cumulative hotfix in the current or previous versions of the software at the present time. This issue may be resolved in a future major revision of the software at a later time. However, this particular issue is not currently scheduled for any release.  If you feel this issue has a direct business impact for you and your continued use of the product, please contact your Symantec Sales representative or the Symantec Sales group to discuss these concerns.  For information on how to contact Symantec Sales, please see http://www.symantec.com.


Supplemental Materials

SourceETrack
Value3252259
Description

Audit log shows incorrect user for user actions initiated in Outlook Add-in


SourceETrack
Value1593928
Description

Clients in 'HTTP-Only' mode shows VSA performed all actions in audit log (archive, restore, delete, etc), not the actual user



Article URL http://www.symantec.com/docs/TECH209221


Terms of use for this information are found in Legal Notices