
Have more details in the logs regarding computer accounts moved/copied/deleted events

Created: 01 Mar 2012 • Updated: 01 Mar 2012 | 10 comments
John Q.'s picture
21 Agree
0 Disagree
Status: Reviewed

When we look at system logs in SEPM 11.0 (Monitors > Logs > Log type: System, Log content: Administrative), we can see traces of computers moved, copied or deleted:

 

 

| Time Stamp | Admin Name | Event Type | Domain Name | Server Name | Site Name |
|---|---|---|---|---|---|
| 01/03/2012 17:30 | MyAdminName | Computer is deleted | MyDomainName | MyServerName | MySiteName |
| 01/03/2012 17:28 | MyAdminName | Computer is moved | MyDomainName | MyServerName | MySiteName |
| 01/03/2012 17:27 | MyAdminName | Computer is copied | MyDomainName | MyServerName | MySiteName |

However, we do not have detailed information regarding group membership.
For instance, in the case of computer moved, it would be very interesting to see from which group to which group.
In the case of copy, it would be interesting to know to which group.
In the case of deletion, it would be interesting to know from which group.

This would allow us to have more relevant information about administrative operations and to identify unexpected/incorrect move/copy/delete actions.

 

NOTE: this idea can apply to SEPM 12.1 as well (Event Type strings are slightly different - i.e. "The computer account has been moved to a different group" - but still there is no field for group membership).

Comments

Elisha's picture

Hello John, Thanks for your suggestion.

dcats's picture

Indeed! Well spotted

Vikram Kumar-SAV to SEP's picture

If Audit logs do not please the auditors then it becomes a problem.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

ajhay.siingh's picture

Hi John,

Good idea by you, and we administrators also want this log availability, as you mentioned above, in any fixes or new version of SEPM.

 

Regards,

Ajay Kumar Singh (Consultant- Information Security)

 

 

Chetan Savade's picture

It's a really good idea.

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Chetan Savade's picture

Similar idea: https://www-secure.symantec.com/connect/forums/auditmonitoring#comment-8843861

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
