What Is Audit Log?
Overview
Audit log records operations performed by the system.
The administrator must analyze the data stored in the system, when it is illegally accessed or falsified or after a set period has passed (roughly once a month).
NOTICE
The following setting is required to use this function.
- Set [Enhanced Security Mode] to [ON].
Reference
- For details about [Enhanced Security Mode], refer to [Enhanced Security Mode].
NOTICE
- Passwords should be changed immediately if the results of the analysis on the audit log reveal that the password is compromised.
- It is also possible that the password has been tampered with and that the original owner is no longer able to access it. The administrator must contact the affected users to check whether this is the case and support them to change their password or delete the saved data.
- If the document that was supposed to have been be saved has not been saved, or its contents have been changed, this could be due to illegal activity. Same type of response is required.
The following information is provided in audit logs.
date/time | The date and time at which the target operations were stored in the log |
device | Indicates the model name. |
sn | Indicates the serial number of this system. |
logtype | Indicates the type of audit log. |
action | Description of action For details, refer to "Table of Items Saved in Audit Log". |
id | Indicates the person who performed the operation, or the data to be securely protected. "-1": Operation by a customer engineer (CE) "-2": Operation by administrator "-3": Operation by an unregistered user Integers other than the above: Each target of a secured connection User ID: 1 to 1000 numeric characters Security User ID (Set on computer during secure printing): 1 to 5 numeric characters (number set by user) |
result | Shows the results of operations. Successful or unsuccessful password entries are displayed as OK and NG respectively. The results of operations that do not require password authentication are listed as successful (OK). |
Setting Items
Screen access
Control panel - Utility/Counter - [Administrator Setting] - [Security Setting] - [Audit Log Setting]
Setting item | Description |
|---|---|
Set the address of the syslog server to send audit logs. | |
Manually send audit logs. |
Table of Items Saved in Audit Log
Stored Action | Description of Operation | Audit ID | Audit Result |
|---|---|---|---|
User authentication and Identification | |||
1 | Execute CE authentication | CE ID | OK/NG |
5 | Change or register CE password | CE ID | OK |
2 | Execute administrator authentication | Administrator ID | OK/NG |
6 | Change/registration of [Administrator Password] | CE ID/Administrator ID | OK |
11 | Execution of [User Authentication] | User ID*1/Non-registered ID*2 | OK/NG |
User alteration | |||
7 | Creation of user by administrator | User ID | OK |
8 | Change/registration of [Password] by administrator | User ID | OK |
9 | Deletion of user by administrator | User ID | OK |
10 | Changes in user attribute by administrator | User ID | OK |
12 | User attribute changes by user (Change of [Password], etc.) | User ID | OK |
Use of administration functions and changes in [Security Setting] | |||
3 | Setting/change of [Enhanced Security Mode] | Administrator ID | OK/NG |
41 | Change of [Password Rules Setting] | Administrator ID | OK |
42 | Change of [Network Setting] | Administrator ID | OK |
43 | Change of [Service Login Allow Setting] | Administrator ID | OK |
Use of administration functions and security audit | |||
4 | Output of audit log (syslog server connection check) | Administrator ID | OK/err No |
44 | Change audit log destination setting | Administrator ID | OK |
Use of administration functions and encryption support | |||
45 | Start [Storage Encryption Setting] | Non-registered ID | OK |
46 | Change of [Storage Encryption Setting] | Administrator ID | OK |
47 | Changing the password for [Storage Encryption Setting] | Administrator ID | OK |
Use of administration functions and protection of the operating environment for security functions | |||
49 | Execution of [ISW] | CE ID/Administrator ID | OK/NG |
50 | Execution of [Firmware Diagnosis] | Administrator ID/Non-registered ID | OK/NG |
51 | Execution of [Device Diagnosis] | Administrator ID/Non-registered ID | OK/NG |
Change in time (use of administration functions and protection of the operating environment for security functions) | |||
20 | Set time and date | User ID | OK |
Start and/or end audit function | |||
52 | Power-on (start audit function) | Non-registered ID | OK |
53 | Power-off (complete audit function) *Sub-power | Non-registered ID | OK |
54 | Power-off (End audit function) *Main power | Non-registered ID | OK |
Job termination / operation | |||
16 | Delete saved jobs | User ID | OK |
21 | Print copy jobs | User ID/Non-registered ID | OK/NG |
22 | Save copy jobs | User ID/Non-registered ID | OK/NG |
23 | Print print jobs | User ID/Non-registered ID | OK/NG |
25 | Execute scan jobs | User ID/Non-registered ID | OK/NG |
26 | Print saved jobs | User ID/Non-registered ID | OK/NG |
27 | Change or re-save saved jobs (move or copy) | User ID/Non-registered ID | OK/NG |
28 | Recall saved jobs | User ID/Non-registered ID | OK/NG |
29 | Output saved job files | User ID/Non-registered ID | OK/NG |
*1: The audit log ID is saved as a user ID when [User Authentication] succeeds or when the user name is registered, but the password does not match.
*2: The audit log ID is saved as an unregistered user ID when [User Authentication] fails with an unregistered user name.
The purpose of analyzing audit logs is to find out the following information and implement countermeasures.
Whether or not the data was accessed and/or tampered with
Target of the attack
Details of the attack
Result of the attack
If the log shows "NG" as a result of the password authentication attempt (action 01, 02, 11), the target password-protected item may have been the subject of an attack.
Log entries showing failed password authentication (NG) identify the operator via the "id" and show whether there were any unauthorized actions when the password authentication failed.
Even if the password authentication succeeded (OK), you can still check whether the action was performed by the legitimate user. Careful checks are recommended especially when a successful (OK) authentication is done after a series of failed (NG) attempts or when the password authentication attempt occurs outside of normal operating hours. This is likely to be an illegal act.
Since all operation results other than password authentication are listed as successful (OK), use the "id" and "action" to determine if any unauthorized actions were made.
Check the time of the operation to see if the person who operated the identified target made any unauthorized actions.
in the upper-right of a page, it turns into 
and is registered as a bookmark.