Description of Audit Logs
Audit log records operations performed by the system.
The administrator must analyze the data stored in the system, when it is illegally accessed or falsified or after a set period has passed (roughly once a month).
NOTICE
- Passwords should be changed immediately if the results of the analysis on the audit log reveal that the password is compromised.
- It is also possible that the password has been tampered with and that the original owner is no longer able to access it. The administrator must contact the affected users to check whether this is the case and support them to change their password or delete the saved data.
- If the document that was supposed to have been be saved has not been saved, or its contents have been changed, this could be due to illegal activity. Same type of response is required.
The following information is provided in audit logs.
date/time | The date and time at which the target operations were stored in the log |
id | Indicates the person who performed the operation, or the data to be securely protected. "-1": Operation by a customer engineer (CE) "-2": Operation by administrator "-3": Operation by an unregistered user |
Integers other than the above: Each target of a secured connection User ID: 1 to 1000 numeric characters Security User ID (Set on computer during secure printing): 1 to 5 numeric characters (number set by user) | |
action | Description of action For details, refer to "Audit log items list". |
result | Shows the results of operations. Successful or unsuccessful password entries are displayed as OK and NG respectively. The results of operations that do not require password authentication are listed as successful (OK). |
Table of Items Saved in Audit Log
Stored Action | Description of Operation | Audit ID | Audit Result |
|---|---|---|---|
User authentication and Identification | |||
1 | Execute CE authentication | CE ID | OK/NG |
5 | Change or register CE password | CE ID | OK |
2 | Execute administrator authentication | Administrator ID | OK/NG |
6 | Change or register administrator password | CE ID/Administrator ID | OK |
11 | Execute user authentication | User ID*1/Non-registered ID*2 | OK/NG |
User alteration | |||
7 | Creation of user by administrator | User ID | OK |
8 | Change or register user password by administrator | User ID | OK |
9 | Deletion of user by administrator | User ID | OK |
10 | Changes in user attribute by administrator | User ID | OK |
12 | Changes in user attribute by user (changing the user password, etc.) | User ID | OK |
Use of administration functions and changes in security settings | |||
3 | Configure or change Enhanced Security mode | Administrator ID | OK/NG |
41 | Change password setting rules | Administrator ID | OK |
42 | Change network settings | Administrator ID | OK |
43 | Change service login permission settings | Administrator ID | OK |
Use of administration functions and security audit | |||
4 | Output audit log (both manual and automatic) | Administrator ID | OK/err No |
44 | Change audit log destination setting | Administrator ID | OK |
Use of administration functions and encryption support | |||
45 | Start HDD encryption function | Non-registered ID | OK |
46 | Change HDD encryption settings | Administrator ID | OK |
47 | Change HDD encryption password | Administrator ID | OK |
Use of administration functions and protection of the operating environment for security functions | |||
49 | Execute ISW | CE ID/Administrator ID | OK/NG |
50 | Execute firmware diagnostic | Administrator ID/Non-registered ID | OK/NG |
51 | Execute device diagnostic | Administrator ID/Non-registered ID | OK/NG |
Change in time (use of administration functions and protection of the operating environment for security functions) | |||
20 | Set time and date | User ID | OK |
Start and/or end audit function | |||
52 | Power-on (start audit function) | Non-registered ID | OK |
53 | Power-off (complete audit function) *Sub-power | Non-registered ID | OK |
54 | Power-off (End audit function) *Main power | Non-registered ID | OK |
Job termination / operation | |||
16 | Delete saved jobs | User ID | OK |
21 | Print copy jobs | User ID/Non-registered ID | OK/NG |
22 | Save copy jobs | User ID/Non-registered ID | OK/NG |
23 | Print print jobs | User ID/Non-registered ID | OK/NG |
24 | Save print jobs | User ID/Non-registered ID | OK/NG |
25 | Execute scan jobs | User ID/Non-registered ID | OK/NG |
26 | Print saved jobs | User ID/Non-registered ID | OK/NG |
27 | Change or re-save saved jobs (move or copy) | User ID/Non-registered ID | OK/NG |
28 | Recall saved jobs | User ID/Non-registered ID | OK/NG |
29 | Output saved job files | User ID/Non-registered ID | OK/NG |
*1: The audit log ID will be saved as a user ID when a user successfully performs an authentication, or when the username does not match the registered password.
*2: The audit log ID will be saved as a non-registered user ID when a non-registered username is used and the user authentication fails.
The purpose of analyzing audit logs is to find out the following information and implement countermeasures.
- Whether or not the data was accessed and/or tampered with
- Target of the attack
- Details of the attack
- Result of the attack
If the log shows "NG" as a result of the password authentication attempt (action 01, 02, 11), the target password-protected item may have been the subject of an attack.
- Log entries showing failed password authentication (NG) identify the operator via the "id" and show whether there were any unauthorized actions when the password authentication failed.
- Even if the password authentication succeeded (OK), you can still check whether the action was performed by the legitimate user. Careful checks are recommended especially when a successful (OK) authentication is done after a series of failed (NG) attempts or when the password authentication attempt occurs outside of normal operating hours. This is likely to be an illegal act .
Since all operation results other than password authentication are listed as successful (OK), use the "id" and "action" to determine if any unauthorized actions were made.
- Check the time of the operation to see if the person who operated the identified target made any unauthorized actions.
in the upper-right of a page, it turns into 
and is registered as a bookmark.