You are viewing limited content. For full access, please sign in.

Question

Question

Audit Trail

Audit Trail
Updated March 10, 2014
asked on March 5, 2014

Hi,

 

I have an installation of LF Rio Server 9.0.2 and audit trail 9.0.3 is installed on a separate web server.

LF Audit 9.0.3 includes a fix for 'change entry permissions' and this is why this update was installed on the web server. I have enabled the necessary audit parameters on the 'everyone' group and the client has chosen to audit both success and failure for the respective classes.

 

I have noticed the following and can't understand this behaviour:

 

 - Some users who have never had the right to delete ( the delete Feature Right is disabled) have popped up on the audit report. The users are shown to have successfully deleted some items.

- A user in admin group has deleted a file for testing purposes but the corresponding entry does not appear in the report.

I've selected all the 'Delete Parameters' in the Entry and Electronic Data categories and I have events before and after the said event.

 

Please advise.

 

Regards,

 

 

0 0

Replies

replied on March 5, 2014

1. Feature rights are inherited from the user's group. Have you checked the user's effective feature rights?

 

2. Have you checked the audit settings for this user?

0 0
replied on March 5, 2014

For your first question, I recall that if you cancel a document import at some stage the server will audit that as a deletion of the document.  Are there "Create Document" events immediately before the unexplained "Delete Entry"s?

 

Miruna's suggestions for the second question are good; also note that if you have the recycle bin enabled, recycling entries has its own set of events.

0 0
replied on March 5, 2014

Hi Andrew,

 

Your point is very interesting indeed. We are implementing the solution and the client is mass migrating their documents in phases. There are cases where there are crashes and the import is aborted. Is that recorded as a delete or a failed import? If it is recorded as a delete, then how do we differentiate from a genuine delete case.

 

Moreover, if the user generates pages and the older pages are overwritten, how is this event considered?

 

Recycle bin is also enabled for the users.

 

When I checked on the individual users, they appear to inherit the settings from the everyone group. Are there other places where I can countercheck the effective features & audit?

 

Thanks

 

 

 

Untitled.jpg
Untitled.jpg (38.67 KB)
Download
0 0
replied on March 6, 2014

Without knowing more about the process used to migrate the documents, and when in that process the crashes occur, I couldn't say how it would be audited.

 

With the 9.1 Client doing PDF page extraction and the recycle bin enabled, you will see a number of "Modify Page" events and a "Recycle Pages" event if there are fewer pages generated than were previously in the document.  Page generation via Snapshot appears similar.  I'm not sure whether older versions work the same way.
 

0 0
replied on March 6, 2014

They are just copying from their Windows fileserver to the respective folders in Laserfiche - copy/paste or drag and drop. The imports stop when the Laserfiche client crashes (where most reasons are related to their OS - WinXP, lack of resources on PC) or they may also cancel the import.

 

The other issue which I just checked was the user whose delete actions were not appearing on the audit report. The user just deleted the item and the item was sent in the recycle bin. Same has still not appeared in the report. The account is a Windows account. I attached the user's effective audit actions in my previous post. Please also advise which parameter to select on the report (I've tried all the delete parameters in Entry & Electronic data) or where can I countercheck for the user's audited action. 

 

Thanks

0 0
replied on March 10, 2014

If the client application is crashing, I'm not sure how the server will treat that, audit-wise, but I would guess that they would be left with a partially-imported document (if it was in the middle of one when it crashed).  If they cancel the import themselves, that might show up as an entry deletion.

 

If the user deleted something and it ended up in the recycle bin, I would expect it to show up as a Recycle Entry event (under Entry in the reporter).  The effective audit settings do look like they should include such events.

0 0
You are not allowed to follow up in this post.

Sign in to reply to this post.

Details
Attachments
Related Posts
Loading ...