DLP audit logs to extract user specific information

Article ID: 251937

Updated On:

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

I would like to be able to check the following example information: DLP system user-id, login date & time and logout date & time (from the system) for the last couple of months. Is that possible with DLP?

Resolution

That depends on what logon/logoff information you are looking for. 

If you would like to get endpoint logon/logoff information from endpoint machines where the DLP Agent is installed, that information is not tracked by DLP.
The DLP Agent does not capture the end user's Windows login/logoff time because that is not the DLP Agent's purpose. This is outside of DLP's scope.

Below is some additional information for your review.

In the above screenshot, neither of the two dates is a login/logoff time. Only the Reporting and Last Update timestamps are stored and shown on Enforce for endpoints.

Another possibility is that you are looking for user login/logoff information to the Enforce console. That information is available in the DLP DB table AUDITLOG. Please note that we only track logins, not logoffs.

The following example SQL query provides a list of all recent logins to Enforce, sorted by date in descending order (latest first):

SELECT * FROM AUDITLOG WHERE Entity LIKE '%Login%' ORDER BY TIME DESC;

The results of the above query include the date, username, IP address, and whether the login was successful or not. As stated, this is only available for login, not for logoff. The table also contains other information about most actions that can be performed by an Enforce user.
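
To cover the "last couple of months" asked about in the question, the query above can be bounded by time. The following is an added example, not part of the original article; it assumes an Oracle database and that TIME is a DATE or TIMESTAMP column, and it uses only the table and column names shown in the article's query.

```sql
-- Added example, not from the original article.
-- Assumptions: Oracle SQL dialect; TIME is a DATE/TIMESTAMP column.
-- Only AUDITLOG, Entity and TIME (all taken from the article's query) are referenced.

-- 1) Login events from the last two months, newest first.
SELECT *
FROM AUDITLOG
WHERE Entity LIKE '%Login%'
  AND TIME >= ADD_MONTHS(TRUNC(SYSDATE), -2)
ORDER BY TIME DESC;

-- 2) Number of login events per day over the same window,
--    useful for reviewing console access activity over time.
SELECT TRUNC(TIME) AS login_day,
       COUNT(*)    AS login_events
FROM AUDITLOG
WHERE Entity LIKE '%Login%'
  AND TIME >= ADD_MONTHS(TRUNC(SYSDATE), -2)
GROUP BY TRUNC(TIME)
ORDER BY login_day DESC;
```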

Note: starting from DLP version 16.0 RU1, Audit Logs are also available for view in the Enforce console, as described in the below documentation link:

Using Audit Logs

Additional Information

Note: For logoff, you will likely have to comb through the localhost logs using, e.g., Splunk software.