Specify Criteria Type

You can view the device access event types by specifying log entry Type criteria.

The Computer, Traced on, and Transferred on fields are shown in the logs for every event associated with input/output device access, as described in the following table.

Criteria by Type Logged Event Additional Information
MEDIUM-INSERTED Occurs when a user inserts a CD/DVD in the computer drive or removable media reader. Device type name of the device medium.
Volume label is the medium tag.
Medium hash is the hash number for the inserted medium.
Other is the inserted medium serial number.
DEVICE-ATTACHED Occurs when a device is connected to a computer. None.
DEVICE-DETACHED Occurs when a device is disconnected from a computer. None.
READ-DENIED Occurs when a user attempts to access an unauthorized device. Device type name of the device medium.
Volume label is the medium tag.
File Name is the name of the file the user attempted to read.
User Name is the name of the user who attempted to access the device.
Process Name is the application used to access the device.
Other is the exact access mask, in hexadecimal format, used to access the device.
WRITE-DENIED Occurs when a user attempts to write a file to a read-only device. Device type name of the device medium.
Volume label is the medium tag.
File Name is the name of the file the user attempted to write to removable media.
User Name is the name of the user who attempted to access the device.
Process Name is the application used to access the device.
Other is the exact access mask, in hexadecimal format, used to access the device.
READ-GRANTED Occurs when a user accesses an authorized device. None.
WRITE-GRANTED Occurs when a user copies data to an authorized device. None.
ERROR Occurs for errors created when a user accesses or encrypts a device. Error details specific to the user action are shown.
KEYBOARD-DISABLED Occurs when the user keyboard is disabled because a keylogger may be present. None.
KEYLOGGER-DETECTED Occurs when a keylogger is detected. None.
MEDIUM-ENCRYPTED Occurs when removable storage medium is encrypted. None.
ADMIN-AUDIT Occurs when an administrator performs an action through the Management Console. User Name is the name of the administrator.
Audit Event is the type of action performed by the administrator.
Target is the device that permissions were changed for.
Target Computer is the name of the computer that the administrator changed permissions for.
Target User is the user name that the administrator changed permissions.

Related Information:

Related Tasks: