Specify Criteria Type
You can view the device access event types by specifying log entry Type criteria.
The Computer, Traced on, and Transferred on fields are shown in the logs for every event associated with input/output device access, as described in the following table.
Criteria by Type | Logged Event | Additional Information |
---|---|---|
MEDIUM-INSERTED | Occurs when a user inserts a CD/DVD in the computer drive or removable media reader. | Device type name of the device medium. Volume label is the medium tag. Medium hash is the hash number for the inserted medium. Other is the inserted medium serial number. |
DEVICE-ATTACHED | Occurs when a device is connected to a computer. | None. |
DEVICE-DETACHED | Occurs when a device is disconnected from a computer. | None. |
READ-DENIED | Occurs when a user attempts to access an unauthorized device. | Device type name of the device medium. Volume label is the medium tag. File Name is the name of the file the user attempted to read. User Name is the name of the user who attempted to access the device. Process Name is the application used to access the device. Other is the exact access mask, in hexadecimal format, used to access the device. |
WRITE-DENIED | Occurs when a user attempts to write a file to a read-only device. | Device type name of the device medium. Volume label is the medium tag. File Name is the name of the file the user attempted to write to removable media. User Name is the name of the user who attempted to access the device. Process Name is the application used to access the device. Other is the exact access mask, in hexadecimal format, used to access the device. |
READ-GRANTED | Occurs when a user accesses an authorized device. | None. |
WRITE-GRANTED | Occurs when a user copies data to an authorized device. | None. |
ERROR | Occurs for errors created when a user accesses or encrypts a device. | Error details specific to the user action are shown. |
KEYBOARD-DISABLED | Occurs when the user keyboard is disabled because a keylogger may be present. | None. |
KEYLOGGER-DETECTED | Occurs when a keylogger is detected. | None. |
MEDIUM-ENCRYPTED | Occurs when a removable storage medium is encrypted. | None. |
ADMIN-AUDIT | Occurs when an administrator performs an action through the Management Console. | User Name is the name of the administrator. Audit Event is the type of action performed by the administrator. Target is the device that permissions were changed for. Target Computer is the name of the computer that the administrator changed permissions for. Target User is the user name that the administrator changed permissions for. |
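
The event types and fields in the table can drive a first-pass review of exported log entries. The following is an added example, not code from the product: it reuses the Type values and field names listed above, while the record layout, ISO timestamps, thresholds, rule names, and the host and user names in the sample are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records. Keys reuse the field names from the table;
# the dict layout and ISO "Traced on" timestamps are assumptions.
SAMPLE = [
    {"Type": "ADMIN-AUDIT", "Computer": "MGMT01", "Traced on": "2024-05-02T09:00:00",
     "User Name": "admin1", "Target Computer": "WS-17", "Target User": "jdoe"},
    {"Type": "WRITE-GRANTED", "Computer": "WS-17", "Traced on": "2024-05-02T09:12:00"},
    {"Type": "WRITE-GRANTED", "Computer": "WS-40", "Traced on": "2024-05-02T09:15:00"},
    {"Type": "KEYLOGGER-DETECTED", "Computer": "WS-30", "Traced on": "2024-05-02T09:20:00"},
    {"Type": "READ-DENIED", "Computer": "WS-22", "Traced on": "2024-05-02T10:00:00",
     "User Name": "asmith", "File Name": "a.doc", "Process Name": "explorer.exe"},
    {"Type": "READ-DENIED", "Computer": "WS-22", "Traced on": "2024-05-02T10:01:00",
     "User Name": "asmith", "File Name": "b.doc", "Process Name": "explorer.exe"},
    {"Type": "WRITE-DENIED", "Computer": "WS-22", "Traced on": "2024-05-02T10:02:00",
     "User Name": "asmith", "File Name": "c.zip", "Process Name": "explorer.exe"},
    {"Type": "READ-DENIED", "Computer": "WS-23", "Traced on": "2024-05-02T10:05:00",
     "User Name": "blee", "File Name": "d.txt", "Process Name": "explorer.exe"},
]

def triage(events, denied_threshold=3, window=timedelta(hours=1)):
    """Return sorted (rule, subject) findings for a batch of log entries."""
    findings = set()
    denied = Counter()   # User Name -> count of READ-DENIED / WRITE-DENIED
    last_change = {}     # Target Computer -> time of latest ADMIN-AUDIT
    for ev in sorted(events, key=lambda e: e["Traced on"]):
        when = datetime.fromisoformat(ev["Traced on"])
        kind = ev["Type"]
        if kind in ("KEYLOGGER-DETECTED", "KEYBOARD-DISABLED"):
            findings.add(("keylogger", ev["Computer"]))
        elif kind in ("READ-DENIED", "WRITE-DENIED"):
            denied[ev["User Name"]] += 1
        elif kind == "ADMIN-AUDIT" and ev.get("Target Computer"):
            last_change[ev["Target Computer"]] = when
        elif kind == "WRITE-GRANTED":
            # Granted events carry no extra fields, so correlate on Computer only.
            changed = last_change.get(ev["Computer"])
            if changed is not None and when - changed <= window:
                findings.add(("write-after-permission-change", ev["Computer"]))
    findings.update(("repeated-denials", user)
                    for user, count in denied.items() if count >= denied_threshold)
    return sorted(findings)

if __name__ == "__main__":
    for rule, subject in triage(SAMPLE):
        print(f"{rule}: {subject}")
```

Because READ-GRANTED and WRITE-GRANTED entries carry no additional information, the permission-change rule can only match on the Computer field; the denied-access rule can key on User Name because the denied events include it.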