Environment
Novell ZENworks Endpoint Security Management
Situation
A policy has been published to the ZESM agent with reporting enabled to show what files are copied from the hard drive to a removable storage device but the data is not being displayed in ZESM endpoint auditing.
Resolution
- Publish a policy with the report “Storage Devices – Files Copied to Removable Device” turned on.
- Copy a file from the machine’s hard drive to a USB device, in the example a file called “HDD to USB.doc"was copied from the desktop to a Lexar USB device.
- Depending on how reporting is setup it will take some time for the client machine to copy up the data to the server, In this example reporting is set to “Generate Reports every 4 minutes”
- The reports are not real time so it takes some time for the Distribution database and the Reporting database to sync, if you want to force the databases to sync stop the “Novell ZESM Distribution Server Agent”, stop the “Novell ZESM Management Server Agent” and start both services. Wait 5 minutes and than open the Management Console and view the endpoint auditing/Reporting.
- Expand out “Outbound Content Compliance"
- Select “Removable Storage Activity by Account”
- Click the configure button, select a date range and click View
- Double click on the location
- A report will be displayed that shows the File Name “HDD to USB.doc" and the device it was copied to “Lexar JD Secure USB Device”
- The files copied from the hard drive to the USB device will also be displayed in the “Removable Storage Activity by Device”
- Open the report and double click on the location and the data will be displayed.
