The first step in these best practices for setting up Secured eCollaboration is to get an overview in the Management Console itself.
1. Sort the events that you want in SEP MC (Management Console)
There are many different logs you can look at.
Go to the SEP Management Console, Auditcenter.
We suggest limiting the view to the following tabs and columns.
Tick eCollaboration events and eFile events, then right-click the active pane and select to show:
- Domain User
- File GOID
- Destination path
This should give you a good overview of the most interesting events that are happening in Secured eCollaboration.
2. Set up SEP Server to log to the Windows event log (scroll down for a video on how to do this).
Once that is done, everything that happens in the SEP ecosystem is logged to the Windows event log. Under Applications and Services Logs you will find:
SEP Server Events
3. Filter on Event IDs
Now that you have set up logging to the Windows event log, you can sort and filter on Event ID.
Many Event IDs are logged; the most important ones are:
Event ID: 1091 Source Synchronization
This event informs you that there has been an error in the synchronization from the SEP server to a remote source, which could be AD or SP.
Event ID: 1240 MC Login
This event tells you which domain user has accessed the SEP Server, as which SEP user, from which IP address and port, from which machine, and with which version of the SEP Management Console. If this is not you, you want to know about it.
Event ID: 1260 Rule Settings
This event informs you that rules have been modified, by which user, and the URL.
Event ID: 1320 Unsecure
This event informs you that a document has been unsecured: which user, which filename, File GOID, EPM GOID, which trigger, and how the user accessed it. This can be combined with a time trigger and the GOID to create granular alerts for SEP admins.
Event ID: 1340 Intrusion
This event informs you that there has been a failed attempt to access a certain file: which user, from which machine, the GOIDs, source, destination and of course which trigger (example: eCollaboration PDF view). This ID should definitely have an action attached.
Event ID: 1530 Master Password view
Logged when someone views the Master Password for a policy. User, policy, IP, port, machine and client are logged.
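The filtering described in this step can be done from PowerShell rather than by clicking through Event Viewer. The script below is an added example and is not part of the original article or of the SEP product; it assumes the log's channel name is exactly "SEP Server Events" as shown under Applications and Services Logs (check the Log Name shown in an event's details if the query returns nothing), and that it runs on the SEP server with read access to that log.

```powershell
# Added example (not from the original article): summarise the key SEP Server
# events from the last 24 hours and list the ones that deserve a closer look.
# Assumption: the channel is named 'SEP Server Events'.

$LogName = 'SEP Server Events'

# Event IDs called out in the article and what each one means
$KeyEvents = @{
    1091 = 'Source Synchronization error (AD or SP)'
    1240 = 'MC Login'
    1260 = 'Rule Settings modified'
    1320 = 'Unsecure (document unsecured)'
    1340 = 'Intrusion (failed file access)'
    1530 = 'Master Password view'
}

# Query only these IDs, only from the last 24 hours
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $LogName
    Id        = @($KeyEvents.Keys)
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No key SEP events in '$LogName' since $since"
    return
}

# Count per Event ID, most frequent first
$events | Group-Object Id | Sort-Object Count -Descending | ForEach-Object {
    '{0,5}  {1,-40} {2}' -f $_.Name, $KeyEvents[[int]$_.Name], $_.Count
}

# Intrusion (1340) and Master Password view (1530) are the ones that should
# have an action: show time, ID and the message body, which carries the
# user, machine, GOIDs and trigger described in the article.
$events | Where-Object { $_.Id -in 1340, 1530 } |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

Run it as an administrator on the SEP server; adjust the time window in `$since` or add a `MaxEvents` parameter if the log is large.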
4. Automatically send e-mails when events occur:
Once you have found your events, you can create tasks directly in the event log that are triggered every time the event happens.
The action can be to start a program, send an e-mail or display a message.
5. You can also forward these events to a SIEM
Security Information and Event Management (SIEM) technology provides real-time analysis of security alerts generated by network hardware and applications. One SIEM solution that some use is System Center Operations Manager (SCOM).
SCOM easily aggregates Windows event logs, and you can create all kinds of alerts based on them.
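The "attach a task to this event" action described above can also be scripted, which makes it repeatable across servers. The following is an added example, not code from the original article or from SEP: it registers a scheduled task that fires on Event ID 1340 (Intrusion) in the "SEP Server Events" log and mails the event body. The log name is assumed to match the channel name exactly, and the script path, SMTP server and e-mail addresses are placeholders you replace with your own.

```powershell
# Added example (not from the original article): an event-triggered task that
# e-mails the newest Intrusion (1340) event. Assumptions: channel name is
# 'SEP Server Events'; paths and mail settings below are placeholders.

$LogName    = 'SEP Server Events'
$EventId    = 1340
$TaskName   = 'SEP-Intrusion-Alert'
$ScriptPath = 'C:\SEP\Send-IntrusionAlert.ps1'   # placeholder path, no spaces

# 1. The script the task runs: read the newest 1340 event and mail its body.
#    Replace the SMTP server and addresses with your own.
$alertScript = @'
$e = Get-WinEvent -FilterHashtable @{ LogName = 'SEP Server Events'; Id = 1340 } -MaxEvents 1
$body = "Time: $($e.TimeCreated)`nMachine: $($e.MachineName)`n`n$($e.Message)"
Send-MailMessage -SmtpServer 'smtp.example.internal' `
    -From 'sep-alerts@example.internal' -To 'secops@example.internal' `
    -Subject "SEP Intrusion (Event 1340) on $($e.MachineName)" -Body $body
'@
New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null
Set-Content -Path $ScriptPath -Value $alertScript

# 2. Register the task. /SC ONEVENT with /EC (the log) and /MO (an XPath
#    query) makes Task Scheduler run it whenever a matching event is written.
#    Running as SYSTEM gives it read access to the log without a stored password.
$query = "*[System[EventID=$EventId]]"
schtasks.exe /Create /F /TN $TaskName `
    /SC ONEVENT /EC $LogName /MO $query `
    /RU SYSTEM `
    /TR "powershell.exe -NoProfile -File $ScriptPath"

# 3. Confirm the trigger was accepted
schtasks.exe /Query /TN $TaskName /V /FO LIST
```

The same pattern works for 1530 (Master Password view) by changing `$EventId` and the filter inside the alert script. Keep the alert script in a directory that only administrators can write to, since the task runs it as SYSTEM.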
If you have any questions or want to share how you are using logging for SEP, please let us know.
Here is a short video on how to enable logging to Windows Event log from the SEP Management Console:
Secured eCollaboration - enable logging to Windows event logs