Clients log unauthorized program access instances and send the logs to the server. A client that runs continuously aggregates the logs and sends them at specified intervals, which is every 60 minutes by default.
To keep logs from occupying too much space on the hard disk, manually delete logs or configure a log deletion schedule. For more information about managing logs, see Managing Logs.
To view Behavior Monitoring logs:
Go to Logs > Networked Computer Logs > Security Risks or Networked Computers > Client Management.
In the client tree, click the root domain icon to include all clients or select specific domains or clients.
Click Logs > Behavior Monitoring Logs or View Logs > Behavior Monitoring Logs.
Specify the log criteria and then click Display Logs.
View logs. Logs contain the following information:
Date/Time unauthorized process was detected
Computer where unauthorized process was detected
Computer’s domain
Violation, which is the event monitoring rule violated by the process
Action performed when violation was detected
Event, which is the type of object accessed by the program
Risk level of the unauthorized program
Program, which is the unauthorized program
Operation, which is the action performed by the unauthorized program
Target, which is the process that was accessed
To save logs to a comma-separated value (CSV) file, click Export to CSV. Open the file or save it to a specific location.
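Once the logs are exported, the CSV file can be triaged offline. The following added example (not part of the product or its documentation) groups rows by program and ranks programs by the number of computers that reported them. The column headers are assumed to match the field list above, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Assumed header names, copied from the field list above; adjust to the real export.
COLS = {"computer": "Computer", "program": "Program", "violation": "Violation"}

# Constructed sample export (not real log data; the rule, action, event, risk
# and operation values are placeholders).
SAMPLE_CSV = r"""Date/Time,Computer,Domain,Violation,Action,Event,Risk Level,Program,Operation,Target
2024-01-10 09:02,PC-01,Sales,RULE_A,ACTION_X,EVENT_1,LEVEL_1,C:\Temp\updater.exe,OP_1,C:\Windows\explorer.exe
2024-01-10 09:05,PC-02,Sales,RULE_A,ACTION_X,EVENT_1,LEVEL_1,c:\temp\UPDATER.EXE,OP_1,C:\Windows\explorer.exe
2024-01-10 09:40,PC-02,Sales,RULE_B,ACTION_X,EVENT_2,LEVEL_1,C:\Temp\updater.exe,OP_2,C:\Windows\System32\svchost.exe
2024-01-10 10:15,PC-03,HR,RULE_A,ACTION_Y,EVENT_1,LEVEL_2,C:\Tools\backup.exe,OP_1,C:\Windows\explorer.exe
"""


def summarize(csv_text, cols=COLS):
    """Group log rows by program and rank by how many computers reported it."""
    stats = defaultdict(lambda: {"events": 0, "computers": set(), "violations": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        def field(name):
            return (row.get(cols[name]) or "").strip()
        # Windows paths are case-insensitive, so fold case before grouping.
        program = field("program").lower()
        if not program:
            continue  # skip blank or truncated rows
        entry = stats[program]
        entry["events"] += 1
        entry["computers"].add(field("computer").upper())
        entry["violations"].add(field("violation"))
    ranked = sorted(stats.items(),
                    key=lambda kv: (-len(kv[1]["computers"]), -kv[1]["events"], kv[0]))
    return [(prog, s["events"], sorted(s["computers"]), sorted(s["violations"]))
            for prog, s in ranked]


def widespread(csv_text, min_computers=2):
    """Programs flagged on at least min_computers distinct computers."""
    return [r for r in summarize(csv_text) if len(r[2]) >= min_computers]


if __name__ == "__main__":
    for program, events, computers, violations in summarize(SAMPLE_CSV):
        print(program, events, computers, violations)
```

A program that violates rules on several computers within a short window is usually worth reviewing before one seen on a single computer.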
To configure the Behavior Monitoring log sending schedule:
Open the ofcscan.ini file using a text editor such as Notepad.
Search for the string "SendBMLogPeriod" and then check the value next to it. The default value is 3600 seconds and the string appears as SendBMLogPeriod=3600.
Specify the value in seconds. For example, to change the log period to 2 hours, change the value to 7200.
Save the file.
Go to Networked Computers > Global Client Settings.
Click Save without changing any setting.
Restart the client.