The Ivanti Device Control Device Event Log Queries module allows you to create and modify log queries for the various endpoints in your network.

1. Select Review > Device Event Log Queries.

   You can access Device Event Log Queries only if you have the appropriate permissions to do so. For more information on Device Event Log Queries access, see Granting Access to Device Event Logs.

   The Device Event Log Queries page opens.

For more information on the Device Event Log Queries page, see The Device Event Log Queries Page.

You can schedule queries that record specific device-related actions in your network. This includes queries for granted and blocked actions.

1. Select Review > Device Event Log Queries.
   The Device Event Log Queries page opens.
2. Click Create.
   The Device Event Log Query wizard opens.
   
3. Type the Query name.
4. Select the Type.
5. Select the desired scheduling option. You can choose from the following options:

Option	Description
Immediate	The query will run immediately after creation.
Once	The query will run once at a specified time.
Daily	The query will run every day at the selected time.
Weekly	The query will run every week at the selected time.

Depending on the option you choose, additional settings are available in the right-side box.

The start and end dates are the date range for which you want the query results. If you choose Immediate or Once, specify the start and end dates in the Date range fields.

6. [Optional] Select the Notify me via email when query is complete check box.
   Ensure that you provide a valid email address in the associated field.
7. Click Next.
   Step Result: The Select endpoints/users/groups page opens.
   
8. Select the groups, endpoints, or users the policy will apply to. Use any of the following methods:

   The built-in user groups Administrators, Everyone, Power Users, and Users and Active Directory groups are not supported in log queries and will be removed from the query.

Option	Description
To add groups of endpoints	Select a group or groups from the Groups list. Click Add. Active Directory groups are not supported in log queries.
To add individual endpoints	Select an endpoint or endpoints from the Endpoints list. Click Add.
To add individual users or user groups	Select users or usergroups from the Users list. Click Add. Note: The Built-in Users and Groups Administrators, Everyone, Power Users, and Users are not supported in log queries.
To remove groups of endpoints	Select a group or groups from the Groups list. Click Remove.
To remove individual endpoints	Select an endpoint or endpoints from the Endpoints list. Click Remove.
To remove individual users or user groups	Select users or usergroups from the Users list. Click Remove.

The selected groups, users, or endpoints are displayed in the Assigned List .

9. Click Finish.
   The Device Event Log Query wizard closes.

A new query is created and runs. When the query completes, its summary is displayed in the Completed tab.

You can edit scheduled queries that you have created earlier.

1. Select Review > Device Event Log Queries.
   The Device Event Log Queries page opens.
2. Click the Scheduled tab.
   The Scheduled page opens.
3. Select the query you want to edit.
4. Click Edit.
   Step Result: The Device Event Log Query wizard opens.
   
5. Edit the query details.
   1. Type the Query name.
   2. Select the device event type from the Type drop-down list.
6. Select the desired scheduling option. You can choose from the following options:

Option	Description
Immediate	The query will run immediately after creation.
Once	The query will run once at a specified time.
Daily	The query will run every day at the selected time.
Weekly	The query will run every week at the selected time.

Depending on the option you choose, additional settings are available in the right-side box.

The start and end dates are the date range for which you want the query results. If you choose Immediate or Once, specify the start and end dates in the Date range fields.

7. [Optional] Select the Notify me via email when query is complete check box.
   Ensure that you provide a valid email address in the associated field.

   If the query results in no data found, then the subject line of the resulting email will contain the message Report result - No Results Found.

8. Click Next.
   The Select endpoints/users/groups page opens.
   
9. Select the groups, endpoints, or users the policy will apply to. Use any of the following methods:

Option	Description
To add groups of endpoints	Select a group or groups from the Groups list. Click Add.
To add individual endpoints	Select an endpoint or endpoints from the Endpoints list. Click Add.
To add individual users or user groups	Select users or usergroups from the Users list. Click Add.
To remove groups of endpoints	Select a group or groups from the Groups list. Click Add.
To remove individual endpoints	Select an endpoint or endpoints from the Endpoints list. Click Add.
To remove individual users or user groups	Select users or usergroups from the Users list. Click Add.

The selected groups, users, or endpoints are displayed in the Assigned List.

10. Click Finish.
    The Device Event Log Query wizard closes.

The selected query is edited.

You can create and run a new Device Event Log Query based on an existing scheduled query.

Prerequisites:

You must be assigned the Manage Dev Ctl Event Log Queries access right.

1. Select Review > Device Event Log Queries.
2. Click the Scheduled tab.
   A list of scheduled queries is displayed.
3. If necessary, sort the list to find the query you want to copy.
4. Select the check box beside the query name. You can copy only one query at a time.
5. Click Copy.
   The Create device log query wizard opens, displaying the details of the selected query. All the settings are the same as the original query, except "Copy of" is added to the Query name and the Start date is reset (for Scheduling of type Once, Daily, and Weekly).
6. Complete the wizard to modify the query settings as required.

   If you need to indicate that this query is based on an exiting one, keep at least part of the original Query Name.

You have created a copy of a scheduled Device Event Log Query and run it. If not run immediately, it will appear under the Scheduled tab on the Device Event Log Queries page.

You can create and execute a new Device Event Log Query based on a completed query.

Prerequisites:

You must be assigned the Manage Dev Ctl Event Log Queries access right.

1. Select Review > Device Event Log Queries.
2. Click the Completed tab.
   A list of completed queries is displayed.
3. If necessary, sort the list to find the query you want to rerun.
4. Select the check box beside the query name.

   You can select only one query to rerun at a time.

5. Click Run Again.
   The Create device log query wizard opens, displaying details of the selected query. All the settings are the same as the original query, except "Copy of" is added to the Query name and the Start date is reset (for Scheduling of type Once, Daily, and Weekly).
6. Follow the wizard and modify the query information and settings as required.

   Keep at least part of the original query name so that you will know that this query has been modified.

7. Click Finish.

   You have created a copy of a completed Device Event Log Query and run it. If not run immediately, it will appear under the Scheduled tab on the Device Event Log Queries page.

The Device Event Log Query Results page is displayed when the user clicks the Name hyperlink of an executed query on the Completed tab of the Device Event Log Queries page.

1. Select Review > Device Event Log Queries.
   The Device Event Log Queries page opens.
2. [Optional] Sort the list to find the query you want to view.
3. Click the name of the query you want to view in the Name column.
   The Device Event Log Query Results page opens, displaying the detailed results of the query.

   Click the arrow next to a name to view more details of the query result.

The grid list has the following columns:

Field	Description
Type	The type of event logged.
Log Time (Agent Local)	The time on the agent endpoint when the action was performed.
Endpoint	The endpoint where the action was performed.
Logged In User	The user who performed the action.
Class	The device class.
Model ID	The device model.
File Name	The name of the file accessed on the device.
File Path	The path to the file on the device.
Process Name	The description of the process used for device access.
Size	The size of the shadowed file.
Reason	Denied or Enabled.

After Completing This Task:

Now you can complete Refreshing a Completed Device Event Log Query to update the results grid with relevant events sent to the server from endpoints since the query last ran.

Refreshing a Completed Device Event Log Query

You can refresh a completed Device Event Log Query to import the latest events into the results grid list without having to recreate the query.

1. Select Review > Device Event Log Queries.
   The Device Event Log Queries page opens.
2. [Optional] Sort the list to find the query you want to view.
3. Click the name of the query you want to view in the Name column.
   The Device Event Log Query Results page opens, displaying the detailed results of the query.
4. Click Refresh.
   The results grid is updated with relevant events sent to the server from endpoints since the query last ran:

Scheduling	Refresh Behavior
Immediate Once Daily	Results are updated to reflect all events sent from endpoints in the last 24 hour period, from the moment Refresh is clicked.	Original Device Event Log Query is updated. Duplicate Device Event Log Query is created
Weekly	Results are updated to reflect all events sent from endpoints in the past 7 days from 7*24 hours before to the present moment when Refresh is clicked.

Device Event Log Queries Open File Dialog

Safely open a file from a shadowing event on the Device Event Log Query Results page for inspection.

The dialog launches from All File Shadowing Event type Device Event Log Query Results when you click the hyperlink file path in the Full File Name field.

Caution:

• Scan the file with Ivanti AntiVirus prior to opening. If uncertain that the file was scanned by a policy- based scan on the endpoint (Real-time Monitoring Scan or Recurring Virus and Malware Scan), use the Custom Scan Now feature in the Agent Control Panel on the endpoint.
• Opening a file in an application other than the binary viewer exposes you to the vulnerabilities of that application.

Field	Description
File	The file type, name with extension, and size.
Options	Open in binary viewer (safest option): Displays file contents as 16 byte rows of data in Hex, ANSI, and Unicode formats, without the risk of code execution. Recommended for file types without an associated application in the browser (including those with no file extension). Open in new browser window as the following MIME type: Displays file contents in the application the browser associates with the MIME type you select from the drop-down list: Octet Stream, HTML, Microsoft Word, PDF, Microsoft Excel, and BMP. Open in new browser window with default browser functionality: Displays file contents using the default application the browser associates with the file extension.
Select this option by default for...	Makes the option you select the default opening action for files with the same extension.

You can delete a device event log query that is scheduled to run at a later time. You cannot delete a query if it is currently running.

1. Select Review > Device Event Log Queries.
   The Device Event Log Queries page opens.
2. Select the Scheduled tab.
   The Scheduled page opens.
3. Select the query you want to delete.

   Ensure that the query you are deleting is not running. If you try to delete query that is running, you will receive an error message.

4. Click Delete.
   The Delete Queries dialog opens.
5. Click OK to confirm the deletion.
   The Delete Queries dialog closes.

The selected query is deleted.

You can export queries and results of a query to a .csv (comma separated value) file. To export data, refer to Exporting Data.

The Device Event Log Query Results page lets you add devices directly to the Device Library.

1. Select Review > Device Event Log Queries.
   The Device Event Log Queries page opens.
2. [Optional] Sort the list to find the query you want to view.
3. In the Name column, click the name of the query you want to view.
   The Device Event Log Query Results page opens, displaying the detailed results of the query.
4. Select the devices you want to add to the Device Library.
5. Click Add To Device Library.
   The Add To Device Library dialog opens.
6. Select the items to add.
   • To add the devices to the parent device class, select Selected devices .
   • To add the device model, select Selected device models.

     Note: Log events prerequisites when adding devices:

     • Device model: log events must have a Model ID.
     • Unique device: log events must have a Model ID and a device Unique ID.
7. Type the name of a collection in the Add to an existing collection or type the name of a new collection or select an existing collection from the associated drop-down list.
8. Click OK.
   A success message is displayed.

   If you try to add devices that are already present in the Device Library, you will receive an error message.

The selected devices are added to the Device Library.