About Ivanti EPMM logs

As you oversee management and security of users, data and devices, you will need information about the actions and events that occur in your Ivanti EPMM instance. Ivanti EPMM logs many actions that can impact your Ivanti EPMM instance, and provides the Audit Logs page for you to sort and view the logged information.

The following pages of logs, found in the Admin Portal under Logs, enable you to easily navigate through the Ivanti EPMM log entries to find the information you need.

  • Audit Logs: for Ivanti EPMM device management entries
  • Certificate Management: for certificate-related entries

Note the following:

  • Logs are stored in the Ivanti EPMM file system, not in the Ivanti EPMM database. Therefore, the size of the logs does not impact Ivanti EPMM performance.
  • Ivanti EPMM will show up to 1 million audit log records.

Audit logs

Using log entries, the Admin Portal tracks status and operations for each managed device. You can use log entries to confirm that actions were completed and to investigate problems.

The Audit Logs page includes panels that:

  • enable you to filter all events that Ivanti EPMM has logged since the last time the logs were purged
  • show either the events recorded since the logs were last purged, or the events matching the criteria you specified in the Filters panel

Figure 1. Audit logs

Searching the information in the audit logs

Procedure 

  1. In Admin Portal, go to Logs.

    Ivanti EPMM displays the Audit Logs page, which initially lists the events logged since the last time the logs were purged.

  2. In the Filters panel, click on the number of events in a category to display only that category’s events.

    For example, click the 72 next to App.


  3. Alternatively, click to expand one of the information types that you want to view (for example, App).
  4. Check the items within that category that you want to view (for example, Add App and Install App).
  5. Repeat Step 3 and Step 4 for each category that you want to include in this search.
  6. (Optional) To search for events involving a particular administrator, or actions that contain a specific word or phrase in the details, use the Search by Performed (On|By)/Details box in the Filters panel as follows:

  7. (Optional) To limit the time frame of the actions, use the Action Date box (see Setting event time criteria in audit logs).

  8. Click Search.

    The Audit Logs page shows all events matching your search criteria and time period. If you do not specify a time period, the default used is the period between the time you run the search and when the log data was last purged.

  9. To reset all search criteria, click Reset.

Setting event time criteria in audit logs

When you are working with audit logs, the default time frame for the events displayed is the time between the current time and the last time the logs were purged (for information about setting the log retention time, see Specifying how long log information is saved). For example, if the logs were purged two weeks ago, the Audit Logs display all the events matching any criteria you set that occurred from two weeks ago to the current moment.

You can change the time frame of events you view in the Filters panel. You can select by time or date.

Procedure 

  1. In Admin Portal, go to Logs.
  2. In the Filters panel, click the drop-down arrow in Action Date.

  3. Select one of the times listed or Others.

    Selecting a time displays the events matching criteria you set, if any, for the time period from the last time the logs were purged until the time you specify.

    Any events that occurred between the specified time and the current moment are not displayed. For example, if you select 1 hour ago, no events that happened within the last hour are displayed.

  4. If you select Others:

    • Using the left column of time choices in Filters, you can specify an exact date, hour or minute (or any combination of these criteria) as one end of the time frame and use the date of the last audit log purge as the other end of the time frame.
    • Using the left and right columns of time choices in Filters, you can specify both the beginning and end of the time range.

    Use the following table to help you set the time range for your search.

    • When you set only one end of the time frame, the date or time you specify must be later than the last date the log data was purged. If the last log purge was May 13th, for example, May 12th would not be a valid date for selecting events.

    • When you set both ends of the time frame, ensure that the time or date specified in the left column occurs before the time or date specified in the right column. For example, if you specify 1 hour ago in the left column and 1 day ago in the right column, Ivanti EPMM will display a message asking you to reset your time criteria because 1 hour ago happens after 1 day ago.

Table 84. Time criteria selection examples

| Time criteria selected | Value selected | Result |
|---|---|---|
| In the left column, select both Others and Select date | Click May 12th in the displayed calendar | Displays all events matching your criteria that occurred from the last audit log data purge until May 12th. |
| In the left column, select both Others and Select hour | Select 2AM from the list of hours | Displays all events matching your criteria that occurred from the last audit log data purge until 2AM of the current day. |
| In the left column, select both Others and Select minute | Select 15 from the list of minutes | Displays all events matching your criteria that occurred from the last audit log data purge until the 15th minute of the current hour. |
| In the left column, select Others and Select date. In the right column, select a time interval from Select time | In the left column: Select April 10th from the calendar. In the right column: Select 1 day ago | Displays all events matching your criteria that occurred between April 10th and 24 hours ago. |
| In the left column, select Others and Select hour. In the right column, select a time interval from Select time | In the left column: Select 2AM. In the right column: Select 1 hour ago | Displays all events matching your criteria for the time period that started at 2AM the morning of the current day and ended an hour ago. |

Viewing audit log information

The Audit Logs page displays the information that Ivanti EPMM records for your Ivanti EPMM instance. You specify what information is displayed on this page when you use the controls in the Filters panel of the page. See Searching the information in the audit logs for details.

Procedure 

  1. In Admin Portal, go to Logs.

    Ivanti EPMM displays the Audit Logs page. The information panel displays:

    • Action (for example, Admin Portal sign-in)
    • State (for example, Success)
    • Performed By (for example, myadmin)
    • Action Date
    • Completed At
    • Performed On (for example, Admin Portal)
    • Details
  2. (Optional) Enter a number in Page to specify what page to view.
  3. (Optional) Select a number from per page to specify how many records are displayed on a page.
  4. (Optional) Click Export to CSV to export the records that match the current search criteria.
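
Added example (not Ivanti code): a triage pass over a file produced by Export to CSV that flags administrators with repeated non-Success Admin Portal sign-in entries inside a short window. The header spelling, the timestamp format and every sample row are assumptions constructed for illustration; the page names the fields but does not document the export layout.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed timestamp layout of the "Action Date" column; adjust to the real export.
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample. Columns mirror the fields the Audit Logs page lists; the
# "Failed" state, "otheradmin" and "Device 1" are made-up values.
SAMPLE_CSV = """Action,State,Performed By,Action Date,Completed At,Performed On,Details
Admin Portal sign-in,Success,myadmin,2024-05-14 08:01:10,2024-05-14 08:01:10,Admin Portal,
Admin Portal sign-in,Failed,myadmin,2024-05-14 08:03:02,2024-05-14 08:03:02,Admin Portal,
Admin Portal sign-in,Failed,myadmin,2024-05-14 08:03:40,2024-05-14 08:03:41,Admin Portal,
Admin Portal sign-in,Failed,myadmin,2024-05-14 08:04:05,2024-05-14 08:04:05,Admin Portal,
Install App,Success,otheradmin,2024-05-14 09:15:00,2024-05-14 09:15:07,Device 1,
Admin Portal sign-in,Failed,otheradmin,2024-05-14 11:30:00,2024-05-14 11:30:00,Admin Portal,
"""

def load_rows(text, ts_format=TS_FORMAT):
    """Parse exported CSV text into dicts with a parsed '_when' timestamp."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        row = {k.strip(): (v or "").strip() for k, v in rec.items() if k}
        row["_when"] = datetime.strptime(row["Action Date"], ts_format)
        rows.append(row)
    return rows

def non_success_bursts(rows, action="Admin Portal sign-in", threshold=3,
                       window=timedelta(minutes=10)):
    """Return {performed_by: max non-success count inside any one window}."""
    by_admin = defaultdict(list)
    for row in rows:
        if row["Action"] == action and row["State"].lower() != "success":
            by_admin[row["Performed By"]].append(row["_when"])
    alerts = {}
    for admin, times in by_admin.items():
        times.sort()
        start = 0
        for end, when in enumerate(times):
            while when - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[admin] = max(alerts.get(admin, 0), count)
    return alerts

if __name__ == "__main__":
    print(non_success_bursts(load_rows(SAMPLE_CSV)))
```

Because the Audit Logs page shows at most 1 million records and purges on a retention schedule, a check like this only covers what was still present when the export was taken.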

Specifying how long log information is saved

You specify how long log data is retained on your server. Deciding how long to retain data is a balance between keeping the data you need and having the server resources available to run your Ivanti EPMM instance. The default value is 90 days.

Procedure 

  1. In System Manager, go to Settings > Data Purge.
  2. In Audit Logs Purge Configuration, select the number of days Ivanti EPMM retains log information.
  3. Click Apply.