Data Export: SysLog

SysLog is a standard for message logging. You can use a syslog server to gather, analyze, and report on Ivanti EPMM activity. Using the System Manager, you configure the syslog servers that receive syslog data. You also can configure which data to export to which syslog server, and the format of the exported data.

Ivanti EPMM logs the following as Syslog events:

  • Android client authentication failure events
  • Failure to establish connection to determine revocation status
  • Failure to establish TLS session
  • Failure to generate key pair
  • Key randomization failure
  • Number of registered devices exceeded for this user
  • Self test failure
  • Self test start
  • SSH connection failed
  • Trusted channel during device enrollment
  • X.509 certificate validation failure
  • Certificate related events, including the following Certificate Expiry events:
    • Portal HTTPS Certificate
    • Client TLS Certificate
    • iOS Enrollment Certificate

Syslog events are stored on Ivanti EPMM and copied to the configured Syslog servers. The logs remain on Ivanti EPMM until they are deleted by the default log rotation process. View the data in System Manager at Troubleshooting > Logs > View Module Logs.

SysLog support on Ivanti EPMM includes:

  • Secure connections between Ivanti EPMM and your syslog servers using TLS over TCP.
  • Ability to specify which data to export, which allows you to:
    • Adhere to your security requirements.
    • Improve performance on both Ivanti EPMM and your syslog servers, and reduce disk usage on your syslog servers.
    • Focus only on data of interest to you.
  • Ability to format the exported syslog data to meet your needs by using syslog templates.

Exporting syslog data

The general workflow to export syslog data is:

  1. Configure the syslog servers that receive the exported syslog data (see Configuring the syslog servers).
  2. Choose which Data Export: SysLog Advanced Options categories to export to the syslog servers (see View Data Export: SysLog Advanced Options categories).

Configuring the syslog servers

Procedure 

  1. Log into System Manager.
  2. Select Settings > Data Export > SysLog Servers.
  3. Click Add to open the Add SysLog window.
  4. Modify the fields, as necessary. Refer to the Add SysLog window table for details.
  5. Click Apply > OK to save the changes.

Add SysLog window

The following table summarizes the fields and descriptions in the Add SysLog window:

Table 13. Fields in the Add Syslog window (each field name is followed by its description)

Server

Enter the host name for the remote syslog server.

Protocol

Select the protocol to use between Ivanti EPMM and the syslog server.

If you have more than one syslog server, you cannot use TCP on one of them and TLS over TCP on another. You can use UDP on one server and TCP or TLS over TCP on another.

Trusted Server Certificate

This field displays only if you select TLS over TCP for the Protocol.

Upload a PEM-formatted file containing a valid issuing certificate authority (CA) certificate. When the syslog server presents its identity certificate to Ivanti EPMM, Ivanti EPMM validates that identity certificate against the CA certificate that you upload here.

Admin State

Select Enable from the dropdown list if you want Ivanti EPMM to send syslog data to the configured syslog server. Select Disable to suspend use of the syslog server.

Template

Enter a syslog template (rsyslog template syntax) to format the logged messages.

Example:

<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME:% %app-name% %procid% %msgid% [TOKEN@11058 tag="RsyslogTLS"] %msg%

Severity (facility.level)

Enter *.* to send all messages to the syslog server for all syslog facilities and severity levels that Ivanti EPMM supports.

To filter which messages are sent to the syslog server, provide a syslog regular expression (selector) of the form:

<facility keyword>.<severity level keyword>

where:

  • <facility keyword> is one of the following syslog facilities, listed on Settings > Data Export > SysLog Data:
    • local3 - Virtual machine data (such as tomcat memory logs)
    • local4 - Health data (such as Apache and Linux logs)
    • local6 - Device data (such as Ivanti EPMM access from devices and Admin Portal)
    • local7 - Audit data (Audit logs, which are also available on the Admin Portal at Logs > Audit Logs)
  • <severity level keyword>, such as info or warning, specifies the minimum severity level to log; prefix the level with = (for example *.=debug) to match only that single level.

Examples:

  • local6.* - All messages relating to device data
  • local6.error - Error messages relating to device data
  • local6,local7.* - All messages relating to device data and audit logs
  • *.*; local3,local7 - All messages excluding those relating to virtual machine data and audit data
  • *.info - All messages with a severity of info or higher
  • local4.warn - All messages relating to health data with a severity of warn or higher
  • *.=debug - All messages with a severity of exactly debug

Syslog may lose messages when a high volume of data is generated, for example by audit logs.
If you encounter performance issues with Syslog while exporting large amounts of data (such as Audit logs), disable that export.
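As an added example (not Ivanti's code or its selector parser), the following Python emulates the facility.level selector syntax described above so that you can check which messages a given Severity entry would forward. It assumes the semantics implied by the examples: the first ';'-separated part selects, later parts exclude, a bare level means "that level or higher", and =level matches a single level; facility and severity names are the standard syslog ones.

```python
"""Emulate the Severity (facility.level) selector syntax to check
which messages an entry forwards. Assumed semantics, not Ivanti's parser."""

# The four facilities the page lists on Settings > Data Export > SysLog Data
FACILITIES = {"local3": "vm", "local4": "health", "local6": "device", "local7": "audit"}
# Standard syslog severities, lowest (debug) to highest (emerg)
SEVERITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}


def _rank(level):
    """Numeric rank of a severity keyword; raises ValueError for unknown names."""
    return SEVERITIES.index(ALIASES.get(level, level))


def _parse_part(part):
    """'local6,local7.error' -> ({'local6','local7'}, ('>=', rank)).
    A facility list without '.level' (used in exclusions) matches every level."""
    part = part.strip()
    fac, lvl = part.rsplit(".", 1) if "." in part else (part, "*")
    facs = None if fac == "*" else {f.strip() for f in fac.split(",")}
    if lvl == "*":
        return facs, None
    op = "=" if lvl.startswith("=") else ">="
    return facs, (op, _rank(lvl.lstrip("=")))


def _part_matches(parsed, facility, level):
    facs, cond = parsed
    if facs is not None and facility not in facs:
        return False
    if cond is None:
        return True
    op, rank = cond
    return _rank(level) == rank if op == "=" else _rank(level) >= rank


def selector_forwards(selector, facility, level):
    """True if a message with this facility and level passes the selector."""
    parts = [p for p in selector.split(";") if p.strip()]
    include, *excludes = [_parse_part(p) for p in parts]
    if not _part_matches(include, facility, level):
        return False
    return not any(_part_matches(e, facility, level) for e in excludes)


def covered_facilities(selector):
    """Facilities from which at least one severity is forwarded (audit coverage check)."""
    return sorted(f for f in FACILITIES
                  if any(selector_forwards(selector, f, s) for s in SEVERITIES))
```

Use covered_facilities to confirm that a filter intended to drop virtual machine noise does not also silently drop local7 audit events.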

View Data Export: SysLog Advanced Options categories

Procedure 

  1. Log into System Manager.
  2. Go to Settings > Data Export > SysLog Data to open the Data to Index window.
  3. Click Advanced Options to display the categories within each set of data you want to modify.

Configuring the syslog data to export

Procedure 

  1. Log into System Manager.
  2. Go to Settings > Data Export > SysLog Data to open the Data to Index window.
  3. Click Advanced Options to display the categories within each set of data you want to modify.
  4. Modify one or more of the fields, as necessary.
  5. Change time intervals, as necessary. An interval indicates how often Ivanti EPMM collects the information and adds it to syslog data.
  6. Click Apply > OK to save the changes.