Logging
If Managed Application Security is enabled, the overview on the Log tab shows who accessed which authorized/unauthorized files on which computer. Unauthorized files can be authorized via the context menu on this tab.
With Discover new file hashes enabled (on the Settings tab of a Workspace Container), automatically discovered file hashes will be added to the log.
Select Import file hashes from the context menu to import either a comma-delimited CSV file or a tab-delimited TXT file.
All Applications security events are logged in the Applications Log. This log shows an overview of all events that occurred when users were prevented from starting an unauthorized executable. The log is automatically cleaned up periodically.
Many applications need to start up other, legitimate executables in order to function properly. For example, some application Help features will call on an executable. If that executable is blocked, the user cannot access the Help. You can allow these specific executables to run in your environment by authorizing them from the Applications Log. These specific executables will be set as Global Authorized Files.
The Application Security log file can be exported in XML format from the command line (the command is case-insensitive):
PWRTECH.EXE /EXPORTLOG /TYPE=APPLICATION /OUTPUT=<OUTPUT FILEPATH> /START=<START DATE> /END=<END DATE>
A value for OUTPUT must be specified. START and END are optional values in YYYYMMDD (optionally YYYYMMDDHHMMSS) format. The values entered for START and END, and the timestamps in the export file, are all in UTC.
Example:
PWRTECH.EXE /EXPORTLOG /TYPE=APPLICATION /OUTPUT=C:\LOGS\APPLICATIONLOG.XML /START=20160101082959 /END=20160229
At least read permission is needed on the Managed Applications node (at Security > Applications > Managed Applications) to export the log. With insufficient access rights, the XML export file will contain no data.
Ivanti recommends testing first by exporting just one or two days of data.
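The following PowerShell wrapper is an added example, not Ivanti's own code: it exports a short UTC window with the switches documented above and then checks whether the file actually contains data, since an account without read permission gets an empty export. It assumes PWRTECH.EXE is on the PATH and that "no data" shows up as a missing file, an empty file, or a root element with no child elements (the export schema is not described on this page); the parameter names are hypothetical.

```powershell
# Added example (not from the product documentation).
param(
    [string]$PwrTech = 'PWRTECH.EXE',   # assumption: on PATH; otherwise pass the full path
    [string]$OutDir  = 'C:\LOGS',       # folder used in the documented example (no spaces)
    [int]$Days       = 2                # start with one or two days, as recommended
)

# START and END are read as UTC, so convert local time before formatting.
$endUtc   = (Get-Date).ToUniversalTime()
$startUtc = $endUtc.AddDays(-$Days)
$start    = $startUtc.ToString('yyyyMMddHHmmss')   # YYYYMMDDHHMMSS
$end      = $endUtc.ToString('yyyyMMddHHmmss')
$output   = Join-Path $OutDir "APPLICATIONLOG_${start}_${end}.XML"

if (-not (Test-Path -LiteralPath $OutDir)) {
    New-Item -ItemType Directory -Path $OutDir | Out-Null
}

# Only the documented switches are used.
$arguments = @('/EXPORTLOG', '/TYPE=APPLICATION',
               "/OUTPUT=$output", "/START=$start", "/END=$end")
Start-Process -FilePath $PwrTech -ArgumentList $arguments -Wait

# The page documents no exit code, so judge the result by the file itself.
if (-not (Test-Path -LiteralPath $output)) {
    throw "No export file was written: $output"
}
try {
    [xml]$doc = Get-Content -LiteralPath $output -Raw
} catch {
    throw "Export is not well-formed XML: $output"
}

# Count element children of the root without assuming any element names.
$entries = @($doc.DocumentElement.ChildNodes |
             Where-Object { $_.NodeType -eq 'Element' })

if ($entries.Count -eq 0) {
    Write-Warning ("Export contains no data for $start..$end UTC. Either no events " +
        "were logged in that window or this account lacks read permission on " +
        "Security > Applications > Managed Applications.")
} else {
    Write-Output "$($entries.Count) top-level element(s) exported to $output"
}
```

An empty result on a window that is known to contain blocked executables points to the permission problem rather than a quiet period, so check the account's access to the Managed Applications node before widening the date range.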