Activity Logs

Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR, WatchGuard EPP, WatchGuard EDR Core

On the Users > Activity page, you can see log information for user sessions and actions, as well as system events and remote control sessions. For information on log details, go to Log Details.

To see activity logs:

  1. In WatchGuard Cloud, select Configure > Endpoints.
  2. Select Settings.
  3. Select Users.
    The Activity page opens.
  4. Select the type of activity you want to see the logs for (Sessions, User Actions, or System Events).

  5. To filter the subset of activities, select Filters.

  6. In the From and To text boxes, specify the date range you want to see activity logs for.
  7. Click Filter.

Export Activity Logs

You can export activity logs to a comma-separated value (CSV) file that you can use in other applications.

To export activity logs:

  1. In WatchGuard Cloud, select Configure > Endpoints.
  2. Select Settings.
  3. Select Users.
    The Activity page opens.
  4. Select the type of activity you want to export (Sessions, User Actions, or System Events).
  5. To export the results, click the Export icon in the upper-right corner of the window.
    The browser automatically downloads a CSV file of the results.

Log Details

On the Users > Activity page, these columns are available for different types of activities.

Sessions

The Sessions tab shows information on access to the management UI, such as when a user logs in and logs out.

Date — The date and time when the activity occurred.

User — The name of the user who completed the activity.

Activity — The activity completed (for example, Log in or Log out).

IP Address — The IP address of the endpoint.
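
As an added example (not WatchGuard code), this Python script reviews an exported Sessions CSV and lists Log in rows whose IP Address falls outside approved management networks. The header names, date format, sample rows, and the APPROVED_NETWORKS list are assumptions; adjust them to match your actual export.

```python
import csv
import io
import ipaddress

# Assumption: the networks administrators are expected to log in from.
APPROVED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/24")]

# Constructed sample; assumes the export's header row uses the column names above.
SAMPLE_EXPORT = """Date,User,Activity,IP Address
2024-05-01 08:02:11,alice@example.com,Log in,10.20.4.15
2024-05-01 08:40:03,alice@example.com,Log out,10.20.4.15
2024-05-01 23:17:45,bob@example.com,Log in,203.0.113.77
2024-05-02 02:05:10,alice@example.com,Log in,198.51.100.9
2024-05-02 09:00:00,carol@example.com,Log in,not-an-ip
"""

def is_approved(ip_text, networks=APPROVED_NETWORKS):
    """Return True/False for a parseable address, None when it cannot be parsed."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None
    return any(ip in net for net in networks)

def review_sessions(csv_text, networks=APPROVED_NETWORKS):
    """Return Log in rows whose source IP is outside the approved networks."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Only logins matter here; Log out rows are skipped.
        if (row.get("Activity") or "").strip().lower() != "log in":
            continue
        verdict = is_approved(row.get("IP Address") or "", networks)
        if verdict is True:
            continue
        findings.append({
            "date": row.get("Date"),
            "user": row.get("User"),
            "ip": row.get("IP Address"),
            # Unparseable values are reported rather than silently dropped.
            "reason": "unparseable IP" if verdict is None else "outside approved networks",
        })
    return findings

if __name__ == "__main__":
    for f in review_sessions(SAMPLE_EXPORT):
        print(f"{f['date']}  {f['user']:<20} {f['ip']:<15} {f['reason']}")
```
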

User Actions

The User Actions tab shows user actions, such as when the user creates or edits a security settings profile or task, deletes a computer, or changes the group that a computer belongs to.

Date — The date and time when the action occurred.

User — The name of the user who completed the action.

Action — The user action completed (for example, allow threat).

Item Type — The type of device the action was performed on (for example, computer or non-persistent computer).

Item — The name of the computer that the action occurred on.

System Events

The System Events tab shows all events that occur in WatchGuard Endpoint Security that were not initiated by a user, such as when a computer registers on the server for the first time or after computer deletion or reinstallation.

Date — The date and time when the system event occurred.

Event — The action taken by WatchGuard Endpoint Security.

Type — The object that the action was taken on (for example, a computer or non-persistent computer).

Item — The name of the computer that the system event occurred on.
