Forensic ZIP Collection: Remotely Gathering Logs for Security Incidents

1. Overview

Administrators can collect diagnostic logs or specific files from managed devices using Remote Actions such as Execute Custom Script (for Windows, macOS, and Linux devices) and Device Support Logs (for ChromeOS devices) available in the Hexnode UEM portal. These logs help troubleshoot device management issues, verify configurations, and investigate potential security incidents. The collected data is returned to the Hexnode portal, allowing administrators to review device information and diagnose issues remotely without requiring physical access to the device.

Why Is Remote Log Collection Useful?

  • Flexible Log Retrieval: Administrators can collect logs or diagnostic files from managed devices depending on the platform and the method used. Custom Scripts allow administrators to collect specific artifacts such as system logs, application logs, or configuration files from defined locations, while the Device Support Logs action on ChromeOS generates a predefined diagnostic package that includes a standardized set of system information.
  • Remote Troubleshooting: Logs can be collected from devices enrolled in the Hexnode UEM portal without requiring physical access to the device. This enables administrators to gather diagnostic information from distributed environments.
  • Targeted Data Collection: Administrators can retrieve the specific information required for troubleshooting or investigation when the required details are not available through standard device information displayed in the portal.

2. Collection Scope

The collection scope defines the range of diagnostic data that can be retrieved from a device during log collection. This data provides visibility into system activity, configurations, and operational behaviour for troubleshooting and analysis.

Typical diagnostic collections may contain the following types of system artifacts:

  • System Logs: Logs generated by the operating system that contain information about system events and errors.
  • Application Logs: Logs created by applications installed on the device.
  • Network Information: Network configuration details or network-related diagnostic data.
  • Process Information: Details about running processes, services, or system tasks.
  • Device Configuration Data: System configuration details or environment information useful for troubleshooting.

3. Configuration Steps

Step A: Preparing Log Collection

For Windows, macOS and Linux, upload the script to the Hexnode File Repository.

  1. Log in to the Hexnode UEM portal.
  2. Navigate to Content > Scripts.
  3. Click Add.
  4. Upload the script file or create a script using the Hexnode Genie AI.
  5. Provide the required details such as the File name and Version.
  6. Save the script.

Once uploaded, the script becomes available for execution on managed devices.

Step B: Initiating Log Collection

  1. Navigate to Manage > Devices.
  2. Select the target device.
  3. Click Actions.

For Windows, macOS and Linux devices:

  1. Select Deployments > Execute Custom Script.
  2. Choose the script from the File Repository.
  3. Confirm execution.

For ChromeOS:

  1. Select Others > Device Support Logs.
  2. Select the options from the list that should be included in the support log.
  3. Click Download.

The command is sent to the device and executed by the Hexnode agent installed on the endpoint. If the device is offline when the command is issued, the command executes when the device next checks in with the Hexnode server.

Step C: Retrieving the Output

  • The output generated by the script is recorded in the Device Action History. Administrators can locate the script execution entry and click Show Output to view the results returned by the script. If the script is designed to collect files or logs, the script itself determines how those files are generated or processed during execution.
  • Upon successful execution of the Device Support Logs command, the resulting log file becomes available in the Hexnode UEM portal, located under the Logs sub-tab of the specific device’s details page.
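The following is an added example of the kind of collection script an administrator would upload in Step A and run through Execute Custom Script in Step B; it is not Hexnode's own code and the page does not ship one. It assumes Python 3 is present on the endpoint (an assumption; Hexnode custom scripts can be any interpreter the device has). The LOG_PATHS list is a placeholder for the paths chosen as the collection scope. The script packs the listed files into a ZIP together with a manifest.json recording a SHA-256 hash and size per file, records any path that is missing or unreadable instead of failing silently, and prints the manifest to stdout, which is what appears under Show Output in Step C. The verify() helper re-hashes the archived entries against the manifest so the analyst can confirm the archive was not altered after collection. The run_demo() function exercises the whole flow against constructed sample log files in a temporary directory so it runs offline.

```python
#!/usr/bin/env python3
"""Forensic ZIP collection script (added example, not Hexnode's own code).

Assumes Python 3 on the endpoint. LOG_PATHS is a placeholder collection
scope; a real job replaces it with the endpoint's actual log locations.
"""
import hashlib
import json
import os
import tempfile
import zipfile
from datetime import datetime, timezone

# Placeholder collection scope; replace with the paths relevant to the incident.
LOG_PATHS = ["/var/log/syslog", "/var/log/auth.log"]


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large logs are not loaded into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def archive_name(path):
    """Name the ZIP entry after its original path, minus drive letter and leading separators."""
    rel = os.path.normpath(os.path.splitdrive(path)[1]).lstrip("/\\")
    return rel.replace(os.sep, "/")


def collect(paths, out_dir):
    """Zip every readable file in `paths`; return (zip_path, manifest).

    Missing paths and permission errors are recorded in the manifest rather
    than aborting the run, so the portal output explains every gap.
    """
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    zip_path = os.path.join(out_dir, f"collection-{stamp}.zip")
    manifest = {"collected_utc": stamp, "files": [], "skipped": []}
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in paths:
            if not os.path.isfile(path):
                manifest["skipped"].append({"path": path, "reason": "not found"})
                continue
            try:
                digest = sha256_file(path)  # hash the source before archiving it
                entry = archive_name(path)
                zf.write(path, entry)
            except PermissionError:
                manifest["skipped"].append({"path": path, "reason": "permission denied"})
                continue
            manifest["files"].append(
                {"path": path, "entry": entry, "sha256": digest, "size": os.path.getsize(path)}
            )
        zf.writestr("manifest.json", json.dumps(manifest, indent=2))
    return zip_path, manifest


def verify(zip_path):
    """Re-hash each archived entry against the manifest; return the entries that differ.

    A non-empty result means a file changed between hashing and archiving, or
    the archive was altered after collection.
    """
    mismatches = []
    with zipfile.ZipFile(zip_path) as zf:
        manifest = json.loads(zf.read("manifest.json"))
        for item in manifest["files"]:
            if hashlib.sha256(zf.read(item["entry"])).hexdigest() != item["sha256"]:
                mismatches.append(item["entry"])
    return mismatches


def run_demo():
    """Run the collector against constructed sample logs in a temporary directory.

    The directory (and the ZIP in it) is removed on return; a real job writes
    the archive to a persistent location the agent can retrieve it from.
    """
    with tempfile.TemporaryDirectory() as tmp:
        samples = {  # constructed sample log content, not real device data
            "system.log": "2024-05-01T10:00:00Z kernel: boot complete\n",
            "app.log": "2024-05-01T10:00:05Z agent: check-in ok\n",
        }
        paths = []
        for name, text in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
            paths.append(path)
        paths.append(os.path.join(tmp, "missing.log"))  # deliberately absent
        zip_path, manifest = collect(paths, tmp)
        expected = hashlib.sha256(samples["system.log"].encode()).hexdigest()
        return {
            "collected": len(manifest["files"]),
            "skipped": [s["reason"] for s in manifest["skipped"]],
            "mismatches": verify(zip_path),
            "hash_ok": manifest["files"][0]["sha256"] == expected,
        }


if __name__ == "__main__":
    # Real run: collect LOG_PATHS into the working directory; the printed
    # manifest is what Show Output displays in the Device Action History.
    _, summary = collect(LOG_PATHS, os.getcwd())
    print(json.dumps(summary, indent=2))
```

Because every skipped path is reported with a reason, a missing file or insufficient permissions shows up directly in the portal output rather than as an empty result, which is usually the quickest way to tell why a collection came back incomplete.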

4. Post-Collection Analysis

After retrieving the diagnostic data, administrators can review the output using standard troubleshooting methods or log analysis tools.

The collected information can help administrators identify:

  • Device configuration issues
  • System errors occurring on the device
  • Application failures
  • Operational problems affecting device performance or behaviour

Analyzing the collected data can help administrators determine the root cause of device issues or better understand system activity during troubleshooting or security investigations.

5. Security and Privacy Considerations

When collecting diagnostic data from managed devices, administrators should ensure that the process follows organizational security and privacy guidelines.

  • Secure Communication: Commands issued from the Hexnode portal are delivered to managed devices through secure communication between the Hexnode server and the device management agent or management framework.
  • Administrative Access Control: Only administrators with appropriate permissions in the Hexnode portal can initiate remote actions or upload scripts, helping prevent unauthorized activities on managed endpoints.
  • Responsible Data Collection: Administrators should collect only the data required for troubleshooting or investigation. Avoid retrieving unnecessary or sensitive user information unless it is required for the diagnostic process.
  • Audit Visibility: Remote actions performed through Hexnode UEM are recorded in the Device Action History, allowing administrators to monitor administrative activities on managed devices.

6. Troubleshooting

Issue: Log Collection Not Executed

  • Cause: The device may not receive the command if it is offline or unable to communicate with the Hexnode server.
  • Resolution: Ensure that:
    • The device is enrolled in Hexnode UEM.
    • The device has an active internet connection.
    • The device successfully checks in with the Hexnode server.

If the device was offline when the command was issued, the action will execute automatically when the device reconnects and checks in.

Issue: Script Output Not Available

  • Cause: The script may not generate output, or it may encounter errors during execution.
  • Resolution: Verify the script logic and ensure that the script contains commands that generate output if results are expected in the portal.
    • Test the script on a single device before executing it on multiple devices.
    • Confirm that the file paths or commands referenced in the script exist on the target device.
    • Ensure the script has sufficient permissions to access the required files or directories.