Can I Export Agent Log Data for External Analysis?

Some users choose to export Agent log data for external analysis. That process is described in this article.

Yes, you can export Agent Log data for external analysis. There are two primary ways to handle Agent logs for external use, depending on whether you need a one-time export or a continuous stream for a SIEM.

1. Manual Export (One-Time Analysis)

If you are troubleshooting a specific issue or performing a point-in-time audit, you can manually collect the logs directly from the agent host.

  • Windows Agents: Logs are typically located in %ProgramData%\Identity Finder\Logs\. You can zip this entire directory and move it to your analysis workstation.
  • Mac/Linux Agents: Paths vary by version, but you can locate the log directory by identifying the agent service process and checking its configuration.
  • Console View: While the Agent Log page in the console enables you to view logs, for deep external analysis (for example with grep or a log viewer), collecting the raw files from the endpoint is the most reliable method.

2. Automated Export via Web API (Continuous Analysis)

For ongoing analysis, security monitoring, or long-term retention (for example, for PCI or NIST compliance), you should use the Spirion Web API.

  • The Method: You can write a script (or use a SOAR tool) to query the Spirion API for agent log events.
  • SIEM Integration: Most organizations use the API to pull log data into a centralized SIEM like Splunk, Microsoft Sentinel, or LogRhythm.
  • What to Export: You should focus on exporting the three core log families:
    • EPS (Endpoint Service): For agent health and connectivity trends.
    • IDF (SystemSearch): For scan progress and target access errors.
    • IFS (Shipper): For result delivery status and network performance.

3. Local Log Forwarding (Advanced)

Because Spirion Agents run locally on your infrastructure, you can also use standard infrastructure tools to "tail" and forward the log files as they are written.

  • Log Forwarders: You can install a lightweight Agent (like Splunk Universal Forwarder or Filebeat) on the Agent host machine.
  • Configuration: Point the forwarder to the Logs directory: %ProgramData%\Identity Finder\Logs\. This enables you to stream Agent logs to your external analysis platform in real time, bypassing the Spirion Console entirely.
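As an added example (not taken from this article or from Spirion), the following Filebeat configuration implements the forwarder setup just described: it watches the Windows Logs directory named above, tags each event with one of the three log families from section 2 based on the file name, and drops high-verbosity lines at the source so the volume caveat under Recommendations is handled before anything leaves the host. The `*.log` extension, the assumption that file names contain EPS, IDF or IFS, the DEBUG/TRACE line pattern, and the collector host and CA path are assumptions, not documented Spirion behaviour; check them against what is actually in the directory before deploying.

```yaml
# Added example: Filebeat configuration for forwarding Spirion Agent logs from a
# Windows agent host. File-name patterns, the .log extension, the verbosity
# regex, and the output host/CA path are assumptions and must be verified
# against the real Logs directory and your SIEM collector.
filebeat.inputs:
  - type: filestream
    id: spirion-agent-logs
    enabled: true
    paths:
      # Directory named in the article; '*.log' is an assumed extension.
      - 'C:\ProgramData\Identity Finder\Logs\*.log'
    # Assumption: Debug/Trace output contains the literal words DEBUG or TRACE.
    # Dropping those lines here keeps fleet-wide volume in check when a
    # high-verbosity level is enabled (see Recommendations).
    exclude_lines: ['\bDEBUG\b', '\bTRACE\b']
    # Skip files not modified in the last 24h (assumed window); remove this
    # line if you want to backfill the full history on first start.
    ignore_older: 24h
    fields:
      vendor: spirion
      event_source: agent_log
    fields_under_root: true

processors:
  - add_host_metadata: ~
  # Tag the log family from the file name. Assumed naming: the family
  # abbreviation appears somewhere in the last path segment.
  - add_fields:
      when:
        regexp:
          log.file.path: '(?i)EPS[^\\/]*$'
      target: spirion
      fields:
        family: EPS
        purpose: endpoint-service-health
  - add_fields:
      when:
        regexp:
          log.file.path: '(?i)IDF[^\\/]*$'
      target: spirion
      fields:
        family: IDF
        purpose: systemsearch-scan-progress
  - add_fields:
      when:
        regexp:
          log.file.path: '(?i)IFS[^\\/]*$'
      target: spirion
      fields:
        family: IFS
        purpose: shipper-result-delivery

# Assumed collector; any Beats-compatible SIEM input works here. TLS with a
# pinned CA keeps agent logs (which can name hosts, paths and scan targets)
# confidential in transit.
output.logstash:
  hosts: ['siem-collector.example.internal:5044']
  ssl.certificate_authorities: ['C:\ProgramData\Filebeat\siem-ca.pem']
```

Run `filebeat test config` and `filebeat test output` on one host before rolling the file out, and confirm in the SIEM that every event carries a `spirion.family` value; files that arrive untagged indicate the assumed file-name pattern does not match your agent version and the three regexes need adjusting.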

Recommendations

  • Use the API for Governance: If your goal is to prove compliance (for example, "Show me all scan completions for the last 90 days"), the Web API is the best choice because it provides a structured, consolidated view of logs from all Agents.
  • Use Local Forwarders for Troubleshooting: If you are trying to diagnose a complex network issue or a "silent failure" on a specific high-value server, using a local log forwarder provides the most granular, real-time visibility.
  • Watch the Volume: If you enable Debug or Trace logging, the volume of data can grow very quickly. Ensure your external analysis platform and your network can handle the increased load before enabling high-verbosity logging across the entire fleet.

Summary

Whether you need a quick ZIP file for a support ticket or a real-time stream for your SOC, Spirion provides multiple paths to get your Agent Log data into the external tools you use for analysis and reporting.