Audit Log of IEM Console actions

Is there any way to get an idea of volume from BigFix? Meaning how many jobs have we scheduled YTD, or how many endpoints have we patched?

Sounds like a job for session relevance!

To get a list of how many jobs have been scheduled YTD, you can do something like:

number of bes actions

Getting the number of endpoints that have been “patched” is a little bit harder. In this case I’m just going to get a feel for how many endpoints you’ve touched per action and try to add them all up…

number of computers of results of bes actions

And then you can filter your actions based off of stuff in patch specifically if all you care about are just patch actions… so maybe something like…

number of computers of results of bes actions whose (name of site of source fixlet of it = "Enterprise Security" or name of site of source fixlet of it contains "Patches for")

And if you’re using BigFix >= 9.0, you can use the REST API to query using session relevance! See the query documentation via developerWorks for more details.
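Added example, not part of the original posts: a Python sketch of sending the session relevance expressions above to the REST API's `/api/query` resource and reading the count out of the XML reply. The host name and the sample responses are constructed, the port 52311 default and the `<Error>` element are assumptions about a standard deployment, and the HTTPS request itself (with an operator account's credentials) is left out so the block runs offline.

```python
import urllib.parse
import xml.etree.ElementTree as ET

# Session relevance expressions quoted from the thread above.
QUERIES = {
    "actions": "number of bes actions",
    "touched": "number of computers of results of bes actions",
    "patch_touched": (
        "number of computers of results of bes actions whose "
        '(name of site of source fixlet of it = "Enterprise Security" '
        'or name of site of source fixlet of it contains "Patches for")'
    ),
}

def query_url(server, relevance, port=52311):
    """Build the GET URL for /api/query. Quotes, spaces and parentheses in
    the relevance text must be percent-encoded or the query is cut short."""
    encoded = urllib.parse.quote(relevance, safe="")
    return "https://%s:%d/api/query?relevance=%s" % (server, port, encoded)

def parse_answers(xml_text):
    """Return the <Answer> values of a query reply; raise on <Error>."""
    root = ET.fromstring(xml_text)
    err = root.find("./Query/Error")
    if err is not None:
        raise ValueError("relevance error: %s" % (err.text or "").strip())
    answers = []
    for node in root.findall("./Query/Result/Answer"):
        text = node.text or ""
        answers.append(int(text) if node.get("type") == "integer" else text)
    return answers

# Constructed sample replies (not captured from a real server).
SAMPLE_OK = (
    '<BESAPI><Query Resource="number of bes actions">'
    '<Result><Answer type="integer">1287</Answer></Result>'
    "</Query></BESAPI>"
)
SAMPLE_ERR = (
    '<BESAPI><Query Resource="number of bes action">'
    "<Error>This expression could not be parsed.</Error>"
    "</Query></BESAPI>"
)

if __name__ == "__main__":
    for label, relevance in QUERIES.items():
        print(label, query_url("bigfix.example.com", relevance))
    print("actions scheduled:", parse_answers(SAMPLE_OK)[0])
```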

Can you explain more about how to do this? I’m not familiar with this feature.

Maybe share how you want to use this information, how often you need it and so on?
Do you need it in a report - maybe Web Reports is the way to go.
Do you want to get it and use it in another system - the REST API is the way to go.

Session relevance is the query language used to query Endpoint Manager.
REST API is an HTTP-based API through which you can issue a session relevance query.

Yes it does need to be in a report format. For the most part it would only be used for reviewing.

I’d say start with Endpoint Manager Web Reports and see if that’ll work for you.

From Web Reports you can build a report without having to use session relevance directly.

There are some default reports that will give you a starting place.
The reporting category of this forum has many examples and is a place to ask for help or advice.

Depending on the information you need that might be all you have to do.