Log locations differ significantly depending on the specific Ivanti product architecture. Assuming analysts are performing offline analysis on a mounted forensic extraction (e.g., mounted at /mnt/analysis/), these are the critical targets.
The primary application logs for ICS are located within the writable data partition, specifically in /data/var/dlogs/.
| Log File | Critical Forensic Value |
|---|---|
event.log | The main system journal for the application. Contains service startups, internal errors, and broad system actions. |
user_access.log | CRITICAL. Tracks user VPN connections. Details who logged in, when, from which IP, and the targeted authentication “Realm”. |
admin_access.log | CRITICAL. Tracks authentications to the web administration console (/admin). Analysts use this to determine if an attacker successfully logged in using stolen administrative credentials. |
web_access.log | The HTTP request log (similar to Apache/Nginx access logs). This is the primary hunting ground for web exploitation (e.g., malicious URIs) and interactions with dropped webshells. |
EPMM architecture is closer to a standard Linux deployment (often utilizing Apache/Tomcat).
/var/log/httpd/ or /var/log/apache2/ (access_log, ssl_access_log, error_log)./var/log/portal/ (Logs specific to the mobile management portal).ICS logs are not always easily readable plain text. They can feature strange delimiters, proprietary binary headers, or be compressed during the export process.
The Tool: Ivanti-Connect-Secure-Logs-Parser (Hexastrike) To effectively analyze these files, DFIR teams rely on community parsers to clean the raw data.
# Example usage of the Hexastrike parser on a mounted ICS extractionpython3 ivanti_parser.py -f /mnt/analysis/data/var/dlogs/user_access.log -o /tmp/parsed_user_access.csvAnalysts should search for the following specific indicators within the parsed log files.
web_access.log)Look for GET or POST requests targeting files that should not exist or are known indicators of specific CVEs.
.jsp, .php, .sh, or .pl (Perl) files hiding in image or script directories./api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection.../ or %2E%2E%2F).admin_access.log)user_access.log)Even though the appliance runs proprietary software, the underlying OS is Linux. Once an attacker exploits the web layer, they drop into a standard Linux shell environment.
Authentication Logs (/var/log/secure)
Attackers often enable or manipulate SSH to establish a backdoor. Look for successful SSH logins (Accepted password or Accepted publickey) for root or admin. On an Ivanti appliance, SSH is rarely exposed to the internet, making external SSH connections a critical alert. (See Linux Auth Logs Analysis).
Cron Logs (/var/log/cron)
Did the attacker create a scheduled task for persistence? Review cron logs to identify execution of unknown scripts at regular intervals. (See Linux Legacy Persistence).
# Hunt for directory traversal and webshell access in parsed web_access.logindex=ivanti_logs sourcetype=ivanti:web_access| search uri_path="*../*" OR uri_path="*..%2F*" OR uri_path="*.jsp" OR uri_path="*.pl"| table _time, src_ip, http_method, uri_path, status, bytes| sort - _time// Concept: Hunt for Impossible Travel in parsed user_access.log// Requires geospatial enrichment in SentinelIvantiAccessLogs| where EventType == "VPN_Login_Success"| summarize FirstLogin = min(TimeGenerated), LastLogin = max(TimeGenerated), IPCount = dcount(SourceIP), Locations = make_set(GeoLocation) by UserName// Alert if the same user logged in from more than 1 distinct country in a short timeframe| where IPCount > 1 and array_length(Locations) > 1| project UserName, FirstLogin, LastLogin, IPCount, Locations