Activity Log
SECURITY For viewing and searching user activity, you must have the Administrator security level.
SECURITY For viewing and searching device activity, refer to Sites > Devices in Permissions.
NAVIGATION Analytics > Activity Log
NAVIGATION Device summary page > Activities card > Activity Log. To view the various navigation paths you can use to access the device summary page, refer to Device summary.
About
The Activity Log page allows you to view and search a list of activities. Activity Log data is retained for 180 days. The page consists of two sections: the Activity Log search and the list of activities.
The Activity Log provides the following benefits:
- Device and user activity, all in one place. The Activity Log page provides a single view of all activity within your Datto RMM account, while respecting permissions around access to different activity types.
- Access device data at the device, site, or global level. You can view device activity across all your devices or for specified sites and devices all in one place.
- Get the data you need with filters and search. Filtering capabilities allow you to view data globally or for specific devices, users, and sites. You can also use the search field to return a list of matching activities. Example activities include the following:
  - Logging into Datto RMM
  - Licensing activities
  - Resetting a user's password or two-factor authentication (2FA)
  - Enabling, disabling, or updating support access
  - Support access activities
  - Deleting a user with details about the deleted user, the user who performed the deletion, the type of data that was deleted or reassigned, and the recipient user of the reassigned data.
  - Moving of devices, including the name and ID of both the source site and destination site
  - Deletion of devices (marked for deletion and moved to the queue for deleted devices) or removal of devices from the platform
  - Addition or removal of devices to or from Device Groups
  - Addition or removal of sites within a security level, including the names and IDs of affected sites and Site Groups
  - Deploying patches or monitoring policies
  - Disabling/enabling monitors via user action or alert rate limiting
  - Adding components from the ComStore and editing components
  - Running jobs or components
  - Processing of reports with details including report creation, queuing, sending, recipients, execution time, start and end of processing, and failure information
  - Scheduling a device reboot
  - Downloading Agent log files
  - Initiating a remote takeover session
  - Web Remote screen control session with details including technician name, end user name, and session name
  - File transfer during Web Remote screen control session with details including file name, file size, and whether the file was uploaded or downloaded
  - Web Remote chat session with details including technician name, end user name, session name, and any session failure information
  - Web Remote PowerShell session with details including technician name, end user name, session name, type of shell used, path of shell, and directory where shell was started

  NOTE The start and end activities for Web Remote screen control and Web Remote PowerShell sessions are displayed separately.
- Advanced search capabilities. Leverage powerful search capabilities based on Apache Lucene Query Parser syntax to carry out advanced querying of the Activity Log.
Activity Log details are available in the Datto RMM API. Refer to Datto RMM API.
Activity Log data is stored within indexed fields in the Activity Log. You can search for specific data by entering search queries in the table at the top of the page.
The table contains the following fields:
The following types of searches and search operations are supported:
Search Type | Notes and examples |
---|---|
Term or Phrase Searches | A term is a single word; for example, hello or world. A phrase is a group of words surrounded by double quotes; for example, "hello world". |
Field Searches | Field names are displayed in the Details column of the list of activities; for example, "user.username". Refer to Details. You can search any indexed field by entering the field name followed by a colon and the search term; for example: user.username:fred. You can also use grouping, booleans, and other query syntax in searches on specific fields. For example, site.name:(+new +"fred special") will find site names with both the term “new” and the phrase “fred special” in them, such as “new site fred special” and “fred special new site”. NOTE Specifying fields in a query makes the search faster and more accurate. NOTE To search for complex objects in the Details column, join field names with periods. For example, an object called "data.details" with a "details" field within it can be searched as follows: data.details.detail: 123456. |
Exact Match Searches | To find exact matches for a term containing certain punctuation, enclose the term in quotes. For example, to search for a specific UID, entering the query "d28635b9-f4b7-4c2f-ab2d-2bcc0269228c" will only return matches on the entire UID. NOTE Enclosing the desired term in quotes is especially important if the term includes splitting characters, such as "-" or "_". |
Wildcard Searches | You can perform single or multiple character wildcard searches within single terms only (not within phrases). To perform a single character wildcard search, use the ? symbol. The single character wildcard search looks for terms that match the query with a single character replaced. For example, to search for "text" or "test," enter the following query: te?t. To perform a multiple character wildcard search, use the * symbol. The multiple character wildcard search looks for terms with zero or more characters; for example, to search for "test", "tests", or "tester", enter the following query: test*. You can also use wildcard searches in the middle of a term; for example, te*t would find terms such as "test", "tempest", or "temperament". NOTE You can use a wildcard search at the front of a term, but this is inefficient, particularly when searching across fields in a large data set. |
Fuzzy Searches | You can use fuzzy searches to look for similarly-spelled words. To perform a fuzzy search, use the ~ symbol at the end of a term. For example, to search for a term similar in spelling to "roam" (such as "foam" or "roams"), enter the following query: roam~. An additional parameter can specify the required similarity between terms. The value is between 0 and 1, where a value closer to 1 guarantees only terms with a higher similarity will be matched. For example, try using roam~0.8. NOTE The default value if not specified is 0.5. |
Proximity Searches | You can search for a word within a defined proximity to another. To perform a proximity search, use the ~ symbol at the end of a phrase. For example, "new site"~2 will find "new site", "site new", "new special site", and "new super special site". It will not find "new ultra super special site". |
Boolean Operator Searches | Boolean operators allow terms to be combined through logic operators. Supported operators are AND, OR, NOT, +, and -. AND: The AND operator matches records where both terms exist in the same record. To search for records that contain "new site" and "fred," use the query: "new site" AND fred. OR: The OR operator matches records where either term exists in the same record. To search for records that contain "new site" or "fred," use the query: "new site" OR fred. NOT: The NOT operator excludes records that contain the term after NOT. To search for records that contain "new site" but not "fred," use the query: "new site" NOT fred. NOTE The NOT operator cannot be used with just one term. For example, the following search will return no results: NOT "new site". +: The + operator requires that the term after the + symbol exist somewhere in a field of a single record. -: The - operator excludes records that contain the term after the - symbol. To search for records that must contain "site" and must not contain "fred," use the query: +site -fred. |
Grouped Searches | Parentheses () can be used to group clauses to form sub-queries. To search for "green or red and fred", use the following query: (green OR red) AND fred. |
Date Searches | To retrieve records for a particular date or date range, use the Date Range field in the search table. This filter can be combined with a detailed search to get refined results for a particular date. |
Special Character Searches | The query syntax contains a number of special characters, which are as follows: + - && || ! ( ) { } [ ] ^ " ~ * ? : \ If you want to use these as part of a string you are searching for, you must escape them using the \ character. For example, to search for "(1+1)" in the device.hostname field, enter the following query: device.hostname: \(1\+1\). |
The query syntax is based on Apache Lucene Query Parser syntax. This syntax supports other query elements, but these (specifically, boost queries and range queries) are not currently supported for the Activity Log search.
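The escaping and quoting rules in the table above matter most when a search value is copied from elsewhere, such as a hostname or username taken from an alert, because an unescaped special character changes what the query matches. The Python helper below is an added example, not Datto RMM code: it builds query strings that follow those rules. The function names are hypothetical, and escaping each & and | individually, and only \ and " inside quotes, are assumptions based on standard Lucene syntax.

```python
import re

# Special characters as listed in the search table above. "&&" and "||" are
# covered by escaping each "&" and "|" individually (assumption, see lead-in).
_SPECIAL = re.compile(r'([+\-&|!(){}\[\]^"~*?:\\])')
# Characters that split a value into several terms: whitespace plus the
# "-" and "_" named in the Exact Match note.
_SPLITTING = re.compile(r'[\s\-_]')


def escape_term(value):
    """Backslash-escape every special character so it is matched literally."""
    return _SPECIAL.sub(r'\\\1', value)


def exact_phrase(value):
    """Quote a value for an exact match.

    Assumption: inside quotes only the backslash and the double quote
    need escaping; wildcards are not interpreted within phrases.
    """
    return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'


def field_clause(field, value):
    """Build field:value, quoting values that contain splitting characters."""
    if _SPLITTING.search(value):
        return f'{field}:{exact_phrase(value)}'
    return f'{field}:{escape_term(value)}'


def build_query(must, must_not=()):
    """AND the required clauses, then exclude the unwanted ones with NOT."""
    if not must:
        # Per the page, a query made only of NOT clauses returns no results.
        raise ValueError('at least one positive clause is required')
    query = ' AND '.join(must)
    for clause in must_not:
        query += f' NOT {clause}'
    return query


if __name__ == '__main__':
    # Constructed sample values, using field names shown on this page.
    print(field_clause('device.hostname', '(1+1)'))
    print(build_query([field_clause('user.username', 'fr*d')],
                      [field_clause('site.name', 'new site')]))
```
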
The maximum number of page entries for a search is 200 entries. The maximum number of matches that can be found is 10,000 entries, or 50 pages of 200 entries. If this limit is reached, you should refine the search or date range.
The check box allows you to select one or more activities. Select all activities shown by selecting the check box in the table header. Once you have made your selections, choose from the following options. To access all options, click the Row Actions icon.
The table displays the following information:
Column | Sortable? | Description |
---|---|---|
Entity | | To narrow the list, click the filter icon and select Device or User to filter by entity. NOTE You must have the Administrator security level to view this column. |
Category | | To narrow the list, click the filter icon and select a category. |
Action | | To narrow the list, click the filter icon and select an action. |
Date Created | | Displays how long ago the entry was created. Time stamps reflect the user time zone and preferred date format configured on the Setup > My Settings page. Hovering over any time stamp will show its date in the alternative format. Refer to User Time Zone and Date Format. |
Hostname | | Displays the name of the device the activity was performed on. Click the hyperlink to navigate to the device summary page. Refer to Device summary. |
Site | | Displays the name of the site the device belongs to. Click the hyperlink to navigate to the site summary page. Refer to Site summary. |
Username | | Displays the user who performed the activity. NOTE You must have the Administrator security level to view this column. |
Details | | Displays fields in the Activity Log as details related to the activity. For activities with a long list of details, click the more link to expand the list. Click Show Less to collapse the list. When a Datto RMM Support representative logs in to work on your account using Support Access, entries detailing their work will be recorded in the Activity Log. The actions will be listed under your username but the Details column will display the Datto RMM Support representative's email address. |
StdOut/StdErr | | Click the link to view the StdOut (standard output) or StdErr (standard error) results related to the activity. Click Download to download the associated file. For more information, refer to Activity Details. |
You can filter any columns with the filter icon in the table, or you can enter Activity Log search queries. Refer to Activity Log search. The Filtered by bar displays all applied column filters. If a search term includes wildcard characters (for example, underscores and percent signs), they serve as normal characters if they are preceded by a backslash. For details, refer to Wildcard characters. Click the X next to any filter to remove that filter. Click Reset Filters to return to the default view (Date Range: Last 24 Hours). If no filter is applied, the Filtered by bar displays Unfiltered. To view an Unfiltered list, click Reset Filters (if applicable) and then change the Date Range to Custom without choosing a start date or end date. Refer to Date Range in Activity Log search.
The filter selection in the columns will not persist the next time the page is accessed as the table will return to the default view.
The table density is set to condensed theme by default. To change it to relaxed theme, click the density toggle icon. The selection will persist across all pages.
The number of results displayed can be specified by selecting the desired number from the pagination control. This selection will persist the next time the page is accessed.