This topic provides information regarding the collection, storage, and retention of logs by the Device Posture service. Any capitalized terms not defined in the Definitions section carry the meaning specified in the Citrix End User Services Agreement.
Citrix Device Posture customer content resides in AWS and Azure cloud services. It is replicated to the following regions for availability and redundancy:
- East US
- West India
- Europe (Frankfurt)
- West US
- West Europe
- Asia (Singapore)
- South Central US
The following are the different destinations for the service configuration, runtime logs and events.
- Splunk service for system monitoring and debug logs, in the US location only.
- Citrix Analytics Service for the diagnostics and user access logs. For more information, see Citrix Analytics Service Data Governance.
- Citrix Cloud System Logs service for admin audit logs. For details, see Citrix Cloud Services Customer Content and Log Handling and Geographical Considerations.
Citrix Device Posture service allows the customer administrators to configure the service through the Device Posture UI. The following customer content is collected based on the device posture policy configuration and the platform:
- Operating system version
- Citrix Workspace app version
- MAC addresses
- Running processes
- Device certificate
- Registry details
- Windows installation update details
- Last Windows update details
- File system – file names, file hashes and modified time
- Domain name
For runtime logs collected by the service components, the key information consists of the following:
- Customer/tenant ID
- Device ID (Citrix generated unique identifier)
- Device posture scan output
- Public IP address of the endpoint device
Citrix Device Posture service sends logs to destinations protected by transport layer security.
Citrix Device Posture service does not currently provide options for the customers to turn off sending logs or prevent customer content from being replicated globally.
Based on the Citrix Cloud data retention policy, customer configuration data is purged from the service 90 days after the subscription has expired.
The log destinations maintain their service-specific data retention policy.
- For the retention policy for the Analytics logs, see Data Governance.
- The Splunk logs are archived and eventually removed after 90 days.
There are different data export options for different types of logs.
- The admin audit logs are accessible from the Citrix Cloud System Log console.
- The Splunk logs are not for customers to consume. These events can also be exported from Splunk as a CSV file.
- The Device Posture service diagnostics logs can be exported from the Citrix Analytics Service or Secure Private Access service dashboard as a CSV file.
- Customer Content means any data uploaded to a customer account for storage or data in a customer environment to which Citrix is provided access to perform Services.
- Log means a record of events related to the services, including records that measure performance, stability, usage, security, and support.
- Services means the Citrix Cloud services outlined earlier for the purposes of Citrix Analytics.