How Do I Check For An Unauthorized Download Of Data Using PowerSchool System Logs?

In this article, we will review how to download PowerSchool system logs to track user events. For the purposes of this article, we will use the example of an unauthorized user exporting a students table and a teachers table as a .csv. This process can be used for many purposes, including security-focused tasks such as investigating access by threat actors and data breaches.

In this example, we assume that we know the IP Address of a specific user, but you can also search for logged events based on UID.

Step 1: Check The “ps-log-audit” Log For A Download Action

You can download recent system logs by navigating to the PS Admin URL:

https://{yoursubdomainhere}.powerschool.com/admin/tech/log/systemlogdownload.html

Alternatively, you can navigate to the page manually via the clickable path:

System Management > Server (Category: System Management) > Download System Logs (Category: Server Performance)

Your page should look similar to the screenshot below:

  1. Select Server
    • There is likely only one option here
  2. File Type
    • Select “ps-log-audit”
  3. Select the checkbox that you wish to download
    • You should select the log file that represents the time period that you are interested in. For example, if we are looking at logs for 12/21/2024 to 12/22/2024, we will select the log that was modified right after the date of review.
  4. Click Download

Now that you are in possession of a .log file, open the file in a text editor of your choice and search for the IP address in question. For the sake of this example, we will assume that there is a questionable IP address originating from outside of our trusted IP range with a value of 91.218.50.11.

When you search the log in your text editor you may find something that looks like the following:

[Web Handler 123] 2024-12-22 03:18:27.08 UID=200A0 IP=91.218.50.11 XFF= URL=/ws/md/v1/massdata/executeExport/Students_export.csv KV= P=request_locale V=POST EX=abcdefghijklmnopqrstuvwxyz1

[Web Handler 124] 2024-12-22 18:13:49.838 UID=200A0 IP=91.218.50.11 XFF= URL=/ws/md/v1/massdata/executeExport/Teachers_export.csv KV= P=request_locale V=POST EX= abcdefghijklmnopqrstuvwxyz2

Red is the IP Address (the value after IP=).

Blue is the file that was exported (the file name at the end of the URL= value).

Green is the identifier used to learn more about this export (the value after EX=).

Step 2: Check The “mass-data” Log For The Details Of The Download Action

Return to the Download System Logs page in PowerSchool and download the relevant log that is of the File Type “mass-data”.

Your page should look similar to the screenshot below.

  1. Select Server
    • There is likely only one option here
  2. File Type
    • Select “mass-data”
  3. Select the checkbox that you wish to download
    • You should select the log file that represents the time period that you are interested in. For example, if we are looking at logs for 12/21/2024 to 12/22/2024, we will select the log that was modified right after the date of review.
  4. Click Download

Now that you are in possession of a .log file, open the file in a text editor of your choice and search for the matching identifiers from the previous step. For this example they were abcdefghijklmnopqrstuvwxyz1 and abcdefghijklmnopqrstuvwxyz2. Then you will be able to review the details of the export that occurred.


2024-12-22 03:18:34,100 [Web Handler 123 - EX= abcdefghijklmnopqrstuvwxyz1] INFO  com.pearson.powerschool.massdata.modules.coretables.CoreTableExportHandler - ----- Export Completed -----
Module: Students
Export ID: 100
User ID: 0
Total Records: 100
Total of Bytes Exported: 100
Total Elapsed Time: 0 Hours 0 Minutes 1 Seconds
Fields Exported: STUDENTS.State_ExcludeFromReporting, STUDENTS.First_Name, STUDENTS.Last_Name, STUDENTS.DOB, STUDENTS.SSN, STUDENTS.Emerg_Phone_1, STUDENTS.Emerg_Phone_2, STUDENTS.Student_Number

2024-12-22 18:13:49,995 [Web Handler 124 - EX= abcdefghijklmnopqrstuvwxyz2] INFO  com.pearson.powerschool.massdata.modules.coretables.CoreTableExportHandler - ----- Export Completed -----
Module: Teachers
Export ID: 100
User ID: 0
Total Records: 100
Total of Bytes Exported: 100
Total Elapsed Time: 0 Hours 0 Minutes 1 Seconds
Fields Exported: TEACHERS.dcid, TEACHERS.SSN, TEACHERS.Last_Name, TEACHERS.First_Name

Step 3: Preserve Logs

In the case of a confirmed breach, do not assume that the logs will be available forever. Download the logs as needed for future reference.
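
The search-and-match from Steps 1 and 2, as an added Python example that is not part of the original article or of PowerSchool's own tooling: it finds the export requests made from one IP address in ps-log-audit text, then looks up each EX identifier in mass-data text. The sample log text is constructed in the formats shown above; the function names, the third audit line and the SENSITIVE column list are assumptions.

```python
import re
# Constructed sample text in the two log formats shown in this article (not real log data).
AUDIT_LOG = """\
[Web Handler 123] 2024-12-22 03:18:27.08 UID=200A0 IP=91.218.50.11 XFF= URL=/ws/md/v1/massdata/executeExport/Students_export.csv KV= P=request_locale V=POST EX=abcdefghijklmnopqrstuvwxyz1
[Web Handler 124] 2024-12-22 18:13:49.838 UID=200A0 IP=91.218.50.11 XFF= URL=/ws/md/v1/massdata/executeExport/Teachers_export.csv KV= P=request_locale V=POST EX= abcdefghijklmnopqrstuvwxyz2
[Web Handler 125] 2024-12-22 19:00:00.000 UID=300B1 IP=10.0.0.5 XFF= URL=/ws/md/v1/massdata/executeExport/Students_export.csv KV= P=request_locale V=POST EX=constructedexportid0000003
"""
MASSDATA_LOG = """\
2024-12-22 03:18:34,100 [Web Handler 123 - EX= abcdefghijklmnopqrstuvwxyz1] INFO  com.pearson.powerschool.massdata.modules.coretables.CoreTableExportHandler - ----- Export Completed -----
Module: Students
Fields Exported: STUDENTS.First_Name, STUDENTS.Last_Name, STUDENTS.DOB, STUDENTS.SSN

2024-12-22 18:13:49,995 [Web Handler 124 - EX= abcdefghijklmnopqrstuvwxyz2] INFO  com.pearson.powerschool.massdata.modules.coretables.CoreTableExportHandler - ----- Export Completed -----
Module: Teachers
Fields Exported: TEACHERS.dcid, TEACHERS.SSN, TEACHERS.Last_Name, TEACHERS.First_Name
"""
AUDIT_RE = re.compile(r"^\[[^\]]*\] (?P<ts>\S+ \S+) UID=(?P<uid>\S*) IP=(?P<ip>\S*) .*?URL=(?P<url>\S*) .*?EX=\s*(?P<ex>\S*)")
MASS_RE = re.compile(r"^(?P<ts>\S+ \S+) \[[^\]]*EX=\s*(?P<ex>[^\]\s]+)\].*Export Completed")
SENSITIVE = {"SSN", "DOB"}  # assumption: column names to treat as high-risk; extend as needed

def exports_from_ip(audit_text, ip):
    """Step 1: map each EX identifier to (timestamp, UID, URL) for exports requested from ip."""
    rows = filter(None, map(AUDIT_RE.match, audit_text.splitlines()))
    return {m["ex"]: (m["ts"], m["uid"], m["url"]) for m in rows
            if m["ip"] == ip and "/executeExport/" in m["url"] and m["ex"]}

def export_details(massdata_text):
    """Step 2: map each EX identifier to the key/value lines of its 'Export Completed' block."""
    details, current = {}, None
    for line in massdata_text.splitlines():
        m = MASS_RE.match(line)
        if m:
            current = details.setdefault(m["ex"], {"Completed": m["ts"]})
        elif current is not None and ": " in line:
            current.update([line.split(": ", 1)])  # e.g. "Module: Students"
        else:
            current = None  # a blank or unrelated line ends the block
    return details

def correlate(audit_text, massdata_text, ip):
    """Join both logs on EX; 'found' is False when no mass-data block matches."""
    details, report = export_details(massdata_text), []
    for ex, (ts, uid, url) in exports_from_ip(audit_text, ip).items():
        d = details.get(ex, {})
        fields = [f.strip() for f in d.get("Fields Exported", "").split(",") if f.strip()]
        report.append({"ex": ex, "requested": ts, "uid": uid, "file": url.rsplit("/", 1)[-1],
                       "found": bool(d), "module": d.get("Module"),
                       "sensitive": [f for f in fields if f.split(".")[-1] in SENSITIVE]})
    return report
```

To use it on real data, read each downloaded .log file into a string and pass both to correlate(); an entry with found set to False means the mass-data file covering that time period has not been loaded yet.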

Updated on January 10, 2025