Audit logs track everything performed in the Admin Portal, as well as some logins. They do not record logins into an MFA client made with contactless cards, FIDO, Emergency Access (Question & Answer), or fingerprints. They do record PingMe, OTP, and VPN authentications.
Open the Audit Logs by clicking By Audit Logs on the left-hand side of the Reports tab.
A pop-up window will appear:
Clicking "Generate Report" with no criteria will pull the Audit Logs from all time. Depending on the size of your logs, the results can be slow or even time out.
Function
The dropdown box on the left-hand side of the Audit Logs window can be used to select any specific actions you are trying to find.
e.g. "PingMe" authentication attempts, "Edit User" if user info or statuses were changed, etc.
By User / For User
By User filters for actions performed by a particular user. This value typically shows users who make updates within the Admin Portal (despite the name).
e.g. The highlighted examples show that one_sys_admin edited the LAPTOP\Austin user and created another new one.
For User filters for actions performed on a given user. This value typically shows which user has attempted a login.
e.g. The highlighted examples show that the user successfully set their mobile PIN and that the LAPTOP\Austin user successfully used PingMe.
Time
Time allows you to create a window of dates to filter and show only the audit logs within that window. Otherwise, "Generate Report" will return logs from all time.
The dates used to create the window will be included in the report:
- Top box: start date
- Bottom box: end date
*Setting both boxes to the same day will return only the logs for that date.
Result
Result filters by the end result of the function or action taken.
Result Code | Definition |
---|---|
"Success" or "Failure" | seen with authentication attempts (PingMe, OTP, or VPN); any other appearance of "Success" means the function completed successfully |
Deactivated | when a user status is flipped to "Deactivated" in the Admin Portal |
AdHocQuery | seen with OTP; the SQL in the Info1 box is the code resetting the authentication attempt count |
*Audit Logs DO NOT capture local workstation logons for RFID, FIDO, fingerprint, or Emergency Access.
Show Time In Local Time
The MFA server logs in UTC, and Audit Logs show UTC times by default. Checking the "Show Time In Local Time" box converts the time column to your local machine's time (the example shown is a server in Central Standard Time).
*There is currently no way to make local time the default; the box has to be checked for each Audit Log report you run.
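Which calendar day a row belongs to depends on whether its time is read in UTC or in local time, which matters when reviewing failed attempts for a single date. The following added example (not code from the product or from this page) counts failures per For User over constructed rows; the CSV layout, the user jdoe, and the fixed UTC-6 offset used for Central Standard Time are assumptions.

```python
import csv
import io
from collections import Counter
from datetime import date, datetime, timedelta, timezone

# Constructed rows. Column names mirror the filters on this page; the CSV
# layout itself is an assumption, not the product's export format.
SAMPLE = r"""Time,Function,By User,For User,Result
2024-03-05 01:15:00,PingMe,,LAPTOP\Austin,Failure
2024-03-05 01:16:10,PingMe,,LAPTOP\Austin,Failure
2024-03-05 01:17:30,PingMe,,LAPTOP\Austin,Success
2024-03-05 14:02:00,Edit User,one_sys_admin,LAPTOP\Austin,Success
2024-03-05 15:40:00,OTP,,jdoe,Failure
2024-03-06 03:05:00,PingMe,,LAPTOP\Austin,Failure
"""

UTC = timezone.utc
CST = timezone(timedelta(hours=-6), "CST")  # fixed offset, no daylight saving


def parse_rows(text):
    """Read rows and attach an aware UTC datetime (the server logs in UTC)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        stamp = datetime.strptime(row["Time"], "%Y-%m-%d %H:%M:%S")
        row["utc"] = stamp.replace(tzinfo=UTC)
        rows.append(row)
    return rows


def failures_by_user(rows, start, end, tz, function=None):
    """Count Result == Failure per "For User" for rows whose calendar date,
    read in tz, lies in [start, end]; start == end selects a single day."""
    counts = Counter()
    for row in rows:
        day = row["utc"].astimezone(tz).date()
        if not (start <= day <= end) or (function and row["Function"] != function):
            continue
        if row["Result"] == "Failure":
            counts[row["For User"]] += 1
    return counts


if __name__ == "__main__":
    rows = parse_rows(SAMPLE)
    day = date(2024, 3, 5)
    for label, tz in (("UTC", UTC), ("CST", CST)):
        print(label, dict(failures_by_user(rows, day, day, tz, "PingMe")))
```

For the same date, the UTC reading attributes two PingMe failures to LAPTOP\Austin and the CST reading attributes one, so note which time column a report used before comparing counts.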