Audit Logs
Tracking your workgroup usage & events

About Audit Logs

Audit logs let you track key events and user usage generated within your workgroup in the Ardexa Web App. Each event records by whom and when it was triggered. Example events captured include: a file is sent to your device, a device is moved to another workgroup, a user logs in, or a device is renamed.
A detailed breakdown of audited events is provided below.
NOTE: Records captured in the audit_logs table are kept indefinitely.

Who can access and view Audit Logs?

Access to view this data is dependent on your workgroup and your role within that workgroup:
  • Users with the owner role are able to view the audit_logs table and conduct searches.
  • Anyone with the read audit logs permission.
All other role types do not have access to this data.

Where can I see the Audit Logs in the Ardexa Web App?

Under the [SEARCHES] tab, select the audit_logs table to begin building your search against this data.

Here are some of the events we capture

| ENTITY | ACTION | ATTRIBUTE | OLD_VALUE | NEW_VALUE | STATUS | COMMENTS |
|---|---|---|---|---|---|---|
| device | run | discovery | | network scan | | |
| device | run | discovery | | port scan | | |
| device | run | discovery | | open services | | |
| device | run | discovery | | modbus | | |
| device | move | workgroup.deviceId | <workgroupId>.<deviceId> | <workgroupId>.<deviceId> | | |
| device | get | certificate | | agentpack | | |
| device | get | certificate | | certpack | | |
| device | get | file | | <path>+<filename> | | |
| device | send | file | | <path>+<filename> | | |
| device | update | certificate | | replace | | |
| device | update | name | <old value> | <new value> | | |
| user | login | USER_ID | USER_ID | USER_ID | | |
| search | share | record | private | shared | | [name].nameOfTheSearch |
| dashboard | share | record | shared | shared | | [name].nameOfTheDashboard |
| search | delete | record | | <nameOfTheSearch> | success/failed | |
| table | delete | object | | <nameOfTheTable> | success/failed | |
| index | delete | object | | <dateOfTheIndex> | success/failed | |

Some further events captured in audit_logs

  • Device state: e.g. offline, online.
  • Device events: e.g. start_feed, stopAll_feed, against source and table.
  • Commands run against a device, and by whom, from [DEVICE] > [REMOTE SHELL].
  • Device configuration changes and updates.
  • Tunnel events: e.g. open, start.

How to read and understand your audit_logs searches

The audit_logs table works like any other search. You can build filters and show the columns relevant to your needs. To help you read this data, the most important fields and their descriptions are listed here:
| Field | Always? | Description |
|---|---|---|
| EVENT_TIME | Y | When the event was recorded. |
| CONTROLLER | Y | The component inside the Ardexa Web App that recorded and applied the event against the ENTITY. |
| DEVICE | N | The device that the event relates to, if the event was actually related to a device. |
| ENTITY | Y | The unit that was worked upon. Examples might be: device, user, workgroup. |
| ACTION | Y | The simple description of the event. Examples might be: get, update, send, run, login, move. |
| ATTRIBUTE | N | A simple description of the attribute that was affected by the action. |
| OLD_VALUE | N | If a prior value of the attribute is relevant and available for the action being applied, it will be captured here. |
| NEW_VALUE | N | Specifics for the audit event are captured here. For example: new attribute values, file names, descriptors of the event. |
| STATUS | N | Reports whether the attempted action was success or failed. For example, some events are thrown out due to permission limitations but there is still a need to know they were attempted, e.g. deleting the audit_log table. |
| WORKGROUP_ID | Y | The user's workgroup that was active when the user triggered the event. |
| USER_ID | Y | The details of the user that triggered the event. |

Can the audit_log Table be Deleted?

No.
The audit_log table is among a number of system tables that can never be deleted.
Any attempt to delete a table or an index, the audit_log table itself included, whether it succeeds or fails, is recorded as an entry in the audit_log table. This can be viewed through your searches on the audit_log table.
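
The events listed on this page can be turned into a simple review filter. The Python below is an added example, not Ardexa code: it assumes audit_logs records have been exported to CSV with the field names above as column headers (the export format, the sample rows and the helper names load, workgroup_of and triage are all assumptions) and flags delete attempts, device moves and private-to-shared changes.

```python
import csv
import io

# Constructed sample. Column names are a subset of the field table on this page;
# the CSV export format and every value are assumptions made for this example.
SAMPLE = """\
EVENT_TIME,DEVICE,ENTITY,ACTION,ATTRIBUTE,OLD_VALUE,NEW_VALUE,STATUS,WORKGROUP_ID,USER_ID
2024-01-05T09:00:00Z,,user,login,USER_ID,,,,wg-a,alice
2024-01-05T09:02:11Z,dev-17,device,update,name,pump-1,pump-01,,wg-a,alice
2024-01-05T09:05:40Z,dev-17,device,move,workgroup.deviceId,wg-a.dev-17,wg-b.dev-17,,wg-a,bob
2024-01-05T09:07:13Z,,search,share,record,private,shared,,wg-a,bob
2024-01-05T09:09:55Z,,table,delete,object,,audit_logs,failed,wg-a,bob
2024-01-05T09:10:20Z,,index,delete,object,,2023-12-01,success,wg-a,carol
"""


def load(text):
    """Parse the CSV text into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def workgroup_of(value):
    """Workgroup part of a '<workgroupId>.<deviceId>' value."""
    return value.split(".", 1)[0]


def triage(rows):
    """Return (EVENT_TIME, USER_ID, reason) tuples for events to review."""
    findings = []
    for r in rows:
        entity, action = r["ENTITY"], r["ACTION"]
        reason = None
        if action == "delete" and entity in ("search", "table", "index"):
            # Delete attempts are recorded whether they succeed or fail.
            target = r["NEW_VALUE"] or r["OLD_VALUE"] or "?"
            reason = f"{entity} delete {r['STATUS'] or 'unknown'}: {target}"
        elif (entity, action) == ("device", "move"):
            src, dst = workgroup_of(r["OLD_VALUE"]), workgroup_of(r["NEW_VALUE"])
            reason = f"device {r['DEVICE']} moved {src} -> {dst}"
        elif action == "share" and (r["OLD_VALUE"], r["NEW_VALUE"]) == ("private", "shared"):
            reason = f"{entity} changed from private to shared"
        if reason:
            findings.append((r["EVENT_TIME"], r["USER_ID"], reason))
    return findings


if __name__ == "__main__":
    for finding in triage(load(SAMPLE)):
        print(*finding, sep="  ")
```
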

An example audit_logs concise search

A suggested search to easily read the audit data (best viewed on a large monitor)