# Audit Logs
## About Audit Logs
Audit logs are provided to you as a means to track key events and user usage generated within your workgroup in the Ardexa Web App . Example events captured include by whom and when; a file is sent to your device, or a device was moved to another workgroup, when a user logged-in, or when a device was renamed.
A detailed breakdown of audited events is provided [**below**](https://docs.ardexa.com/knowledge/app.ardexa/search/audit_logs#here-are-some-of-the-events-we-capture).
{% hint style="info" %}
**NOTE:** Records captured in the `audit_logs` table are kept indefinitely.
{% endhint %}
## **Who can access and view Audit Logs?**
Access to view this data is dependent on your workgroup and your role within that workgroup:
* User role(s) of type:
* `owner`are able view the `audit_logs` table to conduct searches
* Anyone with the `read audit logs` permission.
All other role types **do not** have access to this data.
## Where can I see the Audit Logs in the Ardexa Web App?
Under the `[SEARCHES]` tab, select the `audit_logs` table to begin building your search against this data.
## Search Criteria for Common Searches
There are a number of fields associated with the audit trail, as discussed in the sections below. This table shows the common user actions that are logged, and how to search for them in the audit traill. The "action", "controller", "attribute", "new value" and "old value" refer to the fields in the audit trial. Please be aware that all the actions below have the "user\_id" field populated by the user that made the change. Also, the "status" field will indicate the success or failure of the command.
#### User Account Actions
| User Action | action | controller | attribute | new_value | old_value |
|---|
| Successful Login | login | auth | “MFA send challenge” (1) | No | No |
| Successful Login with MFA (1) | MFA login | auth |
| No | No |
| Failed Password Login | Login | auth |
| No | No |
| Invalid MFA code | MFA login | auth |
| No | No |
| User Profile Change | Update | me | record | Yes | Yes |
| Change Email (userid) | Request email change | me | email | Yes | Yes |
| Change Password | Change password | me |
| No | No |
| Logouts (3) |
|
|
|
|
|
(1): This will appear only if the user is using MFA
(3): Logouts, either by the user or by inactivity timeout, are currently not logged
#### Workgroup Actions
| User Action | action | controller | attribute | new_value | old_value |
|---|
| Change Workgroup Settings (2)(4) | (5) | workgroup-setting |
| Yes | Yes |
| Change Lookup Table (2)(4) | (5) | lookupTable |
| Yes | Yes |
| Run a Security Scan | bulk-run | Job |
| No | No |
| Device Group Actions (2)(4) | (5) | device-group |
| (4) | (4) |
(2): The “entity\_id” table entry in the audit table will also be populated, when undertaking this activity
(4): The “old\_value\_full” and/or “new\_value\_full” may be populated with this record
(5): This can be one of update, create or delete
#### User Permissions
| User Action | action | controller | attribute | new_value | old_value |
|---|
| User Permission Change (6) | update | org | permissions | Yes | Yes |
| Invite a User (9) | invite | org | membership | Yes | No |
| Remove a User (10) | remove | org | membership | No | Yes |
| New User | accept | org | invite | No | No |
(6): The user/device that is affected by the change will be in the “Comments” column
(9): The "new\_value" contains the user email that was invited and the workgroup invited to
(10): "old\_value" contains the removed user's email and the workgroup from which they were removed.
#### Tables and External Sources
| User Action | action | controller | attribute | new_value | old_value |
|---|
| Delete a Table | delete | storage | object | No | No |
| Delete an External Source | delete | externalSources | record | No | No |
| Create an External Source | create | externalSources | record | Yes | No |
#### Device Actions
| User Action | action | controller | attribute | new_value | old_value |
|---|
| Rename a Device | update | device | name | Yes | Yes |
| Create a new Device (6) | create | device | object | Yes | No |
| Remove a Device (6) | remove | device | object | No | Yes |
| Update a Certificate | update | device | certificate | Yes | No |
| Refresh Metadata | refresh_meta | websocket_device |
| No | No |
| Move a Device to a new Workgroup | move | device | workgroup.deviceId | Yes | Yes |
| Run a Command | run_cmd | websocket_device |
| No | No |
| Send a File | send | device | file | Yes | No |
| Get a File | get | device | file | Yes | No |
| Install a Plugin | install | plugin | {plugin name} | No | No |
| Uninstall a Plugin | uninstall | plugin | {plugin name} | No | No |
| Change Agent Config (7) | apply_config | websocket_device |
| No | No |
| Change Network Settings (8) | send | device | file | Yes | No |
| Network Scan | run | device | discovery | "network scan" | No |
| Port Scan | run | device | discovery | "port scan" | No |
| Open Services Scan | run | device | discovery | "open services" | No |
| Web Tunnel | start_session | remote_web |
| No | No |
| TCP Port Tunnel | open_tunnel | websocket_device |
| No | No |
Tunnel Start
| start_tunnel_session | websocket_device |
| No | No |
Tunnel Close | close_tunnel | websocket_device |
| No | No |
| Device Offline | offline | state_change |
| No | No |
| Device Online | online | state_change |
| No | No |
(6): The user/device that is affected by the change will be in the “Comments” column
(7): Details of the new config will be in the "config" field
(8): Details of file for interface config will be in the "new\_value" field
#### Alert Actions
| User Action | action | controller | attribute | new_value | old_value |
|---|
| Alert Changed | update | alert |
| (4) | (4) |
| Alert Deleted | delete | alert |
| No | No |
| Alert Created | create | alert |
| (4) | No |
(4): The “old\_value\_full” and/or “new\_value\_full” may be populated with this record
#### Search Actions
| User Action | action | controller | attribute | new_value | old_value |
|---|
| Change a Saved Search | update | search | name | Yes | Yes |
| Share a Search | share | search | record | Yes | Yes |
## How to read and understand your audit\_logs searches
The audit\_logs table works like any other search. You can build filters and show the columns relevant to your needs.\
\
To understand how you might go about reading this data, provided here, are the most important fields and their description:
| Field | Always? | Description |
| ----------------- | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **EVENT\_TIME** | Y | When the event was recorded. |
| **CONTROLLER** | Y | The component inside the Ardexa Web App that recorded and applied the event against the `ENTITY`. |
| **DEVICE** | N | The device that the event was related, if the event was actually related to a device. |
| **ENTITY** | Y | The unit or something that was worked upon. Examples might be: `device`, `user`, `workgroup,` |
| **ACTION** | Y | The simple description of the event. Examples might be:
get, update, send, run, login, move
|
| **ATTRIBUTE** | N | A simple description of the attribute that was affected by the action |
| **OLD\_VALUE** | N | If a prior value of the attribute is relevant and available for the action being applied then it will be captured here. |
| **NEW\_VALUE** | N | Specifics for the audit event are captured here. For example: new attribute values, files names, descriptors of the event |
| **STATUS** | N | Reports if the attempted action was `success` or `failed` .For example some events are thrown-out due to permission limitations but there is still a need to know it was attempted, eg deleting the `audit_log` table. |
| **WORKGROUP\_ID** | Y | The user's workgroup that the was active when the user triggered the event. |
| **USER\_ID** | Y | The user's details that triggered the event. |
## Can the audit\_log Table be Deleted?
{% hint style="success" %}
**No**.
The `audit_log` table is among a number of system tables that can never be deleted.
Any attempt to delete a table or an index, the `audit_log` table itself included, whether it succeeds or fails, is recorded as an entry in the audit\_log table. This can be viewed through your searches on the `audit_log` table.
{% endhint %}
## An example audit\_logs concise search
