Audit Logs

Tracking your workgroup usage & events

About Audit Logs

Audit logs are provided as a means to track key events and user activity generated within your workgroup in the Ardexa Web App. Example events captured include by whom and when a file was sent to a device, a device was moved to another workgroup, a user logged in, or a device was renamed.

A detailed breakdown of audited events is provided below.


NOTE: Records captured in the audit_logs table are kept indefinitely.

Who can access and view Audit Logs?

Access to view this data is dependent on your workgroup and your role within that workgroup:

  • Users with the owner role are able to view the audit_logs table to conduct searches.

  • Anyone with the read audit logs permission.

All other role types do not have access to this data.

Where can I see the Audit Logs in the Ardexa Web App?

Under the [SEARCHES] tab, select the audit_logs table to begin building your search against this data.

Search Criteria for Common Searches

There are a number of fields associated with the audit trail, as discussed in the sections below. The tables that follow show the common user actions that are logged, and how to search for them in the audit trail. The "action", "controller", "attribute", "new_value" and "old_value" columns refer to the fields in the audit trail. Please be aware that all the actions below have the "user_id" field populated by the user that made the change. The "status" field indicates the success or failure of the command.

User Account Actions

User Action                   | action               | controller | attribute                | new_value | old_value
------------------------------|----------------------|------------|--------------------------|-----------|----------
Successful Login              | login                | auth       | “MFA send challenge” (1) | No        | No
Successful Login with MFA (1) | MFA login            | auth       |                          | No        | No
Failed Password Login         | Login                | auth       |                          | No        | No
Invalid MFA code              | MFA login            | auth       |                          | No        | No
User Profile Change           | Update               | me         | record                   | Yes       | Yes
Change Email (userid)         | Request email change | me         | email                    | Yes       | Yes
Change Password               | Change password      | me         |                          | No        | No
Logouts (3)                   |                      |            |                          |           |

(1): This will appear only if the user is using MFA

(3): Logouts, either by the user or by inactivity timeout, are currently not logged

Workgroup Actions

User Action                      | action   | controller        | attribute | new_value | old_value
---------------------------------|----------|-------------------|-----------|-----------|----------
Change Workgroup Settings (2)(4) | (5)      | workgroup-setting |           | Yes       | Yes
Change Lookup Table (2)(4)       | (5)      | lookupTable       |           | Yes       | Yes
Run a Security Scan              | bulk-run | Job               |           | No        | No
Device Group Actions (2)(4)      | (5)      | device-group      |           | (4)       | (4)

(2): The “entity_id” field in the audit table will also be populated when undertaking this activity

(4): The “old_value_full” and/or “new_value_full” may be populated with this record

(5): This can be one of update, create or delete

User Permissions

User Action                | action | controller | attribute   | new_value | old_value
---------------------------|--------|------------|-------------|-----------|----------
User Permission Change (6) | update | org        | permissions | Yes       | Yes
Invite a User (9)          | invite | org        | membership  | Yes       | No
Remove a User (10)         | remove | org        | membership  | No        | Yes
New User                   | accept | org        | invite      | No        | No

(6): The user/device that is affected by the change will be in the “Comments” column

(9): The "new_value" contains the user email that was invited and the workgroup invited to

(10): The "old_value" contains the removed user's email and the workgroup from which they were removed

Tables and External Sources

User Action               | action | controller      | attribute | new_value | old_value
--------------------------|--------|-----------------|-----------|-----------|----------
Delete a Table            | delete | storage         | object    | No        | No
Delete an External Source | delete | externalSources | record    | No        | No
Create an External Source | create | externalSources | record    | Yes       | No

Device Actions

User Action                      | action               | controller       | attribute          | new_value       | old_value
---------------------------------|----------------------|------------------|--------------------|-----------------|----------
Rename a Device                  | update               | device           | name               | Yes             | Yes
Create a new Device (6)          | create               | device           | object             | Yes             | No
Remove a Device (6)              | remove               | device           | object             | No              | Yes
Update a Certificate             | update               | device           | certificate        | Yes             | No
Refresh Metadata                 | refresh_meta         | websocket_device |                    | No              | No
Move a Device to a new Workgroup | move                 | device           | workgroup.deviceId | Yes             | Yes
Run a Command                    | run_cmd              | websocket_device |                    | No              | No
Send a File                      | send                 | device           | file               | Yes             | No
Get a File                       | get                  | device           | file               | Yes             | No
Install a Plugin                 | install              | plugin           | {plugin name}      | No              | No
Uninstall a Plugin               | uninstall            | plugin           | {plugin name}      | No              | No
Change Agent Config (7)          | apply_config         | websocket_device |                    | No              | No
Change Network Settings (8)      | send                 | device           | file               | Yes             | No
Network Scan                     | run                  | device           | discovery          | "network scan"  | No
Port Scan                        | run                  | device           | discovery          | "port scan"     | No
Open Services Scan               | run                  | device           | discovery          | "open services" | No
Web Tunnel                       | start_session        | remote_web       |                    | No              | No
TCP Port Tunnel                  | open_tunnel          | websocket_device |                    | No              | No
Tunnel Start                     | start_tunnel_session | websocket_device |                    | No              | No
Tunnel Close                     | close_tunnel         | websocket_device |                    | No              | No
Device Offline                   | offline              | state_change     |                    | No              | No
Device Online                    | online               | state_change     |                    | No              | No

(6): The user/device that is affected by the change will be in the “Comments” column

(7): Details of the new config will be in the "config" field

(8): Details of the file for the interface config will be in the "new_value" field

Alert Actions

User Action   | action | controller | attribute | new_value | old_value
--------------|--------|------------|-----------|-----------|----------
Alert Changed | update | alert      |           | (4)       | (4)
Alert Deleted | delete | alert      |           | No        | No
Alert Created | create | alert      |           | (4)       | No

(4): The “old_value_full” and/or “new_value_full” may be populated with this record

Search Actions

User Action           | action | controller | attribute | new_value | old_value
----------------------|--------|------------|-----------|-----------|----------
Change a Saved Search | update | search     | name      | Yes       | Yes
Share a Search        | share  | search     | record    | Yes       | Yes
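To show how the rows in the tables above turn into search criteria, here is an added Python example; it is not Ardexa code and does not use the Ardexa Web App API. It encodes a handful of the (action, controller, attribute) combinations from the tables as match rules, labels constructed audit_logs records with the matching "User Action" name, and counts failed password logins and invalid MFA codes per user_id so that a burst of failures can be spotted. Assumptions: the record keys are the lower-case field names used on this page, the status values "success" and "failed" are constructed (the page only says the field reports success or failure), and the sample records and the burst threshold are made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not Ardexa code. Search criteria are taken from the action
# tables on this page as (action, controller, attribute); attribute None means
# the rule does not check that column. Action is compared case-insensitively
# because the tables write both "login" and "Login". The status literals
# "success"/"failed" are an assumption: the page only says the field reports
# whether the action succeeded or failed.
RULES = [
    ("Successful Login",                 "login",       "auth",             None,                 "success"),
    ("Failed Password Login",            "login",       "auth",             None,                 "failed"),
    ("Successful Login with MFA",        "mfa login",   "auth",             None,                 "success"),
    ("Invalid MFA code",                 "mfa login",   "auth",             None,                 "failed"),
    ("User Permission Change",           "update",      "org",              "permissions",        None),
    ("Run a Command",                    "run_cmd",     "websocket_device", None,                 None),
    ("Send a File",                      "send",        "device",           "file",               None),
    ("TCP Port Tunnel",                  "open_tunnel", "websocket_device", None,                 None),
    ("Move a Device to a new Workgroup", "move",        "device",           "workgroup.deviceId", None),
]

FAILED_AUTH = {"Failed Password Login", "Invalid MFA code"}


def label(record):
    """Return the 'User Action' name from the tables that a record matches, or None."""
    for name, action, controller, attribute, status in RULES:
        if record.get("action", "").lower() != action:
            continue
        if record.get("controller") != controller:
            continue
        if attribute is not None and record.get("attribute") != attribute:
            continue
        if status is not None and record.get("status") != status:
            continue
        return name
    return None


def search(records, name):
    """Equivalent of a saved audit_logs search for one row of the tables."""
    return [r for r in records if label(r) == name]


def failed_auth_bursts(records, window=timedelta(minutes=10), threshold=3):
    """Users with at least `threshold` failed password/MFA logins inside `window`.

    Returns {user_id: largest number of failures seen in any single window}.
    """
    times = defaultdict(list)
    for r in records:
        if label(r) in FAILED_AUTH:
            times[r["user_id"]].append(datetime.fromisoformat(r["event_time"]))
    hits = {}
    for user, ts in times.items():
        ts.sort()
        best, start = 0, 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:   # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[user] = best
    return hits


def _rec(t, user, controller, action, status, attribute=None, device=None, new_value=None):
    # Builds a constructed sample record using this page's field names.
    return {"event_time": t, "user_id": user, "workgroup_id": "wg-1", "controller": controller,
            "action": action, "attribute": attribute, "device": device,
            "status": status, "new_value": new_value, "old_value": None}


# Constructed sample records (not real audit data).
SAMPLE = [
    _rec("2024-03-01T08:00:00", "alice", "auth", "Login", "failed"),
    _rec("2024-03-01T08:02:30", "alice", "auth", "Login", "failed"),
    _rec("2024-03-01T08:05:10", "alice", "auth", "login", "success", attribute="MFA send challenge"),
    _rec("2024-03-01T08:05:40", "alice", "auth", "MFA login", "failed"),
    _rec("2024-03-01T08:06:05", "alice", "auth", "MFA login", "success"),
    _rec("2024-03-01T09:10:00", "bob", "websocket_device", "run_cmd", "success", device="dev-7"),
    _rec("2024-03-01T09:12:00", "bob", "device", "send", "success", attribute="file",
         device="dev-7", new_value="update.tar.gz"),
    _rec("2024-03-01T10:00:00", "carol", "org", "update", "success", attribute="permissions",
         new_value="read audit logs"),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(f"{r['event_time']} {r['user_id']:6} {label(r)}")
    print("failed-auth bursts:", failed_auth_bursts(SAMPLE))
```

The same rule list can be extended row by row from the tables; the point of keying on status rather than on the capitalisation of the action is that the tables distinguish a successful and a failed login only by "login" versus "Login", which is too fragile to search on.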

How to read and understand your audit_logs searches

The audit_logs table works like any other search: you can build filters and show the columns relevant to your needs. To help you read this data, the most important fields and their descriptions are provided here:

Field        | Always? | Description
-------------|---------|------------
EVENT_TIME   | Y       | When the event was recorded.
CONTROLLER   | Y       | The component inside the Ardexa Web App that recorded and applied the event against the ENTITY.
DEVICE       | N       | The device the event relates to, if the event was related to a device.
ENTITY       | Y       | The object that was acted upon. Examples might be: device, user, workgroup.
ACTION       | Y       | A short description of the event. Examples might be: get, update, send, run, login, move.
ATTRIBUTE    | N       | A short description of the attribute that was affected by the action.
OLD_VALUE    | N       | If a prior value of the attribute is relevant and available for the action being applied, it will be captured here.
NEW_VALUE    | N       | Specifics of the audit event are captured here. For example: new attribute values, file names, descriptors of the event.
STATUS       | N       | Reports whether the attempted action succeeded or failed. For example, some events are rejected due to permission limitations, but there is still a need to know they were attempted, e.g. deleting the audit_log table.
WORKGROUP_ID | Y       | The user's workgroup that was active when the user triggered the event.
USER_ID      | Y       | Details of the user who triggered the event.
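As an added example of reading these fields together (not Ardexa code, and independent of the example under the action tables), the Python below renders one line per record from CONTROLLER, ACTION, ATTRIBUTE, OLD_VALUE, NEW_VALUE and STATUS, lists the attempts that STATUS marks as failed (the page's own example being a refused deletion of the audit_log table), and reconstructs the change history of one attribute from the OLD_VALUE/NEW_VALUE pairs, reporting any step whose OLD_VALUE does not continue from the previous NEW_VALUE. Assumptions: record keys are the lower-case field names, the status values "success"/"failed" are constructed, the ENTITY value "table" for the refused delete is constructed, and the sample records are made up.

```python
# Added example, not Ardexa code: reads audit_logs records using the field
# names described on this page. The status literals "success"/"failed" are an
# assumption; the page only says STATUS reports success or failure.


def describe(r):
    """One human-readable line per audit record."""
    who = f"{r['user_id']}@{r['workgroup_id']}"
    what = f"{r['controller']}/{r['action']}"
    if r.get("attribute"):
        what += f" {r['attribute']}"
    target = r.get("device") or r.get("entity") or "-"
    change = ""
    if r.get("old_value") is not None or r.get("new_value") is not None:
        change = f" {r.get('old_value')!r} -> {r.get('new_value')!r}"
    return f"{r['event_time']} {who} {what} on {target}{change} [{r['status']}]"


def failed_attempts(records):
    """Records whose STATUS shows the action was refused, e.g. a denied delete of the audit log table."""
    return [describe(r) for r in records if r.get("status") == "failed"]


def attribute_history(records, entity, device, attribute):
    """Ordered (event_time, old, new) transitions for one attribute of one device,
    plus a list of gaps (event_time, expected_old, actual_old) where an old_value
    does not continue from the previous new_value. A gap means a change happened
    that this slice of the log did not capture, which is worth a closer look."""
    rows = sorted((r for r in records
                   if r.get("entity") == entity and r.get("device") == device
                   and r.get("attribute") == attribute and r.get("status") == "success"),
                  key=lambda r: r["event_time"])
    history, gaps, last = [], [], None
    for r in rows:
        history.append((r["event_time"], r["old_value"], r["new_value"]))
        if last is not None and r["old_value"] != last:
            gaps.append((r["event_time"], last, r["old_value"]))
        last = r["new_value"]
    return history, gaps


def _rec(t, user, controller, action, attribute, entity, device, old, new, status):
    # Builds a constructed sample record using this page's field names.
    return {"event_time": t, "user_id": user, "workgroup_id": "wg-1", "controller": controller,
            "action": action, "attribute": attribute, "entity": entity, "device": device,
            "old_value": old, "new_value": new, "status": status}


# Constructed sample records (not real audit data). The third one is the
# page's own example of a refused action: an attempt to delete the audit log table.
SAMPLE = [
    _rec("2024-03-01T09:00:00", "alice", "device", "update", "name", "device", "dev-7",
         "pump-1", "pump-01", "success"),
    _rec("2024-03-01T09:30:00", "alice", "device", "update", "name", "device", "dev-7",
         "pump-01", "pump-A", "success"),
    _rec("2024-03-02T11:00:00", "dave", "storage", "delete", "object", "table", None,
         None, None, "failed"),
    _rec("2024-03-03T15:00:00", "bob", "device", "update", "name", "device", "dev-7",
         "pump-B", "pump-C", "success"),
]

if __name__ == "__main__":
    for line in map(describe, SAMPLE):
        print(line)
    print("refused attempts:", failed_attempts(SAMPLE))
    history, gaps = attribute_history(SAMPLE, "device", "dev-7", "name")
    print("rename history:", history)
    print("gaps:", gaps)
```

In the sample, the third rename starts from "pump-B" although the last recorded value was "pump-A", so attribute_history reports one gap; on real data that is the prompt to widen the search window or check other controllers that can change the same attribute.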

Can the audit_log Table be Deleted?

A suggested search to easily read the audit data (best viewed on a large monitor)
