Audit logs

Xshield records critical events and the actions users perform as audit logs. Each audit log captures when the event occurred, the action performed, and the actors and entities involved. Audit logs help you review user activity on an Xshield instance and take corrective action if needed.

Audit logs are not purged from an instance. The audit logs you see for an instance cover the entire period from when the instance was created and became active.


Audit log categories

Audit logs are categorized by the type of audit event (the activity performed during the event). The audit log categories are:

  • Access Parameter - logs for creating, updating, and deleting Access parameters

  • Access Policy - logs for creating, updating, and deleting Access policies

  • API Auth Key Generator - logs for creating, updating, and deleting API keys for the Flow Explorer API

  • Authentication - logs for successful and failed login attempts to the instance

  • Corporate Policy Template - logs for creating, updating, and deleting Corporate policy templates

  • Groups - logs for adding, updating, or deleting the administrative user groups that have access to the instance

  • Managed Endpoint - logs for creating, updating, and deleting Endpoint groups

  • Managed Workload - logs for creating, updating, and deleting Workload groups

  • Network Group - logs for creating, updating, and deleting Network groups

  • Quarantine Template - logs for creating, updating, and deleting Quarantine templates

  • Instances - logs for third-party integrations with the instance, downloading CSV files and reports from the instance, and enabling or disabling alerts for the instance

  • Security Policy Template - logs for creating, updating, and deleting Security policy templates

  • Security Sightings Report - logs for generating and downloading Security sightings reports

  • System - logs for events such as upgrading agents and decommissioning assets

  • Users - logs for administrative activities that users perform on the instance. For example, enabling and disabling Xshield features from the UI.


See audit logs

  • To see the audit logs for an instance, go to Settings > Audit log.

    The audit logs are listed in a tabular view. The table displays the category of the audit log, a brief description of the logged event/action, and the timestamp of the event.


Sort and filter audit logs

  • Click the arrow next to the Time Stamp column header to sort the audit logs in chronological or reverse chronological order.

Audit logs can be filtered at two levels: by the category of the audit log and by the text in the Event column of the audit log. The filters are additive, so the search text is applied only to the logs in the selected categories.

  • To filter audit logs by categories, click the Audit Type drop-down list and select the categories.

  • To filter audit logs by the text in the Event column, enter the text in the Search box.

For example, filter audit logs by the System category, then search those 'System' logs for the agent version to which the assets were upgraded.


Download audit logs

  • Click the Download icon (next to the Search box) to download all or selected (filtered by the log categories and/or search text) audit logs as a CSV file.
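The following Python script is an added example, not part of this documentation or of Xshield itself. It shows how the additive category and Event-text filters and the Time Stamp sort described above can be reproduced offline over a downloaded CSV, so that a reviewer can, for instance, isolate failed logins or agent upgrades without the UI. The column names, timestamp format, and log rows are constructed assumptions; a real export may differ.

```python
import csv
import io
from datetime import datetime

# Constructed sample of an exported audit log. The three columns mirror the
# fields the Audit log table shows (category, event, timestamp); the exact
# column names and timestamp format of a real Xshield export are assumptions.
SAMPLE_CSV = """\
Audit Type,Event,Time Stamp
Authentication,Successful login for user alice,2024-03-01T09:15:00Z
Authentication,Failed login attempt for user bob,2024-03-01T09:16:30Z
System,Agent upgraded to version 5.2.1 on asset web-01,2024-03-01T10:00:00Z
System,Asset db-02 decommissioned,2024-03-02T08:45:00Z
Authentication,Failed login attempt for user bob,2024-03-02T09:00:10Z
System,Agent upgraded to version 5.2.1 on asset web-02,2024-03-02T11:30:00Z
"""


def load_audit_log(text):
    """Parse the CSV export into a list of dicts and add a parsed timestamp."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = datetime.strptime(row["Time Stamp"], "%Y-%m-%dT%H:%M:%SZ")
    return rows


def filter_audit_log(rows, categories=None, search=None, newest_first=True):
    """Apply the two UI filters additively: category drop-down, then Event search.

    The category filter narrows the rows first; the case-insensitive search text
    is then matched only against the Event column of the remaining rows.
    """
    out = rows
    if categories:
        out = [r for r in out if r["Audit Type"] in categories]
    if search:
        needle = search.lower()
        out = [r for r in out if needle in r["Event"].lower()]
    # Sort by Time Stamp, as the column-header arrow does in the UI.
    return sorted(out, key=lambda r: r["ts"], reverse=newest_first)


def count_by_category(rows):
    """Summarise how many logs fall into each audit log category."""
    counts = {}
    for r in rows:
        counts[r["Audit Type"]] = counts.get(r["Audit Type"], 0) + 1
    return counts


if __name__ == "__main__":
    log = load_audit_log(SAMPLE_CSV)
    for r in filter_audit_log(log, categories={"System"}, search="5.2.1"):
        print(r["ts"].isoformat(), r["Audit Type"], r["Event"])
    print(count_by_category(filter_audit_log(log, search="failed login")))
```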


Next steps

  • Integrate a third-party Syslog collection and analysis tool with the Xshield instance, and send the audit logs and alerts to the third-party tool. See Integrate third-party Syslog tools for more details.
