Need to find if a user's login/logout activities, create or delete an item from applications? If so, you can use the audit log search tool in the admin portal to search the unified audit log to view user and administrator activity in your organization. Lots of user and admin operations performed in Yeeflow are captured, recorded, and retained in your organization's unified audit log. System admin in your organization can use the audit log search tool to search for, and view the audit records for these operations.
Before you search the audit log
- When an audited activity is performed by a user or admin, an audit record is generated and stored in the audit log for your organization. Audit records are retained (and searchable in the audit log) for 90 days by default.
- Yeeflow doesn't guarantee a specific time after an event occurs for the corresponding audit record to be returned in the results of an audit log search. Audit record availability is less than 24 hours as the backend job will push those records to log server 1 time everyday.
- For each search, the data range are limited with maximum 7 days.
Run an audit log search
Sign in to Yeeflow, and go to the admin center. Click the "Security" icon to open the security settings page.
In the left pane of the security settings list, click Audit logs. The Audit logs page is displayed.
On the Search tab, configure the following search criteria:
- Start date and End date: Select a date and time range to display the events that occurred within that period. The date and time are presented in local time. The maximum date range that you can specify is 90 days. You can select 7 days for each search.
- Activities: Click the drop-down list to display the activities that you can search for. You can select specific activities. After you run the search, only the audit log entries for the selected activities are displayed. Leave blank to displays results for all activities performed by the selected users.
Users: Click in this box and then select one or more users to display search results for. The audit log entries for the selected activity performed by the users you select in this box are displayed in the list of results. Leave this box blank to return entries for all users (and service accounts) in your organization.
- Click Search to run the search using your search criteria.
- The search results are loaded, and after a few moments they are displayed on this page. When the search is finished, the number of results found is displayed.
View the search results
The results of an audit log search are displayed under Results on the Audit log search page. Each page will display 20 records by default. You can select the dropdown from the pagination to change the number of each page's records.
The results contain the following information about each event returned by the search:
Date: The date and time (in your local time) when the event occurred.
IP address: The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format.
User: The user (or service account) who performed the action that triggered the event.
Activity: The activity performed by the user. This value corresponds to the activities that you selected in the Activities drop down list.
Item: The object that was created or modified as a result of the corresponding activity. For example, the item that was viewed or modified or the user account that was updated. Not all activities have a value in this column.
Detail: Additional information about an activity. Again, not all activities have a value.
View the details for a specific event
You can view more details about an event by clicking the event record in the list of search results. A flyout page is displayed that contains the detailed properties from the event record. The properties that are displayed depend on the service in which the event occurs.