How to review Audit Logs

Introduction

Your Aembit tenant includes the ability for you to review detailed audit log information so you can troubleshoot any issues encountered in your environment. Having this data readily available can assist you in diagnosing any issues that may arise, while also providing you with detailed information about these events.

Retrieving audit log data

To retrieve event information from audit logs, perform the following steps:

Log into your Aembit tenant with your user credentials.
Click the Reporting link in the left navigation pane. You are then directed to the Reporting Dashboard page.
Click the Audit Logs tab at the top of the page, Aembit displays the Audit Logs dashboard.

Audit Logs Main Page

At the top of the page, you see the following dropdown menus:

Timespan - The period of time you would like to have audit logs data displayed. The default display value is 30 Days.
Category - The type of event information you want displayed. The default display value is All.
Severity - The level of importance of the event. The default display value is All.

Select the period of time you would like to view by clicking on the Timespan dropdown menu. Options are:
- 1 Day, 15 Days, 30 Days, 3 Months, 6 Months, 1 Year, or All
Select the event information you would like to view by clicking on the Category dropdown menu. Options are:
- AccessConditions, AccessPolicies, AgentControllers, Agents, Authentication, CredentialProvider, IdentityProviders, Integrations, Log Streams, Resource Sets, Roles, Tenant, TrustProvider, Users, Workloads, or All
Select the severity level of the results you would like to view by clicking on the Severity dropdown menu. Options are:
- Alert, Warn, Info, or All
Once you have selected your filtering options, the table displays the audit log information based on these selections.

Audit logs reporting example

If you would like to review detailed audit log information for an event, select the event. This expands the window for that event, enabling you to see both a summary of the event (on the left side of the information panel), and detailed JSON output (on the right side of the information panel).

The following example shows audit log information for an event where Trust Provider attestation failed.

Audit Logs Reporting Example

In the left side of the information panel, you see a summary of the event information displayed, including:

Timestamp - The time the event was recorded.
Actor - The entity responsible for the request.
Category - The category of the event.
Activity - The type of request being made.
Target - The identifier of the entity that you are running the activity against. For example, if you are editing a Credential Provider, the target is the name of the Credential Provider.
Result - The result of the event.
Client IP - The IP address of the user or workload that executed the action that is recorded by the audit log.
Browser - The browser used by the client.
Operating System - The operating system used by the client.
User Agent - The User-Agent HTTP header included in the API request that generated the audit log activity.

In the right side of the information panel, you see the more granular, detailed information, including:

ExternalID - The external ID of the audit log.
Resource Set ID - The Resource Set ID of the entity affected by the audit log generating activity.
Category - The category of the event in the audit log.
Actor - The entity responsible for the request.
Activity - The type of request being made.
Target - The target entity of the action represented by the audit log record.
Client - The metadata for the Client (e.g. browser) environment.
Outcome - The verdict of the request.
Trust Provider - The Trust Provider used in the request. Note that this value is only applicable for Trust Provider attestation based authentication (e.g. Agent Controller attested authentication or Proxyless authentication).
Severity - The severity of the event.
Created At - The time the request was made.