Administration Console: Audit Logs

Document created by user.oxriBaJeN4 Employee on Sep 15, 2015. Last modified by user.oxriBaJeN4 Employee on Dec 14, 2018. Version 11.

Audit Logs allow you to search, review, and export logs of account access and of configuration changes made by administrators. This guide describes what the audit log files contain and how to access and search them.

 

Applies To...

 

  • Administrators responsible for monitoring changes and events that have occurred in their account.

 

Audit Log Contents

The logs are read-only but can be exported.

Each log file is an audit of activity on your account, whether it is performed automatically, by an administrator, or a user. Some of the event types captured are:

  • Account changes
  • User account changes (including password changes)
  • New, amended, or deleted policies / definitions
  • Directory synchronization
  • Journal failures
  • Folders being created or updated
  • User login attempts and failures

 

Accessing Audit Logs

When using an option other than "All" to search for an audit log, technical limitations in the method of storing audit files mean the "All" option is still applied. This is expected for log files older than 30 days, but also occurs for log files younger than 30 days.

To access the audit logs:

  1. Log on to the Administration Console.
  2. Click on the Administration toolbar button. A menu drop down is displayed.
  3. Click on the Account | Audit Logs menu item. A list of log files is displayed.
  4. Click on a Log File to display its content. This pops out in a panel on the right hand side.
  5. Click the X icon in the top right hand corner of the popup panel to close it. 


 

Searching Audit Logs

 

To search for particular audit logs and apply filters:

  1. Click on the All pull down menu and select one of the following:
    • User: Searches by the administrator who performed the action.
    • Type: Searches by the type of event that generated the log (e.g. "Policy Deleted", "Existing Policy Changed").
    • Details: Searches by the known details about the event or changes made.
  2. Enter any known details in the Search field.
  3. Click on the Search Icon. Your results are displayed.

Applying Custom Dates

 

By default, log files are displayed from the previous seven days, though they are available to access indefinitely regardless of your account's retention period.

 

To view audit logs by an alternative date range:

  1. Click on the 1 week pull down menu.
  2. Select a time period. To apply an optional custom date range:
    1. Click on the Custom Range menu item. A date picker displays.
    2. Select your custom Date and Time period.
    3. Click on the Select button.

 

Applying Filters


To apply category filters to the logs displayed:

  1. Click on the Filter drop down menu.
  2. Check the boxes of the log file categories you wish to display. 
  3. Click on the Apply button.

 

Exporting Audit Logs

 

You can export the audit logs displayed, from your search results and / or from a selected or custom time period.

 

To export audit logs:

  1. Click on the Export button. The Export Log panel displays.
  2. Complete the following:
    1. Columns to Include: Check the boxes of the information you wish to include.
    2. Format: Select either .CSV or .XLS as the file format.
    3. Email: Enter the recipient's email address.
  3. Click the Export button. An email notification is sent to the recipient to confirm the export has started.
  4. Once complete, the exported file is emailed to the recipient as an attachment.

 

Log Events

 

A log displays the following details about each event:

 

  • User: Displays the email address of the user who triggered the event. "Automated Task Manager" is displayed if the event was automatically triggered.
  • Category: Displays the category of event that generated the log file (e.g. "Policy Logs", "Account logs").
  • Type: Displays the type of event that generated the log file (e.g. "New Policy", "Completed Directory Sync").
  • Details: Displays brief details about the event or changes made. The details displayed depend on the type of event. While the list below is not all-inclusive, some common examples include:
    • User Logged On: A user has logged on to the Administration Console. Information provided:
      • User's logon
      • Date and time
      • IP address
    • Logon Authentication Failed: A user attempted to log on to the Administration Console, but their authentication failed. Information about failed authentication is only logged for known users. Information provided:
      • User's logon
      • Date and time
      • IP address
      • Application used to access Mimecast (e.g. Administration Console, MPP, CCM, Mobile).
    • Account Updated: A user's account details were amended. Information provided:
      • Administrator
      • Date and time
      • Account details
    • New Policy: A policy was created. Information provided:
      • Administrator
      • Date and time
      • Policy type
      • Full policy details
    • Policy Deleted: A policy was deleted. Information provided:
      • Administrator
      • Date and time
      • Policy type
      • Full policy details
    • Completed Directory Sync: A scheduled Directory Synchronization was completed. Information provided:
      • Date and time
      • Number of domains
      • Users and groups processed
    • Folder Log Entry: A folder was either created or deleted. Information provided:
      • Administrator
      • Date and time
      • Folder name
    • Existing User Role Updated: A user role was amended. Information provided:
      • Administrator
      • Date and time
      • Role name
    • User added / removed from role: A user was added or removed from a role. Information provided:
      • Administrator
      • Date and time
      • Role name
      • User's logon
    • User Settings Updated: A user account was updated. Information provided:
      • Administrator
      • Date and time
      • User account details
      • User's permissions
    • User Password Changed: A user's password was changed. Information provided:
      • Administrator
      • Date and time
      • User account details
      • User's permissions
    • Stationery Log Entry: A stationery layout was created or amended. Information provided:
      • Administrator
      • Date and time
      • Stationery Layout name
      • Short code
      • Links
    • Unlock eDiscovery Case: This is an automatic process.
      Unlocked eDiscoverycase: <Case Name>
      The email address used to generate the log entry will be admin@mimecast.local.
  • Date / Time: Displays the date and time that the audit log was created.

All archive searches can be viewed in the search logs and the actual viewing of any message (metadata and content) can be seen in the message view logs.
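
An added example, not part of the original guide and not vendor code: once an export has arrived as a .CSV file, a script can scan it for bursts of "Logon Authentication Failed" events, flag a "User Logged On" that follows such a burst for the same user, and list high-impact changes for review. The column names mirror the event fields above; the timestamp format, category names, Details wording and all sample rows are assumptions constructed for illustration.

```python
import csv
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. Column names follow the event fields listed above;
# the timestamp format, category names and Details wording are assumptions.
SAMPLE_CSV = """User,Category,Type,Details,Date / Time
bob@example.com,Authentication Logs,Logon Authentication Failed,"IP: 198.51.100.4, App: Administration Console",2018-12-14 08:00:00
bob@example.com,Authentication Logs,User Logged On,IP: 198.51.100.4,2018-12-14 08:01:00
Automated Task Manager,Account logs,Completed Directory Sync,Domains: 1,2018-12-14 08:30:00
alice@example.com,Authentication Logs,Logon Authentication Failed,"IP: 203.0.113.7, App: Administration Console",2018-12-14 09:00:05
alice@example.com,Authentication Logs,Logon Authentication Failed,"IP: 203.0.113.7, App: Administration Console",2018-12-14 09:01:10
alice@example.com,Authentication Logs,Logon Authentication Failed,"IP: 203.0.113.7, App: Administration Console",2018-12-14 09:02:30
alice@example.com,Authentication Logs,User Logged On,IP: 203.0.113.7,2018-12-14 09:03:00
alice@example.com,Policy Logs,Policy Deleted,Policy type: Content Examination,2018-12-14 09:05:00
"""

FAILED, LOGGED_ON = "Logon Authentication Failed", "User Logged On"
REVIEW_TYPES = {"Policy Deleted", "User Password Changed", "User added / removed from role"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def load_events(text):
    """Parse the exported CSV text and return the events sorted by time."""
    events = []
    for row in csv.DictReader(text.splitlines()):
        ip = IPV4.search(row["Details"])
        when = datetime.strptime(row["Date / Time"], "%Y-%m-%d %H:%M:%S")
        events.append({"user": row["User"], "type": row["Type"], "time": when,
                       "ip": ip.group(0) if ip else None})
    return sorted(events, key=lambda e: e["time"])

def analyse(events, threshold=3, window=timedelta(minutes=10)):
    """Return (failure bursts, logons right after a burst, changes to review)."""
    failures = defaultdict(list)  # user -> failed-logon times still inside the window
    bursts, logons_after_burst, changes = [], [], []
    for e in events:
        recent = [t for t in failures[e["user"]] if e["time"] - t <= window]
        if e["type"] == FAILED:
            recent.append(e["time"])
            if len(recent) == threshold:  # report once, when the threshold is crossed
                bursts.append((e["user"], e["ip"]))
        elif e["type"] == LOGGED_ON and len(recent) >= threshold:
            logons_after_burst.append((e["user"], e["ip"]))
            recent = []  # the burst has been reported; start counting afresh
        elif e["type"] in REVIEW_TYPES:
            changes.append((e["user"], e["type"]))
        failures[e["user"]] = recent
    return bursts, logons_after_burst, changes
```

Because failed authentication is only logged for known users, this check covers guessing against existing accounts only; attempts against non-existent logons never appear in the export.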
