Administration Console: Auditing Logs Files

Document created by user.oxriBaJeN4 Employee on Sep 15, 2015. Last modified by user.oxriBaJeN4 Employee on Jun 15, 2017.
Version 8

This guide describes what is contained inside the auditing log files, as well as how to access this information.

 

Applies To...

 

  • Administrators responsible for monitoring changes and events that have occurred in their account.

 

Audit Log Contents

The logs are read only, and are available indefinitely regardless of your account's retention period.

Each log file is an audit of activity on your account, whether it is performed automatically, by an administrator, or by a user. Some of the event types captured are:

  • Account changes
  • User account changes (including password changes)
  • New, amended, or deleted policies / definitions
  • Directory synchronization
  • Journal failures
  • Folders being created or updated
  • User login attempts and failures

 

Accessing the Log Files

When you search for an audit log using an option other than "All", the "All" option is still applied because of technical limitations in how audit files are stored. This is expected for log files older than 30 days, but it also occurs for log files younger than 30 days.

To access the log files:

  1. Log in to the Administration Console.
  2. Click on the Administration toolbar button. A drop-down menu is displayed.
  3. Click on the Account | Audit Logs menu item. A list of log files is displayed.
  4. Click on a Log File to display its content. This pops out in a panel on the right-hand side.
  5. Click the X icon in the top right-hand corner of the popup panel to close it.

    Audit Log details

 

Log File Events

 

A log displays the following details about each event:

 

Event Information: User
Description: Displays the email address of the user who triggered the event. "Automated Task Manager" is displayed if the event was automatically triggered.

Event Information: Category
Description: Displays the category of event that generated the log file (e.g. "Policy Logs", "Account logs").

Event Information: Type
Description: Displays the type of event that generated the log file (e.g. "New Policy", "Completed Directory Synch").

Event Information: Details
Description: Displays brief details about the event or changes made. The details displayed depend on the type of event, but some common examples include:

    Event: User Logged On
    Description: A user has logged on to the Administration Console.
    Information Provided:
      • User's logon
      • Date and time
      • IP address

    Event: Logon Authentication Failed
    Description: A user has attempted to log on to the Administration Console, but their authentication failed. Information about failed authentication is only logged for known users.
    Information Provided:
      • User's logon
      • Date and time
      • IP address
      • Application used to access Mimecast (e.g. Administration Console, MPP, CCM, Mobile).

    Event: Account Updated
    Description: A user's account details were amended.
    Information Provided:
      • Administrator
      • Date and time
      • Account details

    Event: New Policy
    Description: A policy was created.
    Information Provided:
      • Administrator
      • Date and time
      • Policy type
      • Full policy details

    Event: Policy Deleted
    Description: A policy was deleted.
    Information Provided:
      • Administrator
      • Date and time
      • Policy type
      • Full policy details

    Event: Completed Directory Sync
    Description: A scheduled Directory Synchronization was completed.
    Information Provided:
      • Date and time
      • Number of domains
      • Users and groups processed

    Event: Folder Log Entry
    Description: A folder was either created or deleted.
    Information Provided:
      • Administrator
      • Date and time
      • Folder name

    Event: Existing User Role Updated
    Description: A user role was amended.
    Information Provided:
      • Administrator
      • Date and time
      • Role name

    Event: User added / removed from role
    Description: A user was added or removed from a role.
    Information Provided:
      • Administrator
      • Date and time
      • Role name
      • User's logon

    Event: User Settings Updated
    Description: A user account was updated.
    Information Provided:
      • Administrator
      • Date and time
      • User account details
      • User's permissions

    Event: User Password Changed
    Description: A user's password was changed.
    Information Provided:
      • Administrator
      • Date and time
      • User account details
      • User's permissions

    Event: Stationery Log Entry
    Description: A stationery layout was created or amended.
    Information Provided:
      • Administrator
      • Date and time
      • Stationery Layout name
      • Short code
      • Links

    Event: Unlock eDiscovery Case
    Description: This is an automatic process.
    Information Provided:
      Unlocked eDiscoverycase: <Case Name>
      The email address used to generate the log entry will be admin@mimecast.local.

Event Information: Date / Time
Description: Displays the date and time that the audit log was created.

All archive searches can be viewed in the search logs and the actual viewing of any message (metadata and content) can be seen in the message view logs.
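
The event table above lends itself to a simple review rule: a successful logon that follows several failed logons for the same user and IP address, and any sensitive changes that user triggered afterwards. The sketch below is an added example, not Mimecast code. It assumes the audit events are available as CSV with the column names from the table; the CSV layout, the timestamp format, the "IP: ..." text inside Details and the sample rows are all constructed for illustration.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows, not real data. Column names follow the event table;
# the CSV layout, timestamp format and "IP: ..." text in Details are assumptions.
SAMPLE = """User,Category,Type,Details,Date / Time
bob@example.com,Constructed,Logon Authentication Failed,IP: 198.51.100.20,2017-06-15 08:30:00
bob@example.com,Constructed,User Logged On,IP: 198.51.100.20,2017-06-15 08:31:00
alice@example.com,Constructed,Logon Authentication Failed,IP: 203.0.113.7,2017-06-15 09:00:05
alice@example.com,Constructed,Logon Authentication Failed,IP: 203.0.113.7,2017-06-15 09:00:40
alice@example.com,Constructed,Logon Authentication Failed,IP: 203.0.113.7,2017-06-15 09:01:10
alice@example.com,Constructed,User Logged On,IP: 203.0.113.7,2017-06-15 09:02:00
alice@example.com,Policy Logs,Policy Deleted,Policy type: constructed,2017-06-15 09:05:00
alice@example.com,Constructed,User added / removed from role,Role name: constructed,2017-06-15 09:06:30
"""

FAILED, SUCCESS = "Logon Authentication Failed", "User Logged On"
SENSITIVE = {"Policy Deleted", "User added / removed from role", "User Password Changed"}
IP_RE = re.compile(r"IP:\s*(\S+)")

def triage(csv_text, threshold=3, window=timedelta(minutes=10)):
    """Flag each logon preceded by >= threshold failed logons for the same user
    and IP inside the window, and list sensitive events that user then triggered."""
    rows = sorted(csv.DictReader(io.StringIO(csv_text)), key=lambda r: r["Date / Time"])
    failures = defaultdict(list)  # (user, ip) -> timestamps of failed logons
    flagged = {}                  # user -> index of their finding
    findings = []
    for row in rows:
        ts = datetime.strptime(row["Date / Time"], "%Y-%m-%d %H:%M:%S")
        match = IP_RE.search(row["Details"])
        key = (row["User"], match.group(1) if match else None)
        if row["Type"] == FAILED:
            failures[key].append(ts)
        elif row["Type"] == SUCCESS:
            recent = [t for t in failures[key] if ts - t <= window]
            if len(recent) >= threshold:
                flagged[row["User"]] = len(findings)
                findings.append({"user": key[0], "ip": key[1],
                                 "failures": len(recent), "changes": []})
            failures[key].clear()
        elif row["Type"] in SENSITIVE and row["User"] in flagged:
            findings[flagged[row["User"]]]["changes"].append(row["Type"])
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Because failed authentication is only logged for known users, this rule will not see attempts against logons that do not exist on the account.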
