Audit logging
Overview
Audit logging allows administrators to capture and review security-related events in the application. This article shows how to configure audit logging and explains how to review and filter events.
Enable audit logging
To enable logging of audit events, open the Audit Settings page and select Enable audit logging. The default retention period is 7 days, after which older events will be flushed. Choose a retention period that balances the number of events available for review, storage space and user privacy. To protect user privacy, set the shortest retention period that supports your required use cases.
Reviewing events
The audit log shows the most recent events, without any filtering. Usually, you'll want to filter the events to only those of interest in your review:
Filter by time
This is useful if you are reviewing events from a certain time period. You can select recent events, old events or specify an exact time interval:
Filter by event type
Useful if you are only interested in reviewing a certain type of event:
Filter by users
Useful when you are reviewing the events for a certain user.
Filter by session
It is often useful to review all events across a single user session. To do this, click on the Session ref link on one of the events in the session you are interested in:
An example
In this example we observe the user John Doe from login to logout. He is using the Edge browser on macOS from IP 172.17.1.13.
Each event is explained in the table below:
Event type | Event details | Explanation |
---|---|---|
User logout | The user logs out | |
Policy evaluation | Completed | All Polar SSO policies have been evaluated, and the user is logged in |
Policy evaluation | Session lifetime adjusted | A Polar SSO session policy adjusts the session lifetime for the user |
MFA verification | FIDO Web Authentication | The user is successfully MFA verified |
MFA enrolment | FIDO Web Authentication | The user successfully registers an MFA device using FIDO Web Authentication |
Policy evaluation | MFA enrolment required | A Polar SSO multifactor policy requires the user to enrol in MFA |
User login | Username / password | The user John Doe (johdoe) logs in using username / password |
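The session review above can also be done offline on a copy of the events. The following is an added example, not part of the product or its documentation: the record layout, the session refs, the timestamps and the second user (janroe) are constructed, and the rule it checks (an MFA enrolment requirement should be followed by an MFA verification before policy evaluation completes) is an assumption inferred from the table.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records, newest first like the audit log view. The layout
# (time, session ref, user, event type, event details) is assumed, not a product format.
EVENTS = [
    ("2024-05-02T10:15:09", "s-02", "janroe", "Policy evaluation", "Completed"),
    ("2024-05-02T10:15:08", "s-02", "janroe", "Policy evaluation", "MFA enrolment required"),
    ("2024-05-02T10:15:02", "s-02", "janroe", "User login", "Username / password"),
    ("2024-05-02T09:41:30", "s-01", "johdoe", "User logout", "The user logs out"),
    ("2024-05-02T09:07:12", "s-01", "johdoe", "Policy evaluation", "Completed"),
    ("2024-05-02T09:07:12", "s-01", "johdoe", "Policy evaluation", "Session lifetime adjusted"),
    ("2024-05-02T09:07:10", "s-01", "johdoe", "MFA verification", "FIDO Web Authentication"),
    ("2024-05-02T09:06:55", "s-01", "johdoe", "MFA enrolment", "FIDO Web Authentication"),
    ("2024-05-02T09:06:31", "s-01", "johdoe", "Policy evaluation", "MFA enrolment required"),
    ("2024-05-02T09:06:30", "s-01", "johdoe", "User login", "Username / password"),
]


def sessions_oldest_first(events):
    """Group events by session ref and order each session chronologically."""
    grouped = defaultdict(list)
    # Reverse the newest-first input before the stable sort so that events
    # sharing a timestamp keep their true order.
    for ev in sorted(reversed(events), key=lambda e: datetime.fromisoformat(e[0])):
        grouped[ev[1]].append(ev)
    return dict(grouped)


def logins_missing_mfa(events):
    """Return session refs where policy evaluation completed after an MFA
    enrolment requirement without any MFA verification being logged."""
    flagged = []
    for ref, evs in sessions_oldest_first(events).items():
        required = verified = False
        for _, _, _, etype, details in evs:
            if (etype, details) == ("Policy evaluation", "MFA enrolment required"):
                required = True
            elif etype == "MFA verification":
                verified = True
            elif (etype, details) == ("Policy evaluation", "Completed"):
                if required and not verified:
                    flagged.append(ref)
                required = verified = False  # reset for a later login
    return flagged


if __name__ == "__main__":
    print("sessions to review:", logins_missing_mfa(EVENTS))
```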
Deleting events
Events older than the retention period are deleted automatically. If you need to delete all the events from the system, use the Delete all events link on the Audit Settings page.