Warning: The old Audit trail app has been discontinued in February 2024. The new Audit trail functionality (now called Audit trail in this article) is the only functionality available and to be used. The new Audit trail is already available and no action is required from your part to activate it. The new Audit trail is fully tracking all events since January 2023. After the deprecation of the old Audit trail app, the events that have taken place before this date have been archived and transferred to the new Audit trail. You will still be able to export them from the Archive tab (Note: if your platform was created after January 1, 2024, you will not see the Archive tab as all the events will be included in the New Audit trail app). Please note that the Audit trail report found in the Reports area is no longer available.
Introduction
The Audit trail functionality allows you as a Superadmin to keep track of the administrative actions performed in the platform and helps you allocate specific accountability with regard to regulatory compliance requirements.
An audit trail (also called audit log) is an immutable record that keeps track of administrative actions performed in the system (the platform), such as important changes to course completion, enrollment status and many others. The audit trail provides evidence of a sequence of activities that have affected specific operations, procedures, or events, and it is useful when you need to allocate the appropriate accountability in case of incidents, specifically pertaining to regulatory compliance.
Use case scenarios
The Audit trail functionality opens various opportunities, such as:
- Have complete control over your learning activities. If you have more than one administrator in charge of your learning platform, you may encounter common issues, such as “who deleted this user?” or “who updated this item?”. The Audit trail functionality solves these issues by keeping track of all relevant data and giving you the information you need to be aware of who is responsible for the information that lies within your learning platform.
- Make regulatory compliance easier. Depending on where you are in the world, there will likely be a number of regulations that will require you to track specific data related to the events that have occurred within your learning platform, ensuring the accuracy and trustworthiness of the certifications data your platform provides.
Managing the Audit trail
To manage the Audit trail area, access the platform as the Superadmin, reach the Admin menu from the gear icon in the top right corner of the page, then, select the Audit trail option in the Settings section.
Please note: Remember that only Superadmins are in charge of managing audit logs, while Power Users cannot manage the Audit trail area.
This is the main page of the Audit trail management, listing in the table of the page all of the actions performed in the system in the last seven days.
All actions performed in the last seven days (this is the default time frame, but you can edit it using the filters panel) are shown in the list on this page. Every row shows the action’s timestamp, info about who performed the action, the event type (what the action is about), info about its target and the IP address of the user who performed the action.
Please note: You will see more than one IP address because the IP column is populated with the X-Forwarded-For (XFF) HTTP header, which identifies the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.
In the Timestamp column, you can see an indication of the time zone. In the Operated by (ID) and the Operated by columns, you will see the ID and the administrative user, application or object who performed the specified action, while in the Target (ID) and Target columns, you will view the ID and the user or object that was the target of the action.
For example, for the event User has been created (by administrator), the ID and the username of the administrative user who created the user will be displayed in the Operated by (ID) and the Operated by columns, while the ID and the username of the created user will be displayed in the Target (ID) and Target columns. If the event was triggered by an automated task, the Operated by column will display the name of the application that triggered the event or in case of a chain of events, which can include multiple applications being associated to a specific trigger, the Operated by column will display the name of the application that triggered the initial event of the chain.
In the Event column you will view the name of the event. You can also filter by event in the filters panel. Learn more in the next chapters.
If you want to know more about a specific action, click the ellipsis icon on the right side of the action row in the table, then select the View log details option.
Filtering the Audit trail data
By pressing the filters icon, you can select a few filtering options for the audit log. In the Quick filters tab of the slideout panel, set a time frame to filter by date the events that will be shown in your audit trail (and export).
Remember the following notes about the time frame:
- The last seven days' time frame is the default for the filter, so if you don’t set any specific dates, only the actions performed in the last seven days will be shown in your audit log.
- The last seven days’ time frame starts exactly seven days before the moment when you are accessing the Audit trail functionality (at the same time of the day). For example, if you access the audit log in your platform on January 8th at 9 am, the last seven days’ time frame covered starts on January 1st at 9 am and ends on Jan 8th at 9 am (that is when you access the functionality).
- In order to avoid slowing down data extraction, the time frame cannot be longer than 90 days.
Then, in the sections below in the panel, flag all of the events (grouped by event categories such as Course events, User management events, and many others) that you want to be included in your audit trail. Once set the time frame and selected the events you want to track, press the Apply filters button at the bottom of the panel.
Please note: The delay between the moment the event occurs and the moment it appears in the Audit trail table should not exceed 5 minutes. However, in the event a large number of events happen simultaneously, the data may be queued. As a consequence, this delay may be extended by up to a few hours.This does not affect the accuracy of the data itself. The date and time shown in the Timestamp column will still reflect the time the event took place and not the time it appeared in the Audit trail table, even if some delay is experienced.
In the Advanced Filters tab of the slideout panel, press the Add filter button to add a filter. You can add the following advanced filters: Operated by (ID), Operated by, Target (ID), Target and IP. Once you’ve added filters, the table will automatically refresh using the applied filters.
Please note: If you set two or more filters of the same type — for example, Target=A and Target=B — the table will show all the actions with target A and all the actions with target B. If you set two or more filters of different types — for example, Target=B and Operated by=C— the table will show all of the actions with target B that have been performed (operated by) by C. So, by setting filters of different types, an action is displayed in the table only if it meets at the same time all of the conditions set. Here is another example: if you set all three filters mentioned above — Target=A, Target=B and Operated by=C— the table will show all of the actions with target A that have been performed (operated by) by C and will show all of the actions with target B that have been performed (operated by) by C.
Events for the Audit trail
When selecting the events that you want to include in the audit log, you will browse among different event categories. Check out the Audit trail events details article for a complete listing of all events that can be used in the Audit trail.
Exporting your Audit trail
You can export your audit trail in CSV (Comma Separated Values). To do so, press the Export icon in the top right corner of the Audit trail page.
Please note: The delay between the moment the event occurs and the moment it appears in the Audit trail table and is available for the export should not exceed 5 minutes. However, in the event a large number of events happen simultaneously, the data may be queued. As a consequence, this delay may be up to a few hours.
This does not affect the accuracy of the data itself. The date and time shown in the Timestamp column will still reflect the time the event took place and not the time it appeared in the Audit trail table, even if some delay is experienced.
Tips & tricks
- Before setting the filters, gather all the info you need (for example the date and time an event took place, who performed the action…) to be able to perform a research as detailed as possible. Then, set the filters to search for the data you need.
- Make the most out of the filters at your disposal: your research will be more efficient and more focused.
- You should refrain from including all of the events when filtering your audit trail. It’s better to have a single audit trail for each event category and limit the time frame to ease the readability and use of the log itself.