Skip To Content

Understand audit logs

Portal for ArcGIS records user activity and any changes that occur to the system to audit logs. Audit logs are an important tool for monitoring and troubleshooting critical or breaking changes and identifying the organization members or processes that made those changes, their effects on the system, and the time those events occurred.

Audit logs can be processed by Security Information and Event Management (SIEM) tools to generate an audit trail, track trends in user activity, and monitor and address any security threats or vulnerabilities.

Audit logs capture information for the following events:

  • Accessing the organization portal site
  • Creating, deleting, updating, and disabling member accounts
  • Creating and updating user roles
  • Adding and configuring groups
  • Adding and removing members from a group
  • Sharing items
  • Changing item ownership
  • Adding, updating, moving, and deleting items

Audit log access

The default directory where the portal writes audit logs is <Portal for ArcGIS installation directory>/usr/arcgisportal/logs/<machine name>/audit. You can change the audit log location at any time using the Portal Administrator Directory.

Change audit log settings

Audit log settings, such as log retention policy and the default directory for the logs, are inherited from portal logs. To change audit logs settings, you must change the portal log settings using the Portal Administrator Directory. For instructions, see Specify portal log settings.

Delete audit logs

To delete audit logs, complete the following steps:

  1. Open the Portal Administrator Directory and log in as an administrator.

    The URL is typically available at https://webadaptorhost.domain.com/webadaptorname/portaladmin.

  2. Click Logs > Clean.
  3. Select the output format from the Format drop-down list.
  4. Click Clean logs.

All log files are deleted from the portal machine.

Audit log syntax

Portal for ArcGIS records each event in the audit log using the following JSON syntax:


{
    "version": "Audit record version number",
    "timeStamp": "Epoch time value",
    "eventId": "Unique audit record identifier",
    "event": "Event Name",
    "eventLevel": "Event level",
    "status": "Success/Failure indicator",
    "statusCode": "Status code value",
    "actor": "username",
    "actorId": "user id",
    "actorRole": "User's role",
    "sourceIp": "Source IP address",
    "destinationIp": "Destination IP address",
    "destinationHost": "Destination host name",
    "resource": "Resource URI",
    "data": {
        "data_attribute1": "attribute value",
        "data_attribute2": "attribute value"
    },
    "userAgent": "user agent information",
    "message": "Any corresponding message if applicable"
}