How to read and use the System Audit report

Question 

I've heard of this System Audit report thing, but it seems a bit confusing. How do I make sense of what's in here?

Environment

xMatters Starter, Base and Advanced plans

Answer

When you go to the System Audit report in the web user interface, you'll see a drop-down menu for different things we are auditing in the system. This includes:

  • Groups - For group changes/actions.
  • Persons - For user changes/actions.
  • Persons Function - For permission changes.
  • Email/Voice/Text Phone Device Detail - Multiple reports for device creation/updates.

For example, you can use the System Audit report to see which users were created, updated, or deleted by selecting the audit report for Persons from the drop-down list. From there you can select the date/time range and then click Search.

What you'll end up with is a table with various fields. The main ones to pay attention to are Action, Status, First and Last Name, Recorded Name, and Web Updated. You might also want to look at the When Updated/Created.

On each user login, the user's record is updated with the last login information which is why you may have seen an Update action. The Current action takes place right after that as soon as the record has been updated.

Possible Values:

  • Action - Current (meaning no changes), Update, or Create 
  • Status - Whether the user's profile is active or inactive.
  • First/Last Name - User's first and last name.
  • Recorded Name - User's user ID in the instance.
  • Web Updated - If populated, it shows who performed that action usually via a UI user. If the "Web updated" column is empty, that means that the record was updated via an automated process such as a sync or API call.
  • When Updated/Created - They mean just what they say: the date/time the action was performed and when that user was initially created.

Tip: If looking for a Deleted record, these should show as an Update row in the report with some of the typical data fields left blank. Notably a blank SITE_ID or ORG_LANGUAGE_ID would be a reasonable indicator that the record was removed.

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Article is closed for comments.