Admin Audit Log Formats
The Cisco Secure Access Admin Audit logs show the administrative changes to your organization's Secure Access settings. For information about the size of a log file, see Estimate the Size of a Log.
Table of Contents
Example
An example of a v4 through v10 Admin Audit log event.
id,timestamp,email,user,type,action,logged in from,before,after
"123","2024-07-22 10:46:45","[[email protected]](mailto:[email protected])","","logexportconfigurations","update","209.165.200.227","version: 4","version: 5"
Order of Fields in Admin Audit Log
Note: Not all fields listed are found in most or all requests. When a field does not have a value, Secure Access sets the field to the empty string ("") in the log.
V10 Log Format
The CSV fields in the header row of the Admin Audit log.
id,timestamp,email,user,type,action,logged in from,before,after
The description of each field and the log version in which each field was released, from version 4 up to version 10. For more information about log versions, see Find Your Log Schema Version.
| Field name | Description | Release version |
|---|---|---|
| id | A unique identifier of the audit event. | v4 |
| timestamp | The date and time of the administrative change event, expressed as a UTC-formatted string (e.g., 2024-01-16 17:48:41).Note: Unlike the Secure Access dashboard and reports, Secure Access logs do not convert the timestamp to your local timezone. | v4 |
| The email of the user that triggered the event. | v4 | |
| user | The account name of the user who created the change. | v4 |
| type | Where the change was made, such as settings or a policy. | v4 |
| action | The type of change made, such as Create, update, or Delete. | v4 |
| logged in from | The user's IP source. | v4 |
| before | The policy or setting before the change was made. | v4 |
| after | The policy or setting after the change was made. | v4 |
Reports and CSV Formats < Admin Audit Log Formats > Cloud Firewall Log Formats
Updated about 1 month ago