Audit log report

The Audit log report is a chronological history of the system activities that users have performed through the Clumio UI or REST API. Use the Audit report to find out who made which changes in the Clumio platform and to confirm that activity complies with your business requirements.

Note: Clumio supports integration with AWS CloudTrail Lake. See Sending Clumio Audit Logs to AWS CloudTrail Lake on the Clumio Support site.

The Audit report will never store data that is older than ninety (90) days. By default, the report (named Default Report) is filtered to display data for the full ninety (90) days. Specify a different interval to view report details over another date range.

Each line in the table is called an event, and the events in the table are organized in chronological descending order by when the event occurred in the system (timestamp). A single user-generated event may create additional internal events in the Audit Report; each user-generated event displays the IP address, interface, and email details for the user while any associated internal events appear with dashes in those columns.

The table in the Audit report displays the following columns:

  • Timestamp: The date and time when the event occurred.
  • IP Address: The IP address of the user or device that generated the event. A dash (-) appears if the event was system generated.
  • Interface: The interface from which the user performed the operation. Examples include UI and API. A dash (-) appears if the event was system generated.
  • User: The email address of the user who was logged in to Clumio. A dash (-) appears if the event was system generated.
  • Action: The type of activity that was performed. See the Audit Report actions table for a list of actions that the audit report tracks.
  • Category: The category that the action belongs to. See the Audit Report categories table for a list of categories that the audit report tracks.
  • Asset Type: The entity type that was affected by the action. Examples of asset types include AWS EBS Volume (for any SecureVault Backup, Snap, or restore actions performed on an AWS EBS volume), User (for when a new user is invited to or registers into Clumio or logs out of Clumio), and Policy (for policy-related changes). A dash (-) symbol displays if the event did not impact a specific entity.
  • Asset: The specific entity within the entity type that was affected by the action. Examples of assets include AWS EBS volumes, AWS EC2 instances, and Clumio policy names. A dash (-) symbol displays if the event does not impact an entity. For example, system-wide events such as user logins do not impact a specific entity.
  • Details: The REST API request that was sent to the server. Click View JSON to see and copy the body of the request. Refer to the API reference to learn more about the Clumio REST API.
  • Result: The outcome of the action, such as success, failure or partial success. Partial success is logged if a password is valid but multi-factor authentication (MFA), which requires the user to enter additional login credentials, has not yet been completed.

Set any of the following filters to narrow down report data:

  • Action: select one or more actions from the list that displays when you select this filter
  • Asset: select the asset or assets from the list that displays when you select this filter
  • Category: select one or more categories from the list that displays when you select this filter
  • Date Range: select from the list of options, or select a custom date or range
  • Triggered By: to view which user triggered an action, type that user's email ID; press Enter to type multiple IDs
  • Result: select from Success, Partial success, Failed

Audit report actions

The following table describes all possible actions that can appear in the Audit report:

| Action | Description |
| --- | --- |
| Apply | Apply a policy to protect assets. |
| Batch activate | Activate a policy. As a result, all assets with tags that have this policy applied become protected. |
| Batch deactivate | Deactivate a policy, causing all of its protected assets to become unprotected. |
| Browse | Browse through the system for assets, such as AWS EBS volume backups. |
| Create | Create or add a new entity, such as a policy or asset. |
| Delete | Delete an existing entity, such as an AWS environment, policy, user, or setting. |
| Disable | Disable a feature, such as single sign-on (SSO) or multi-factor authentication (MFA). |
| Download | Download retrieved files and folders after a user has entered the passcode to access the content. This action is part of the Transparent Data Access (TDA) feature. |
| Enable | Enable a feature, such as single sign-on (SSO), or multi-factor authentication settings. |
| Full restore | Full restore of an asset, such as an AWS EBS volume. |
| Grant download access | Users granted access to retrieved files or folders through direct download from the Clumio UI. |
| Grant email access | Users granted access to retrieved files or folders via an email link and passcode. This action is part of the Transparent Data Access (TDA) feature. |
| Granular retrieval | Retrieve files or folders from within an asset. This is more granular than a full restore. |
| Invite | Invite someone to register an account with Clumio. |
| Login | Log in to Clumio. Login events only appear if a user logs in with an email address that is registered with Clumio. If a user tries to log in to Clumio with an invalid email address, the attempt will not appear in the Audit Report. |
| Logout | Log out of Clumio manually. |
| Redirected | Redirected to the IdP login page during the Clumio login process because single sign-on (SSO) is enabled. |
| Regenerate TDA passcode | Regenerate a passcode, which is sent to someone to access and download retrieved files and folders. TDA stands for Transparent Data Access. |
| Register | Register a new data source or user, or register a user for multi-factor authentication. |
| Remove | Remove policy protection from an asset. |
| Search | Search for assets, such as files or folders. |
| Unapply | Delete a data source or user, or unregister a user from multi-factor authentication. |
| Update | Update something in the system, such as a policy, setting, or password. |
| Validate TDA passcode | Validates the person who entered the passcode as someone who can access the retrieved files and folders using the provided link and passcode. TDA stands for Transparent Data Access. |

Audit report categories

The following table describes all possible categories that can appear in the Audit Report:

| Category | Description |
| --- | --- |
| Authentication | Authentication operations. These include authenticating into Clumio through the UI or through the REST API. Examples include logging in to and out of Clumio, and logging in through single sign-on (SSO). |
| Backup | Backup operations, such as searching for a backup or restoring a backup. |
| Bandwidth config | Bandwidth configuration operations. |
| Cloud connector template | Cloud connector template operations, such as updating the CloudFormation or Terraform version. |
| Data source | Operations that impact a data source. |
| KMS config | Operations related to key management service (KMS). |
| MFA | Operations related to multi-factor authentication. |
| Policy | Operations that impact a policy, such as creating or activating a policy. |
| Protection | Protection operations, such as applying policy protection to an asset. |
| Restore | Restore operations, such as restoring from a SecureVault Backup or granular retrieval. |
| SSO | Operations related to single sign-on (SSO). |
| Users | User-related operations, such as inviting, registering, or suspending a user. |

Note that certain actions apply to certain categories. In other words, some actions don't apply to some categories, so if you apply a filter on actions and categories that are totally unrelated, Clumio will return "No data". For example, the filter combination Action:Full Download and Category:Users will return "No data" because you can't download a user! On the other hand, the filter combination Action:Invite and Category:Users will return data if users have been invited to create a Clumio account in the past 90 days.
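
The following is an added example, not Clumio code: a review pass over audit events that separates system-generated rows (dashes) from user-generated ones and flags disabled MFA/SSO, destructive actions, and repeated incomplete logins. The CSV layout, the sample rows, the finding names, and the login threshold are assumptions; only the column, action, category, and result names come from the tables above.

```python
import csv
import io
from collections import Counter

# Constructed sample rows. Column names follow the report table; the CSV
# layout itself is an assumption, since the page defines no export format.
SAMPLE = """\
Timestamp,IP Address,Interface,User,Action,Category,Asset Type,Asset,Result
2024-05-02T10:20:00Z,-,-,-,Update,Policy,Policy,gold-policy,Success
2024-05-02T10:19:00Z,198.51.100.9,API,bob@example.com,Disable,MFA,-,-,Success
2024-05-02T10:18:00Z,198.51.100.9,API,bob@example.com,Batch deactivate,Policy,Policy,gold-policy,Success
2024-05-02T10:15:00Z,203.0.113.7,UI,alice@example.com,Login,Authentication,-,-,Partial success
2024-05-02T10:14:00Z,203.0.113.7,UI,alice@example.com,Login,Authentication,-,-,Failed
2024-05-02T10:13:00Z,203.0.113.7,UI,alice@example.com,Login,Authentication,-,-,Failed
2024-05-02T10:00:00Z,192.0.2.4,UI,carol@example.com,Login,Authentication,-,-,Success
"""

DESTRUCTIVE = {"batch deactivate", "remove", "delete"}  # actions that unprotect or delete
LOGIN_THRESHOLD = 3  # assumed alerting threshold; tune per environment


def triage(csv_text, login_threshold=LOGIN_THRESHOLD):
    """Return (findings, system_event_count) for a set of audit rows."""
    findings, incomplete_logins, system_events = [], Counter(), 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["User"].strip()
        if user == "-":  # a dash means the event was system generated
            system_events += 1
            continue
        action = row["Action"].strip().lower()
        category = row["Category"].strip().lower()
        result = row["Result"].strip().lower()
        where = f'{row["Timestamp"]} {user} via {row["Interface"]} from {row["IP Address"]}'
        if action == "disable" and category in {"mfa", "sso"} and result == "success":
            findings.append(("auth-control-disabled", where))
        elif action in DESTRUCTIVE and result == "success":
            findings.append(("destructive-change", f'{where} asset={row["Asset"]}'))
        elif action == "login" and result in {"failed", "partial success"}:
            incomplete_logins[user] += 1  # wrong password, or MFA not completed
    for user, count in incomplete_logins.items():
        if count >= login_threshold:
            findings.append(("repeated-incomplete-login", f"{user} x{count}"))
    return findings, system_events


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE)[0]:
        print(kind, detail)
```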