Audit Logs

This article describes what is contained inside the Audit Log files and how to access and search this information. Audit logs allow you to search, review, and export logs regarding account access and configuration changes made by administrators. This applies to Administrators responsible for monitoring changes and events in their accounts.

Audit Logs are immutable. They cannot be purged, deleted, or otherwise cleared. Logs persist for the duration of the customer's account with Mimecast.

Audit Log Contents

The logs are read-only but can be exported. See the "Exporting Audit Logs" section below for full details.

Each log file is an audit of activity on your account, whether it is performed automatically, by an administrator, or by a user. Some of the event types captured are:

  • Account changes.
  • User account changes (including password changes).
  • New, amended, or deleted policies/definitions.
  • Directory synchronization.
  • Journal failures.
  • Folders being created or updated.
  • User login attempts and failures.

Accessing Audit Logs

When you search for an audit log using an option other than All, the All option is still applied because of technical limitations in how audit files are stored. This is expected for log files older than 30 days, but it also occurs for those under 30 days.

You can access the Audit Logs by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Account | Audit Logs.
  3. Click on a Log File to display its content in a pop-out panel.

Searching Audit Logs

You can search for particular Audit Logs and apply filters by using the following steps:

  1. Click on the Search field.
  2. Enter any known details in the Search field.

    Search terms will automatically search across all the fields.

  3. Click on the Search Icon. Your results are displayed.

Showing/Hiding Columns

You can remove or hide columns by clicking on the gear icon and selecting them as required.

Applying Custom Dates

Log files are displayed from the previous 24 hours by default, though they are available to access indefinitely regardless of your account's retention period.

You can view Audit Logs by an alternative date range, by using the following steps:

  1. Navigate to the Date Range field, and select the drop-down (this defaults to Last 24 hours).
    A date picker is displayed.
  2. Select a Time Period. The available options are Last 24 hours, Last 7 days, Last 30 days, Last 60 days, Last Year, Last 2 years and Custom Range.

    To apply an optional custom date range:

    • Click on Custom Range.
    • Select a Custom Date Range as required.
  3. Click on the Apply button.

Filtering Audit Logs

You can apply category filters to the logs displayed, by using the following steps:

  1. Click on the Filter drop-down menu. 
  2. By default, when filtering Audit Logs, all categories are deselected. You will need to select the specific category you want to apply. The categories include:

    • Account Logs
    • Archive Service Logs
    • Authentication Logs
    • Awareness Training Logs
    • Branding Logs
    • Case Review Logs
    • Collaboration Security Logs
    • Continuity Services Logs
    • CyberGraph Logs
    • Integrations and APIs
    • Journaling Logs
    • Mimecast Access Logs
    • Policy Logs
    • Profile Group Logs
    • Reporting Logs
    • Secure Messaging Logs
    • User Account and Role Logs
    • Integration Logs
    • Human Risk Logs
  3. Click on the Apply button.

The pagination is now located at the bottom of the page.

You can use the Filter-by drop-down to locate Reports submitted by users by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Accounts | Audit Logs and select your desired date range.
  3. In the Filter-by dropdown, select Account Logs and click Apply.
  4. Enter the keywords Message Reported in the search bar.
  5. Copy the message ID.
  6. Navigate to Archive | Archive Search.
  7. Paste the message ID to the Search Text box.
  8. Select the Search Message Headers box.
  9. Scroll down to select your Date Range in the drop-down box, then click Apply.
  10. Click Search.

Exporting Audit Logs

You can export the Audit Logs from your search results and/or a selected / custom time period, by using the following steps:

  1. Click on the Export button.
  2. Complete the dialog as follows:

    Field / Option | Description
    Columns to Include | By default, all the check boxes are selected; uncheck the boxes for the information you wish to exclude.
    Format | The file format is in CSV.

  3. Click the Export button.
  4. Once the export is complete, it will be downloaded directly to the workstation from which the request was made.

Log Events

A log displays the following details about each event:

Event Information | Description
User | Displays the email address of the user who triggered the event. "Automated Task Manager" is displayed if the event was automatically triggered.
Category | Displays the category of event that generated the log file (e.g., "Policy Logs," "Account Logs").
Type | Displays the type of event that generated the log file (e.g., "New Policy," "Completed Directory Sync").
Details | Displays brief details about the event or changes made. The details displayed depend on the type of event. While the below list is not all-inclusive, some common examples include:

  Event | Description | Information Provided
  User Logged On | A user has logged onto the Administration Console.
    • User's login.
    • Date and time.
    • IP address.
  Login Authentication Failed | A user attempted to log on to the Administration Console, but their authentication failed. Information about failed authentication is only logged for known users. Audit logs for SMTP Authentication are removed after a period of 7 days. MSW may refer to the Mimecast for Outlook Add-In.
    • User's login.
    • Date and time.
    • IP address.
    • The application used to access Mimecast.
      • API: An authentication request directly to the API (/api/login/login).
      • MSA: Mimecast Services for Android.
      • MSI: Mimecast Services for iPhone.
      • MSW: Mimecast Services for Windows.
      • SMTP – MTA2: SMTP authentication against our MTA to submit messages.
  Account Updated | A user's account details were amended.
    • Administrator
    • Date and time
    • Account details
  New Policy | A policy was created.
    • Administrator
    • Date and time
    • Policy type
    • Full policy details
  Policy Deleted | A policy was deleted.
    • Administrator
    • Date and time
    • Policy type
    • Full policy details
  Completed Directory Sync | A scheduled Directory Synchronization was completed.
    • Date and time
    • Number of domains
    • Users and groups processed
  Folder Log Entry | A folder was either created or deleted.
    • Administrator
    • Date and time
    • Folder name
  Existing User Role Updated | A user role was amended.
    • Administrator
    • Date and time
    • Role name
  User added/removed from role | A user was added or removed from a role.
    • Administrator
    • Date and time
    • Role name
    • User's login
  User Settings Updated | A user account was updated.
    • Administrator
    • Date and time
    • User account details
    • User's permissions
  User Password Changed | A user's password was changed.
    • Administrator
    • Date and time
    • User account details
    • User's permissions
  Stationery Log Entry | A stationery layout was created or amended.
    • Administrator
    • Date and time
    • Stationery Layout name
    • Shortcode
    • Links
  Unlock eDiscovery Case | This is an automatic process. The email address used to generate the log entry will be admin@mimecast.local
    • Unlocked eDiscovery case: <Case Name>

Date / Time | Displays the date and time that the audit log was created.

All archive searches can be viewed in the search logs, and any message (metadata and content) can be viewed in the message view logs.
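
As an added example (not Mimecast code), the following Python reviews an exported CSV offline and reports any "User Logged On" event that follows a run of "Login Authentication Failed" events for the same user and IP address. It assumes the CSV column headers match the Log Events field names above, that the Details text carries the address as `IP: <address>`, and that timestamps look like `2024-05-01 09:00:05`; the sample rows are constructed.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. Column names follow the "Log Events" fields; the
# "IP: ..." layout of Details and the timestamp format are assumptions.
SAMPLE_CSV = """User,Category,Type,Details,Date / Time
bob@example.com,Authentication Logs,Login Authentication Failed,"IP: 203.0.113.9, Application: API",2024-05-01 09:00:05
bob@example.com,Authentication Logs,Login Authentication Failed,"IP: 203.0.113.9, Application: API",2024-05-01 09:00:40
bob@example.com,Authentication Logs,Login Authentication Failed,"IP: 203.0.113.9, Application: API",2024-05-01 09:01:10
bob@example.com,Authentication Logs,User Logged On,"IP: 203.0.113.9",2024-05-01 09:02:00
amy@example.com,Authentication Logs,Login Authentication Failed,"IP: 198.51.100.7, Application: MSW",2024-05-01 10:00:00
amy@example.com,Authentication Logs,User Logged On,"IP: 198.51.100.7",2024-05-01 10:00:30
Automated Task Manager,Account Logs,Completed Directory Sync,"Domains: 1",2024-05-01 11:00:00
"""

IP_RE = re.compile(r"IP:\s*([0-9A-Fa-f.:]+)")

def parse_rows(text):
    """Yield (time, user, event_type, ip) for each row of an exported audit log."""
    for row in csv.DictReader(io.StringIO(text)):
        m = IP_RE.search(row["Details"])
        when = datetime.strptime(row["Date / Time"], "%Y-%m-%d %H:%M:%S")
        yield when, row["User"], row["Type"], m.group(1) if m else None

def failures_then_logon(text, threshold=3, window=timedelta(minutes=10)):
    """Return (user, ip, failure_count, logon_time) for each logon preceded by
    at least `threshold` failures for the same user and IP inside `window`."""
    recent = defaultdict(list)  # (user, ip) -> timestamps of failed attempts
    findings = []
    # Sort by time so the row order of the export does not matter.
    for when, user, etype, ip in sorted(parse_rows(text), key=lambda r: r[0]):
        key = (user, ip)
        if etype == "Login Authentication Failed":
            recent[key].append(when)
        elif etype == "User Logged On":
            hits = [t for t in recent[key] if when - t <= window]
            if len(hits) >= threshold:
                findings.append((user, ip, len(hits), when))
            recent[key].clear()  # a logon starts a fresh count for this pair
    return findings

if __name__ == "__main__":
    for finding in failures_then_logon(SAMPLE_CSV):
        print(finding)
```

Because failed authentication is only logged for known users, attempts against non-existent accounts will not appear in the export and are not counted here.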
