Audit Logs

The Audit Logs page records the events that occur in Cohesity DataProtect as a Service. The events are:

• Read or write actions performed by the users on Cohesity DataProtect as a Service.

• Login and logout actions performed by the Helios users.

View Audit Logs

On the Audit Logs page in Cohesity DataProtect as a Service, you can find the following details for the events that are logged by the registered regions:

• Date

• Time

• User & action

• System (Cohesity DataProtect as a Service region)

By default, only the write actions performed by the users on Cohesity clusters are displayed on the Audit Logs page. To see read actions, select Read Actions from the Actions filter and click Apply. See Use Filters to Locate Specific Logs next.

Use Filters to Locate Specific Logs

Use the following filters to narrow the listed audit logs and locate the specific logs.

Filter	Purpose
Date Range	Filter the audit logs based on the selected time window.
System	Filter the audit logs based on the Cohesity DataProtect as a Service regions.
Users	View the audit trails of specific users.
Category	Filter the audit logs based on predefined categories. See Review Audit Log Categories next.
Action	Filter the audit logs based on the read or write actions performed by the users in the registered regions. See Logged Actions below

Review Audit Log Categories

Audit logs are logged under predefined categories for you to find the relevant audit logs and analyze the correct logs quickly.

• API Key

• Access Token

• Alert

• Alert Notification Rule

• Group

• Helios Event

• IDP Configuration

• Protection Group

• Protection Policy

• Recovery Task

• Region

• Resolution

• SaaS Connector

• Snapshot

• SNMP Config

• Source

• Tenant

• User

Logged Actions

Along with the read actions, the following write actions are logged:

Write Actions	Descriptions
Accept	A user accepted the license agreement.
Activate	A user activated an entity such as Protection Run.
Add	A user added a Region.
Apply	A user applied a setting or configuration.
Assign	A user assigns a source to a tenant.
Cancel	A user canceled an entity such as a running Protection run or a Recovery task.
Clone	A user cloned an entity such as a Snapshot, VM, or SQL Database.
Close	A user closed an SMB file.
Cloud Spin	A user deployed a VM on the cloud.
Cluster Expand	A user expanded the cluster.
Create	A user created an entity such as a Protection run.
Deactivate	A user deactivated a Protection run.
Delete	A user deleted an entity such as a Protection run, or Protection Policy.
Disjoin	A user disjoined the Cluster from an AD domain.
Download	A user downloaded a VMX file or a file from a VM Snapshot.
Import	A user performed a generic action for any import operations. For example, the user has imported patch binary.
Install	A user performed a generic action for any installation. For example, the user has installed an app.
Join	A user joined the Cluster to an AD domain.
Login	A user logged in to the Cohesity DataProtect as a Service.
Logout	A user logged out of the Cohesity DataProtect as a Service.
Mark	A user marked an entity for removal such as a disk.
Modify	A user modified an entity such as a User, Protection run, or Remote Cluster.
Notification Rule	A user modified the notification rule.
Overwrite	A user performed an overwrite operation.
Pause	A user paused an entity such as a running Protection run.
Recover	A user recovered an entity such as a VM, file, or SQL Database.
Refresh	A user performed a refresh of the entities in the Cohesity DataProtect as a Service. For example, the user refreshed the source configuration.
Register	A user registered an entity such as an External Target (Vault).
Mark Removal	A user marked an entity for removal. For example, the user marked a disk for removal.
Rename	A user renamed an entity.
Restart	A user restarted a service.
Resume	A user performed a resume action on a Protection run.
Revert	A user reverted a setting or action.
Run Diagnostics	A user ran a diagnostics. For example, the user ran diagnostics on the agent to collect logs and other metrics.
Run Now	A user performed a Run Now action on a Protection run.
Schedule	A user scheduled an event.
Schedule Report	A user scheduled an email report.
Search	A user searched for a term.
Start	A user started a service.
Stop	A user stopped a service.
Unassign	A user removes a source from a tenant.
Uninstall	A user uninstalled an app.
Unregister	A user unregistered an entity such as a Source.
Update	A user updated an entity in a Cohesity cluster.
Upgrade	A user upgraded the Cohesity cluster.
Upload	A user uploaded an entity.
Validate	A user validated an entity.

Set Log Retention Period for Cluster Audit Logs

You can set the retention period for cluster audit logs. When you set a retention period, the logs are retained on the cluster until the retention period ends.

The default retention period is 180 days. The minimum retention period is 90 days, and the maximum is 365 days.

To set a retention period for cluster audit logs, follow the steps below:

1. In DataProtect as a Service, navigate to Security > Audit Logs > Settings.

2. In the Settings tab, click the edit icon for Log Retention Period.

3. Enter the desired number and choose a type of retention period (Days, Weeks, Months, or Years).

4. Select the icon to save.

   A push notification with the message Settings Updated is displayed.

   Cohesity converts weeks, months, or years into days and displays it as the Log Retention Period.

Download Audit Logs

You can download the Audit Logs in CSV format from Cohesity DataProtect as a Service for analysis and sharing.

The downloaded .CSV file contains more details than what the Helios Dashboard displays. For example, the file contains details about the IP addresses of the systems from which the cluster is accessed, tenants, impersonation, and so on.

To download audit logs:

1. In DataProtect as a Service, navigate to Audit Logs.

2. In the top right, click the Download icon.

The audit logs CSV file is downloaded.