Audit Logs

The Audit Logs page records the events that occur in Cohesity DataProtect as a Service. The events are:

  • Read or write actions performed by the users on Cohesity clusters.

  • Login and logout actions performed by the Helios users in .

View Audit Logs

On the Audit Logs page in Cohesity DataProtect as a Service, you can find the following details for the events that are logged by the registered regions:

  • Date

  • Time

  • User & action

  • System (Cohesity DataProtect as a Service region)

By default, only the write actions performed by the users on Cohesity clusters are displayed on the Audit Logs page. To see read actions, select Read Actions from the Actions filter and click Apply. See Use Filters to Locate Specific Logs next.

Use Filters to Locate Specific Logs

Use the following filters to narrow the listed audit logs and locate specific logs.

Filter       Purpose
Date Range   Filter the audit logs based on the selected time window.
System       Filter the audit logs based on the Cohesity DataProtect as a Service regions.
Users        View the audit trails of specific users.
Category     Filter the audit logs based on predefined categories. See Review Cluster Audit Log Categories next.
Action       Filter the audit logs based on the read or write actions performed by the users in the registered regions. See Logged Actions below.

Review Cluster Audit Log Categories

Audit logs are grouped under predefined categories so that you can quickly find and analyze the relevant logs.

  • API Key

  • Access Token

  • Active Directory

  • Alert

  • Alert Notification Rule

  • AMQP Target Configuration

  • Antivirus Service Group

  • App

  • Bifrost Connection

  • Bifrost Connector

  • Chassis

  • Clone Refresh Task

  • Clone Task

  • CloudSpin

  • Cluster

  • Cluster Partition

  • Cluster Services

  • CSR

  • Data Tiering Analysis Group

  • Data Tiering Downtier Task

  • Data Tiering Uptier Task

  • Disk

  • Encryption Key

  • Group

  • Helios Event

  • Hotfix

  • Hybrid Extender

  • IDP Configuration

  • Infected File

  • Interface

  • IOTier

  • IP

  • Keystone

  • KMS Configuration

  • LDAP

  • Network

  • Network Interface Group

  • NIS

  • NIS Net Group

  • Node

  • Object

  • Patch

  • Physical Agent

  • Preferred Domain Controller

  • Protection Group

  • Protection Run

  • Protection Policy

  • Proxy Server

  • QoS

  • Recovery Task

  • Remote Cluster

  • Resolution

  • Role

  • SaaS Connector

  • Scheduler

  • Search Job

  • Service Flag

  • Share

  • SMTP Server

  • Snapshot

  • SNMP Config

  • Source

  • SSL Certificate

  • Static Route

  • Storage Domain

  • Support Server

  • Swift Roles

  • Tags

  • Tenant

  • Trusted CA

  • User

  • Vault

  • View

  • VLAN

Logged Actions

Along with the read actions, the following write actions are logged:

Write Action        Description
Accept              A user accepted the license agreement.
Activate            A user activated an entity such as a Protection Group.
Add                 A user added a Region.
Apply               A user applied a setting or configuration. For example, the user applied a patch.
Assign              A user assigned a source to a tenant.
Cancel              A user canceled an entity such as a running Protection Group or a Recovery task.
Clone               A user cloned an entity such as a Snapshot, VM, View, or SQL Database.
Close               A user closed an SMB file.
Cloud Spin          A user deployed a VM on the cloud.
Cluster Expand      A user expanded the cluster.
Create              A user created an entity such as a Protection Group.
Deactivate          A user deactivated a Protection Group.
Delete              A user deleted an entity such as a Protection Group, Protection Policy, or View.
Disjoin             A user disjoined the Cluster from an AD domain.
Download            A user downloaded a VMX file or a file from a VM Snapshot.
Import              A user performed a generic action for any import operation. For example, the user imported a patch binary.
Install             A user performed a generic action for any installation. For example, the user installed an app.
Join                A user joined the Cluster to an AD domain.
Login               A user logged in to the Cohesity cluster.
Logout              A user logged out of the Cohesity cluster.
Mark                A user marked an entity, such as a disk, for removal.
Modify              A user modified an entity such as a User, Protection Group, or Remote Cluster.
Notification Rule   A user modified the notification rule.
Overwrite           A user performed an overwrite operation.
Pause               A user paused an entity such as a running Protection Group.
Recover             A user recovered an entity such as a VM, file, or SQL Database.
Refresh             A user performed a refresh of the entities in the Cohesity cluster. For example, the user refreshed the source configuration.
Register            A user registered an entity such as an External Target (Vault).
Mark Removal        A user marked an entity for removal. For example, the user marked a disk for removal.
Rename              A user renamed an entity such as a Storage Domain.
Restart             A user restarted a Cohesity Platform service in their cluster.
Resume              A user performed a resume action on a Protection Group.
Revert              A user reverted a setting or action.
Run Diagnostics     A user ran diagnostics. For example, the user ran diagnostics on the agent to collect logs and other metrics.
Run Now             A user performed a Run Now action on a Protection Group.
Schedule            A user scheduled an event such as a cluster upgrade.
Schedule Report     A user scheduled an email report.
Search              A user searched for a term such as gflags.
Start               A user started a Cohesity cluster service.
Stop                A user stopped a Cohesity cluster service.
Unassign            A user removed a source from a tenant.
Uninstall           A user uninstalled an app.
Unregister          A user unregistered an entity such as a Source.
Update              A user updated an entity in a Cohesity cluster.
Upgrade             A user upgraded the Cohesity cluster.
Upload              A user uploaded an entity.
Validate            A user validated an entity.

Set Log Retention Period for Cluster Audit Logs

You can set the retention period for cluster audit logs. When you set a retention period, the logs are retained on the cluster until the retention period ends.

The default retention period is 180 days.

To set a retention period for cluster audit logs, follow the steps below:

  1. In DataProtect as a Service, navigate to Security > Audit Logs > Settings.

  2. In the Settings tab, click the edit icon for Log Retention Period.

  3. Enter the desired number and choose a type of retention period (Days, Weeks, Months, or Years).

  4. Select the icon to save.

    A push notification with the message Settings Updated is displayed.

    Cohesity converts weeks, months, or years into days and displays it as the Log Retention Period.

Download Audit Logs

You can download the Audit Logs in CSV format from Cohesity DataProtect as a Service for analysis and sharing.

The downloaded .CSV file contains more details than what the Helios Dashboard displays. For example, the file contains details about the IP addresses of the systems from which the cluster is accessed, tenants, impersonation, and so on.

To download audit logs:

  1. In DataProtect as a Service, navigate to Audit Logs.

  2. In the top right, click the Download icon.

The audit logs CSV file is downloaded.
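
As an added example (not Cohesity code), the following Python sketch triages a downloaded audit log CSV using the action and category names listed on this page: it flags destructive write actions against backup-related categories and users who logged in from more than one IP address. The column headers and the sample rows are assumptions constructed for illustration; rename them to match the header row of your actual export.

```python
import csv
import io
from collections import defaultdict

# Assumed column headers; rename to match the header row of your export.
COL_USER, COL_ACTION, COL_CATEGORY, COL_IP = "User", "Action", "Category", "IP Address"

# Write actions from the Logged Actions table that remove or suspend protection.
DESTRUCTIVE_ACTIONS = {"Delete", "Deactivate", "Cancel", "Pause", "Unregister"}
# Categories from the category list that hold backup data or its configuration.
SENSITIVE_CATEGORIES = {"Protection Group", "Protection Policy", "Protection Run",
                        "Snapshot", "Source", "Vault"}

# Constructed sample export (documentation-range IP addresses).
SAMPLE_CSV = """Timestamp,User,Action,Category,IP Address
2024-05-01T08:00:00Z,alice,Login,User,192.0.2.10
2024-05-01T08:05:00Z,alice,Create,Protection Group,192.0.2.10
2024-05-01T23:40:00Z,bob,Login,User,198.51.100.7
2024-05-01T23:41:00Z,bob,Login,User,203.0.113.50
2024-05-01T23:45:00Z,bob,Delete,Protection Policy,203.0.113.50
2024-05-01T23:46:00Z,bob,Deactivate,Protection Group,203.0.113.50
2024-05-01T23:50:00Z,bob,Delete,Alert,203.0.113.50
"""

def load_events(csv_text):
    """Parse the CSV text into a list of dicts with whitespace-trimmed values."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [{k: (v or "").strip() for k, v in row.items() if k is not None}
            for row in reader]

def destructive_events(events):
    """Events where a destructive action hit a backup-related category."""
    return [e for e in events
            if e.get(COL_ACTION) in DESTRUCTIVE_ACTIONS
            and e.get(COL_CATEGORY) in SENSITIVE_CATEGORIES]

def multi_ip_logins(events):
    """Map each user to their login source IPs when there is more than one."""
    seen = defaultdict(set)
    for e in events:
        if e.get(COL_ACTION) == "Login" and e.get(COL_IP):
            seen[e.get(COL_USER, "")].add(e[COL_IP])
    return {user: sorted(ips) for user, ips in seen.items() if len(ips) > 1}

if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    for e in destructive_events(events):
        print("REVIEW:", e["Timestamp"], e[COL_USER], e[COL_ACTION], e[COL_CATEGORY], e[COL_IP])
    for user, ips in multi_ip_logins(events).items():
        print("MULTI-IP LOGIN:", user, ips)
```

Because read actions are hidden by default in the UI, check whether your export includes them before treating the absence of an event as evidence that it did not happen.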