Audit log
Audit logs provide a detailed record of user activities, system changes, and administrative actions to support security monitoring, compliance requirements, troubleshooting, and operational visibility.
Benefits
Security & Compliance: Track access patterns, detect unauthorized activities, and maintain audit trails for compliance frameworks such as System and Organization Controls 2 (SOC 2), International Organization for Standardization (ISO 27001), General Data Protection Regulation (GDPR), and Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Operational Visibility: Monitor configuration changes, track policy modifications, and understand system usage patterns.
Troubleshooting: Investigate issues by reviewing the sequence of events leading to a problem or configuration change.
Accountability: Maintain clear attribution of all actions to specific users with timestamps and contextual information.
Accessing the audit log
Superusers reach the audit log by clicking the settings cog in the header, then Audit Log.
Downloading an audit log
Use these steps to download an Audit Log:
NOTE: Audit logs use Coordinated Universal Time (UTC).
Date ranges are applied in UTC, which may differ from your local time.
- Enter a From Date or pick a date from the calendar.
- Enter a To Date or pick a date from the calendar.
- Click Download CSV File.
- The Audit Log file will download in your web browser.
Audit log events reference
User management & authentication events
| Event Type | Captured Information |
|---|---|
| User Login Success | Username, source IP address, authentication method (portal, RMM), timestamp, session ID |
| User Login Failure | Username, source IP address, authentication method, failure reason, timestamp |
| User Logout | Username, logout type (manual or timeout), session duration, timestamp |
| MFA Enrollment | Username, MFA method enrolled, enrollment status, timestamp |
| MFA Verification | Username, verification status (success/failure), MFA method used, timestamp |
| Password Change | Username, change initiated by (user/admin), timestamp |
| Password Reset | Username, requested by, timestamp |
| User Account Lockout | Username, lockout reason (failed attempts), timestamp |
| User Account Unlock | Username, unlocked by (admin/automatic), timestamp |
| User Account Creation | New username, created by, assigned role, initial permissions, timestamp |
| User Account Deactivation | Username, deactivated by, reason, timestamp, data retention status |
| Invitation Sent | Recipient email, invited by, role assigned, invitation expiration date, timestamp |
| Invitation Accepted | New username, invitation acceptance timestamp, account activation date |
| Invitation Expired | Recipient email, original inviter, expiration timestamp, resend status |
Group & role management events
| Event Type | Captured Information |
|---|---|
| Group Creation | Group name, created by, initial members, permissions assigned, timestamp |
| Group Modification | Group name, modified by, changes made (org. names, description, permissions), previous values, new values, timestamp |
| Group Deletion | Group name, deleted by, number of affected users, timestamp, related policy impacts |
| User Added to Group | Username, group name, added by, timestamp, inherited permissions |
| User Removed from Group | Username, group name, removed by, timestamp, permission changes |
| User Added to Role | Username, role name, assigned by, timestamp, granted permissions |
| User Removed from Role | Username, role name, removed by, timestamp, revoked permissions |
Endpoint backup v2 management events
| Event Type | Captured Information |
|---|---|
| Endpoint Deployment | Endpoint name, hostname, IP address, OS type/version, deployed by, deployment token used, timestamp, agent version |
| Endpoint Deletion | Endpoint name, hostname, deleted by, deletion reason, backup retention policy, timestamp, last backup date |
| Endpoint Paused | Endpoint name, paused by, pause reason, timestamp, scheduled resume date |
| Endpoint Started/Resumed | Endpoint name, started by, timestamp, last backup date before pause |
| Endpoint License Change | Endpoint name, previous license type, new license type, changed by, timestamp, billing impact |
| Endpoint Policy Assignment | Endpoint name, previous policy, new policy, assigned by, timestamp, effective date |
Backup policy management events
| Event Type | Captured Information |
|---|---|
| Policy Creation | Policy name, created by, initial configuration (schedule, retention, throttling), timestamp, assigned endpoints count |
| Policy Edit | Policy name, edited by, modified fields, previous values, new values, timestamp, affected endpoints count |
| Policy Deletion | Policy name, deleted by, number of affected endpoints, reassignment policy, timestamp |
| Policy Duplication | Source policy name, new policy name, duplicated by, timestamp |
| Policy Rename | Previous policy name, new policy name, renamed by, timestamp |
| Policy Description Update | Policy name, previous description, new description, updated by, timestamp |
| Retention Change | Policy name, previous retention settings, new retention settings, changed by, timestamp, data impact estimate |
| Backup Schedule Change | Policy name, previous schedule, new schedule, changed by, timestamp, next backup time |
| Throttling Configuration Change | Policy name, previous throttling settings, new throttling settings, changed by, timestamp |
| Alerting Threshold Override | Policy name, threshold type, previous value, new value, overridden by, timestamp |
| Selective Backup Enabled/Disabled | Policy name, enabled status, configured by, timestamp, scope |
| Selective Backup Inclusion Added | Policy name, included path/file type, added by, timestamp, estimated impact |
| Selective Backup Exclusion Added | Policy name, excluded path/file type, added by, timestamp, estimated impact |
Deployment token management events
| Event Type | Captured Information |
|---|---|
| Deployment Token Creation | Token name, created by, associated organization, expiration date, usage limit, timestamp, default policy |
| Deployment Token Deletion | Token name, deleted by, associated organization, deletion reason, timestamp, endpoints deployed with token |
| Deployment Token Used | Token name, endpoint deployed, deployment timestamp, remaining uses, IP address |
Restore operations – file-level restore
| Event Type | Captured Information |
|---|---|
| File Restore Initiated | Endpoint name, restore point date/time, initiated by, selected files/folders, restore destination, timestamp |
| File Restore Completed | Endpoint name, restore point used, completion status, files restored count, total size, duration, timestamp |
| File Restore Failed | Endpoint name, restore point attempted, failure reason, initiated by, error details, timestamp |
| Encryption Key Error | Endpoint name, restore point date, incorrect key attempt, attempted by, timestamp, lockout status |
Restore operations – multi-version file restore
| Event Type | Captured Information |
|---|---|
| Multi-Version Restore Initiated | Endpoint name, file path, version selection, initiated by, restore destination, timestamp |
| Multi-Version Restore Completed | Endpoint name, file path, versions restored, total size, completion status, duration, timestamp |
| Multi-Version Encryption Key Error | Endpoint name, file path, incorrect key attempt, attempted by, timestamp |
Restore operations – bare metal restore (BMR)
| Event Type | Captured Information |
|---|---|
| BMR Initiated | Endpoint name, restore point date/time, initiated by, target hardware information, timestamp |
| BMR Agent Code Generated | Endpoint name, agent code, generated by, expiration time, timestamp |
| BMR Agent Code Used | Endpoint name, agent code, used by, source IP, timestamp |
| BMR Encryption Key Error | Endpoint name, restore point, incorrect key attempt, attempted by, timestamp |
| BMR Completed | Endpoint name, restore point used, completion status, duration, restored data size, timestamp |
| BMR Failed | Endpoint name, restore point attempted, failure reason, error details, timestamp |
Reporting & analytics events
| Event Type | Captured Information |
|---|---|
| Report Creation | Report name, report type, created by, organization scope, scheduling configuration, recipient list, timestamp |
| Report Deletion | Report name, deleted by, timestamp, final run date |
| Report Modification | Report name, modified by, changed fields, previous values, new values, timestamp |
| Report Execution | Report name, executed by, execution type (manual/scheduled), organization scope, timestamp, record count |
Audit log column reference
Id
Description: Uniquely identifies the audit event
Type: Universally Unique Identifier (UUID)
Notes: Used to correlate events across systems or logs
TenantId
Description: Uniquely identifies the tenant
Type: Universally Unique Identifier (UUID)
Notes: Used to correlate events across tenants
TimestampUTC
Description: Date and time when the event occurred
Type: ISO‑8601 timestamp
Notes: Stored in UTC
WorkflowId
Description: Date and time when the event occurred
Type: ISO‑8601 timestamp
Notes: Stored in UTC
WorkflowType
Description: Date and time when the event occurred
Type: ISO‑8601 timestamp
Notes: Stored in UTC
EventType
Description: Describes what action was performed
Type: String
Examples: Create, Update, Delete, Login, Logout
EventDescription
Description: Describes the event
Type: String
Initiator
Description: Identifies who initiated the action
Type: String
Common values: user, system, service
InitiatorType
Description: Identifies what initiated the action
Type: String
Common values: user, system, service
InitiatorId
Description: Identifier of the user or system that performed the action
Type: String
Notes: May map to a user ID, service account, or internal identifier
Target
Description: Identifies the specific object acted upon
Type: String
Notes: Used with TargetType to pinpoint the affected entity
TargetType
Description: Type of object affected by the action
Type: String
Examples: Account, Device, Policy, Record
TargetId
Description: Identifies the specific object acted upon
Type: String
Notes: Used with TargetType to pinpoint the affected entity
OperationStatus
Description: Indicates whether the action succeeded or failed
Type: String
Common values: success, failure
JavaScript Object Notation (JSON) reference
Os
Description: Operating system installed on the asset at the time of the event.
Type: String
Example: windows
Mac
Description: Primary Media Access Control (MAC) address associated with the asset.
Type: String
Name
Description: Human-readable name assigned to the asset.
Type: String
Status
Description: Current operational state of the asset.
Type: String
Common values: online, offline, paused
Policyid
Description: Unique identifier of the backup or protection policy applied to the asset.
Type: String (UUID)
V1agentid
Description: Identifier of the legacy (v1) agent associated with the asset, if applicable.
Type: String
Licencetype
Description: License Stock Keeping Unit (SKU) assigned to the asset.
Type: String
Example: Kaseya 365
Macaddresses
Description: List of all MAC addresses detected for the asset.
Type: Array of strings
Backupenabled
Description: Indicates whether backup functionality is enabled for the asset.
Type: Boolean
Organizationid
Description: Identifier of the organization that owns the asset.
Type: String (UUID)
Storageusedbytes
Description: Total amount of storage currently consumed by the asset.
Type: Integer (bytes)
Updatedtimestamp
Description: Timestamp of the most recent update to the asset metadata.
Type: ISO‑8601 timestamp
Hascustomermanagedkey
Description: Indicates whether customer‑managed encryption keys are enabled.
Type: Boolean
Timezoneoffsetminutes
Description: Time zone offset from UTC, in minutes, for the asset location.
Type: Integer
Usage notes
- Filter by action, result, or actor_id to isolate relevant activity.
- Sort by event_timestamp to reconstruct timelines.
- Copy JSON fields into a JSON-aware tool for deeper analysis.
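The filtering and timeline steps from the usage notes, as an added example (not vendor code) run against a constructed CSV: it sorts rows by TimestampUTC, filters on columns, and flags initiators with a burst of failed logins. Assumptions: the export's header row uses the names from the column reference; the usage notes' action, result, actor_id and event_timestamp correspond to EventType, OperationStatus, InitiatorId and TimestampUTC; values look like the listed examples (Login, failure); the threshold and window are illustrative.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample export (not real data), deliberately out of order.
SAMPLE_CSV = """\
Id,TimestampUTC,EventType,InitiatorId,Target,TargetType,OperationStatus
11111111-0000-4000-8000-000000000003,2024-05-01T08:04:30Z,Login,u-100,Portal,Account,failure
11111111-0000-4000-8000-000000000001,2024-05-01T08:00:05Z,Login,u-100,Portal,Account,failure
11111111-0000-4000-8000-000000000005,2024-05-01T08:06:40Z,Delete,u-100,Nightly,Policy,success
11111111-0000-4000-8000-000000000002,2024-05-01T08:02:10Z,Login,u-100,Portal,Account,failure
11111111-0000-4000-8000-000000000004,2024-05-01T08:05:00Z,Login,u-100,Portal,Account,success
11111111-0000-4000-8000-000000000006,2024-05-01T09:15:00Z,Login,u-200,Portal,Account,failure
11111111-0000-4000-8000-000000000000,2024-05-01T07:30:00Z,Update,svc-1,LAPTOP-7,Device,success
"""

def load_events(text):
    """Parse the export and return rows sorted by TimestampUTC, oldest first."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        ts = datetime.fromisoformat(row["TimestampUTC"].replace("Z", "+00:00"))
        # The log is documented as UTC, so a timestamp without an offset is read as UTC.
        row["ts"] = ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)
    return sorted(rows, key=lambda r: r["ts"])

def select(events, **wanted):
    """Keep rows whose columns match, e.g. EventType="Login" (case-insensitive)."""
    return [r for r in events
            if all(r[col].lower() == val.lower() for col, val in wanted.items())]

def failed_login_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Map InitiatorId to its largest count of failed logins inside one window."""
    by_actor = defaultdict(list)
    for r in select(events, EventType="Login", OperationStatus="failure"):
        by_actor[r["InitiatorId"]].append(r["ts"])  # already in time order
    bursts = {}
    for actor, times in by_actor.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                bursts[actor] = max(bursts.get(actor, 0), end - start + 1)
    return bursts

if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    print(failed_login_bursts(events))
```

For a flagged initiator, `select(events, InitiatorId=...)` returns that initiator's rows in time order, which shows what followed the failed attempts.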