
Work with Audit Logs

Let us learn to work with audit logs.
Where Can I Use This?
  • Prisma SD-WAN
What Do I Need?
  • Active Prisma SD-WAN license
Use Audit Log to access the audit logs, filter the query parameters, compare different versions of the logs, and view audit logs for error scenarios.
  1. Select Manage > System > Audit Logs.
    You can also access audit logs for a resource by clicking on a resource or selecting Audit Logs from the ellipsis menu.
  2. Use the filter criteria to narrow down the audit logs search.
    Enter values in any of the filter fields and click Query. You can enter partial text or a regular expression (Regex) for fields marked with a *. Filters can be set for a field by entering values or selecting an option from the drop-down. The following table describes the query parameters:
    | Field Name | Description |
    |---|---|
    | Resource Key | Identifies the resource for querying. The resource key is inside square brackets with the event name outside the brackets. For example, select Devices [elements] to filter operations on devices. |
    | Resource ID | Uses the ID of the resource. |
    | Type | Uses the type of operation for filtering. You can select GET, POST, PUT, PATCH, or DELETE. |
    | Status | Uses the status of the operation for filtering. For example, entering 200 in the Status field filters for actions with status code 200, that is, successfully completed actions. |
    | Resource Ver | Uses the resource version for filtering. The resource version is updated whenever you perform an operation on the resource. |
    | URI Ver | Uses the API version of the resource for filtering. |
    | URI | Uses the request URI for filtering. The complete URI needs to be entered. For example, /v2.0/api/login. |
    | Session Key | Uses the session tag of the operator performing the operations on the resource. |
    | Source IP | Uses the client IP address for filtering. |
    | Operator ID | Sets the filter based on the operator performing the operations on the resource. |
    | Start Date | Sets the filter based on a start date selected from the calendar drop-down. Start date corresponds to the time of the request. Records are filtered between the start date and the end date. |
    | End Date | Sets the filter based on an end date selected from the calendar drop-down. End date corresponds to the time of the response. Records are filtered between the start date and the end date. |
  3. Compare the audit log versions.
    Choose versions to compare by clicking the back and forward icons under Response Compared. The responses compared display changes between versions in different colors.
    You can also compare audit versions at the resource. Click the resource icon or select Audit Log from the ellipsis menu and then click the Compare icon.
  4. View the audit logs by clicking the Audit Log Record for details on bad requests or requests with response status 400.
    Audit logs support nested IDs, which when clicked, provide access to a specific resource. To return to the resources screen, click the breadcrumb navigation on the Compare Audit Log Versions screen.
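
The Python below is an added example, not part of the product documentation: it applies the step 2 filter semantics (exact URI, regex-capable fields, start date against request time and end date against response time) to audit records and tallies the status 400 write operations from step 4 per operator and source IP. The record key names, the sample rows, and the choice of which fields accept a regex are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Assumption: these stand in for the "*" fields that accept partial text or
# a regex; every other field, including URI, must match exactly.
REGEX_FIELDS = {"source_ip", "operator_id"}

# Constructed sample rows; key names are hypothetical, not the product schema.
FIELDS = ("type", "status", "uri", "source_ip", "operator_id", "req_ts", "resp_ts")
ROWS = [
    ("POST", 200, "/v2.0/api/login", "198.51.100.7", "op-1001", "2024-05-01T09:00:00", "2024-05-01T09:00:01"),
    ("PUT", 400, "/v2.0/api/elements/e-17", "203.0.113.45", "op-2002", "2024-05-01T09:05:00", "2024-05-01T09:05:01"),
    ("PUT", 400, "/v2.0/api/elements/e-17", "203.0.113.45", "op-2002", "2024-05-01T09:06:00", "2024-05-01T09:06:02"),
    ("GET", 400, "/v2.0/api/elements/e-17", "203.0.113.45", "op-2002", "2024-05-01T10:00:00", "2024-05-01T10:00:01"),
    ("DELETE", 400, "/v2.0/api/elements/e-18", "203.0.113.99", "op-2002", "2024-05-02T11:00:00", "2024-05-02T11:00:01"),
]
RECORDS = [dict(zip(FIELDS, row)) for row in ROWS]


def field_matches(field, wanted, value):
    """Regex search for REGEX_FIELDS, exact string comparison otherwise."""
    if field in REGEX_FIELDS:
        return re.search(wanted, value) is not None
    return value == str(wanted)


def query(records, start=None, end=None, **criteria):
    """Return records that satisfy every criterion and fall inside the window."""
    hits = []
    for rec in records:
        if not all(field_matches(f, w, str(rec[f])) for f, w in criteria.items()):
            continue
        # Start date is checked against request time, end date against response time.
        if start and datetime.fromisoformat(rec["req_ts"]) < start:
            continue
        if end and datetime.fromisoformat(rec["resp_ts"]) > end:
            continue
        hits.append(rec)
    return hits


def failed_changes_by_source(records, start=None, end=None):
    """Count status-400 write operations per (operator, source IP)."""
    counts = Counter()
    for op_type in ("POST", "PUT", "PATCH", "DELETE"):
        for rec in query(records, start, end, type=op_type, status=400):
            counts[(rec["operator_id"], rec["source_ip"])] += 1
    return counts
```

Repeated 400 responses on write operations from one operator and source IP are the records worth opening first in the Audit Log Record view.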