About Audit Logs

Zscaler records the login name and IP address of every admin who logs in to the Admin Portal and changes policies or configuration settings. The Audit Logs display an admin's login and logout record (timestamps, actions, IP, etc.) and any configuration changes they completed. If an admin account makes five unsuccessful attempts to log in within one minute, the account will be locked out for five minutes and the failed attempts will be recorded. The audit logs are stored for up to 6 months.

To view these records, go to Administration > Audit Logs.

About the Audit Logs Page

On the Audit Logs page, you can do the following:

  1. View a list of admin logins. For each admin login, you can see the following:
    • Timestamp: The local time of the admin's last login or last logout.
    • Action: The action performed by the admin in the Admin UI or API.
    • Category: A location in the Admin Portal where the action was performed.
    • Sub-Category:
    • Resource: The specific location within a sub-category.
    • Admin ID: The admin's login ID.
    • Client IP: The source IP address for the admin.
    • Interface: The means by which the user performed their actions.
      • The interface will either be the Admin UI or an API.
    • Result: The outcome of an action.
      • If the action was a success, it will show as a green circle with a check mark inside.
      • If the action was a failure, it will show as a red circle with an X inside.
  2. See configuration changes.
  3. Modify the table and its columns.
  4. Filter by time range, action, category, sub-category, interface, and/or result.
  5. Search for an audit log by resource, admin ID, or client IP.
  6. Download a CSV. The times in the CSV file are in PDT. 

Screenshot of Audit Logs page with buttons and list used to view login and configuration records pertaining to the Zscaler Admin Portal
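
As an added example (not Zscaler's code), the following Python reads a downloaded audit log CSV, converts its PDT timestamps to UTC, and flags any admin with five failed sign-ins inside one minute, which is the lockout condition described above. The header names come from the column list on this page; the timestamp format, the SUCCESS/FAILURE strings and the sample rows are assumptions, so adjust them to match a real export.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

PDT = timezone(timedelta(hours=-7), "PDT")  # the export is in PDT, a fixed UTC-7 offset
WINDOW = timedelta(minutes=1)               # lockout window stated on this page
THRESHOLD = 5                               # failed attempts that trigger the lockout

# Constructed sample export. Header names follow the page's column list; the
# timestamp format and the SUCCESS/FAILURE strings are assumptions.
SAMPLE_CSV = """\
Timestamp,Action,Category,Sub-Category,Resource,Admin ID,Client IP,Interface,Result
2024-05-01 09:00:01,Sign In,Login,Login,,admin@example.com,198.51.100.7,Admin UI,FAILURE
2024-05-01 09:00:12,Sign In,Login,Login,,admin@example.com,198.51.100.7,Admin UI,FAILURE
2024-05-01 09:00:25,Sign In,Login,Login,,admin@example.com,203.0.113.9,Admin UI,FAILURE
2024-05-01 09:00:40,Sign In,Login,Login,,admin@example.com,203.0.113.9,Admin UI,FAILURE
2024-05-01 09:00:49,Sign In,Login,Login,,admin@example.com,203.0.113.9,Admin UI,FAILURE
2024-05-01 09:10:00,Sign In,Login,Login,,ops@example.com,192.0.2.10,Admin UI,FAILURE
2024-05-01 09:12:00,Sign In,Login,Login,,ops@example.com,192.0.2.10,Admin UI,FAILURE
2024-05-01 09:14:00,Sign In,Login,Login,,ops@example.com,192.0.2.10,Admin UI,FAILURE
2024-05-01 09:16:00,Sign In,Login,Login,,ops@example.com,192.0.2.10,Admin UI,FAILURE
2024-05-01 09:18:00,Sign In,Login,Login,,ops@example.com,192.0.2.10,Admin UI,FAILURE
2024-05-01 09:20:00,Sign In,Login,Login,,ops@example.com,192.0.2.10,Admin UI,SUCCESS
"""

def parse_rows(text, ts_format="%Y-%m-%d %H:%M:%S"):
    """Yield rows with the PDT timestamp converted to an aware UTC datetime."""
    for row in csv.DictReader(io.StringIO(text)):
        local = datetime.strptime(row["Timestamp"], ts_format).replace(tzinfo=PDT)
        row["utc"] = local.astimezone(timezone.utc)
        yield row

def lockout_bursts(rows):
    """Return (admin_id, first_utc, last_utc, client_ips) for each run of
    THRESHOLD failed sign-ins by one admin inside WINDOW."""
    recent, hits = defaultdict(deque), []
    for row in sorted(rows, key=lambda r: r["utc"]):
        if row["Action"] != "Sign In" or row["Result"].upper() != "FAILURE":
            continue
        q = recent[row["Admin ID"]]
        q.append(row)
        while row["utc"] - q[0]["utc"] > WINDOW:  # drop failures older than the window
            q.popleft()
        if len(q) >= THRESHOLD:
            ips = sorted({r["Client IP"] for r in q})
            hits.append((row["Admin ID"], q[0]["utc"], row["utc"], ips))
            q.clear()  # start counting again after reporting a burst
    return hits
```

On the constructed rows, only admin@example.com is reported: its five failures fall within 48 seconds and come from two client IPs, while the five failures for ops@example.com are spread over eight minutes.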

Actions:

  • Activate
  • Audit Operation
  • Create
  • Delete
  • Download
  • Forced Activate
  • Import
  • Patch
  • Report
  • Sign In
  • Sign Out
  • Update

Categories:

  • Access Control Resource
  • Activation
  • Administrator Management
  • Advanced Settings
  • Alert
  • Authentication Settings
  • Backup & Restore
  • Company Profile
  • Data Loss Prevention Resource
  • Firewall Access Control
  • Firewall Resource
  • ICAP Settings
  • Identity Proxy Settings
  • Login
  • Mobile Access Control
  • Mobile Security
  • NSS
  • Report
  • Role Management
  • Traffic Forwarding Resource
  • User Management
  • Virtual ZEN
  • Web Access Control
  • Web Data Loss Prevention
  • Web Security

Sub-Categories:

  • Activation
  • Administrator
  • Advanced Policy Settings
  • Advanced Settings
  • Advanced Threats Policy
  • Advanced Threats Policy Security Exceptions
  • Alert Definitions
  • Alert Subscriptions
  • Auditor
  • Authentication Bridge
  • Authentication Profile
  • Backup & Restore
  • Bandwidth Class
  • Bandwidth Control
  • Browser Control
  • Cloud App Control Policy
  • Company Profile
  • Department
  • Destination Group
  • DLP
  • DLP Dictionary
  • DLP Engine
  • DLP Notification Template
  • DNS
  • End User Notifications
  • EzAgent
  • File Type Control
  • Firewall Filtering
  • Firewall Network
  • FTP
  • Group
  • ICAP Server
  • Identity Proxy Settings
  • Interactive Reports
  • Location
  • Location Group
  • Login
  • Malware Policy
  • Malware Policy Security Exceptions
  • Mobile App Store Control
  • Mobile Malware Protection
  • NAT Control
  • Network Application Group
  • Network Service
  • Network Service Group
  • NSS Feed
  • NSS Server
  • PAC File
  • Password change
  • Password expiry
  • QBR
  • Role Management
  • SAML
  • SAML Settings
  • Sandbox
  • Scheduled Report
  • Source IP Group
  • SSL Inspection
  • Time Interval
  • URL Category
  • URL Filtering
  • User
  • Virtual ZEN
  • Virtual ZEN Cluster
  • VPN Credentials

Click the configuration change you want to view. You can then see the visual differences between the configuration before and after the change.

Up to 1000 lines are shown. If there are more than 1000, only the count is shown.

There are two types of changes you can view:

  • View additions or deletions. The following is an example of an addition:
    See image.
  • View updates. The following is an example of modifications to a policy:
    See image.