Reading the Audit Log Viewer
The Audit Log page lists every recorded activity, with filters across the top and a paged table below. This page walks through every piece of the viewer, the details modal that opens when you click Details on a row, and the Audit Log Cleanup settings card that controls retention.
Filters
Three filters sit across the top of the page. Changing any of them resets pagination back to page 1.
- Date Range: Choose 7 days, 30 days, 90 days, or Custom. With Custom, two extra inputs (Start: and End:) appear for picking exact datetimes.
- Type: Filter by activity type, for example Access Granted or Scheduled Scan Executed. Default option is All types.
- Actor: Filter by a single user or system actor. Default option is All actors.
Defaults
- Date Range: 30 days
- Page size: 25 entries per page
- Timezone: Viewer's local timezone, both in the table and the modal
The Type and Actor dropdowns are dynamic
Both lists only contain values that currently exist in your audit log. Activity types you've never produced, or actors who've never done anything, won't appear. On a fresh install you may see only one or two options; the lists grow as activity occurs.
The Activity Table
The table below the filters is the main view. Each row is one activity (or one grouped multi-phase activity).
- Timestamp: Date on the first line, local time on the second line.
- Type: Category icon plus the activity's display name. Multi-phase activities show an N phases label underneath.
- Actor: Person icon for users, bot icon for the system, plus the display name. Falls back to System or User when no name was recorded.
- Actions: Details button (eye icon) opens the modal for that entry.
Multi-phase rows show the most recent phase
When the system records a sequence of related events (typically Started → Completed or Failed), the viewer collapses them into one row and surfaces the latest status. Open the row to see earlier phases via tabs in the details modal.
Pagination sits below the table with Previous / Next buttons and a summary line like "Showing 1–25 of 412 activities".
Details Modal
Click Details on any row to open the modal. The header shows the activity's category icon and display name (for example Scheduled Scan Executed). Below that:
- Timestamp: Single timestamp for one-shot activities. For multi-phase activities, shown as start → end (duration), for example "Jan 15, 02:30 PM → Jan 15, 02:32 PM (2m 15s)".
- Actor: Person or bot icon plus display name, same format as the table.
- Summary: A short, human-readable description of what happened.
- IP Address: Monospace IP for user actions; unavailable for automated activity.
- Key Information: Compact field/value table of the most important data for the activity (status, counts, identifiers).
- Details: A fuller field/value table below Key Information. For settings-change activities, this section becomes the Settings Comparison table described below.
- Show Raw JSON: Toggle that swaps the friendly view for the underlying JSON record. Toggle again with Show Enhanced View. Useful when you need to copy a value or attach the record to a support ticket.
Phase Tabs
Multi-phase activities have phase tabs above the body, labelled Phase 1: Started, Phase 2: Completed, Phase 2: Failed, or Phase 2: In Progress. Switching tabs swaps the timestamp, summary, Key Information, and Details to show that phase.
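The multi-phase collapse described above, sketched as an added example (not StratoLens code) for reviewing raw JSON records outside the viewer: it groups records by a hypothetical group_id field, surfaces the latest phase, builds the phase tab labels, and formats the duration as in the modal. The field names and the sample records are assumptions constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample records. The field names (group_id, type, phase,
# timestamp) are assumptions for illustration, not the product's real schema.
SAMPLE = json.loads("""[
  {"group_id": "g1", "type": "Automated Audit Log Cleanup",
   "phase": "Started", "timestamp": "2025-01-15T14:30:00+00:00"},
  {"group_id": "g1", "type": "Automated Audit Log Cleanup",
   "phase": "Completed", "timestamp": "2025-01-15T14:32:15+00:00"},
  {"group_id": "g2", "type": "Scheduled Scan Executed",
   "phase": "Started", "timestamp": "2025-01-15T15:00:00+00:00"},
  {"group_id": null, "type": "Access Granted",
   "phase": null, "timestamp": "2025-01-15T16:00:00+00:00"}
]""")

def fmt_duration(seconds):
    """Render a duration the way the modal does, e.g. 135 -> '2m 15s'."""
    minutes, secs = divmod(int(seconds), 60)
    hours, minutes = divmod(minutes, 60)
    parts = [(hours, "h"), (minutes, "m"), (secs, "s")]
    return " ".join(f"{v}{u}" for v, u in parts if v) or "0s"

def collapse(records):
    """Collapse linked phases into one row per activity."""
    groups = defaultdict(list)
    for i, rec in enumerate(records):
        # One-shot records have no group; give each its own key.
        groups[rec["group_id"] or f"single-{i}"].append(rec)
    rows = []
    for recs in groups.values():
        recs.sort(key=lambda r: datetime.fromisoformat(r["timestamp"]))
        start = datetime.fromisoformat(recs[0]["timestamp"])
        end = datetime.fromisoformat(recs[-1]["timestamp"])
        multi = len(recs) > 1
        rows.append({
            "type": recs[-1]["type"],
            "status": recs[-1]["phase"],  # row surfaces the latest phase
            "tabs": [f"Phase {n}: {r['phase']}"
                     for n, r in enumerate(recs, 1)] if multi else [],
            "duration": fmt_duration((end - start).total_seconds())
                        if multi else None,
            # No terminal phase recorded yet: worth a look during review.
            "open": recs[-1]["phase"] in ("Started", "In Progress"),
        })
    return rows

if __name__ == "__main__":
    for row in collapse(SAMPLE):
        print(row)
```
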
Settings Comparison View
When you open a settings-change activity (anything ending in Settings Updated), the Details section renders as a three-column table titled Settings Comparison:
- Field: The setting that was modified.
- Old Value: The value before the change.
- New Value: The value after the change.
By default only fields that actually changed are shown, with a count above the table like "(3 of 12 fields changed)". Tick Show unchanged to reveal every field on the underlying settings object.
Audit Log Cleanup Card
Retention is controlled from the Audit Log Cleanup card on the Settings page. The card title is Audit Log Cleanup, with a status badge that reads Enabled or Disabled. The card is collapsed by default; click Show Settings to expand it.
- Enable automated cleanup: Toggle that turns the cleanup job on or off. When off, audit entries are kept indefinitely.
- Cleanup Frequency: Daily, Every few hours, or Every few minutes (testing only).
- Start Time: Time-of-day dropdown in 30-minute slots, shown in your local timezone (the timezone name appears under the label).
- Every N hour(s): Hourly frequency only. Allowed range 1–24.
- Every N minute(s): Minutes frequency only. Allowed range 1–60. Intended for testing.
- Keep For: Retention in days. Allowed range 1–9999. Entries older than this many days are deleted on each cleanup run.
- Last run: When the job last ran, plus a status icon (success, failed, partial, in-progress) and the count of entries deleted.
- Next run: When the job is scheduled to run next, when the schedule is enabled.
- Save Schedule: Persists your changes. Disabled until you've made a change and validation passes. Requires a role with audit-log management access.
Defaults
- Cleanup Frequency: Daily
- Keep For: 365 days
Cleanup permanently deletes entries
Set Keep For with your compliance window in mind before enabling automated cleanup. Deleted entries can't be recovered from inside StratoLens. If you need a longer history, raise Keep For before the next run, or disable automated cleanup entirely.
Every cleanup run is itself recorded in the audit log as an Automated Audit Log Cleanup entry, typically a Started phase and a Completed or Failed phase linked together. Open the entry to see how many records were deleted and any failure context.
Troubleshooting
I see "No activities found" but I know there's data
Check the date range first. The default is the last 30 days, and the cleanup job may have removed older entries. Switch to Custom and widen the window.
The cleanup card says "Last run: Failed"
Open the corresponding Automated Audit Log Cleanup entry from the audit log and read the Details section. The failure reason and diagnostic context are recorded there.
I changed cleanup settings but Last run still shows old data
Last run: reflects the last completed cleanup, so it doesn't change until the next run actually executes. Next run: updates immediately when you save.
I want to recover entries cleanup deleted
Deleted entries can't be recovered from inside StratoLens. If you need a longer history going forward, increase Keep For before the next cleanup runs, or disable automated cleanup entirely.