AuditAudit

All actions performed by users are systematically logged in Pure. Creating, retrieving, changing, deleting, viewing or reporting on content is logged as well as any other functionality used.

Content that was changed due to running Jobs in Pure is also logged. This is usually as the user ‘root’, though with each release more jobs use the name of the job to indicate in which context the content was changed. 

The content that was changed, including its state before and after the change, are also logged in addition to the operation, the user and the time and date. For example, if a project title is changed the log will show the title before and after the change operation was carried out.

Data synchronized from external sources (such as HR details on Person records, citations or Impact Factors etc.) are logged with a source ID and import date as well as the common audit information.

Through these processes the entire history of each individual data item in Pure is systematically logged, securely stored, and made available for system administrators and other users with special privileges.

This is very useful when troubleshooting an issue it is often relevant to know how something was created/changed/deleted. What might have been changed or deleted. Or maybe you want to know why or when it was created/changed/deleted. Maybe you need to compare content before or after a change.

Another thing you might need details on are whom logged into Pure and when. Or maybe you want to investigate failed login attempts.

Pure Administrators can view the audit log using the search and filter functionality on the Administrator > System information > Audit.

If you are at a listed record you can also access the audit log by clicking the gear icon on a record in the content list view and selecting Show audits

 

Search the audit log

To search the audit logs, fill in any of the following fields from the table below to restrict your search to records that match this query and press Search afterwards.

Field	Description
Username	Show all actions of a specific user. Enter the username. For Pure 5.32.0 search supports wildcards: It supports wildcards * and ?. A * will match multiple characters, a ? will match exactly one character. E.g. “user?ame” will match “username”, but also “userfame”. “user*ame” will match “usernnnnnname”. If no wildcard is used, it first tries to find exact matches. If it finds no exact matches, it goes to wildcard mode and repeats the search. If a wildcard is used, it performs the search in wildcard mode. Any wildcard search will have an implicit * at the beginning and end of the word. E.g. “ernam” will match “username”, as if the query was really “*ernam*”.
Content-ID	Show all actions on a specific record (e.g. actions on an Application record). This is the Pure ID for a record, which can be found in the top-left corner of the record's editor window.
Start date	Show actions after a specific date.
End date	Show actions before a specific date.
Operation	Show only this chosen operation (e.g. create, delete). You can use a wildcard search, with * replacing multiple characters and ? replacing a single character, i.e “auth*” will give you any authentication operations.   List of Audit operations Operation Description Content ID authentication-event:AuthenticationFailureBadCredentialsEvent Authentication failed due to invalid credentials being presented NA authentication-event:AuthenticationFailureConcurrentLogin Authentication failed due to a concurrent login. NA authentication-event:AuthenticationFailureDisabledEvent Authentication failed due to the user's account being disabled. NA authentication-event:AuthenticationFailureExpiredEvent Authentication failed due to expiry of the form. NA authentication-event:AuthenticationFailureLockedEvent Authentication failed due to the user's account having been locked NA authentication-event:AuthenticationFailureProviderNotFoundEvent Authentication failed as the provider was not found. NA authentication-event:AuthenticationFailureProxyUntrustedEvent Authentication failed due to an untrusted proxy. NA authentication-event:AuthenticationFailureServiceExceptionEvent Authentication failed due to an internal exception. NA authentication-event:AuthenticationSuccessEvent A user logged in with success NA authentication-event:AuthenticationSwitchUserEvent A user switched to another user successfully NA authentication-event:EventAuthenticationFailureCredentialsExpiredEvent Authentication failed due to expired credentials. NA authentication-event:login A user logged in using username and password NA authentication-event:logout A user logged out NA authentication-event:UserAuthenticatedEvent success A used logged in successfully. NA authentication:changeCredentialsFailed Changing password failed NA authentication:changeCredentialsFailed Changes to user credentials (password) not made NA authentication:credentialsChanged Changes to user credentials (password) made successfully NA authentication:credentialsChanged A user changed password NA config:change Configuration settings were changed. NA config:create A configuration setting was added. NA config:delete A configuration setting was deleted. NA content:create Content creation ID of the created content content:delete Content deleted ID of the deleted content content:embargoStateChangeObserved     The state of embargo on content has changed due to something that was not related to saving/deleting content, such as the passing of time. ID of content where state changes content:migrate Content’s template was changed. The description contains information about the new content item created. ID of the content item that has been migrated to a new Template content:modify Existing content modified ID of the modified content dependency:replace References to a content item have been replaced by another content item. The description contains information about both content items. ID of the content item that replaced the other item merge:merge A number of source content items have been merged into a target content item. ID of the target content preservedContent:create failed Metadata about content failed to be created in a long term preservation destination. The description contains information about the cause. ID of the content that the metadata originates from preservedContent:create success Metadata about content has been successfully created in a long term preservation destination ID of the content that the metadata originates from preservedContent:update preservedContent:delete preservedContent:createFile preservedContent:deleteFile CRUD operations on content metadata and filse in repositories. ID of the content that the metadata originates from. revalidation:revalidation Content has been modified in a way that caused it to be marked for revalidation ID of the content marked for revalidation role:modify Modification of roles ID of the content roles have been set for suggestedaction:claim Content has been claimed by user ID of the content marked for claim suggestedaction:disclaim Content has been disclaimed by user ID of the content marked for disclaim system:startup system:shutdown Pure was started or stopped NA textresource:create This is when a default value is modified (an alternative text is created). ID of the text resource textresource:delete This is when a previously modified text resource is changed back to the default value (alternative text is gone) ID of the text resource textresource:modify This is when a modification happens to an already modified/created text resource (alternative text is modified). ID of the text resource workflow:accepted-on-step Content has been accepted and workflow step has been changed to the default next step. ID of the accepted content workflow:accepted-to-step Content has been accepted and workflow step has been changed to another step than the default step. ID of the accepted content workflow:pushed-to-step Content has been rejected or workflow step has been forcefully set to a specific step as a powerful user (typically as part of conversion or similar) ID of the pushed content

Inspecting audit log search results

You can view an audit log to see what happened to a certain record, or what actions were performed by a certain user.

Results that match your query are displayed. You can:

• Choose how many results to display on the page by hovering on the results dropdown.
• Show the log entry in XML format, by expanding the XML area.

• Show the XML in a formatted way using the Audit XML formatted link for each result, where available.

Key things to identify in the XML is often:

• Before and after values
  • Found in the XML
• User responsible for the modification and the time of the modification
  • Found in the XML metadata on top of the XML