How Can We Help?
AuditAudit
All actions performed by users are systematically logged in Pure. Creating, retrieving, changing, deleting, viewing or reporting on content is logged as well as any other functionality used.
Content that was changed due to running Jobs in Pure is also logged. This is usually as the user ‘root’, though with each release more jobs use the name of the job to indicate in which context the content was changed.
The content that was changed, including its state before and after the change, are also logged in addition to the operation, the user and the time and date. For example, if a project title is changed the log will show the title before and after the change operation was carried out.
Data synchronized from external sources (such as HR details on Person records, citations or Impact Factors etc.) are logged with a source ID and import date as well as the common audit information.
Through these processes the entire history of each individual data item in Pure is systematically logged, securely stored, and made available for system administrators and other users with special privileges.
This is very useful when troubleshooting an issue it is often relevant to know how something was created/changed/deleted. What might have been changed or deleted. Or maybe you want to know why or when it was created/changed/deleted. Maybe you need to compare content before or after a change.
Another thing you might need details on are whom logged into Pure and when. Or maybe you want to investigate failed login attempts.
Pure Administrators can view the audit log using the search and filter functionality on the Administrator > System information > Audit.
If you are at a listed record you can also access the audit log by clicking the gear icon on a record in the content list view and selecting Show audits
Search the audit log
To search the audit logs, fill in any of the following fields from the table below to restrict your search to records that match this query and press Search afterwards.
We recommend you enter as many restrictions as possible as audit logs can be very large
| Field | Description |
|---|---|
| Username |
Show all actions of a specific user. Enter the username. For Pure 5.32.0 search supports wildcards: It supports wildcards * and ?. A * will match multiple characters, a ? will match exactly one character. E.g. “user?ame” will match “username”, but also “userfame”. “user*ame” will match “usernnnnnname”. If no wildcard is used, it first tries to find exact matches. If it finds no exact matches, it goes to wildcard mode and repeats the search. If a wildcard is used, it performs the search in wildcard mode. Any wildcard search will have an implicit * at the beginning and end of the word. E.g. “ernam” will match “username”, as if the query was really “*ernam*”. |
| Content-ID |
Show all actions on a specific record (e.g. actions on an Application record). This is the Pure ID for a record, which can be found in the top-left corner of the record's editor window. 
|
| Starte date | Show actions after a specific date. |
| End date | Show actions before a specific date. |
| Operation |
Show only this chosen operation (e.g. create, delete). You can use a wildcard search, with * replacing multiple characters and ? replacing a single character, i.e “auth*” will give you any authentication operations.
See table “List of Audit operations” for full list.
|
List of Audit operations
| Operation | Description | Content ID |
|---|---|---|
| authentication-event:AuthenticationFailureBadCredentialsEvent | Authentication failed due to invalid credentials being presented | NA |
| authentication-event:AuthenticationFailureConcurrentLogin | Authentication failed due to a concurrent login. | NA |
| authentication-event:AuthenticationFailureDisabledEvent | Authentication failed due to the user's account being disabled. | NA |
| authentication-event:AuthenticationFailureExpiredEvent | Authentication failed due to expiry of the form. | NA |
| authentication-event:AuthenticationFailureLockedEvent | Authentication failed due to the user's account having been locked | NA |
| authentication-event:AuthenticationFailureProviderNotFoundEvent | Authentication failed as the provider was not found. | NA |
| authentication-event:AuthenticationFailureProxyUntrustedEvent | Authentication failed due to an untrusted proxy. | NA |
| authentication-event:AuthenticationFailureServiceExceptionEvent | Authentication failed due to an internal exception. | NA |
| authentication-event:AuthenticationSuccessEvent | A user logged in with success | NA |
| authentication-event:AuthenticationSwitchUserEvent | A user switched to another user successfully | NA |
| authentication-event:EventAuthenticationFailureCredentialsExpiredEvent | Authentication failed due to expired credentials. | NA |
| authentication-event:login | A user logged in using username and password | NA |
| authentication-event:logout | A user logged out | NA |
| authentication-event:UserAuthenticatedEvent success | A used logged in successfully. | NA |
| authentication:changeCredentialsFailed | Changing password failed | NA |
| authentication:changeCredentialsFailed | Changes to user credentials (password) not made | NA |
| authentication:credentialsChanged | Changes to user credentials (password) made successfully | NA |
| authentication:credentialsChanged | A user changed password | NA |
| config:change | Configuration settings were changed. | NA |
| config:create | A configuration setting was added. | NA |
| config:delete | A configuration setting was deleted. | NA |
| content:create | Content creation | ID of the created content |
| content:delete | Content deleted | ID of the deleted content |
|
content:embargoStateChangeObserved
|
The state of embargo on content has changed due to something that was not related to saving/deleting content, such as the passing of time. | ID of content where state changes |
| content:migrate | Content’s template was changed. The description contains information about the new content item created. |
ID of the content item that has been migrated to a new Template |
| content:modify | Existing content modified | ID of the modified content |
| dependency:replace | References to a content item have been replaced by another content item. The description contains information about both content items. | ID of the content item that replaced the other item |
| merge:merge | A number of source content items have been merged into a target content item. | ID of the target content |
| preservedContent:create failed | Metadata about content failed to be created in a long term preservation destination. The description contains information about the cause. | ID of the content that the metadata originates from |
| preservedContent:create success | Metadata about content has been successfully created in a long term preservation destination | ID of the content that the metadata originates from |
|
preservedContent:update preservedContent:delete preservedContent:createFile preservedContent:deleteFile |
CRUD operations on content metadata and filse in repositories. | ID of the content that the metadata originates from. |
| revalidation:revalidation | Content has been modified in a way that caused it to be marked for revalidation | ID of the content marked for revalidation |
| role:modify | Modification of roles | ID of the content roles have been set for |
| suggestedaction:claim | Content has been claimed by user | ID of the content marked for claim |
| suggestedaction:disclaim | Content has been disclaimed by user | ID of the content marked for disclaim |
|
system:startup system:shutdown |
Pure was started or stopped | NA |
| textresource:create | This is when a default value is modified (an alternative text is created). | ID of the text resource |
| textresource:delete | This is when a previously modified text resource is changed back to the default value (alternative text is gone) | ID of the text resource |
| textresource:modify | This is when a modification happens to an already modified/created text resource (alternative text is modified). | ID of the text resource |
| workflow:accepted-on-step | Content has been accepted and workflow step has been changed to the default next step. | ID of the accepted content |
| workflow:accepted-to-step | Content has been accepted and workflow step has been changed to another step than the default step. | ID of the accepted content |
| workflow:pushed-to-step |
Content has been rejected or workflow step has been forcefully set to a specific step as a powerful user (typically as part of conversion or similar) |
ID of the pushed content |
Due to changes made to comply with GDPR requirements, the audit logs may not contain information that was scheduled to be deleted under retention actions. See Audit Retention Purger Job
Inspecting audit log search results
You can view an audit log to see what happened to a certain record, or what actions were performed by a certain user.
Results that match your query are displayed. You can:
- Choose how many results to display on the page by hovering on the results dropdown.
- Show the log entry in XML format, by expanding the XML area.
- Show the XML in a formatted way using the Audit XML formatted link for each result, where available.
Key things to identify in the XML is often:
- Before and after values
- Found in the XML
- User responsible for the modification and the time of the modification
- Found in the XML metadata on top of the XML
Note, the search results can not be exported!
Published at June 16, 2025