Audit logs capture user management and authentication events for your organization in Imply Polaris. You can use audit logs to detect anomalous activities and investigate potential misuse of privileges or security incidents.
This topic explains how to view audit logs in the Polaris UI. To retrieve audit logs through the Polaris API, see the Audit API documentation.
Access audit logs
Polaris retains audit logs for a minimum of 31 days.
You cannot modify or delete audit logs.
To view audit logs in the Polaris UI, click the gear icon in the top right corner to open the Administration console. Click Audit logs in the left navigation pane to access the main Audit logs page.
Audit logs provide contextual information based on the category and type of action. Logged events contain the following fields:
- Time: date and time the event occurred
- Actor: user that triggered the event
- Summary: description of the event
- Category: category of the event
- IP address: IP address of the user that triggered the event (when applicable)
This section describes the events captured by Polaris, grouped by event category.
Logs in the Auth category are user authentication events. Polaris provides logs for the following types of authentication events:
- Successful user login
- Failed user login
- Password reset requested
- Password updated
- User impersonated
- User invite accepted
Polaris doesn't log API key access events at this time.
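The following Python is an added example, not Polaris code or an Imply-provided script. It reviews Auth events for two patterns worth triaging: a successful login that follows a burst of failed logins for the same actor, and any user impersonation. The dict keys, the ISO 8601 timestamps, the summary strings (taken from the event type names above), and the threshold and window values are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Keys mirror the fields listed above; the dict
# layout and summary strings are assumptions, not a Polaris export format.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:05Z", "actor": "ana@example.com", "summary": "Failed user login", "category": "Auth", "ip": "203.0.113.7"},
    {"time": "2024-05-01T09:00:40Z", "actor": "ana@example.com", "summary": "Failed user login", "category": "Auth", "ip": "203.0.113.7"},
    {"time": "2024-05-01T09:01:10Z", "actor": "ana@example.com", "summary": "Failed user login", "category": "Auth", "ip": "203.0.113.7"},
    {"time": "2024-05-01T09:01:30Z", "actor": "bob@example.com", "summary": "Failed user login", "category": "Auth", "ip": "198.51.100.4"},
    {"time": "2024-05-01T09:02:00Z", "actor": "ana@example.com", "summary": "Successful user login", "category": "Auth", "ip": "203.0.113.7"},
    {"time": "2024-05-01T09:03:00Z", "actor": "bob@example.com", "summary": "Successful user login", "category": "Auth", "ip": "198.51.100.4"},
    # The IP address field is only present "when applicable", so it is omitted here.
    {"time": "2024-05-01T09:05:00Z", "actor": "admin@example.com", "summary": "User impersonated", "category": "Auth"},
]

def parse_time(value):
    """Parse an ISO 8601 UTC timestamp such as 2024-05-01T09:00:05Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def review_auth_events(events, threshold=3, window=timedelta(minutes=10)):
    """Return (kind, actor, ip, count) findings, in event-time order.

    login_after_failures: a successful login preceded by at least `threshold`
    failed logins for the same actor within `window`.
    impersonation: every "User impersonated" event, for manual review.
    """
    findings = []
    failures = defaultdict(list)  # actor -> times of failed logins so far
    auth = [e for e in events if e.get("category") == "Auth"]
    for ev in sorted(auth, key=lambda e: parse_time(e["time"])):
        when, actor, summary = parse_time(ev["time"]), ev["actor"], ev["summary"]
        if summary == "Failed user login":
            failures[actor].append(when)
        elif summary == "Successful user login":
            burst = [t for t in failures[actor] if when - t <= window]
            if len(burst) >= threshold:
                findings.append(("login_after_failures", actor, ev.get("ip"), len(burst)))
            failures[actor].clear()  # a success resets the actor's failure history
        elif summary == "User impersonated":
            findings.append(("impersonation", actor, ev.get("ip"), 1))
    return findings

if __name__ == "__main__":
    for finding in review_auth_events(SAMPLE_EVENTS):
        print(finding)
```

Because Polaris doesn't log API key access events, a review like this covers interactive authentication only.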
Search audit logs
You can use the search bar to narrow down events according to your specified criteria.
Filter by date range
To find events within a date range, click the date drop-down and select one of the available options:
- Last day
- Last 3 days
- Last 7 days
- Last 14 days
To use a custom range, select Custom from the date drop-down and enter the start and end dates.
You can apply additional filters to refine your results. Click the Filters drop-down to view available options. You can filter by user email, event category, or IP address.