By viewing audit logs, users with Security Admin permissions can monitor user actions, authentication failures, invalid login attempts, and the user session lifespan.

Before you begin
  1. Select Settings > Access Management.

  2. Select the Audit Log tab.

    Audit log activity appears in tabular format, which includes the following columns of information:

    • Date/Time — Timestamp of when the storage array detected the event (in GMT).

    • Username — The user name associated with the event. For any non-authenticated actions on the storage array, "N/A" appears as the user name. Non-authenticated actions might be triggered by the internal proxy or some other mechanism.

    • Status Code — HTTP status code of the operation (200, 400, etc.) and descriptive text associated with the event.

    • URL Accessed — Full URL (including host) and query string.

    • Client IP Address — IP address of the client associated with the event.

    • Source — Logging source associated with the event, which can be System Manager, CLI, Web Services, or Support Shell.

    • Description — Additional information about the event, if applicable.

  3. Use the selections on the Audit Log page to view and manage events.

    Selection Details
    Selection Description

    Show events from the…​

    Limit events shown by date range (last 24 hours, last 7 days, last 30 days, or a custom date range).


    Limit events shown by the characters entered in the field. Use quotes ("") for an exact word match, enter OR to return one or more words, or enter a dash ( — ) to omit words.


    Select Refresh to update the page to the most current events.

    View/Edit Settings

    Select View/Edit Settings to open a dialog box that allows you to specify a full log policy and level of actions to be logged.

    Delete events

    Select Delete to open a dialog box that allows you to remove old events from the page.

    Show/hide columns

    Click the Show/Hide column icon to select additional columns for display in the table. Additional columns include:

    • Method — The HTTP method (for example, POST, GET, DELETE, etc.).

    • CLI Command Executed — The CLI command (grammar) executed for Secure CLI requests.

    • CLI Return Status — A CLI status code or a request for input files from the client.

    • SYMbol Procedure — The SYMbol procedure executed.

    • SSH Event Type — Secure Shell (SSH) event type, such as login, logout, and login_fail.

    • SSH Session PID — Process ID number of the SSH session.

    • SSH Session Duration(s) — The number of seconds the user was logged in.

    • Authentication Type — Types can include Local user, LDAP, SAML, and Access token.

    • Authentication ID — ID of the authenticated session.

    Toggle column filters

    Click the Toggle icon to open filtering fields for each column. Enter characters within a column field to limit events shown by those characters. Click the icon again to close the filtering fields.

    Undo changes

    Click the Undo icon to return the table to the default configuration.


    Click Export to save the table data to a comma-separated values (CSV) file.
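
The following is an added example, not part of the product or its documentation: a script that reads an exported audit log CSV and reports client IP addresses with repeated authentication failures inside a short time window. It assumes the CSV header names match the column labels listed above, that the Status Code cell begins with the numeric HTTP code, and that timestamps use the format shown; the sample rows, the threshold, and the window are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. Header names are assumed to match the column
# labels on the Audit Log page; the timestamp format is also an assumption.
SAMPLE_CSV = """\
Date/Time,Username,Status Code,URL Accessed,Client IP Address,Source,Description,SSH Event Type
2024-05-01 10:00:05,N/A,401 Unauthorized,https://array.example/login,198.51.100.7,Web Services,,
2024-05-01 10:00:40,N/A,401 Unauthorized,https://array.example/login,198.51.100.7,Web Services,,
2024-05-01 10:01:10,admin,200 OK,https://array.example/volumes,192.0.2.10,System Manager,,
2024-05-01 10:02:30,N/A,,,198.51.100.7,Support Shell,,login_fail
2024-05-01 10:03:00,monitor,401 Unauthorized,https://array.example/login,192.0.2.44,CLI,,
2024-05-01 11:30:00,N/A,,,192.0.2.44,Support Shell,,login_fail
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed export format, GMT per the page

def is_auth_failure(row):
    """Treat HTTP 401 or an SSH login_fail event as a failed authentication."""
    status = (row.get("Status Code") or "").split(" ", 1)[0]
    return status == "401" or (row.get("SSH Event Type") or "").strip() == "login_fail"

def failed_login_bursts(csv_text, threshold=3, window=timedelta(minutes=5)):
    """Return {client_ip: peak failure count} for IPs that reach `threshold`
    failures inside any sliding `window`."""
    failures = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if is_auth_failure(row):
            when = datetime.strptime(row["Date/Time"], TIME_FORMAT)
            failures[row["Client IP Address"]].append(when)

    bursts = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # shrink the window from the left
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[ip] = peak
    return bursts

if __name__ == "__main__":
    for ip, count in failed_login_bursts(SAMPLE_CSV).items():
        print(f"{ip}: {count} failed authentications within 5 minutes")
```

Grouping by Client IP Address rather than Username matters here because failed, non-authenticated requests are logged with "N/A" as the user name.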