Logs
The Logs section provides visibility into all administrative actions and user login activity in your Prism organization. Logs are essential for security monitoring, compliance auditing, and troubleshooting.
Log Types
Prism provides two types of logs:
| Log Type | Description | Link |
|---|---|---|
| Audit Logs | Records of all administrative actions performed in the Admin Portal (create, update, delete operations) | Audit Logs |
| Access Logs | Records of user login activity, including successful and failed authentication attempts | Access Logs |
Audit Logs
Audit logs track every administrative action performed in the Admin Portal. This includes:
- Creating, editing, and deleting users
- Creating and deleting groups
- Modifying group membership
- Creating, editing, and deleting permission sets
- Creating and deleting assignments
- Onboarding and deleting AWS accounts
- Changes to preferences and settings
See Audit Logs for detailed filtering and search capabilities.
Access Logs
Access logs track user authentication activity, including:
- Successful logins (username/password and SSO)
- Login source and method
- Session information
See Access Logs for detailed filtering and statistics.
Review logs regularly as part of your security posture. Look for unusual patterns such as unexpected administrative actions or access from unusual locations.
Log Retention and Export
Prism retains logs for 90 days. Logs older than 90 days are automatically purged from Prism's database. For long-term retention and compliance, configure Log Export Settings to automatically export logs to an Amazon S3 bucket before they expire.
Audit Logs
Audit logs provide a comprehensive record of every administrative action performed in the Prism Admin Portal. Use audit logs to track changes, investigate incidents, and meet compliance requirements.
Overview
Every action performed in the Admin Portal is recorded in the audit log with details about what changed, who made the change, and when it occurred. Audit logs are immutable -- they cannot be edited or deleted.
Filters
The audit log table supports the following filters to help you find specific entries:
| Filter | Type | Description |
|---|---|---|
| Action Type | Dropdown | Filter by the type of action: CREATE, READ, UPDATE, DELETE |
| Resource Type | Dropdown | Filter by the type of resource affected (e.g., User, Group, Permission Set, Assignment, AWS Account) |
| Date Range | Date picker | Filter logs to a specific time period (start date and end date) |
| User | Text/Dropdown | Filter by the admin user who performed the action |
| Status | Dropdown | Filter by action status (success or failure) |
Combine multiple filters to narrow down the results. For example, filter by DELETE action type and Permission Set resource type to find all permission set deletions.
Audit Log Table
Table Columns
| Column | Description |
|---|---|
| Timestamp | The date and time when the action was performed |
| User | The admin or API token that performed the action (e.g., akshat.gautam@clou... or API Token: Akshat TF) |
| Action | The type of action performed: CREATE, UPDATE, or DELETE |
| Resource | The type of resource affected (e.g., Permission Sets, Groups, Users) |
| Description | A summary of the action performed (e.g., "Delete permission set (ID: ...)", "Create a new group") |
| Status | The HTTP status code of the action (e.g., 200 for success) |
| Duration | How long the action took to complete (e.g., 8ms, 138ms) |
| Actions | View icon to see additional details about the log entry |
Expanding Details
Click on the Details column or the expand icon on any row to see additional information, such as:
- The specific fields that were changed (for update actions)
- The full resource data (for create actions)
- Error messages (for failed actions)
- Request metadata
Common Audit Queries
"Who deleted this user?"
- Set Action Type to DELETE.
- Set Resource Type to User.
- Adjust the Date Range to the suspected time period.
- Review the Performed By column.
"What changes were made today?"
- Set the Date Range to today's date.
- Leave other filters empty to see all actions.
"What did a specific admin do?"
- Set the User filter to the admin's username.
- Adjust the Date Range as needed.
- Review all actions performed by that admin.
"Were there any failed operations?"
- Set the Status filter to Failed.
- Review the details of each failed operation for error messages.
What Gets Logged
The following actions are recorded in the audit log:
| Resource Type | Logged Actions |
|---|---|
| User | Create, Edit, Delete, MFA changes, Group assignment changes |
| Group | Create, Delete, Member additions and removals |
| Permission Set | Create, Edit, Delete, Policy changes |
| Assignment | Create, Delete |
| AWS Account | Onboard, Rename, Owner changes, Delete |
| Identity Provider | Configuration changes |
| Custom Application | Create, Edit, Delete |
| Preferences | Admin role changes, SCIM token operations, API token operations, Log export configuration |
Access Logs
Access logs record all user authentication activity in your Prism organization, including successful logins, failed attempts, and session information. Use access logs to monitor login patterns, detect suspicious activity, and troubleshoot authentication issues.
Overview
Every authentication attempt is recorded in the access log. This provides a complete picture of who is logging in, when, how, and from where.
Filters
The access log table supports the following filters:
| Filter | Type | Description |
|---|---|---|
| Date Range | Date picker | Filter logs to a specific time period (start date and end date) |
| User Email | Text | Filter by the user's email address |
| AWS Account ID | Text | Filter by the AWS account ID accessed during the session |
| Permission Set | Dropdown | Filter by the permission set used during the session |
| Login Type | Dropdown | Filter by the authentication method (e.g., username/password, Google SSO, Microsoft SSO) |
Use the User Email filter to investigate logins for a specific user. Combine it with the Date Range filter to see a user's recent login history.
Access Log Table
The access log table displays individual login records with the following information:
| Column | Description |
|---|---|
| Timestamp | The date and time of the access event |
| User Email | The email address of the user |
| Target | The resource accessed -- either an AWS account (shown with account name and ID) or a custom application |
| Permission Set | The permission set used for the session, if applicable |
| Client IP | The IP address of the user's client |
| Actions | View icon to see additional details about the log entry |
Common Access Log Queries
"When did a specific user last access a resource?"
- Set the User Email filter to the user's email.
- Set a broad Date Range (e.g., last 30 days).
- Sort by timestamp (most recent first).
"Who accessed a specific AWS account?"
- Filter by the AWS Account ID.
- Adjust the Date Range as needed.
- Review the list of users, their permission sets, and client IPs.
"Which permission set is a user accessing?"
- Set the User Email filter to the user's email.
- Filter by Permission Set to narrow results.
- Review the targets and timestamps.
Security Monitoring
Access logs are a key tool for security monitoring. Watch for:
| Pattern | Potential Issue |
|---|---|
| Access from unexpected client IPs | Possible unauthorized access |
| Unusual permission set usage | Possible privilege escalation |
| Access at unusual times | Possible compromised account |
| Spike in access to a specific account | Unusual activity worth investigating |
If you detect suspicious activity, take immediate action: reset the affected user's password and review their recent activity in the Audit Logs.
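The four patterns in the table above can also be checked offline against exported access logs. The following is an added example, not Prism's own code: it assumes records whose fields are named after the Access Log table columns (`timestamp`, `user_email`, `target`, `permission_set`, `client_ip`), a per-user /24 network baseline, a 07:00 to 19:00 working window and a 3x daily spike factor, and it runs on constructed sample data.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample data; field names mirror the Access Log table columns
# (the actual export schema is an assumption).
FIELDS = ("timestamp", "user_email", "target", "permission_set", "client_ip")
def rows(*tuples):
    return [dict(zip(FIELDS, t)) for t in tuples]
BASELINE = rows(
    ("2024-05-06T09:12:00+00:00", "ana@example.com", "111111111111", "ReadOnly", "203.0.113.10"),
    ("2024-05-07T14:40:00+00:00", "ana@example.com", "111111111111", "ReadOnly", "203.0.113.77"),
    ("2024-05-07T10:05:00+00:00", "raj@example.com", "222222222222", "Developer", "198.51.100.4"),
)
RECENT = rows(
    ("2024-05-20T09:30:00+00:00", "ana@example.com", "111111111111", "ReadOnly", "203.0.113.25"),
    ("2024-05-20T02:14:00+00:00", "ana@example.com", "111111111111", "AdminAccess", "192.0.2.55"),
    ("2024-05-20T11:00:00+00:00", "raj@example.com", "222222222222", "Developer", "198.51.100.9"),
    ("2024-05-20T11:05:00+00:00", "raj@example.com", "222222222222", "Developer", "198.51.100.9"),
    ("2024-05-20T11:09:00+00:00", "raj@example.com", "222222222222", "Developer", "198.51.100.9"),
)

def flag_records(records, baseline, prefix=24, hours=range(7, 19)):
    """Per-record checks against each user's baseline networks and permission sets."""
    nets, psets = defaultdict(set), defaultdict(set)
    for r in baseline:
        nets[r["user_email"]].add(ipaddress.ip_network(f"{r['client_ip']}/{prefix}", strict=False))
        psets[r["user_email"]].add(r["permission_set"])
    findings = []
    for r in records:
        user, reasons = r["user_email"], []
        if not any(ipaddress.ip_address(r["client_ip"]) in n for n in nets[user]):
            reasons.append("unexpected client IP")
        if r["permission_set"] not in psets[user]:
            reasons.append("unusual permission set")
        if datetime.fromisoformat(r["timestamp"]).hour not in hours:
            reasons.append("unusual time")
        if reasons:
            findings.append((user, r["timestamp"], reasons))
    return findings

def account_spikes(records, baseline, factor=3):
    """Flag (account, day) pairs with at least factor x the baseline's busiest day."""
    per_day = lambda recs: Counter((r["target"], r["timestamp"][:10]) for r in recs)
    peak = Counter()
    for (acct, _), n in per_day(baseline).items():
        peak[acct] = max(peak[acct], n)
    return [(acct, day, n) for (acct, day), n in per_day(records).items()
            if n >= factor * max(peak[acct], 1)]
```

The hour check uses the offset carried in each timestamp, so normalize records to one time zone first. A user with no baseline history is flagged on both the IP and the permission set checks.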