Use audit logs to track activity in your IoT Central application

This article describes how to use audit logs to track who made what changes at what time in your IoT Central applications. You can:

  • Sort the audit log.
  • Filter the audit log.
  • Customize the audit log.
  • Manage access to the audit log.
  • Export the audit log records.

The audit log records who made a change, which entity was modified, the action that made the change, and when the change was made. The log tracks changes made through the UI, programmatically with the REST API, and through the CLI.

The log records changes to the following IoT Central entities:

The log records changes made by the following types of user:

  • IoT Central user - the log shows the user's email.
  • API token - the log shows the token name.
  • Azure Active Directory user - the log shows the user email or ID.
  • Service principal - the log shows the service principal name.

The log stores data for 30 days, after which it's no longer available.

The following screenshot shows the audit log view with the location of the sorting and filtering controls highlighted:

Screenshot that shows the audit log. The location of the sort and filter controls is highlighted.

Customize the log

Select Column options to customize the audit log view. You can add and remove columns, reorder the columns, and change the column widths:

Screenshot that shows the audit log column options.

Sort the log

You can sort the log into ascending or descending timestamp order. To sort, select Timestamp:

Screenshot that shows how to sort the log into descending timestamp order.

Filter the log

To focus on a specific time, filter the log by time range. Select Edit time range and specify the range you're interested in:

Screenshot that shows how to filter the log to show the last hour of entries.

To focus on specific entries, filter by entity type or action. Select Filter and use the multi-select drop-downs to specify your filter conditions:

Screenshot that shows how to filter the log to show only updates to user entities.

Manage access

The built-in App Administrator role has access to the audit logs by default. The administrator can grant access to other roles. An administrator can assign either Full control or View audit log permissions to other roles. To learn more, see Manage users and roles in your IoT Central application.

Important

Any user granted permission to view the audit log can see all log entries even if they don't have permission to view or modify the entities listed in the log. Therefore, any user who can view the log can view the identity of and changes made to any modified entity.

Export logs

You can export the audit log records to various destinations for long-term storage, detailed analysis, or integration with other logs. For more information, see Export IoT data.

To send audit logs to Log Analytics in Azure Monitor, use IoT Central data export to send the audit logs to Event Hubs, and then use an Azure Function to add the audit log data to Log Analytics.
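The following added example, which is not part of the original article or Microsoft's code, sketches the last hop of that pipeline: the logic a function could use to batch audit records and sign a request to Log Analytics. It assumes the Azure Monitor HTTP Data Collector API as the ingestion path; the log name, the record field names, and the workspace ID and key are hypothetical placeholders.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone
from email.utils import format_datetime

API_PATH = "/api/logs"            # resource path; part of the signed string
CONTENT_TYPE = "application/json"
LOG_TYPE = "IoTCentralAudit"      # hypothetical custom log name

# Constructed sample records; field names are assumptions, not the export schema.
SAMPLE_RECORDS = [
    {"timestamp": "2024-01-02T03:00:00Z", "actor": "admin@contoso.example",
     "actorType": "IoT Central user", "action": "update", "entityType": "user"},
    {"timestamp": "2024-01-02T03:01:30Z", "actor": "ci-token",
     "actorType": "API token", "action": "delete", "entityType": "device"},
]

def sign(workspace_id, shared_key_b64, body, rfc1123_date):
    """Return the SharedKey Authorization header value for one POST."""
    string_to_sign = (f"POST\n{len(body)}\n{CONTENT_TYPE}\n"
                      f"x-ms-date:{rfc1123_date}\n{API_PATH}")
    key = base64.b64decode(shared_key_b64)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode('ascii')}"

def build_request(workspace_id, shared_key_b64, records, now=None):
    """Build (url, headers, body) for a batch of audit records without sending it."""
    now = now or datetime.now(timezone.utc)
    date = format_datetime(now, usegmt=True)      # RFC 1123 date, GMT
    body = json.dumps(records, separators=(",", ":")).encode("utf-8")
    headers = {
        "Content-Type": CONTENT_TYPE,
        "Log-Type": LOG_TYPE,
        "x-ms-date": date,
        # Use the record's own time so entries keep the time of the change,
        # not the time the function happened to run.
        "time-generated-field": "timestamp",
        "Authorization": sign(workspace_id, shared_key_b64, body, date),
    }
    url = (f"https://{workspace_id}.ods.opinsights.azure.com"
           f"{API_PATH}?api-version=2016-04-01")
    return url, headers, body
```

Send the result with any HTTP client. Keep the workspace key in the function's secret settings rather than in source, because anyone holding it can write records into the workspace.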

Next steps

Now that you've learned how to manage users and roles in your IoT Central application, the suggested next step is to learn how to Manage IoT Central organizations.