View the Audit Log
The Audit Log gives Syncro Users with appropriate security permissions visibility into all user actions within the Backup Portal.
This includes, but isn't limited to, accessing data, initiating restores and backups, modifying consent, and modifying backup settings. The log's primary function is to help you track and review user-based activities within a backup instance.
Tip: The Audit Log does not contain information on backup or restore statuses, such as completion times or failures. You can find this information in the Task Manager.
Navigate to the Audit Log
Follow these steps to view the Audit Log:
- Navigate to any Syncro Tenant's Details Page.
- In the Cloud Backup section, click Manage, then select Audit Log.
Note: If you're already in the Backup Portal, you can access the Audit Log from the User Profile menu in the upper right.
Audited events display in reverse chronological order, with the newest shown first.
Filter Audit Log Data
Use the dropdown menus to filter the events shown based on:
- Actor: A list of signed-in users who performed action(s) in the Backup Portal. The options include “System” and “All,” followed by a list of specific users.
- Event: A list of action(s) taken or events that happened (e.g., “Emails were accessed” or “SharePoint restore was initiated”). You can select more than one Event at a time.
- Target User: A list of users who were affected by the action (e.g., the user whose emails were accessed). This is a single-select field.
- Time Range: The time period when the action(s) were taken. Options include Last Week, Last Month, Last Year, or select a Custom date range from the calendar.
Note: The filters only display relevant Actors/Events. If, for example, a certain Actor is not visible in the Actor filter, that user has not taken any action in the Backup Portal.
Tips: Click the slanted triple line icon to clear the filters. Click the refresh icon to refresh the Audit Log for new entries.
About Audit Log Entries
The Audit Log lists all user actions that have taken place in the Backup Portal, with the following exceptions:
- A signed-in user accessing his/her own OneDrive or Mail folders, and
- A signed-in Administrator browsing shared organization data (SharePoint & Teams)
Notes:
- If a user restores or downloads their own data, or an Administrator restores or downloads shared organization data, these actions are visible in the Audit Log.
- Entries cannot be deleted from the Audit Log, nor can entries be added manually.
What appears in the Details column of the Audit Log depends on the Service restored and/or downloaded:
- Mail: For email folders, the folder name is shown. For single or selected emails, the email subject(s) is shown.
- OneDrive/SharePoint: For file or folder restores, destination accounts and/or folders, SharePoint lists/OneDrive, the folder and file names, as well as paths of all restored files are shown. Click the ellipsis icon to view the full list of restored files.
- Backup settings: When backup settings for user or organization Services have been modified, both the old and new settings are shown. Click the State Before icon to view the original settings. Click the State After icon to view the new settings.
Audit Log Entry Examples
Here are some example entries for the Audit Log:
Organization backup settings were modified: This example shows the settings were changed for backups as part of the initial configuration, which is why no user is associated with the change. For subsequent actions, this entry would also include the user who made the change.
Emails were accessed: This example shows the user whose email was accessed and which folder of emails was accessed.
SharePoint backup was initiated: This example shows the user who initiated a backup of SharePoint.
Mail restore was initiated: This example shows that a Restore was initiated for the user, and it shows which specific email was targeted in the restore.
SharePoint restore was initiated: This example shows which List and which site were restored for SharePoint.
Teams restore was initiated: This example shows the Team ID that was restored, along with the Channel.