Audit Log: User Guide
Scope
Intended Audience: White Label Partners, Channel Partners, and Tech 1+
This integration provides real-time visibility into user actions and system events across your NetSapiens environment. Track configuration changes, monitor user activity, troubleshoot issues, and maintain compliance with a comprehensive audit trail of all activities.
Requirements
Minimum Permission Level: Channel Partner or higher
Access is role-based:
- Tech 1+: View all audit logs across all domains and territories
- White Label Partners & Channel Partners: View audit logs for all domains within your assigned territory
Getting Started
Accessing the Audit Log
- Log in to the Manager Portal
- Navigate to Integrations
- Click on the Audit Log integration card
- The Audit Log Viewer opens automatically—no configuration required
Quick Start (First Time Users)
Just want to jump in? Follow these 3 steps:
- Click the Audit Log integration card in your Integrations menu
- Click the blue Search button (it will show the last 24 hours by default)
- Click any row to expand and see event details
That’s it! You’re now viewing recent activity in your territory.
Next steps to try:
- Change the Date Range to “Last 7 Days” and search again
- Select Action = “Login” to see authentication events
- Type a domain name in Affected Domain and search
- Click Investigate User on any expanded event
Using the Audit Log Viewer
The Interface
The Audit Log Viewer consists of several key areas:
- Filter Bar (top): Search and filter controls
- View Controls (right): Toggle between Table and Card views
- Results Area (center): Your audit events
- Statistics Bar (bottom): Summary of results
- Pagination (bottom): Navigate between pages
Search Filters Explained
The filter bar at the top provides powerful search capabilities. Enter your criteria and click Search to view results.
Action
Dropdown selection of operation types
Filter by the type of operation that was performed.
Available Actions:
- Login: User authentication events (includes failed logins)
- Logout: Session terminations
- Add/Create: Creating new resources
- Delete: Removing resources
- Modify/Update: Changing existing configurations
- Export/Upload: Data export operations
- Import: Data import operations
- Load: Loading configuration data
- Activate: Enabling resources or features
- Restart: System restart operations
- Validate: Validation checks
- Google Authenticator: MFA authentication requirements
- Security Warning: Security-related alerts and verifications
Use Case Example: Select “Delete” to audit all deletions within a time period for compliance reviews.
Best Practice: Start with broader action types, then narrow down using other filters like date or domain.
Objects
Multi-select dropdown organized by categories
Select one or more object types to filter events. Objects are grouped into categories:
Categories:
- Authentication: OAuth, API Key, MFA
- Users & Domains: Subscriber, Admin, Domain, Reseller, Territory
- Communication: Conference, Recording, Phone Number, Call Queue, Hunt Group, Meeting
- Configuration: Timerange, Dialing, Answer Rule, Phone Config, UI Config, Route, MAC
- System: Database, Server, System, Support Login, TAC, LEA License, NCS, NFR, NMS
- Other: Address, Agent, Audio File, Code, Connection, Images, Message Session, Quota, Registrar, Reject Log, SBus, Vmailnag
Use Case Example: Select “Phone Number” and “Subscriber” to track all changes related to user phone assignments.
Best Practice: You can select multiple objects at once. The display shows “+X more” when you’ve selected more than 2 objects.
Date Range
Date range picker with quick presets
Filter events by when they occurred. Click the date range field to see quick preset options.
Quick Presets:
- Today
- This Week
- Last 7 Days
- Last 30 Days
- This Month
- Last 3 Months
- Last 6 Months
- Last Year
Use Case Example: Select “Last 7 Days” to quickly review recent activity, or choose custom dates to audit a specific maintenance window.
Best Practice:
- Start with broader ranges (Last 30 Days) to get an overview
- For incident investigations, align the date range with when the issue was first reported
- For compliance audits, use custom dates matching your reporting periods
Performed By User
Text input field
Enter the username/extension of the person who performed the action.
Example: 1041 or admin
Use Case Example: Track all changes made by a specific administrator during an incident for quality assurance.
Best Practice: Combine with date filters to review activity during a specific time window.
Performed By Domain
Text input with auto-complete
Enter the domain of the person who performed the action. As you type, matching domains appear for quick selection.
Example: who.did.it.com
Use Case Example: Identify which domain’s administrators made changes across multiple customer domains.
Best Practice: Start typing a domain name and select from the autocomplete dropdown for accuracy.
Performed By IP Address
Text input field
Enter the IP address from which the action was initiated.
Example: 192.168.1.1
Use Case Example: Track actions from a specific IP address during security investigations.
Best Practice: Use this to verify administrative actions are coming from expected office locations or VPN addresses.
Affected User
Text input field
Enter the username/extension of the user account that was affected by the action.
Example: 100
Use Case Example: Track all configuration changes made to a specific user’s account when troubleshooting their phone setup.
Best Practice: Use this to isolate events related to a single user for focused troubleshooting.
Affected Domain
Text input with auto-complete
Enter the domain (customer/organization) where the change occurred. Auto-complete helps you find the right domain quickly.
Example: abcplumbing.service
Use Case Example: If a customer reports unexpected behavior, filter by their domain to see all recent changes.
Best Practice: When investigating customer issues, always filter by their domain first to scope the search.
Executing Your Search
Clear Filters
Click the Clear button (with refresh icon) to reset all filters to their defaults. This gives you a fresh start for a new search.
Search Button
After setting your filters, click the blue Search button to execute the query. Results appear below in your selected view mode (Table or Cards).
Tip: The default search shows the last 24 hours of activity when you first open the integration.
Viewing Results
Table View vs. Card View
Toggle between two view modes using the selector in the upper right:
Table View (default): Compact, spreadsheet-like layout
- Shows multiple events per screen
- Best for: Scanning many events quickly
- Click any row to expand details
Card View: Visual card layout with larger text
- Shows fewer events per screen but with more detail visible
- Best for: Reviewing events in detail, presentations
Understanding Event Details
Click any event row (in Table view) or card (in Card view) to expand and see full details:
Event Summary (blue box): A plain-English description of what happened, including:
- Who performed the action
- From what IP address
- What they did
- What was affected
Event Details
- Full Timestamp (with timezone)
- Action Details
- Performed By User / Affected User
- Performed By Domain / Affected Domain
- Performed By IP Address
- Object type
Parameters (if available): Additional technical details about the event, displayed as tags.
Action Buttons:
- Copy Details - Copy event summary to clipboard
- Investigate User - Automatically create a new search showing all recent activity for the affected user
Additional Features
Records Per Page
Select 10 per page or 25 per page from the dropdown in the upper right. Changing this automatically refreshes your search with the new page size.
Timezone Selector
All timestamps are displayed in your selected timezone. Click the timezone dropdown to change it. Common options include:
- UTC
- US/Eastern, US/Central, US/Mountain, US/Pacific
- Your local timezone (automatically detected)
Column Toggle (Table View Only)
Click the Toggle Columns dropdown to show/hide specific columns:
- Timestamp
- Action
- Affected User
- Affected Domain
- Object
- By User
- By Domain
- IP Address
Default columns: Timestamp, Action, Affected User, Affected Domain, and Object are visible by default. By User, By Domain, and IP Address are hidden by default—enable them if you need to see who performed actions.
Use Select All or Clear All buttons at the bottom of the menu for quick changes.
Best Practice: Hide columns you’re not using to reduce clutter and focus on relevant information.
Refresh
Click the Refresh button to re-run your current search with the same filters. Useful for monitoring ongoing activity or checking for new events.
Export
Click the Export button to download all currently loaded results as a CSV file. The export includes:
- All visible events from all loaded pages
- All columns (even hidden ones)
- All parameters as separate columns
- Filename format: audit-log-complete-YYYY-MM-DD-HHmm.csv
Best Practice: Load multiple pages before exporting to capture more data in a single file.
Investigate User Feature
When viewing event details, click Investigate User to:
- Automatically filter for that specific user
- Expand the date range to the last year
- Show all activity for that user
This is perfect for troubleshooting user-specific issues or conducting user activity audits.
Navigation and Pagination
Page Navigation
Use the Previous and Next buttons at the bottom to navigate between pages.
- Page indicator shows your current page number
- “more available” displays when additional pages exist
- You can return to previous pages without losing them
- Loading more pages appends to your current session
Best Practice: Use a larger page size (25) if you’re investigating and need to see more events without clicking Next frequently.
Statistics Bar
Below your results, the statistics bar shows:
- Total Events: Number of events on the current page
- Unique Users: Count of distinct users in current results
- Unique Domains: Count of distinct domains in current results
- Current Timezone: Reminder of your timezone setting
Common Use Cases
Troubleshooting Customer Issues
Scenario: A customer reports their call routing stopped working this morning.
How to investigate:
- Set Affected Domain to the customer’s domain
- Select Objects: “Dialing” and “Route”
- Set Date Range: “Last 7 Days” (or custom to yesterday)
- Click Search
- Review all routing/dialing changes
- Look for changes around the time the issue started
What to look for: Delete or Modify actions on dial plans or routes that could have disrupted call flow.
Monitoring Security Events
Scenario: You want to review all login activity for suspicious patterns.
How to investigate:
- Set Action: “Login”
- Set Date Range: “Last 30 Days”
- Leave other filters blank to see all logins
- Click Search
- Review the By IP column for unfamiliar addresses
- Look for failed login attempts (action badges show in red for bad-password logins; other failed login types such as bad IP or unknown user appear in blue)
What to look for: Login attempts from unexpected IP addresses, failed login patterns, or after-hours access.
Tip: Click Investigate User on any suspicious login to see that user’s full activity history.
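The login review above can also be run against an exported CSV. The following is an added example, not NetSapiens code: the header names (taken from the viewer's column labels), the ISO 8601 timestamp format and the sample rows are assumptions, so match them to your actual export.

```python
import csv
import io
import ipaddress
from datetime import datetime

# Constructed sample export. Header names mirror the viewer's column labels and
# the ISO 8601 timestamps are assumptions; adjust both to match your real CSV.
SAMPLE_CSV = """Timestamp,Action,Affected User,Affected Domain,Object,By User,By Domain,IP Address
2025-03-03T09:12:00-05:00,Login,1041,abcplumbing.service,Subscriber,1041,abcplumbing.service,192.168.1.1
2025-03-03T23:47:00-05:00,Login,admin,abcplumbing.service,Admin,admin,abcplumbing.service,192.168.1.1
2025-03-04T10:05:00-05:00,Login,100,abcplumbing.service,Subscriber,100,abcplumbing.service,203.0.113.50
2025-03-04T10:06:00-05:00,Login,1041,abcplumbing.service,Subscriber,1041,abcplumbing.service,203.0.113.50
2025-03-04T11:30:00-05:00,Modify/Update,100,abcplumbing.service,Phone Number,admin,abcplumbing.service,192.168.1.1
2025-03-04T12:00:00-05:00,Login,System,abcplumbing.service,Subscriber,System,abcplumbing.service,-
"""


def review_logins(csv_text, expected_networks, work_hours=(8, 18)):
    """Return (timestamp, user, ip, reason) tuples for Login rows worth a look.

    expected_networks: CIDR strings for office/VPN ranges you expect logins from.
    work_hours: (start, end) hours, evaluated in the timestamp's own UTC offset.
    Failed and successful logins are not distinguished here, because the guide
    does not say how the export encodes the login outcome.
    """
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Action"].strip().lower() != "login":
            continue
        stamp, user = row["Timestamp"], row["By User"]
        raw_ip = row["IP Address"].strip()
        when = datetime.fromisoformat(stamp)
        try:
            ip = ipaddress.ip_address(raw_ip)
        except ValueError:
            # "-" or "N/A": the guide says this data was not captured.
            findings.append((stamp, user, raw_ip, "no-ip-recorded"))
            continue
        if not any(ip in net for net in nets):
            findings.append((stamp, user, raw_ip, "unexpected-ip"))
        if not work_hours[0] <= when.hour < work_hours[1]:
            findings.append((stamp, user, raw_ip, "after-hours"))
    return findings


if __name__ == "__main__":
    for finding in review_logins(SAMPLE_CSV, ["192.168.1.0/24"]):
        print(*finding, sep="  ")
```

Each flagged user is a candidate for the Investigate User button in the viewer.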
User Provisioning Audit
Scenario: You need to document all new users added this month for billing or compliance.
How to investigate:
- Set Action: “Add/Create”
- Select Objects: “Subscriber”
- Set Date Range: “This Month” (or custom dates)
- Click Search
- Click Export to download the complete list
What you’ll get: A CSV file with all user creation events including who created them, when, and from what IP.
Investigating Phone Number Changes
Scenario: A user says their phone number changed but they don’t know when or who did it.
How to investigate:
- Set Affected User: the user’s extension (e.g., 100)
- Select Objects: “Phone Number” and “Subscriber”
- Set Date Range: “Last 3 Months”
- Click Search
- Expand any events related to phone number assignments
What to look for: Modify/Update actions showing phone number parameter changes in the expanded details.
Territory-Wide Activity Review
Scenario: As a Channel Partner, you want to review all administrative changes across your territory this week.
How to investigate:
- Set Action: “Modify/Update”
- Set Date Range: “Last 7 Days”
- Leave Affected Domain blank (you’ll automatically see only your territory)
- Click Search
- Review by domain to see which customers had configuration changes
Best Practice: Export the results and sort by domain for a clean weekly activity report.
Admin Quality Assurance
Scenario: You want to review what changes a new admin made during their first week for training feedback.
How to investigate:
- Set Performed By User: the admin’s username
- Set Date Range: Custom dates for their first week
- Click Search
- Review each action type (look at the Action column)
- Expand events to see details and verify correct procedures
What to look for: Ensure they’re following proper procedures and not making risky changes (like deletes without approval).
Tips and Best Practices
Searching Effectively
- Start broad, then narrow: Begin with just a date range and action type, then add more filters if needed
- Use date presets: The quick presets (Last 7 Days, Last 30 Days) are faster than custom dates
- Combine filters strategically: Action + Objects + Date Range is usually the most effective combo
- Don’t over-filter: Too many filters might miss related events; start simple
- Watch the statistics bar: Check “Total Events” to see if you need to broaden your search
Working with Results
- Switch views based on task: Use Table view for scanning, Card view for detailed review
- Hide unnecessary columns: In Table view, hide columns you’re not using to reduce visual clutter
- Load multiple pages before exporting: Click Next a few times to load more data, then Export for a comprehensive CSV
- Use Investigate User: This is the fastest way to see all activity for a problematic user
- Copy parameters: Click any parameter tag in expanded events to copy technical details for tickets
Security Monitoring
- Check login events weekly: Set Action=“Login” and Date Range=“Last 7 Days” as a regular routine
- Watch for failed logins: Red badges indicate failed authentication attempts with a bad password; other failed login types (bad IP, unknown user, etc.) appear in blue
- Review IP addresses: Unfamiliar IPs could indicate unauthorized access attempts
- Monitor delete actions: Regularly review deletions across your territory to catch accidents
Performance and Speed
- Shorter date ranges load faster: Last 7 Days returns results quicker than Last Year
- Use 25 per page for investigations: Reduces clicks when reviewing many events
- Keep 10 per page for monitoring: Easier to spot recent changes in smaller batches
- Clear filters between searches: Use the Clear button to start fresh and avoid confusion
Important Considerations
What You Can See (Role-Based Access)
Your access is automatically scoped based on your role.
You don’t need to configure anything—the integration automatically filters results based on your permissions.
Data Availability
- How far back can I search? Typically several months to years, depending on your system’s retention policy
- How current are the logs? Near real-time (usually within seconds to a few minutes)
- Are logs ever deleted? Old logs are archived based on your organization’s retention policy
Search Performance
- Faster searches - Recent dates (last 7-30 days), specific domains, and fewer filters
- Slower searches - Very large date ranges (1+ years), no domain filter, complex multi-object searches
- Typical response time - Most searches return results in 2-5 seconds
- Large exports - May take 10-30 seconds for hundreds of events
Tip: If a search is taking too long, try reducing the date range or adding a domain filter.
Understanding Action Colors
Action badges use colors to indicate event types:
- Blue: Login (successful and most failed types), Import, Validate
- Green: Create/Add, Activate
- Orange: Modify/Update
- Red: Delete, Failed Login (specifically bad password attempts)
- Purple: Logout, Export/Upload
Note: Only failed logins with bad passwords show in red. Other failed login types (bad IP, unknown user, etc.) appear in blue.
Understanding Object Colors
In the Object column, different types of objects are color-coded for quick identification:
- Blue: Authentication objects (OAuth, JWT, API Key)
- Green: User objects (Subscriber, User accounts)
- Purple: Administrative objects (Domain, Admin)
- Orange: Communication objects (Conference, Recording)
- Cyan: Configuration objects (Timerange, Dial Plan, Answer Rule)
- Default (gray): Other object types
Data Accuracy
- All timestamps reflect when the action occurred in the NetSapiens system
- IP addresses show where the action originated
- “System” as the user means an automated process performed the action
- Empty fields (showing “-” or “N/A”) mean that data wasn’t captured for that event
Frequently Asked Questions
Q: Why don’t I see certain domains in my results?
A: You only see domains within your assigned permissions. This is automatic based on your account permissions.
Q: How far back can I search?
A: Typically several months to years. The exact retention period depends on your organization’s policy. If you need historical data beyond what’s available, contact support.
Q: Can I export my search results?
A: Yes! Click the Export button to download all currently loaded results as a CSV file. Load multiple pages (using Next) before exporting to capture more data in one file.
Q: What’s the difference between “Performed By” and “Affected” fields?
A:
- Performed By = Who did the action (the admin making changes)
- Affected = Who/what was changed (the user or domain being modified)
Example: If admin1@company.com modifies user100@customer.com, then:
- Performed By User = admin1
- Performed By Domain = company.com
- Affected User = user100
- Affected Domain = customer.com
Q: Why are my search results empty?
A: Try these troubleshooting steps:
- Broaden your date range - Try “Last 30 Days” instead of a narrow window
- Remove some filters - Too many filters can over-restrict results
- Check the domain - Make sure you spelled it correctly (use autocomplete)
- Clear and start over - Click Clear and search with just a date range
Q: What does “System” mean as a user?
A: “System” indicates an automated process performed the action rather than a human user. This is normal for scheduled tasks, automated configurations, or system-generated events.
Q: Can I see login attempts?
A: Yes! Set Action to “Login” and search. You’ll see all authentication events including:
- Successful logins (blue badges)
- Failed logins (red badges for bad-password attempts; other failed login types appear in blue)
- The IP address and timestamp for each attempt
Q: How do I investigate a suspicious login?
A:
- Find the suspicious login event in your results
- Expand the event to see full details
- Note the IP address and timestamp
- Click Investigate User to see all recent activity for that user
- Look for unusual patterns or unauthorized changes
- If confirmed suspicious, report to your security team immediately
Q: Why do some events have parameters and others don’t?
A: Parameters are additional technical details captured for certain event types. Complex operations (like OAuth logins, configuration changes) have more parameters than simple events (like logouts). Not all events generate parameter data.