Elevate Your Egnyte Expertise. Join our Customer Community to connect with a network of peers and share game-changing strategies. Join Today

Help Desk
Contact Support

Welcome to
Help Desk

Product Updates
 Training
Support
 Ideas Community Contact Support

File Audit Report

The File Audit Report includes information about the activities performed by each user on the files and folders in the domain, making it easy to track down various activities across assets at a user level. The article covers steps on how to run a File Audit Report, what each parameter does, and what's included in the report.

Audit Reports are available for Business, Enterprise Lite, or Enterprise Platform plans. General reports are available to Admin Users, and Power Users who also have the role can run reports.

To learn more, click on the Reports & Auditing Overview article that covers all of the available reports.

Run a Report

Navigate to Reports -> Audit -> File Reports. Click on + New Report.

FileAuditReport -2.png

The user will need to name the report and choose the parameters for the report.

webui_redesign_reports_new_file_audit_report.png

Parameters

The user may select one or more parameters to narrow down the file and folder activity that they would like to view.

  • Date range: Narrow down auditing by activity day or date range.

    Egnyte purges all audit logs older than 3 months, so the user cannot run a new report for data older than 3 months. To be able to save data older than 3 months, please review the Save or Schedule Audit Reports article.

  • Actions: Specify the type of file or folder activities to audit. If the user leaves the option as Any action, all of the actions listed will be included in the report. The user may also choose to only pull certain actions from the following such as Upload, Download, Create folder, Move, Copy, Delete, Workspace Activity etc.  Review File Audit Report Description of Actions article for a complete list of actions.
  • Folders: The user may enter folder names (e.g., /Shared/Marketing) or choose a folder by clicking selected folders and navigating the folder structure.

    The user has the option to automatically include or exclude subfolders.

  • Files: Choose to view activity on specific files. The user may use a wildcard ‘*’ character anywhere except in the beginning of the file name.
  • Users: Choose the users or groups whose activity to view

When the user selects multiple parameters, the report will generate results matching all of them. For instance, if they enter both a file name and a folder name, the report will include activity for the files within those matching folders.

Downloads from Share Links

To check how much data has been downloaded using Share Link, start a new report and select the action Download via Link, select date range and folder(s) and run the report.

FileAuditReport -3.png

The report will show the size of data downloaded from each link.

FileAuditReport -1.png

File Audit Report Output

When the user submits any audit report, they will receive an email and alert within a few minutes letting them know that the report is ready for viewing. If it is a smaller audit report, they will have access to it right away.

Since audit logs for file activity are captured periodically throughout the day, the user may not see activity for the last few hours in their report.

 

File Audit Report -2.png
The file audit report displays the following information:

  • Date: Provides the time stamp of the file or folder activity.
  • User: The user who performed the file or folder action.
  • IP Address: The IP address where the action originated.
  • Access: Indicates the access interface over which the file activity happened.
  • Path: Shows the folder path for the file or folder.
  • Device: The device where the action took place.
  • Action: The type of file activity performed.
  • Action Info: Where applicable, shows additional info on the action taken. For example, a move/copy action would display the destination folder that the file or folder was moved to. For link create/delete/download actions, the link URL is displayed.

The File Audit Report might contain "Read" actions. These are file content "reading" actions on behalf of a user. These actions originate from a user's device (e.g. accessing files locally on Desktop App or Mobile App, or accessing files on Storage Sync via mapped drive). These actions might be initiated by the user but sometimes they might also indicate system-level activities on the user's machine (e.g. antivirus scanning or indexing file's content by the operating system to highlight the content in the search provided by the OS).

The File Audit Report includes several events with a - Parent suffix. These events indicate that an action was performed on an item's parent or ancestor folder, affecting the item. For example, if a folder contains 25 files or folders and the user deletes the folder, they will see a single Delete Folder event and 25 Delete - Parent events, one for each item. The - Parent events are a convenience feature, as they help see the side effects of a user action. The audit report includes up to 500 associated - Parent events for any parent folder event. For example, if the user deletes a folder with 1 million contained items, they will have a single Delete Folder event and 500 Delete - Parent events. Note that the actual user action is always logged (e.g. the Delete Folder event in this case). It is only the additional convenience entries that are limited to 500.

This is applicable for Move, Copy, and Delete actions. The additional events are referred to as exploded events and their details are available in the Exploded Events Count column.

File Audit Report -3.png

File Audit Report -1.png

Learn more about File Audit Reports by watching a Quick Tip on Egnyte University:  File Audit Reports

Was this article helpful?
3 out of 4 found this helpful

For technical assistance, please contact us.