The File Audit Report includes information about the activities performed by each user on the files and folders in your domain, making it easy to track down various activities across your assets at a user level. We'll walk you through how to run a File Audit Report, what each parameter does, and what's included in the report.
If you'd like to learn more, our Reports & Auditing Overview article covers all of the reports available to you.
Run a Report
From the Reports Center, expand the Audit section, and select File Reports.
Click on the + New Report button to begin. You'll need to name the report and choose the parameters for the report.
You may select one or more parameters to narrow down the file and folder activity you would like to view.
- Date range: Narrow down auditing by activity day or date range.
Egnyte purges all audit logs older than 3 months, so you cannot run a new report for data older than 3 months. If you would like to be able to save data older than 3 months, please review the Save or Schedule Audit Reports article.
- Actions: Specify the type of file or folder activities that you want to audit. If you leave the option as Any action, all of the actions listed will be included in the report. You may also choose to only pull certain actions from the following list: upload, create folder, download, move, copy, delete, promote file version, delete from trash, restore from trash, preview, create link, delete link, download via link, create upload link, delete upload link, upload via link, lock file, unlock file, add metadata, delete metadata, and preview via link. Please review File Audit Report Description of Actions
- Folders: You may enter folder names (e.g., /Shared/Marketing) or choose a folder by clicking selected folders and navigating the folder structure.
You have the option to automatically include or exclude subfolders.
- Files: Choose to view activity on specific files. You may use a wildcard ‘*’ character anywhere except in the beginning of the file name.
- Users: Choose the users or groups whose activity you wish to view.
When you select multiple parameters, the report will generate results matching all of them. For instance, if you enter both a file name and a folder name, the report will include activity for the files within those matching folders.
Downloads from Share Links
To check how much data has been downloaded using Share Link, start a new report and select the action "Download via Link", select date range and folder(s) and run report.
The report will show the size of data downloaded from each link.
File Audit Report Output
When you submit any audit report, you will receive an email and alert within few minutes letting you know that the report is ready for viewing. If it is a smaller audit report, you'll have access to it right away.
Since audit logs for file activity are captured periodically throughout the day, you may not see activity for the last few hours in your report.
The file audit report displays the following information:
- Date: Provides the time stamp of the file or folder activity.
- User: The user who performed the file or folder action.
- IP Address: The IP address where the action originated.
- Access: Indicates the access interface over which the file activity happened.
- Path: Shows the folder path for the file or folder.
- Device: The device where the action was taken place.
- Action: The type of file activity performed.
- Action Info: Where applicable, shows additional info on the action taken. For example, a move/copy action would display the destination folder that the file or folder was moved to. For link create/delete/download actions, the link URL is displayed.
The File Audit Report might contain "Read" actions. These are file content "reading" actions on behalf of a user. These actions originate from a user's device (e.g. accessing files locally on Desktop App or Mobile App, or accessing files on Storage Sync via mapped drive). These actions might be initiated by the user but sometimes they might also indicate system-level activities on the user's machine (e.g. antivirus scanning or indexing file's content by the operating system to highlight the content in the search provided by the OS).
The File Audit Report includes several events with a "- Parent" suffix. These events indicate that an action was performed on an item's parent or ancestor folder, affecting the item. For example, if a folder contains 25 files/folders and you delete the folder, you will see a single "Delete Folder" event and 25 "Delete - Parent" events, one for each item. The “- Parent” events are a convenience feature, as they help you see the side effects of a user action. The audit report includes up to 500 associated "- Parent" events for any parent folder event. For example, if you delete a folder with 1 million contained items, you will have a single "Delete Folder" event and 500 "Delete - Parent" events. Note that the actual user action is always logged (e.g. the “Delete Folder” event in this case). It is only the additional convenience entries that are limited to 500.
Learn more about File Audit Reports by watching a Quick Tip on Egnyte University: File Audit Reports