The Journaling (Audit Log) feature enables secure, structured tracking of all user and system activities across the CYFOX platform. It supports platform-wide visibility for compliance, troubleshooting, and operational transparency, and can be viewed in different contexts depending on the type of action or feature being audited.
Only users with appropriate permissions (system administrators) can access the Audit Log. Access is limited to the environments and features for which you have been granted permission.
How to Access the Audit Log
CYFOX's platform provides two main ways to view audit data:
System Settings > Audit Log
This is the centralized overview of all actions across the platform.
Initially, this page may be empty until features are loaded for the first time.
Audit Log Tab within Individual Features
Most features in CYFOX (e.g., Policies, IDS, Reports, etc.) also include a dedicated “Audit Log” tab.
This provides a focused view of changes relevant to that specific feature.
(This view is ideal for admins reviewing policy changes, malware rules, or network configurations.)
🧭 How to find it:
Go to a feature like Policy > Event Response, then click the Audit Log tab.
📌 Example:
This screenshot is also an example of the feature-specific Audit Log, filtered for changes in the Event Response section under Policy.
All entries relate to rules applied to IDS and Malware Detection.
The filter bar at the top allows narrowing by event, action type, mode, or keyword.
Types of Audit Log Views
CYFOX organizes audit data into multiple view formats depending on the nature of the action or component.
Feature Table View
Used by most modules in CYFOX, the Feature Table View provides a clear timeline of actions performed on configurations within a specific feature:
Initialize - Feature tracking started
Added - A new item was created
Updated - An existing configuration was modified
Deleted - An item was removed
Applied Changes - A batch of edits was confirmed via “Apply Changes.”
Key Interface Elements
User - who acted (clickable in On-Prem environments)
Timestamp - hover to see localized time and full format
Subject Name - identifies the object being changed
Action Type - what was done
Details Button - expands to show changes, highlighted in orange if updated
Field-Level View
For some configurations, audit records are displayed in a vertical, form-like format:
Each property appears on a new line
Details section maintains the same format and logic.
This view is especially useful for comparing structured before/after values and fields.
Update Hosts View
Used for features like Assign Group or Whitelist Updates:
Lists all devices affected
Shows side-by-side values for:
Updated from (previous setting)
Updated to (new value)
System Settings Audit Table
The System Settings page shows a high-level summary of changes made to configurations and global settings.
Columns include:
Main Menu - Origin of the action
Page - Where in the UI the action occurred
Feature - The specific module modified
Change - What was changed
Tip: All columns are searchable and filterable for easy navigation.
Agent Mitigations View
This specialized view shows logs related to file mitigations and manual analyst actions.
Read-only actions
Reflects only what has been done (not editable)
Appears in both the Forensics view and System Settings Audit Log
Expanding Details
Clicking on “Details” for any log entry provides a comprehensive breakdown of the change.
What you'll see
Previous and current values (if applicable)
Fields highlighted in orange if modified
Consistent layout matching the source feature
Local date/time with timezone-aware tooltip
In On-Prem: clickable user links
In Single-Tenant: user info is shown in plain text
Search & Filtering
Use the toolbar at the top of the table to:
Search by user, feature, action type, or keywords
Filter by date, category, or feature
Sort by timestamp, alphabetical order, or action
Security and Compliance Notes
Only authorized users can view audit logs.
Logs cannot be edited once recorded.
Each audit entry is also saved to a secure local log file (e.g., audit-2025-05-11.log) in On-Prem environments.
Audit data is retained according to your organization’s policy (3 months is the default).
Best Practices
Always start from a feature’s Audit Log tab when making a configuration change. This ensures that logs are initialized correctly.
Use the System Settings Audit Log for high-level reviews or investigations.
Regularly export or back up logs as part of your compliance procedures (Excel/PDF export available).
Refer to the Applied Changes action for bulk changes to understand group-level edits.
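For On-Prem environments, one way to back up the local audit log files with an integrity check, shown as an added example that is not CYFOX code. It assumes one file per day named like the audit-2025-05-11.log example above and a log directory supplied by the caller (hypothetical); file contents are treated as opaque bytes.

```python
import hashlib
import re
from datetime import date, timedelta
from pathlib import Path

# Assumption: daily files named audit-YYYY-MM-DD.log, following the page's example name.
NAME_RE = re.compile(r"^audit-(\d{4})-(\d{2})-(\d{2})\.log$")

def dated_logs(log_dir):
    """Map date -> Path for every file that matches the assumed naming scheme."""
    found = {}
    for p in Path(log_dir).iterdir():
        m = NAME_RE.match(p.name)
        if not (m and p.is_file()):
            continue
        try:
            found[date(*map(int, m.groups()))] = p
        except ValueError:
            continue  # impossible calendar date in the name, e.g. 02-30
    return found

def missing_days(found, start, end):
    """Days in [start, end] without a file: either no activity or a lost log,
    and worth explaining before the archive is relied on for an investigation."""
    days = (start + timedelta(n) for n in range((end - start).days + 1))
    return [d for d in days if d not in found]

def build_manifest(found):
    """SHA-256 digest per file, to be stored with the backup copy off the host."""
    manifest = {}
    for d in sorted(found):
        h = hashlib.sha256()
        with open(found[d], "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        manifest[found[d].name] = h.hexdigest()
    return manifest

def changed_since(old_manifest, new_manifest, today_name):
    """Files whose digest changed or that vanished since the previous backup.
    Today's file is skipped because it is still being appended to; closed
    files should never change, since recorded logs cannot be edited."""
    return sorted(
        name for name, digest in old_manifest.items()
        if name != today_name and new_manifest.get(name) != digest
    )
```

Run the manifest step on each backup cycle and keep the previous manifest outside the server, so a change to a closed day's file is detected by comparison rather than trusted from the host itself.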
Glossary
Term | Description |
Feature | A functional module in CYFOX (e.g., IDS, Policies, Settings) |
Action | A logged user/system activity (e.g., Update, Delete) |
Subject | The object being affected by the action (e.g., policy name, hostname) |
Details | A breakdown of what changed and when |
Transposed View | Vertical detail layout showing field-by-field changes |
Forensics Log | Read-only audit records for manual or automated mitigations |
Example Use Case
Scenario: A user updates an IDS policy from "Normal" to "Aggressive" mode.
Entry appears in Policies > Audit Log tab.
Action: Updated
User: [email protected]
Subject: Group: "Finance VLAN"
Timestamp: 2025-05-01 12:42:15
Details:
Mode changed: Normal → Aggressive
Actions changed: Send email → Send email + Syslog
Modified fields highlighted in orange
Still Have Questions?
Please get in touch with your system administrator or CYFOX support for further assistance with Audit Log access or interpretation.