ArcGIS Server records user activity and any changes made to the system in audit logs. Audit logs are a tool for monitoring and troubleshooting critical or breaking changes and for identifying the organization members or processes that made those changes, their effects on the system, and the times those events occurred.
Audit logs can be processed by Security Information and Event Management (SIEM) tools to generate an audit trail, track trends in user activity, and monitor and address security threats and vulnerabilities.
Audit logs capture information for the following types of events:
- Creating, deleting, and updating member accounts
- Updating properties of hosted feature services
ArcGIS Server records each event in the audit log using the following JSON syntax:
{
  "version": "Audit record version number",
  "loggedby": "ArcGIS for Server [version number]",
  "timeStamp": "Epoch time value",
  "eventId": "Unique audit record identifier",
  "event": "Event Name",
  "eventLevel": "Event level",
  "status": "Success/Failure indicator",
  "statusCode": "Status code value",
  "actor": "username",
  "actorId": "user id",
  "actorRole": "User's role",
  "sourceIp": "Source IP address",
  "destinationIp": "Destination IP address",
  "destinationHost": "Destination host name",
  "resource": "Resource URI",
  "data": {
    "data_attribute1": "attribute value",
    "data_attribute2": "attribute value"
  },
  "userAgent": "user agent information",
  "message": "Any corresponding message if applicable"
}
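The following Python sketch is an added example, not Esri code: it normalizes records with the fields shown above into flat events for SIEM ingestion, counts failed events per actor, and rejects malformed lines instead of stopping. It assumes one JSON record per line and that `timeStamp` may be in seconds or milliseconds; the event names and all sample values are constructed.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample input: one JSON record per line (assumed layout), using the
# field names documented above. Event names and all values are invented.
SAMPLE_LINES = [
    '{"timeStamp": "1700000000000", "eventId": "e-1", "event": "example_update_user",'
    ' "status": "Success", "actor": "admin1", "sourceIp": "192.0.2.10",'
    ' "resource": "/example/users/jdoe", "data": {"role": "publisher"}}',
    '{"timeStamp": 1700000060, "eventId": "e-2", "event": "example_delete_user",'
    ' "status": "Failure", "statusCode": "403", "actor": "jdoe",'
    ' "sourceIp": "198.51.100.7", "resource": "/example/users/asmith", "data": {}}',
    '{"timeStamp": "1700000120000", "eventId": "e-3", "event": "example_del',  # truncated
]

def parse_timestamp(value):
    """Convert an epoch value (seconds or milliseconds, assumed) to UTC ISO 8601."""
    epoch = float(value)
    if epoch > 1e11:  # too large for seconds in this era, so treat as milliseconds
        epoch /= 1000.0
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()

def normalize(line):
    """Return a flat record for SIEM ingestion, or None if the line is unusable."""
    try:
        rec = json.loads(line)
        return {
            "time": parse_timestamp(rec["timeStamp"]),
            "event_id": rec["eventId"],
            "event": rec["event"],
            "failed": str(rec.get("status", "")).strip().lower() == "failure",
            "actor": rec.get("actor"),
            "source_ip": rec.get("sourceIp"),
            "resource": rec.get("resource"),
            "data": rec.get("data") or {},
        }
    except (ValueError, KeyError, TypeError, OverflowError, OSError):
        return None  # malformed or partially written record

def triage(lines):
    """Split lines into normalized records, failures per actor, and a reject count."""
    records = [r for r in map(normalize, lines) if r is not None]
    failures = Counter(r["actor"] for r in records if r["failed"])
    return records, failures, len(lines) - len(records)

if __name__ == "__main__":
    records, failures, rejected = triage(SAMPLE_LINES)
    for r in records:
        print(r["time"], r["event"], "FAILED" if r["failed"] else "ok", r["actor"])
    print("failures by actor:", dict(failures), "| rejected lines:", rejected)
```

A nonzero reject count is worth alerting on in its own right, since it means audit records are being lost before they reach the SIEM.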
Access audit logs
By default, audit logs can be accessed at the following directory: C:\arcgisserver\logs\<machine name>\audit.
Change audit log settings
Audit log settings, like log retention and the default log directory, are inherited from server application logs. To change your audit log settings, you must change the server log settings in ArcGIS Server Manager.
Delete audit logs
Perform the following steps to delete audit logs:
- Sign in to ArcGIS Server Manager as an administrator.
- Click Logs > Delete Logs.
All application and audit log files are deleted from each server in your site.