Log audit gives security teams a centralized view of access events, endpoint activity, sensitive file transfers, and administrator actions across the SASE environment. Use these logs to investigate security incidents, verify policy enforcement, and support compliance reviews.
Private access audit
The Private Access Audit tab records events evaluated against your internal access policies — including both allowed and denied access attempts.
Regular logs
When an internal access policy is configured and enabled, SASE evaluates each access event against the policy and records the result on the Private Access Audit > Regular Logs page.
View log details
In the Actions column of a log entry, click Details to view the policy hit details, basic information, access details, and endpoint details for that event.
View a user's device, application, and O&M exception summary
Click a username to open the log summary page for that user.
Web application access logs
On the Private Access Audit > Web Application Access Logs tab, view access logs for events that triggered access hardening for web apps. Access hardening includes:
Security checks: Inspects the Host request header to prevent malicious bypasses
Access tracing: Adds information such as usernames to the HTTP request header for tracing
For information about configuring access hardening, see Add an office application to SASE.
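The two access hardening functions listed above can be pictured as a gateway-side check like the following. This is an added example, not SASE product code: the header name `X-Sase-User`, the hostnames, and the function names are assumptions made for illustration.

```python
# Added illustration; not SASE product code. Header name, hostnames and
# function names are assumptions made for this example.
TRACE_HEADER = "X-Sase-User"  # hypothetical tracing header name


def normalize_host(value):
    """Lower-case a Host header value and drop the port and trailing dot."""
    host = value.strip().lower()
    if host.startswith("["):                 # IPv6 literal such as [::1]:8443
        return host[: host.find("]") + 1]
    return host.split(":", 1)[0].rstrip(".")


def harden_request(headers, allowed_hosts, username):
    """Return (decision, headers, reason) for one request to a web app.

    headers is a list of (name, value) pairs as received from the client.
    """
    # Security check: exactly one Host header, naming a published application.
    hosts = [v for n, v in headers if n.lower() == "host"]
    if len(hosts) != 1:
        return "deny", headers, "missing or duplicate Host header"
    host = normalize_host(hosts[0])
    if host not in allowed_hosts:
        return "deny", headers, "Host %r is not a published application" % host
    # Access tracing: drop any client-supplied copy of the tracing header so
    # the backend only ever sees the value set by the gateway.
    forwarded = [(n, v) for n, v in headers if n.lower() != TRACE_HEADER.lower()]
    forwarded.append((TRACE_HEADER, username))
    return "allow", forwarded, "ok"


# Constructed sample requests for an authenticated user "alice".
ALLOWED = {"wiki.corp.example"}
SAMPLES = [
    [("Host", "wiki.corp.example:443"), ("X-Sase-User", "admin")],  # spoofed trace
    [("Host", "hr.corp.example")],                                  # unpublished app
    [("Host", "wiki.corp.example"), ("host", "hr.corp.example")],   # duplicate Host
]

if __name__ == "__main__":
    for request in SAMPLES:
        decision, out, reason = harden_request(request, ALLOWED, "alice")
        print(decision, "-", reason, "-", out)
```

Requests denied by a check of this kind are the events to look for when reviewing the Web Application Access Logs tab.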
Internet access audit
On the Internet Access Audit tab, view Website Access Records for company employees.
Terminal management
On the Terminal Management tab, view logs generated by employees using the SASE app. The tab includes the following log sub-types:
| Log sub-type | What it records |
|---|---|
| Logon and Logoff Logs | When employees log on to or log off from the SASE app |
| Over-quota Registration Application Logs | Registration requests that exceed the allowed device quota |
| Uninstallation Application Logs | Requests to uninstall the SASE app from a device |
| Terminal Logs | General endpoint activity logs |
| Software Application | Software usage on managed endpoints |
| Unauthorized Software Discovery | Software detected on endpoints that violates policy |
For details on managing endpoint registrations, see Configure and approve endpoint registration information. For software management, see Software management.
Sensitive file detection
On the Sensitive File Detection tab, view logs of sensitive files sent by company employees. For details on how detection policies work, see Secure data by detecting outgoing files.
Analyze user behavior with AI
For any sensitive file detection log, use the built-in AI analysis to evaluate user behavior across multiple dimensions: outgoing screenshots, screenshot content recognition, sensitive information determination, user action and intent analysis, and data breach risk assessment.
In the AI Analysis column of a log entry, click the analysis icon.
In the Intelligent Behavior Analysis panel, review the analysis results.
View sensitive file detection details
In the Actions column of a log entry, click Details.
In the Details panel, review the following fields:
| Field | Description |
|---|---|
| Data Flow | The path the file took from source to destination |
| Key Information | Summary of the most relevant details for the event |
| Sensitive Message | The sensitive content identified in the file |
| Screenshot Evidence | Screenshots captured at the time of the event |
| Hit Policy | The sensitive file detection policy that was triggered |
| Office Terminal | The endpoint device from which the file was sent |
| Outbound Transfer Channel | The channel used to transfer the file |
| Account Information | The user account associated with the event |

Dynamic decision-making logs
On the Dynamic Decision-making Logs tab, view disposal and recovery operation logs generated by dynamic decisions for company employees.
Log on to the SASE console.
In the navigation pane, go to Log Analysis > Log Audit.
Click the Dynamic Decision-making Logs tab. Filter the log list by Time, Restoration Method, or User.
Select a sub-tab to view the specific log type:
| Sub-tab | Fields shown |
|---|---|
| Handling Logs | Log generation time, User, Device, Hit Policy, Action |
| Restoration Logs | Log generation time, User, Device, Hit Policy, Restoration Method |

In the Actions column, click View Handling Process to open the Handling Process page, where you can review the full disposal and recovery timeline. For details, see View the disposal flow.
Administrator operation logs
On the Administrator Operation Logs tab, view a complete record of configuration and management actions performed by administrators. Each log entry includes:
| Field | Description |
|---|---|
| Operation Time | When the operation was performed |
| Account ID | The administrator account that performed the operation |
| Operation Source | Where the operation originated |
| Operation Feature | The SASE feature that was operated on |
| Operation Page | The console page where the operation was performed |
| Operation Type | The type of action taken |
