The log audit feature provides comprehensive security audit logs, providing a reliable record for event tracing and compliance inquiries. This topic describes how to view various types of logs, including private access audit logs, administrator operation logs, internet access audit logs, excess registration request logs, uninstallation request logs, application acceleration logs, access control logs, antivirus logs, and dynamic decision logs.
Agent logs
AI service logs
On the AI Service Log tab, view AI service-related logs.
Agent activity logs
On the Agent Activity Logs tab, view Agent session logs on endpoints. In the Operation column, click Download to download the raw session log of the corresponding Agent.
Private access audit
Regular logs
After you configure and enable a private access policy, SASE detects events that match the policy and performs the configured action, such as allowing or denying access. These actions are recorded in the Private Access Audit > Regular Logs.
View log details: For a specific log, click Details in the Actions column. You can view policy match details, basic information, access records, and endpoint information.
View a user's device list, authorized applications, and O&M exceptions: Click a username to open the user's log summary page, which displays the following information.
Section | Description | Actions |
Data statistics | Displays the following statistics to provide an overview of their access behavior:
| View detailed list: Click a metric to view the corresponding information in the detailed list below. |
Detailed list | You can view the detailed list of data in three categories: Devices, Authorized Applications, and O&M Exceptions. | View risk description: In the Actions column for an item, click Details to view its risk description, which helps you identify the issue. |
Web application access logs
SASE supports access hardening for web applications. This includes security checks, such as inspecting the Host request header to prevent malicious bypasses, and access tracing, which adds user information to the HTTP header for auditing purposes.
On the Private Access Audit > Web Application Access Logs tab, view access logs that triggered web application access hardening. For more information about how to configure this feature, see Configure office applications.
Application acceleration logs
On the Acceleration Logs tab, query application acceleration logs.
Internet access audit
On the Internet Access Audit tab, view the Website Access Records.
Endpoint management
On the Endpoint Management tab, view logs related to employees using the SASE app. These include Logon and Logoff Logs, Over-quota Registration Application Logs, Uninstallation Application Logs, Terminal Logs, Software Application, and Unauthorized Software Discovery.
For more information about endpoint devices, see Configure and approve endpoint registration information.
For more information about software management, see Software management.
Sensitive file detection
On the Sensitive File Detection tab, query logs of sensitive files sent by employees. For more information about this feature, see Secure data by detecting outgoing files.
Intelligent behavior analysis
For audit logs related to outgoing sensitive files, SASE provides AI analysis of user behavior. This analysis covers multiple dimensions, including outgoing screenshots, screenshot content recognition, sensitive information identification, user intent analysis, and data leakage risk assessment.
In the AI Analysis column for the target audit log, click
.In the Intelligent Behavior Analysis panel, view the analysis results.
Detection details
In the Actions column for the target audit log, click Details.
In the Details panel, view information such as Data Flow, Key Information, Sensitive Message, Screenshot Evidence, Hit Policy, Office Terminal, Outbound Transfer Channel, and Account Information.
The Data flow section displays information such as the outbound transfer link, event, file size, file source, and time in a table. The Sensitive message section displays detailed attributes as key-value pairs, including file name, file type, file size, file category, file preview, outbound path, outbound time, record time, advanced edition, source application, application address, specific path, and data source.
Access control logs
On the Access Logs tab, you can query User Authentication Logs, Dumb Terminal Authentication Logs, and Guest Authentication Logs. For more information about network access control for your corporate office network, see Configure network access control.
Antivirus logs
On the Antivirus Logs tab, query virus scan logs and virus file handling logs that SASE generates for corporate endpoints. For more information about endpoint antivirus protection, see Configure endpoint antivirus capabilities.
Dynamic decision logs
On the Dynamic Decision-making Logs tab, view disposal and restoration logs for dynamic decisions.
Log on to the Secure Access Service Edge console.
In the left-side navigation pane, choose .
On the Log Audit page, select the Dynamic Decision-making Logs tab. You can filter the data by criteria such as Time, Restoration Method, and User.
Click the Handling Logs tab to view information such as Log generation time, User, Device, Hit Policy, and Action.
Click the Restoration Logs tab to view information such as Log generation time, User, Device, Hit Policy, and Restoration Method.
In the Actions column, click View Handling Process to navigate to the Handling Process page, where you can view disposal and restoration information. For related operations, see View the disposal flow.
Administrator operation logs
On the Administrator Operation Logs tab, view detailed information about administrator operations on the system. This includes Operation Time, Account ID, Operation Source, Operation Feature, Operation Page, and Operation Type.
In the Actions column, click Details to view the detailed configuration parameters before and after the operation.