In response to popular demand, the project to support audit logs in ArcGIS Enterprise has been successfully launched. Starting in release 11.4, you will begin to see incremental improvements in the audit logging capability of ArcGIS Enterprise.
So what are audit logs? While the regular system logs are primarily used to help troubleshoot errors, audit logs are used to monitor critical changes to the system and to reconstruct events that occured. When used to reconstruct past events, audit logs answer the question: Who(user or process) did what, when did they do it and how did the system behave or change as a result? Audit logs can also be used to analyze and obtain metrics related to user activity.
With rising cyber security threats, data breaches and changing regulatory requirements, enhanced software security and adherence to regulations have become critical to success. Audit logs can be used to monitor authorized and unauthorized access to the system and its resources, detect intrusion attempts and perform post mortem forensic analysis as part of an incident(data breach, etc) response. Audit logs can also be used to ensure compliance with industry standards, corporate policy or government laws.
Portal for ArcGIS is the first component of ArcGIS Enterprise to support audit logs. ArcGIS Enterprise audit logs are recorded in the JSON format, which allows them to easily integrate with your organization's SIEM(Security Information and Event Management) tool. The following is a sample of a successful user login event:
{
"version": "1.1",
"timestamp": 1741643523,
"eventId": "b22c4aeb-d197-4c37-af38-24991eaac46c",
"event": "LOGIN",
"eventLevel": "LEVEL_1",
"status": "Success",
"statusCode": "200",
"actor": "arcgisadmin",
"actorId": "64cda8ac82de434394f1f2c1314a5854",
"actorRole": "account_admin",
"sourceIp": "10.10.10.10",
"destinationIp": "10.10.10.255",
"destinationHost": "Portalhost",
"resource": "/portal/sharing/oauth2/signin",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36",
"message": " User : arcgisadmin last login Mon Mar 10 14:52:36 PDT 2025"
}
In Portal for ArcGIS 11.4, audit records will be logged for:
- Accessing the organization portal site.
- Creating, deleting, updating, and disabling member accounts.
- Creating and updating user roles.
- Adding and configuring groups.
- Adding and removing members from a group.
- Sharing items.
- Changing item ownership.
- Adding, updating, moving, and deleting items.
As work progresses on this epic project, more operations will be recorded in the audit logs and support for this capability will added to the other components of ArcGIS Enterprise.
See Understand audit logs for more information and stay tuned for more posts related to audit logs.
Please leave us feedback on how you hope to use audit logs, what features are important to you, and what events you would like to see logged.
