Community
Select to view content in your preferred language

Introducing ArcGIS Enterprise audit logs

662
1
06-10-2025 02:00 PM
RajkumarPadmanabhan
by Esri Contributor
Esri Contributor
4 1 662
‎06-10-2025 02:00 PM

In response to popular demand, the project to support audit logs in ArcGIS Enterprise has been successfully launched. Starting in release 11.4, you will begin to see incremental improvements in the audit logging capability of ArcGIS Enterprise.

So what are audit logs? While the regular system logs are primarily used to help troubleshoot errors, audit logs are used to monitor critical changes to the system and to reconstruct events that occured. When used to reconstruct past events, audit logs answer the question: Who(user or process) did what, when did they do it and how did the system behave or change as a result? Audit logs can also be used to analyze and obtain metrics related to user activity.

With rising cyber security threats, data breaches and changing regulatory requirements, enhanced software security and adherence to regulations have become critical to success. Audit logs can be used to monitor authorized and unauthorized access to the system and its resources, detect intrusion attempts and perform post mortem forensic analysis as part of an incident(data breach, etc) response. Audit logs can also be used to ensure compliance with industry standards, corporate policy or government laws. 

Portal for ArcGIS is the first component of ArcGIS Enterprise to support audit logs. ArcGIS Enterprise audit logs are recorded in the JSON format, which allows them to easily integrate with your organization's SIEM(Security Information and Event Management) tool. The following is a sample of a successful user login event:

{
	"version": "1.1",
	"timestamp": 1741643523,
	"eventId": "b22c4aeb-d197-4c37-af38-24991eaac46c",
	"event": "LOGIN",
	"eventLevel": "LEVEL_1",
	"status": "Success",
	"statusCode": "200",
	"actor": "arcgisadmin",
	"actorId": "64cda8ac82de434394f1f2c1314a5854",
	"actorRole": "account_admin",
	"sourceIp": "10.10.10.10",
	"destinationIp": "10.10.10.255",
	"destinationHost": "Portalhost",
	"resource": "/portal/sharing/oauth2/signin",
	"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36",
	"message": " User : arcgisadmin last login Mon Mar 10 14:52:36 PDT 2025"
}


In Portal for ArcGIS 11.4, audit records will be logged for:

  • Accessing the organization portal site.
  • Creating, deleting, updating, and disabling member accounts.
  • Creating and updating user roles.
  • Adding and configuring groups.
  • Adding and removing members from a group.
  • Sharing items.
  • Changing item ownership.
  • Adding, updating, moving, and deleting items.

As work progresses on this epic project, more operations will be recorded in the audit logs and support for this capability will added to the other components of ArcGIS Enterprise.

See Understand audit logs for more information and stay tuned for more posts related to audit logs.

Please leave us feedback on how you hope to use audit logs, what features are important to you, and what events you would like to see logged.

1 Comment
VenkataKondepati
by
Occasional Contributor
a month ago

This is a very welcome enhancement, audit logging is critical for governance, compliance, and incident response in enterprise environments. Being able to track who did what, when, and how the system responded directly in ArcGIS Enterprise helps align with security standards and makes it easier to integrate with SIEM workflows.

I’m glad to see Portal for ArcGIS as the first component with audit logs, and JSON output makes integration much more straightforward. Looking forward to expanded coverage across other components like ArcGIS Server and Data Store, as well as more granular events (e.g., privilege changes, service publishing, token usage).

This is a big step toward strengthening security posture in ArcGIS Enterprise. Great work by the team!

Regards,

Venkat

0 Kudos
Contributors