Audit Logs

Additional items within the audit log would decrease our effort in hunting down the information:

• When Groups were created (if they were made incorrectly, we can see how long the impact was happening)
• The ability to filter out logins (logins consume pages of data and does not prove useful for our team)
• Additional filter options as we specifically need to look for actions happening but sometimes do not know the time frame or who performed the action

Hey folks, thanks for continuing to keep this thread alive and adding your feedback and events that you'd like to see in the Audit log - it's been tremendously valuable. We now have a team dedicated to working on Audit log so we're ready to make some great progress on this feature 🎉 There are two themes we're working towards:

• The data in the Audit log needs to be easy to find. This means better filtering capabilities and allowing you to find the event you're looking for faster. 
• The data needs to be there to find. This means closing the gaps on events we know, and you know, are missing and need to be added (focusing initially on Support). We're partnering with several teams to get those events in, currently working on User profile updates and Organisation updates which we're targeting in the next few months. 

Then there's the bigger project of moving onto the other products and make sure the Audit log captures all create, update and delete events in your account. 

Appreciate all your feedback on this topic.

It would be great if changes to User Fields in profiles were logged, as this was requested over 3 years ago, and marked completed, but still isn't a feature that is available. 
https://support.zendesk.com/hc/en-us/community/posts/4409222520986-Audit-Logs-for-End-User-Field-Changes

Hey CJ, at the top of that post is my announcement that User Fields is captured and available in the audit log. Is there something in particular that you're missing?

 Checkboxes, text fields, and user tags, all do not, for example, log any changes. I haven't tested the rest of the user field types to see just how many, but effectively none of my user fields actually log any changes currently. 

Oh, do you mean updates to the User fields as they appear on the user profile? Gotcha - that's correct that we don't currently capture that in the audit log. What we do surface is the configuration of the User fields in Admin Center. Now I understand what you're saying.

Our efforts right now are towards capturing changes to settings and configurations in Admin Center - I'll create a task on our backlog for changes to the User fields on the user profile. 

@caroline13 the message you posted on the post says "Hi folks, just here to let you know that updates to the User profile and updates to Organisations are now available in the audit log. " 

You specifically stated that "updates to the user profile" are available in the audit log. This was posted on a request for "What Agent/Admin changes what End-User Field on what End-User when - if that makes sense." 

There's no part of this mentions "configuration of these fields in the admin center", and the request very specifically states that they want to know what agent made what action on what field, on *what end-user*. This request was never about logging changes to the settings for existing user fields. 

So was this removed? Never created? Because nothing they requested seems to available.  https://support.zendesk.com/hc/en-us/community/posts/4409222520986-Audit-Logs-for-End-User-Field-Changes

Support has updated me that the feature request to record changes to fields in user profiles was never implemented.
They will not un-mark the request completed despite being completely misleading, and this isn't a priority for them to implement, so it won't be happening any time soon. I was told to file a brand request to request this again, despite already having done so almost a year ago and *also* having that request marked as solved out when it was not. 

Hi :waves: I was advised by Dave to add my request to this thread:

It's imperative we're able to see a version history or track changes of ticket fields, especially if you have more than one administrator -- if you click in the ticket field, at the top it even tells you when it was last modified but not "what" was modified or by whom. It seems pointless to indicate a field was recently updated but not say what information was changed. Secondly, since automations and triggers can rely on tags, it's even more important to know of any changes made since it can break other configurations. It would also be very hard to correct any offending behavior regarding updates when you don't know who made them. Thanks!

@Caroline Kello -- any chance of logging Emails sent to Users in the Audit Log?  Many vendor platforms offer this now.  Great for troubleshooting end-user support requests.  Thank you for considering.

Hey Randy, that's an interesting one! Like a success/failure log when... A comment is submitted on a ticket where the channel is email? When we send you a password reset email? If you could give some examples of what would be beneficial for you to see that'd be super helpful.

Would love some pointers to other platforms that do this too if you have it handy. 

Pulling the user audit log via API into SIEM does not include `Actor name` field? How can I correlate `Actor_id` with `Actor_name`? Am I missing something here?

Re: Access to Email logs.  When integrating customer engagement workflows across cloud apps, it's often a requirement to send an end-user email communication (new subscription, service request confirmation, partner deal registrations, etc.).  When using shared tenant platforms like Zendesk, we can't control exactly when an email communication is sent or the outcome (e.g., bounce).  And with so many different email clients (public ones, private ones), we can't be sure it reaches the intended users inbox.  So having access to Email send logs is very helpful when building a new workflow or troubleshooting one.  Platforms like Salesforce (& Service Cloud) provide self-service access to the email send logs.  Magentrix provides admin visibility to any email sent from any portal or community site, and as another example, Highspot also provides logs of Email sending.   I'm sure Zendesk is capturing and logging this information -- it would be great if admins had visibilty -- if only for 7 days (Salesforce Service Cloud is 30 days with 7 day window per request).  Thank you for considering.

Hi team,

I'd also like to see end user data in the audit logs (similar to what we see today for agent users). Our end users are looking for this data for security audit reasons. The data they're looking for is:

• user
• source ip
• login timestamps
• user upload/download events

If this data was added on to the audit logs, we would be able to generate these reports for our end users.

Thanks!

@pris - you're right, the audit log API doesn't contain an attribute for the name of the Actor. I think you'll need to cross-reference with the Users API. I think you raise a valid point so I'll add this to our backlog to investigate us adding in the Actor name. 

@randy26 - thanks for this additional context! Appreciate it. It's not something we've any current plans on addressing but I understand why it'd be beneficial for you. 

@michelle33 - we're deliberately not adding any end-user events to the audit log at the moment as there are additional guardrails for compliances such as GDPR that we need to understand beforehand. Do you have more details as to why your end users are looking for the data you mentioned? This is for their record of their own activity? 

@caroline51, that's right. It would be for their own record. They let us know they need the log data for their internal audit because they're using a third-party web site. They would use the login/logout data for a kind of user behavior analytics. For example, they would monitor how often a user logged into Zendesk and when the user logged in/logged out Zendesk. If activities of a user are abnormal, for instance the user logged into Zendesk at midnight, their audit team contacts the user to check the activities.

They laid out some additional items on what they're looking for:
Every login and logout events for each of their user. This logging should include:

Mandatory: User's email address, timestamp when the user login/logout.
Optional: The source IP address from which the user accessed to Zendesk.

They understand some cases, a user may not logout explicitly and so in those scenarios, they'd want to see something like:

[Date/time] [User] - [User email] at [IP] was logged out due to inactivity.

We noticed that the Audit Log does not contain an entry when the external ID is changed manually via the API. Please take this into consideration. 

Audit log really needs App changes listed. 

What kind of App changes are you interested in? Setting changes that you can make to the app in  Admin Center > Apps and integrations, or something else?

I would love to know when apps were: 
Activated
Deactivated
Added 
Deleted 
Settings were changed, such as group or admin access. 

Gotcha. In my test account I can see Audit log events for install and uninstall, and then just Updated events for enable/disable and permission changes with no additional details in the Activity column. I'll create a JIRA for our backlog to add more descriptive info in the Activity column for the events we currently capture.

2 requests: 

- Ability to see granular changes like ticket form conditions

- Seeing the exact changes straight away, instead of having to parse it manually through the "From" to "To" in the activity section.  

Thanks 

Hey Yasser, can you explain a little bit more about what you mean by "seeing the exact changes straight away"?

When exporting the audit log data as a csv, I am finding myself having to go through each individual activity (I am interested in investigating) and laying all the "From" and "To" changes and parsing through the text and often times Field or member IDs to track the actual distinct change that occurred.  

It would be very helpful to be able to only see the added or removed condition or action in a given activity.  

Thanks for explaining; it'll be interesting to see if any other folks on this thread agree as it's been a consistent piece of feedback that it's the preference to the see the from/to values. The reasoning has been that most often the next step that's taken after finding the right audit event is to revert the change back to its previous state, meaning I'd need to know the before and after value in order to do that.