Reviewing Admin logs
The Admin log page will display all admin activity within the Forcepoint ONE SSE.
You can access the Admin logs by navigating to .
Admin Activity/Actions Tracked
In the admin logs, Activity is the high-level activity the admin was performing, while Action is the subcategory, the more specific item that was interacted with. For example, the Critical activity is a high-level tag for an error/issue, whereas the Deviceprofileerror action is the more specific item that had the issue.
Activity Name | Description |
---|---|
Add | Adding items to the Forcepoint ONE SSE platform (users, objects, apps, etc). |
Config | Editing the Forcepoint ONE SSE portal setting configurations. |
Critical | An error/issue was identified. |
Deactivate | Admin has deactivated a user on the IAM page. |
Delete | Deleting items on the Forcepoint ONE SSE platform (users, objects, apps, etc). |
Edit | User info has been edited. |
Endpoint | Log related to an endpoint device with the agent installed. |
Error | An error/issue was identified. |
Login | Admin logged into the Forcepoint ONE SSE portal. |
Logout | Admin logged out of the Forcepoint ONE SSE portal. |
Restarting | AD sync was restarted. |
Search | Log related to AD sync and searching/finding users/groups. |
Start | AD sync was started. |
System | Log related to the Forcepoint ONE SSE system. |
Action is the more specific action that was taken, if applicable. Activities such as Login/Logout will not have an associated action.
Action Name | Description |
---|---|
Admin | |
Agent | Logs related to the Forcepoint ONE SSE endpoint agent. |
Alert | Alerts of events and issues. |
AppConfig | Admin has made an edit to an application setting configuration. |
AppPolicy | Admin has made an edit to an application's policy. |
ConfirmDeactivation | A user requires confirmation for deactivation. |
Customdomaincategory | Admin has made a change to a custom domain category object. |
Customregion | Admin has made a change to the custom region (location) object. |
Datapattern | Admin has made a change to a data pattern object. |
Deviceprofileerror | Errors directly related to the Forcepoint ONE SSE endpoint agent on a user's device. |
Directory | All logs related to the Forcepoint ONE SSE Directory Sync integration. |
Group | Admin has made a change to a group's settings. |
Groupmigrationtype | |
Inactivity | Admin was logged out due to inactivity. |
Membership | User's group membership was modified. |
Notification | A notification was sent to an admin. |
NotificationObjects | An admin modified a notification object. |
OauthApp | Admin modified an OAuth Application. |
ProfileMatch | Endpoint device logging in matched a device profile object policy (managed vs unmanaged device detection). |
Syncconfig | Admin made changes to the Active Directory Sync configuration settings. |
Timeout | Admin timed out due to inactivity and was logged off. |
User | All logs related to events around a user account (user account was created, modified, deactivated, deleted, etc). |
The page is set up similarly to the Proxy logs page: you see a map display of admin login locations, the filter card for filtering by event or date/time range, and the event logs listed below.
The Event logs will display all admin actions including logins, logouts, device profile matches, configuration/settings changes, etc.