System Audit Report

System Audit Report

The System Audit report contains data about all activity on your My1Login account. You can use this report to review all of the activities on your account or to review a specific user's activity within a specified timeframe.

System Audit Data is kept for 12 months.
Admin activity can not be deleted from the system audit outside of the 12 month retention policy.


The Login Attempts Summary page can be filtered using the following parameters:

  • Username

  • Date

  • "What" - Activity

  • Application

Running the Report

To run the System Audit Report:

  1. From the Admin Console, navigate to Reports> System Audit
  2. By default, the report will export all activity from the same calendar month. 
  3. You can filter the page results using Username, Start Date/End Date, What, and Application.
  4. Click Search to view filtered results on the report page. 
  5. Click Export to CSV in the top left hand corner to download the selected data as a comma separated value (CSV). 

Retrieving the Report

A toast notification will let you know that your report has been added to the queue:

Another will let you know when the report has been processed:

You can either click on the Report Complete popup or navigate to Reports> Generated Reports to see your reports ready for download. Click the Download button and your report will download to a CSV file. 
If you are waiting on the Generated Reports page and your report is still showing as "Queued" you may need to refresh the page for the Download button to appear.

Reports are available for download for 30 days after creation. 


The report page shows the following information:

  1. Who
  2. Domain
  3. What
  4. Label
  5. Date
  6. Outcome
  7. IP Address

The CSV report includes:

Field nameField description


User's My1Login username. This can be an email address or UPN.

Audit Entry Type

Nature of activity. Full list of types outlines below.

Target Label

Gives the detail of the page, application, activity.


Method of authentication.

Date of login attempt.

Timestamps are represented in UTC.
OutcomeWhether the login attempt was successful or failed.
IP address
IP address of where the login attempt was made. 

Audit Entry Type - 'What' - Explained

Field nameField description


Indicates new activity in My1Login. Can apply to new identities, password policies, users, applications, password shares, inclusion/exclusion list, implementing security questions. 


Shows pages on My1Login Admin Portal that have been viewed by a user. This will also show where a user has viewed passwords for stored identities through the Admin pages.


Shows any updates made by users or admins to identities, password policies, users, applications, password shares, security questions.
DeletedShows anything that has been deleted by a user or admin from My1login. Can apply to new identities, password policies, users, applications, inclusion/exclusion list, password shares, security questions. 

Credential Entry
Shows when users have entered credentials on a target application. The label will indicate the application or URL.
Timestamps are represented in UTC.
ExecutedApplication launch. Label will show the application used. 
Template Script Recording
Deprecated Label
Login Attempt
User has authenticated or attempted to authenticate with My1Login.
Transfer Credential
Ownership of credential(s) has been transferred to another user.
Active Directory Password Change
User has used Self Service Password Reset to change their AD password.
Report Generated
Admin has generated a report from the Admin Portal.

    • Related Articles

    • User Activation Report

      The User Activation report contains data about users' status and My1Login access. You can use this report to separate web users from AD synced users. The report gives visibility of whether or not users have accessed their My1Login service. Parameters ...
    • Application Usage Audit

      The Application Usage Audit report contains data about the applications accessed by users in your organisation. You can use this report to see which applications are the most used in your organisation, identify shadow IT, and make decisions about ...
    • Login Attempts Summary

      The Login Attempts Summary report contains data about users' My1Login access attempts. You can use this report to see users login activity and their method of authentication. The report gives visibility of whether or not users have been successful in ...