Introduction
Web Access includes built-in integration with the NEA auditing system and publishes a range of audit events. This document describes the available events and the audit output formats supported by Web Access. The information in this document applies to Web Access version 10.3 and later.
Audit Formats
Most audit data is currently available in the CSV format. Additional output options might be introduced in later releases based on customer demand. The examples given pertain to the CSV format.
CSV Format
Audit events can be exported in CSV format. Each row represents a single audit event and includes the columns listed below:
Columns
The columns of the CSV format include: timestamp (UTC), category, event type, path from, new path to, user, group, sid, share or export name, volume type, client IP, snapshot timestamp (UTC), shared link, and extra properties.
Column definitions
Column title | Definition |
timestamp (UTC) | The date and time when the event occurs, in UTC. |
category | The high-level category of the event (for example, Read). |
event type | The specific event recorded (for example, Read File). |
path from | The path of the item on which the action occurs, relative to the volume. |
new path to | The destination or target path for the action. |
user | The user who performed the action. |
group | The user’s primary group. |
sid | The Security Identifier (SID) of the user who performed the action. |
share or export name | The name of the Share where the action occurred. |
volume type | The protocol used for the operation. |
client IP | The IP address of the client that performed the action. |
snapshot timestamp (UTC) | The timestamp of the most recent snapshot at the time the event occurs. |
shared link | The identifier code of the Web Access shared link involved in the action. |
extra properties | Additional event-specific fields (key-value data). |
Additional information on errors is available in extra properties:
Error | Category | Extra Properties |
|---|---|---|
Read File Error | Read | error_ref_id=365ea9ab-461d-435c-8836-0bc1aab000a9; status_code=404; operation=GET; trace_id=nx8HAAAAAAA; error=ObjectNameNotFound |
Create Directory Error | Create | error_ref_id=37e59f7d-deeb-4e7b-b726-a0ebadf241d6; status_code=409; trace_id=XiAHAAAAAAA; error=FileAlreadyExists |
Enabling Web Access Audit Events
Web Access auditing can be enabled by visiting the Auditing section within the NMC, and enabling Auditing for the share. No further configuration is required.
Audit Events
Web Access generates audit events for significant user and system activity. This section outlines the event types available and what each event represents.
User authentication events
User Login
This event is generated when a user authenticates to Web Access. It applies to both SSO and non-SSO login flows.
Here is an example:
Timestamp(UTC) | 2026-02-19 13:23:01 |
Volume Type | WEBACCESS |
Category | Access |
Event Type | User Login |
User | CORPORATE\john.smith |
Extra Properties | operation=LOGIN; authenticated=True; trace_id=MVAGAAAAAAA |
User Logout
This event is generated when a user signs out of Web Access.
Here is an example:
Timestamp(UTC) | 2026-02-19 13:23:01 |
Volume Type | WEBACCESS |
Category | Access |
Event Type | User Logout |
User | CORPORATE\john.smith |
Extra Properties | operation=LOGOUT; trace_id=oI8KAAAAAAA; auth_used=LOGIN |
User Login Failure
This event is generated when a user authentication attempt fails with Web Access.
Here is an example:
Timestamp(UTC) | 2026-02-19 13:23:01 |
Volume Type | WEBACCESS |
Category | Access |
Event Type | User Login Error |
User | nobody |
Extra Properties | error_detail=Username not found; status_code=401; trace_id=MlAGAAAAAAA; error_ref_id=708cd5e3-5bd4-49b7-b972-d2dee063adb1; error=UsernameResolutionError; operation=LOGIN |
File Actions
Read File
This event is generated when a user reads the contents of a file.
Here is an example:
Timestamp(UTC) | 2026-02-19 13:23:01 |
Volume Type | WEBACCESS |
Category | Read |
Event Type | Read File |
User | CORPORATE\john.smith |
Path from | /Demonstration/Training Materials/File IQ Single Sign-On (SSO).pdf |
Extra Properties | length=2281613; operation=GET; offset=0; trace_id=q48KAAAAAAA; file_size=2281613 |
Write File
This event is generated when a user creates a new file, or overwrites an existing file with new contents.
Here is an example:
Timestamp(UTC) | 2026-02-19 13:23:01 |
Volume Type | WEBACCESS |
Category | Write |
Event Type | Write to File |
User | CORPORATE\john.smith |
Path from | /Demonstration/Training Materials/File IQ Single Sign-On (SSO).pdf |
Extra Properties | operation=UPLOAD; trace_id=NVAGAAAAAAA; file_size=2281613 |
Delete File
This event is generated when a user deletes a file.
Here is an example:
Timestamp(UTC) | 2026-02-19 13:23:01 |
Volume Type | WEBACCESS |
Category | Delete |
Event Type | Delete File |
User | CORPORATE\john.smith |
Path from | /Demonstration/Training Materials/File IQ Single Sign-On (SSO).pdf |
Extra Properties | operation=DELETE; trace_id=rI8KAAAAAAA |
Folder Actions
List Folder
This event is generated when a user operation lists the contents of a folder.
Here is an example:
Timestamp(UTC) | 2026-02-19 13:23:01 |
Volume Type | WEBACCESS |
Category | Read |
Event Type | Read Directory |
User | CORPORATE\john.smith |
Path from | /Demonstration/Training Materials/ |
Extra Properties | operation=GET; num_links=0; num_items=2; trace_id=rY8KAAAAAAA |
Create Folder
This event is generated when a user creates a new folder.
Here is an example:
Timestamp(UTC) | 2026-02-19 13:23:01 |
Volume Type | WEBACCESS |
Category | Create |
Event Type | Create Directory |
User | CORPORATE\john.smith |
Path from | /Demonstration/Training Materials/example |
Extra Properties | trace_id=SMcNAAAAAAA |
Delete Folder
This event is generated when a user deletes a folder.
Here is an example:
Timestamp(UTC) | 2026-02-19 13:23:01 |
Volume Type | WEBACCESS |
Category | Delete |
Event Type | Delete Directory |
User | CORPORATE\john.smith |
Path from | /Demonstration/Training Materials/example |
Extra Properties | operation=DELETE; trace_id=sY8KAAAAAAA |
Multiple File or Folder Actions
Multiple Item Download
This event is generated when a user requests multiple files to be downloaded as a single compressed archive (for example, a .zip file).
Here is an example of an individual file being included in a .zip download:
Timestamp(UTC) | 2026-02-19 13:23:01 |
Volume Type | WEBACCESS |
Category | Read |
Event Type | Read File |
User | CORPORATE\john.smith |
Path from | /Demonstration/Training Materials/actions.log |
Extra Properties | length=29126; operation=ZIP_DOWNLOAD; offset=0; trace_id=s48KAAAAAAA; file_size=29126 |
The following audit event is produced at the end of the .zip download after all files are included:
Timestamp(UTC) | 2026-02-19 13:23:01 |
Volume Type | WEBACCESS |
Category | Read |
Event Type | Read Multiple Files |
User | CORPORATE\john.smith |
Path from | /Demonstration/Training Materials/ |
Extra Properties | num_files=2; operation=ZIP_DOWNLOAD; trace_id=s48KAAAAAAA; total_files_size=58252 |
Sharing
Create Shared Link
This event is generated when a user creates a shared link to a file or folder.
Here is an example:
Timestamp(UTC) | 2026-02-19 13:23:01 |
Volume Type | WEBACCESS |
Category | Shared Link |
Event Type | Create Shared Link |
User | CORPORATE\john.smith |
Path from | /Demonstration/Training Materials/example |
Extra Properties | CRKFUmr9Ql6DMkhS3uMQJYGkQdp5XBRN3,auth_required=password; expiration_date=2026-04-19; link_access=modify; trace_id=tY8KAAAAAAA; expiration_days=60; is_dir=True |
Access Shared Link
This event is generated when a user successfully accesses a shared link to a file or folder.
Here is an example:
Timestamp(UTC) | 2026-02-19 13:23:01 |
Volume Type | WEBACCESS |
Category | Access |
Event Type | Access Shared Link |
User | CORPORATE\john.smith |
Path from | /Demonstration/Training Materials/example |
Extra Properties | QBAF8uvitxeM0XLrcE3nqPQNahqut7Ng6,auth_required=password; status_code=307; link_access=read; trace_id=v48KAAAAAAA; auth_used=LINK_PASSWORD; expiration_date=2026-04-19; expiration_days=60; is_dir=True |
Delete Shared Link
This event is generated when a user deletes a link to a file or folder.
Here is an example:
Timestamp(UTC) | 2026-02-19 13:23:01 |
Volume Type | WEBACCESS |
Category | Shared Link |
Event Type | Delete Shared Link |
User | CORPORATE\john.smith |
Path from | /Demonstration/Training Materials/example |
Extra Properties | 3CIeCVnhFrpDjhOTYpoMILmm4ofNzmDxq,auth_required=anonymous; expiration_date=2026-04-19; link_access=read; trace_id=w48KAAAAAAA; actor=CARBON\test_user_1; expiration_days=60; operation=LINK_DELETE; is_dir=True |
List Shared Links
This event is generated when a user operation lists the shared links against a file or folder, or for “Shared Items”.
Here is an example:
Timestamp(UTC) | 2026-02-19 13:23:01 |
Volume Type | WEBACCESS |
Category | Shared Link |
Event Type | Read Shared Link |
User | CORPORATE\john.smith |
Path from | /Demonstration/Training Materials/example |
Extra Properties | operation=LIST; num_links=3; is_dir=True; trace_id=xI8KAAAAAAA |
Audit Logs
Web Access audit logs track user-related events that occur within the Edge Appliance, including file access and use of shared links.
File system access is logged using the standard file system audit events such as “Create Directory” and “Read File”. Web Access adds other audit events such as “Create Shared Link” and “Access Shared Link”.
Auditing is configured for a given volume and Nasuni Edge Appliance. Auditing is disabled by default. After volume auditing is enabled, shared link audit events are always logged. To log file system audit events, select the “Event Types” that are relevant. We recommend Create, Delete, Rename, Write, and Read to limit the number of events generated. For configuration, see File System Auditing.