---
title: "Web Access Auditing"
slug: "web-access-auditing"
updated: 2026-03-25T15:00:41Z
published: 2026-03-25T15:00:41Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://docs.nasuni.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Web Access Auditing

## Introduction

Web Access includes built-in integration with the **NEA auditing system** and publishes a range of audit events. This document describes the available events and the audit output formats supported by Web Access. The information in this document applies to Web Access version 10.3 and later.

## Audit Formats

Most audit data is currently available in the CSV format. Additional output options might be introduced in later releases based on customer demand. The examples given pertain to the CSV format.

### CSV Format

Audit events can be exported in CSV format. Each row represents a single audit event and includes the columns listed below:

#### Columns

The columns of the CSV format include: timestamp (UTC), category, event type, path from, new path to, user, group, sid, share or export name, volume type, client IP, snapshot timestamp (UTC), shared link, and extra properties.

#### Column definitions

| **Column title** | **Definition** |
| --- | --- |
| **timestamp (UTC)** | The date and time when the event occurs, in UTC. |
| **category** | The high-level category of the event (for example, Read). |
| **event type** | The specific event recorded (for example, Read File). *(New event types in version 10.3: Read File, Write File, Create Directory, Delete File, Delete Directory, Read Directory, Read Shared Link, Read Multiple Files, Write Multiple Files, Login User, Logout User)* |
| **path from** | The path of the item on which the action occurs, relative to the volume. *Not always present.* |
| **new path to** | The destination or target path for the action. *Not always present.* |
| **user** | The user who performed the action. Might be logged as nobody for anonymous or unauthenticated operations. In this case, the sid is S-1-5-7. |
| **group** | The user’s primary group. Might be logged as nobody for anonymous or unauthenticated operations. In this case, the sid is S-1-5-7. |
| **sid** | The Security Identifier (SID) of the user who performed the action. |
| **share or export name** | The name of the Share where the action occurred. *Not always present.* |
| **volume type** | The protocol used for the operation. *(New volume type in version 10.3: WEBACCESS)* |
| **client IP** | The IP address of the client that performed the action. *Not always present.* |
| **snapshot timestamp (UTC)** | The timestamp of the most recent snapshot at the time the event occurs. *Not always present. Included for file and folder operations for previous versions.* |
| **shared link** | The identifier code of the Web Access shared link involved in the action. *Not always present.* |
| **extra properties** (new in version 10.3) | Additional event-specific fields (key-value data). *Not always present.* |

Additional information on errors is available in **extra properties**:

| **Error** | **Category** | **Extra Properties** |
| --- | --- | --- |
| Read File Error | Read | error_ref_id=365ea9ab-461d-435c-8836-0bc1aab000a9; status_code=404; operation=GET; trace_id=nx8HAAAAAAA; error=***ObjectNameNotFound*** |
| Create Directory Error | Create | error_ref_id=37e59f7d-deeb-4e7b-b726-a0ebadf241d6; status_code=409; trace_id=XiAHAAAAAAA; error=***FileAlreadyExists*** |

## 

## Enabling Web Access Audit Events

Web Access auditing can be enabled by visiting the **Auditing** section within the NMC, and enabling **Auditing** for the share. No further configuration is required.

## Audit Events

Web Access generates audit events for significant user and system activity. This section outlines the event types available and what each event represents.

### **User authentication events**

#### **User Login**

This event is generated when a user authenticates to Web Access. It applies to both **SSO** and **non-SSO** login flows.

Here is an example:

| **Timestamp(UTC)** | 2026-02-19 13:23:01 |
| --- | --- |
| **Volume Type** | WEBACCESS |
| **Category** | Access |
| **Event Type** | User Login |
| **User** | CORPORATE\john.smith |
| **Extra Properties** | operation=LOGIN; authenticated=True; trace_id=MVAGAAAAAAA |

#### **User Logout**

This event is generated when a user signs out of Web Access.

Here is an example:

| **Timestamp(UTC)** | 2026-02-19 13:23:01 |
| --- | --- |
| **Volume Type** | WEBACCESS |
| **Category** | Access |
| **Event Type** | User Logout |
| **User** | CORPORATE\john.smith |
| **Extra Properties** | operation=LOGOUT; trace_id=oI8KAAAAAAA; auth_used=LOGIN |

#### **User Login Failure**

This event is generated when a user authentication attempt fails with Web Access.

Here is an example:

| **Timestamp(UTC)** | 2026-02-19 13:23:01 |
| --- | --- |
| **Volume Type** | WEBACCESS |
| **Category** | Access |
| **Event Type** | User Login Error |
| **User** | nobody |
| **Extra Properties** | error_detail=Username not found; status_code=401; trace_id=MlAGAAAAAAA; error_ref_id=708cd5e3-5bd4-49b7-b972-d2dee063adb1; error=UsernameResolutionError; operation=LOGIN |

### **File Actions**

#### **Read File**

This event is generated when a user reads the contents of a file.

Here is an example:

| **Timestamp(UTC)** | 2026-02-19 13:23:01 |
| --- | --- |
| **Volume Type** | WEBACCESS |
| **Category** | Read |
| **Event Type** | Read File |
| **User** | CORPORATE\john.smith |
| **Path from** | /Demonstration/Training Materials/File IQ Single Sign-On (SSO).pdf |
| **Extra Properties** | length=2281613; operation=GET; offset=0; trace_id=q48KAAAAAAA; file_size=2281613 |

#### **Write File**

This event is generated when a user creates a new file, or overwrites an existing file with new contents.

Here is an example:

| **Timestamp(UTC)** | 2026-02-19 13:23:01 |
| --- | --- |
| **Volume Type** | WEBACCESS |
| **Category** | Write |
| **Event Type** | Write to File |
| **User** | CORPORATE\john.smith |
| **Path from** | /Demonstration/Training Materials/File IQ Single Sign-On (SSO).pdf |
| **Extra Properties** | operation=UPLOAD; trace_id=NVAGAAAAAAA; file_size=2281613 |

#### **Delete File**

This event is generated when a user deletes a file.

Here is an example:

| **Timestamp(UTC)** | 2026-02-19 13:23:01 |
| --- | --- |
| **Volume Type** | WEBACCESS |
| **Category** | Delete |
| **Event Type** | Delete File |
| **User** | CORPORATE\john.smith |
| **Path from** | /Demonstration/Training Materials/File IQ Single Sign-On (SSO).pdf |
| **Extra Properties** | operation=DELETE; trace_id=rI8KAAAAAAA |

### **Folder Actions**

#### **List Folder**

This event is generated when a user operation lists the contents of a folder.

Here is an example:

| **Timestamp(UTC)** | 2026-02-19 13:23:01 |
| --- | --- |
| **Volume Type** | WEBACCESS |
| **Category** | Read |
| **Event Type** | Read Directory |
| **User** | CORPORATE\john.smith |
| **Path from** | /Demonstration/Training Materials/ |
| **Extra Properties** | operation=GET; num_links=0; num_items=2; trace_id=rY8KAAAAAAA |

#### **Create Folder**

This event is generated when a user creates a new folder.

Here is an example:

| **Timestamp(UTC)** | 2026-02-19 13:23:01 |
| --- | --- |
| **Volume Type** | WEBACCESS |
| **Category** | Create |
| **Event Type** | Create Directory |
| **User** | CORPORATE\john.smith |
| **Path from** | /Demonstration/Training Materials/example |
| **Extra Properties** | trace_id=SMcNAAAAAAA |

#### **Delete Folder**

This event is generated when a user deletes a folder.

Here is an example:

| **Timestamp(UTC)** | 2026-02-19 13:23:01 |
| --- | --- |
| **Volume Type** | WEBACCESS |
| **Category** | Delete |
| **Event Type** | Delete Directory |
| **User** | CORPORATE\john.smith |
| **Path from** | /Demonstration/Training Materials/example |
| **Extra Properties** | operation=DELETE; trace_id=sY8KAAAAAAA |

### **Multiple File or Folder Actions**

#### **Multiple Item Download**

This event is generated when a user requests multiple files to be downloaded as a single compressed archive (for example, a **.zip** file).

Here is an example of an individual file being included in a .zip download:

| **Timestamp(UTC)** | 2026-02-19 13:23:01 |
| --- | --- |
| **Volume Type** | WEBACCESS |
| **Category** | Read |
| **Event Type** | Read File |
| **User** | CORPORATE\john.smith |
| **Path from** | /Demonstration/Training Materials/actions.log |
| **Extra Properties** | length=29126; operation=ZIP_DOWNLOAD; offset=0; trace_id=s48KAAAAAAA; file_size=29126 |

The following audit event is produced at the end of the .zip download after all files are included:

| **Timestamp(UTC)** | 2026-02-19 13:23:01 |
| --- | --- |
| **Volume Type** | WEBACCESS |
| **Category** | Read |
| **Event Type** | Read Multiple Files |
| **User** | CORPORATE\john.smith |
| **Path from** | /Demonstration/Training Materials/ |
| **Extra Properties** | num_files=2; operation=ZIP_DOWNLOAD; trace_id=s48KAAAAAAA; total_files_size=58252 |

### **Sharing**

#### **Create Shared Link**

This event is generated when a user creates a shared link to a file or folder.

Here is an example:

| **Timestamp(UTC)** | 2026-02-19 13:23:01 |
| --- | --- |
| **Volume Type** | WEBACCESS |
| **Category** | Shared Link |
| **Event Type** | Create Shared Link |
| **User** | CORPORATE\john.smith |
| **Path from** | /Demonstration/Training Materials/example |
| **Extra Properties** | CRKFUmr9Ql6DMkhS3uMQJYGkQdp5XBRN3,auth_required=password; expiration_date=2026-04-19; link_access=modify; trace_id=tY8KAAAAAAA; expiration_days=60; is_dir=True |

#### **Access Shared Link**

This event is generated when a user successfully accesses a shared link to a file or folder.

Here is an example:

| **Timestamp(UTC)** | 2026-02-19 13:23:01 |
| --- | --- |
| **Volume Type** | WEBACCESS |
| **Category** | Access |
| **Event Type** | Access Shared Link |
| **User** | CORPORATE\john.smith |
| **Path from** | /Demonstration/Training Materials/example |
| **Extra Properties** | QBAF8uvitxeM0XLrcE3nqPQNahqut7Ng6,auth_required=password; status_code=307; link_access=read; trace_id=v48KAAAAAAA; auth_used=LINK_PASSWORD; expiration_date=2026-04-19; expiration_days=60; is_dir=True |

#### **Delete Shared Link**

This event is generated when a user deletes a link to a file or folder.

Here is an example:

| **Timestamp(UTC)** | 2026-02-19 13:23:01 |
| --- | --- |
| **Volume Type** | WEBACCESS |
| **Category** | Shared Link |
| **Event Type** | Delete Shared Link |
| **User** | CORPORATE\john.smith |
| **Path from** | /Demonstration/Training Materials/example |
| **Extra Properties** | 3CIeCVnhFrpDjhOTYpoMILmm4ofNzmDxq,auth_required=anonymous; expiration_date=2026-04-19; link_access=read; trace_id=w48KAAAAAAA; actor=CARBON\test_user_1; expiration_days=60; operation=LINK_DELETE; is_dir=True |

#### **List Shared Links**

This event is generated when a user operation lists the shared links against a file or folder, or for “Shared Items”.

Here is an example:

| **Timestamp(UTC)** | 2026-02-19 13:23:01 |
| --- | --- |
| **Volume Type** | WEBACCESS |
| **Category** | Shared Link |
| **Event Type** | Read Shared Link |
| **User** | CORPORATE\john.smith |
| **Path from** | /Demonstration/Training Materials/example |
| **Extra Properties** | operation=LIST; num_links=3; is_dir=True; trace_id=xI8KAAAAAAA |

## Audit Logs

Web Access audit logs track user-related events that occur within the Edge Appliance, including file access and use of shared links.

File system access is logged using the standard file system audit events such as “Create Directory” and “Read File”. Web Access adds other audit events such as “Create Shared Link” and “Access Shared Link”.

Auditing is configured for a given volume and Nasuni Edge Appliance. Auditing is disabled by default. After volume auditing is enabled, shared link audit events are always logged. To log file system audit events, select the “Event Types” that are relevant. We recommend Create, Delete, Rename, Write, and Read to limit the number of events generated. For configuration, see [File System Auditing](/v1/docs/chapter-7-volumes-page#file-system-auditing).

##