Audit Log for CrashPlan

Overview

The CrashPlan Audit Log provides a record of who did what and when in the CrashPlan environment. This article provides detailed descriptions of each item in the Audit Log in the CrashPlan console. Some uses of the Audit Log include: 

  • Determine how the CrashPlan environment ended up in its current state.
  • Spot check others' work to prevent abuse of privileged access.
  • Identify areas of training for users that caused inadvertent changes.
Use the Audit Log APIs to export results
The Audit Log in the CrashPlan console allows you to quickly search events and export the results to a comma-separated values (CSV) file. This is useful for quick spot checks, but if you need to export events to your internal security team's tools, use the CrashPlan API instead. See Search Audit Log events with the CrashPlan API.

Considerations

  • You must have the Audit Log Viewer role to view events in the Audit Log.
  • The Audit Log records events for the last 90 days. If you want to maintain Audit Log output for longer than 90 days, export the results to your own systems for storage.
  • While there is no limit to the number of events recorded in Audit Log, you can export only a maximum of 100,000 events at once. To work around this limitation, see Troubleshooting.
  • Events that are recorded in the Audit Log can originate from actions taken in the CrashPlan console, CrashPlan APIs, an integration with CrashPlan, or an external user provisioning system.
  • Event results are returned within five minutes of the event occurrence. Although event results of different event types are returned at different intervals, they are always listed in the order they occurred.

Audit Log in the CrashPlan console

To view the Audit Log:

  1. Sign in to the CrashPlan console.
  2. Select Administration > Status > Audit Log.

Audit-Log-Main-Page.png

Item Description
a Export Export the filtered events to a comma-separated values (CSV) file.
b Filter Filter the events by the criteria you select.
c Filtered by The filters that are currently applied to the Audit Log events. Click the X to remove that filter. Remove all filters to view all events.
d Username The CrashPlan username associated with the event.
e Event type The event type logged.
f Date observed Date and time the event occurred. The time is reported in Coordinated Universal Time (UTC).
g IP address Public IP address involved in the event.
h View detail Click to view event details. Includes event type, date observed, and device details.

Filter

To filter the events listed in the Audit Log, click Filter and select the criteria to use. When you click Apply, events that match all filters appear in the list.

console audit log filter reference.png

Item Description
a Username Returns events triggered by a specific CrashPlan user. Use commas to separate multiple usernames.
b Resource ID

Search for events related to a specific resource's ID.

Resources whose IDs you can search for include:

  • Affected user
  • Alert
  • Alert rule
  • Archive source compute GUID
  • Case
  • Client
  • Federation
  • Identity provider
  • Provisioner
  • User
  • Watchlist
c User type

The type of user to search for:

  • User
    Select to search for events triggered by a CrashPlan user.
  • CrashPlan support user
    Select to search for events triggered by a CrashPlan support user. CrashPlan support users are technical support engineers given support access to your CrashPlan environment to perform investigation and adjust settings as needed. By default, the CrashPlan support user's name is marvin@crashplan.com. The CrashPlan support user can create additional users that appear in the Audit Log. To find those users, you can filter on the user type CrashPlan support user and then filter on the Add user event type.
  • API client
    Select to search for events triggered by an API client.
  • System
    Select to search for events triggered by the CrashPlan system. 
d Date range

Filters the list by the selected date range. Select Custom to enter start and end dates to use to filter events. You can also select All dates to view all events that have been logged.

e Event type

Filters results by event types. All events filters by all available event types. 

Event types are organized into categories. Select All events in a category to filter by all available event types in that category. 

See the Event types section below for a description of each event type. 

  • Administration
    • All events
    • CrashPlan support user access disabled
    • CrashPlan support user access enabled
    • Risk setting changed
    • Risk setting created
  • API Clients
    • All events
    • API client created
    • API client deleted
    • API client description changed
    • API client name changed
    • API client permissions assigned
    • API client permissions revoked
    • API client secret reset
  • Authorization
    • All events
    • Console login
  • File access
    • All events
    • Path purged
    • Restore ended
    • Restore started
    • ZIP file downloaded
  • Identity and access management 
    • Federation created
    • Federation deleted
    • Federation metadata updated
    • Federation updated
    • Identity provider assigned to org
    • Identity provider created
    • Identity provider deleted
    • Identity provider metadata updated
    • Identity provider removed from org
    • Identity provider updated
    • SCIM provisioner configuration updated
    • SCIM provisioner created
    • SCIM provisioner credentials changed
    • SCIM provisioner deleted
  • User updates
    • All events
    • Activate user
    • Add user
    • Deactivate user
    • Email change
    • External attributes change
    • External reference change
    • Local auth only change
    • Name change
    • User roles assigned
    • User roles revoked
    • Username change
f IP address Filters the events by a specific public IP address involved in the event. Use commas to separate multiple IP addresses.
g Cancel / Apply Click Apply to apply the selected filter criteria to the list and display only the events that match that criteria. To return to the list without applying any filters, click Cancel.

Export

Click Export to export the filtered events in the Audit Log to a comma-separated values (CSV) file. Any filters that are applied are shown above the Audit Log list. Click the X on a filter to remove that filter from the exported results.

In addition to exporting events to CSV in the CrashPlan console, you can also export events with the CrashPlan API. See Search Audit Log events with the CrashPlan API.

Event details

For any event listed in the Audit Log, click View details to see more information about the event.

audit-log-event-details.png

Following are the fields that can appear in event details.

Event

Following are the fields that can appear in the Event section of the Event details panel. The fields that display vary depending on the type of activity that triggered the event. 

Item Description
Event type

The event type logged.

Date observed Date and time the event occurred. The time is reported in Coordinated Universal Time (UTC).

User

Following are the fields that appear in the User section of the Event details panel.

Item Description
Acting user (CrashPlan)

The CrashPlan username of the acting user who triggered the event. The acting user can be a CrashPlan user, CrashPlan API (via an API client), or SCIM provisioning system.

If the acting user was a SCIM provisioning system (for example, for an External attributes change event), the entry appears as the provisioning provider Username credentials from CrashPlan (for example, "azure_1234@cloud.crashplan.com").

If the acting user was an API client, clicking View Profile opens the API client in the CrashPlan console.

User type

The type of user who triggered the event: a CrashPlan user, a CrashPlan support user, an API client, or the CrashPlan system. To search for events triggered by specific user types, use the search filter.

CrashPlan support users are users given support access to your CrashPlan environment to perform investigation and adjust settings as needed. By default, the username of support users is marvin@crashplan.com.

IP address (public)

The public IP address of the device used to trigger the event.
User agent

Details of the browser and device used to trigger the event.

If the acting user was an API call (for example, for a Console login event), this field displays details of the API.

Additional event details

Following are the fields that appear in the Additional event details section of the Event details panel.

Item Description Applies to events
Affected user The CrashPlan username of the person who was acted upon in the event.

Activate user

Add user

Deactivate user

External attributes change

External reference change

Local auth only change

Name change

Username change

User roles assigned

User roles revoked

Affected user UID The CrashPlan unique UID (userUid) of the person who was acted upon in the event.

Activate user

Add user

Deactivate user

External attributes change

External reference change

Local auth only change

Name change

Username change

User roles assigned

User roles revoked

Affected user type The type of user who triggered the event, either a CrashPlan user or a CrashPlan support user.

Activate user

Add user

Deactivate user

External attributes change

External reference change

Local auth only change

Name change

Username change

User roles assigned

User roles revoked

Amount of data deleted The total amount of data that was deleted (in bytes). Path purged

Amount of data downloaded

The total amount of data contained in the downloaded ZIP file. 

ZIP file downloaded

Amount of data restored

The total amount of file data restored in the event.  Restore ended 
API permissions The read and write permissions given to or removed from API clients.

API client permissions assigned

API client permissions revoked

Archive owner The CrashPlan username of the person who owned the device from which the data was archived. Path purged
Assignable roles The roles available for role mapping in the SCIM provisioning provider. SCIM provisioner configuration updated
Attribute mapping inherited Whether the attribute mapping for the authentication provider was changed as part of the event (true or false).

Identity provider created

Identity provider updated

Authentication contexts The context class reference to authenticate users. For more information about context classes, see the SAML 2.0 specification.

Identity provider created

Identity provider updated

Authentication enabled Whether the authentication provider is assigned to an organization and therefore enabled for use (true or false).

Identity provider created

Identity provider updated

Changed at The date and time when the SCIM provisioning provider's credentials were changed. SCIM provisioner credentials changed
Client ID The ID of an API client.

API client created

API client deleted

API client description changed

API client name changed

API client permissions assigned

API client permissions revoked

API client secret reset

Context comparison

The comparison method used to evaluate the requested context class. Valid values are:

  • EXACT
  • MINIMUM
  • MAXIMUM
  • BETTER

For more information about context comparison, see the SAML 2.0 specification.

Identity provider created

Identity provider updated

Created at When the authentication provider, identity provider, or SCIM provisioning provider was created.

Federation created

Identity provider created

SCIM provisioner created

Deactivation delay The length of time that user deactivation is delayed after provisioning.

SCIM provisioner configuration updated

SCIM provisioner created

Default organization ID The organization ID of the default organization that users are provisioned to.

SCIM provisioner configuration updated

SCIM provisioner created

Deleted at The date and time when the SCIM provisioning provider was deleted. SCIM provisioner deleted
Deleted directory count  The number of directories that were removed from the archive. Path purged
Deleted file count  The number of files that were removed from the archive. Path purged
Description The description of the API client. API client created

Destination holding the archive

The backup destination containing the files that were restored.

Path purged

Restore ended 

Restore started 

Device guid data is pushed to

The globally unique ID (GUID) of the device that received restored files.

Restore ended 

Restore started 

Device guid that owned the data The globally unique ID (GUID) of the device where the files originated.

Path purged

Restore ended 

Restore started 

Device hostname data is pushed to The hostname of the device that received restored files.

Restore ended 

Restore started 

Device hostname that owned the data The hostname of the device where the restored files originated.

Path purged

Restore ended 

Restore started 

Display name attribute The display name of the federation.

Federation created

Federation updated

Downloading user account (uid)

The CrashPlan unique UID (userUid) of the person who initiated the file restore. ZIP file downloaded

Duration

The length of time it took for the file restoration process from start to finish. Restore ended
Email attribute The email attribute in the authentication provider's attribute mapping.

Federation created

Federation updated

Identity provider created

Identity provider updated

Event success

Whether the event execution was successful:

  • true
    The event completed successfully.
  • false
    The event did not complete successfully. (For example, if data was being changed to a new value in the event, the string may have been malformed or contained illegal characters).

Deactivate user

External attributes change

External reference change

Name change

Username change

External IP address of device pushed to

The ISP-assigned IP address of the device that received restored files. Restore ended 
Family name attribute The last name attribute in the authentication provider's attribute mapping.

Federation created

Federation updated

Identity provider created

Identity provider updated

Federation ID The unique identification number of the federation.

Federation created

Federation deleted

Federation metadata updated

Federation updated

Identity provider created

Federation metadata MD5 checksum The checksum of the federation's metadata to ensure it was not edited in transit. 

Federation created

Federation metadata updated

Federation updated

Federation metadata URL The metadata URL for the federated authentication provider. 

Federation created

Federation metadata updated

Federation updated

Filename

The name of the downloaded ZIP file. ZIP file downloaded
Given name attribute The given name (first name) attribute in the authentication provider's attribute mapping.

Federation created

Federation updated

Identity provider created

Identity provider updated

Group to organization map The organization mapping for the SCIM provisioning provider. SCIM provisioner configuration updated
Hash algorithm The digest algorithm that performs a checksum of the contents of the SAML request to ensure it was not edited in transit. For more information about digest algorithms, see the W3 XML Security Algorithm Cross-Reference.

Identity provider created

Identity provider updated

Identity provider ID The unique ID of the authentication provider. 

Identity provider assigned to org

Identity provider created

Identity provider metadata updated

Identity provider removed from org

Identity provider updated

Identity provider metadata URL The metadata URL for the authentication provider. 

Identity provider created

Identity provider metadata updated

Identity provider updated

Identity provider metadata uploaded Whether the metadata file was uploaded (true or false).

Identity provider created

Identity provider updated

Integration name The name of the authentication provider, federation, or SCIM provisioning provider.

Federation created

Federation metadata updated

Federation updated

Identity provider created

Identity provider metadata updated

Identity provider updated

SCIM provisioner configuration updated

SCIM provisioner created

Integration name inherited Whether the name of the authentication provider was changed as part of the event (true or false).

Identity provider updated

Internal IP address of device pushed to

The local IP address of the device that received restored files.  Restore ended

Internal IP address of requestor

The local IP address of the device that requested the file restoration. Restore started

Local timestamp

The local time the file download or restore event occurred.

Restore ended

Restore started

ZIP file downloaded

Name

The name of the item at the time the event occurred. Note that the name of the item can be changed later.

API client created

API client deleted

API client permissions assigned

API client permissions revoked

API client secret reset

New value The value of the data after the event. 

API client description changed

API client name changed

External attributes change

External reference change

Local auth only change

Name change

Username change

Number of files restored

The total number of files restored in the event. Restore ended

Number of files that failed to restore

The total number of files that were not successfully restored in the event. Restore ended
Old value The value of the data before the event.

API client description changed

API client name changed

External attributes change

External reference change

Local auth only change

Name change

Username change

Organization ID The ID of the organization to which the authentication provider is assigned.

Identity provider assigned to org

Identity provider deleted

Identity provider removed from org

Organization mapping type The type of organization mapping used for the SCIM provisioning provider.

SCIM provisioner configuration updated

SCIM provisioner created

Owner uid of device data pushed to

The CrashPlan unique ID (userUid) of the person that received restored files.

Restore ended 

Restore started 

Owner of device data pushed to

The CrashPlan username of the person that received restored files.

Restore started

Restore ended 

Provider entity ID The entity ID submitted by the authentication provider to the identity provider.

Identity provider created

Identity provider updated

Provider type The type of SCIM provisioning provider (default or CrashPlan User Directory Sync).

SCIM provisioner configuration updated

SCIM provisioner created

Provisioner ID The unique ID of the provisioning provider.

SCIM provisioner created

SCIM provisioner deleted

SCIM provisioner configuration updated

SCIM provisioner credentials changed

Purged path

The path that was purged. 

 

The following message appears when the purge path is suppressed by the person running the purge.path command:
CLI command path display suppressed 

Path purged

Restore ID

The unique ID of a file restoration. The same restore ID will appear on a Restore started and Restore ended event. 

Restore ended 

Restore started 

ZIP file downloaded

Result

The result of the file restore event:

  • CANCELED
    The restore was canceled before it could be completed.
  • SUCCESS
    The restore completed successfully.
Restore ended 
Role mapping type The type of role mapping (manual or group).

SCIM provisioner configuration updated

SCIM provisioner created

Role names The roles assigned to or revoked from a user. 

User roles assigned

User roles revoked

Roles assigned to groups The roles assigned to users within groups at provisioning time. SCIM provisioner configuration updated
Signature algorithm The cryptographic signature algorithm for the checksum of the contents of the SAML request. For more information about signature algorithms, see the W3 XML Security Algorithm Cross-Reference.

Identity provider created

Identity provider updated

Sub-type

The type of file restoration: 

Restore ended 

Restore started 

Sync user The username in the provisioning provider whose credentials are used for provisioning synchronization. SCIM provisioner created
Updated at When the SCIM provisioning provider was updated.  SCIM provisioner configuration updated

Updated local auth status

The authentication method was changed for the user:

  • true
    The user is authenticated as a local user (CrashPlan-based authentication).
  • false
    The user is authenticated by SSO. 
Local auth only change

URL of ZIP restore

The URL of the ZIP file downloaded in the file restoration process. ZIP file downloaded
Username attribute The username attribute in the authentication provider's attribute mapping. 

Federation created

Federation updated

Identity provider created

Identity provider updated

Username from name ID Whether the username attribute in the authentication provider's attribute mapping is derived from the user ID (true or false).

Federation created

Federation updated

Identity provider created

Identity provider updated

User that owned the data

The CrashPlan username of the person who owned the files that were restored.

Restore ended

Restore started 

User type that owned the data

The type of user who owned the files that were restored, either a CrashPlan user or CrashPlan support user.

Restore ended

Restore started 

User uid that owned the data

The CrashPlan unique UID (userUid) of the person who owned the files that were restored.

Restore ended

Restore started 

Where was restore initiated

The location where the restore process was triggered:

  • CONSOLE
    Restore was initiated from the CrashPlan console.
  • AGENT
    Restore was initiated from the CrashPlan app.

Restore ended

Restore started 

 

Event types

Following are the kinds of events that appear in the Audit Log.

Add user 

This event means that a new user was added in CrashPlan. 

An empty value for fields in this event type may result from the initial intake of users from your CrashPlan environment into the Audit Log. See Troubleshooting.

Activate user

This event means that a user was reactivated in CrashPlan. Reactivation occurs after a user had been previously deactivated.

API client created

This event means that an API client was created.

API client deleted

This event means that an API client was deleted.

API client description changed

This event means that an API client's description was changed.

API client name changed

This event means that an API client's name was changed.

API client permissions assigned

This event means that read or write API permissions were given to an API client.

API client permissions revoked

This event means that read or write API permissions were removed from an API client.

API client secret reset

This event means that an API client's secret was reset.

CrashPlan support user access disabled

This event means that support access to your CrashPlan environment was turned off, so CrashPlan support users (also known as technical support engineers) no longer have permission to access your CrashPlan environment to troubleshoot or adjust settings.

CrashPlan support user access enabled

This event means that CrashPlan support users (also known as technical support engineers) were granted support access to your CrashPlan environment to troubleshoot and adjust settings as needed.

CrashPlan support users can log in after they are given support access. By default, the CrashPlan support user's name is marvin@crashplan.com.

To find events performed by a CrashPlan support user, filter on the user type CrashPlan support user. The user information appears in the User type section of the event details. If the CrashPlan support user creates additional users, you can find them in the Audit Log by filtering on the user type CrashPlan support user and event type Add user.
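The two filters described above can be combined into one review over exported events. The following is an added example, not CrashPlan code: it finds accounts created by a CrashPlan support user and reports anything those accounts did while support access was not enabled. The dictionary keys mirror the console's field labels, and both the key names and the ISO 8601 timestamp format are assumptions about the export.

```python
ENABLED = "CrashPlan support user access enabled"
DISABLED = "CrashPlan support user access disabled"
SUPPORT_TYPE = "CrashPlan support user"


def _ev(ts, user, user_type, event_type, affected=None):
    # Helper for building constructed sample records (assumed key names).
    return {"Date observed": ts, "Username": user, "User type": user_type,
            "Event type": event_type, "Affected user": affected}


# Constructed sample data, not real Audit Log output.
SAMPLE_EVENTS = [
    _ev("2024-05-01T09:00:00Z", "admin@example.com", "User", ENABLED),
    _ev("2024-05-01T09:10:00Z", "marvin@crashplan.com", SUPPORT_TYPE, "Console login"),
    _ev("2024-05-01T09:20:00Z", "marvin@crashplan.com", SUPPORT_TYPE, "Add user",
        affected="helper@example.com"),
    _ev("2024-05-01T09:30:00Z", "helper@example.com", "User", "Console login"),
    _ev("2024-05-01T11:00:00Z", "admin@example.com", "User", DISABLED),
    _ev("2024-05-02T08:00:00Z", "alice@example.com", "User", "Console login"),
    _ev("2024-05-03T02:15:00Z", "helper@example.com", "User", "User roles assigned",
        affected="helper@example.com"),
    _ev("2024-05-03T02:20:00Z", "helper@example.com", "User", "Console login"),
]


def support_windows(events):
    """Return [(enabled_at, disabled_at or None), ...] for support access.

    Timestamps are compared as strings, which is only valid when every value
    uses the same fixed-width UTC format (assumed here).
    """
    windows, opened = [], None
    for ev in sorted(events, key=lambda e: e["Date observed"]):
        if ev["Event type"] == ENABLED and opened is None:
            opened = ev["Date observed"]
        elif ev["Event type"] == DISABLED and opened is not None:
            windows.append((opened, ev["Date observed"]))
            opened = None
    if opened is not None:
        windows.append((opened, None))  # access is still enabled
    return windows


def support_created_accounts(events):
    """Map each username added by a support user to its creation time."""
    created = {}
    for ev in events:
        if ev["User type"] == SUPPORT_TYPE and ev["Event type"] == "Add user":
            created.setdefault(ev["Affected user"], ev["Date observed"])
    return created


def activity_outside_support_windows(events):
    """Events triggered by support-created accounts while access was off."""
    windows = support_windows(events)
    created = support_created_accounts(events)

    def in_window(ts):
        return any(s <= ts and (e is None or ts <= e) for s, e in windows)

    hits = []
    for ev in events:
        actor, ts = ev["Username"], ev["Date observed"]
        if actor in created and ts >= created[actor] and not in_window(ts):
            hits.append((ts, actor, ev["Event type"]))
    return sorted(hits)


if __name__ == "__main__":
    for hit in activity_outside_support_windows(SAMPLE_EVENTS):
        print(*hit, sep="  ")
```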

Console login

This event means that a login to the CrashPlan console was recorded. The login could be from a direct user sign-in, a user signing in with single sign-on (SSO), or a sign-in initiated with an API call from the CrashPlan API or an integration. If the sign-in is initiated with an API call, the User agent field displays details of the API.

Deactivate user

This event means that a user was deactivated in CrashPlan. A user can be deactivated for many reasons, from leaving the company to being removed from a provisioning system. For more information about user deactivation performed by provisioning systems, see our articles on SCIM provisioning and CrashPlan User Directory Sync.

Email change

This event means that a user's email address was changed. In CrashPlan, the user's email address is also their CrashPlan username. Therefore, a change to a user's email address also results in a Username change event. 

External attributes change

This event means that an external user provisioning system, such as CrashPlan User Directory Sync or a SCIM provisioning system like Azure AD provisioning, Okta provisioning, or PingOne provisioning, updated a user's attributes.

When a provisioning system triggers an event, the Username CrashPlan entry appears as the provisioning provider username credentials from CrashPlan (for example, "azure_1234@cloud.crashplan.com").

If multiple attributes for a user are changed as a result of a single provisioning action, then all the attribute changes appear in the same event. The changed attributes that can appear in this event type are:

  • country
  • division
  • department
  • employee_type
  • locality
  • manager_user_id
  • region
  • title

External reference change

This event means that a user's external reference information was changed. The External Reference field in CrashPlan is used by administrators to add descriptive information to users, devices, or organizations in the CrashPlan environment, such as serial numbers, asset tags, employee IDs, help desk issue IDs, and the like. This information provides additional context for administrators and helps to integrate with external systems.

Federation created

This event means that a federation was created in Identity Management. 

Federation deleted

This event means that a federation was deleted in Identity Management. 

Federation metadata updated

This event means that the metadata for a federation was edited. 

Federation updated

This event means that details of a federation were edited.  

Identity provider assigned to org

This event means that an authentication provider was assigned to an organization.

Identity provider created

This event means that an authentication provider was created.

Identity provider deleted

This event means that an authentication provider was deleted. 

Identity provider metadata updated

This event means that the metadata for an authentication provider was edited. 

Identity provider removed from org

This event means that an authentication provider was removed from an organization.

Identity provider updated

This event means that details of an authentication provider were edited.

Local auth only change

This event means that the local authentication method was changed for the user. Users with local authentication appear in the Local Users pane of the Authentication tab in Identity Management.

In the Updated local auth status field of the event details, a value of "true" indicates that the user is restricted to local (CrashPlan-based) authentication only, while a value of "false" indicates that the user is authenticated by SSO. 

An empty value for fields in this event type may result from the initial intake of users from your CrashPlan environment into the Audit Log. See Troubleshooting.

Name change

This event means that a user's first name or last name was changed. 

Path purged

This event means that the purge.path command was used to remove files or directories from backup archives. 

Restore ended

This event means that restoration (download) of files to a device has completed.

The additional event details show the type of restore and other information about the restore, such as the owner of the device that received the restored files.

Restore started

This event means that restoration (download) of files to a device has started.

Compare the restore start and end times for the same restore ID to find how long a restore took. Depending on the kind of restore and the amount of file content restored, the length of time for a restore can vary widely.
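The comparison described above can be scripted over exported events. The following is an added example, not CrashPlan code: it pairs Restore started and Restore ended events by Restore ID, computes each duration, and lists restores worth a spot check (never ended, canceled, or delivered to a user other than the data's owner). The dictionary keys mirror the Event details field labels, and the key names and timestamp format are assumptions about the export.

```python
from datetime import datetime

START, END = "Restore started", "Restore ended"


def _restore(event_type, ts, rid, actor, owner, recipient, result=None):
    # Helper for building constructed sample records (assumed key names).
    return {"Event type": event_type, "Date observed": ts, "Restore ID": rid,
            "Username": actor, "User that owned the data": owner,
            "Owner of device data pushed to": recipient, "Result": result}


# Constructed sample data, not real Audit Log output.
SAMPLE_EVENTS = [
    _restore(START, "2024-03-01T10:00:00Z", "r-1001", "alice@example.com",
             "alice@example.com", "alice@example.com"),
    _restore(END, "2024-03-01T10:15:00Z", "r-1001", "alice@example.com",
             "alice@example.com", "alice@example.com", "SUCCESS"),
    _restore(START, "2024-03-01T11:00:00Z", "r-1002", "admin@example.com",
             "bob@example.com", "admin@example.com"),
    _restore(END, "2024-03-01T11:40:00Z", "r-1002", "admin@example.com",
             "bob@example.com", "admin@example.com", "SUCCESS"),
    _restore(START, "2024-03-01T12:00:00Z", "r-1003", "carol@example.com",
             "carol@example.com", "carol@example.com"),
    _restore(START, "2024-03-01T13:00:00Z", "r-1004", "dave@example.com",
             "dave@example.com", "dave@example.com"),
    _restore(END, "2024-03-01T13:02:00Z", "r-1004", "dave@example.com",
             "dave@example.com", "dave@example.com", "CANCELED"),
    {"Event type": "Console login", "Date observed": "2024-03-01T09:00:00Z",
     "Username": "alice@example.com"},
]


def parse_utc(value):
    """Parse an ISO 8601 UTC timestamp (format assumed)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def correlate_restores(events):
    """Group Restore started / Restore ended events by Restore ID."""
    restores = {}
    for ev in events:
        if ev.get("Event type") not in (START, END):
            continue
        rec = restores.setdefault(ev["Restore ID"], {
            "started": None, "ended": None, "result": None,
            "acting_user": ev.get("Username"),
            "data_owner": ev.get("User that owned the data"),
            "recipient": ev.get("Owner of device data pushed to"),
        })
        ts = parse_utc(ev["Date observed"])
        if ev["Event type"] == START:
            rec["started"] = ts
        else:
            rec["ended"] = ts
            rec["result"] = ev.get("Result")
    for rec in restores.values():
        paired = rec["started"] is not None and rec["ended"] is not None
        rec["duration_s"] = (
            (rec["ended"] - rec["started"]).total_seconds() if paired else None)
    return restores


def review_findings(restores):
    """Return (restore_id, reason) pairs for restores that merit review."""
    findings = []
    for rid, rec in sorted(restores.items()):
        if rec["ended"] is None:
            findings.append((rid, "no Restore ended event"))
        elif rec["result"] == "CANCELED":
            findings.append((rid, "restore canceled"))
        owner, recipient = rec["data_owner"], rec["recipient"]
        if owner and recipient and owner != recipient:
            findings.append((rid, "data restored to a different user's device"))
    return findings


if __name__ == "__main__":
    restores = correlate_restores(SAMPLE_EVENTS)
    for rid, rec in sorted(restores.items()):
        print(rid, rec["duration_s"], rec["result"])
    for finding in review_findings(restores):
        print("REVIEW", *finding)
```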

SCIM provisioner configuration updated

This event means that details of a SCIM provisioning provider were edited. 

SCIM provisioner created

This event means that a SCIM provisioning provider was created.

SCIM provisioner credentials changed

This event means that the Provider Credentials were changed for the SCIM provisioning provider.

SCIM provisioner deleted

This event means that the SCIM provisioning provider was deleted. 

User roles assigned

This event means that roles were assigned to a user. For a list of all available roles, see the Roles reference (CrashPlan).

User roles revoked

This event means that roles were removed from a user.

Username change

This event means that a user's CrashPlan username was changed. In CrashPlan, the user's email address is also their CrashPlan username. Therefore, a change to a CrashPlan username also results in an Email change event for the user. 

The Affected user field in the event details is empty in this type of event because the username value is shown in the Old value and New value fields. See Troubleshooting.

ZIP file downloaded

This event means that a ZIP file was downloaded to a device while restoring files to a ZIP file.

Troubleshooting

Empty values in fields

Empty values in Audit Log fields (shown as — or "unknown") may occur for a number of reasons:

Export limit

The maximum number of events that can be exported from the Audit Log at once is 100,000. To work around this limitation, adjust your filters to reduce the number of events in any given export to be less than 100,000, then complete multiple exports to obtain the entire set of events.
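One way to plan the multiple exports is to split the date range until every window holds fewer than 100,000 events. The following is an added example, not CrashPlan code: `count_events(start, end)` is a hypothetical callable standing in for whatever query returns the number of events matching a date-range filter, and the one-minute minimum window is an assumed filter granularity.

```python
from bisect import bisect_left
from datetime import datetime, timedelta, timezone

EXPORT_LIMIT = 100_000  # per-export maximum stated in this article


def plan_export_windows(count_events, start, end, limit=EXPORT_LIMIT,
                        min_span=timedelta(minutes=1)):
    """Split [start, end) into windows with fewer than `limit` events each.

    Returns a list of (window_start, window_end, event_count) tuples in time
    order. Empty windows are dropped because they need no export.
    """
    n = count_events(start, end)
    if n == 0:
        return []
    if n < limit:
        return [(start, end, n)]
    if end - start <= min_span:
        # The date range cannot be narrowed further; another filter
        # (event type, username, IP address) is needed for this window.
        raise ValueError(
            f"{n} events between {start} and {end}: add another filter")
    mid = start + (end - start) / 2
    return (plan_export_windows(count_events, start, mid, limit, min_span)
            + plan_export_windows(count_events, mid, end, limit, min_span))


def make_counter(timestamps):
    """Build a count_events() stand-in over an in-memory list of timestamps."""
    ordered = sorted(timestamps)

    def count_events(start, end):
        # Half-open interval: start <= timestamp < end.
        return bisect_left(ordered, end) - bisect_left(ordered, start)

    return count_events


def build_sample():
    """Constructed data: one event per minute for 90 days plus a one-day burst."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    end = start + timedelta(days=90)
    steady = [start + timedelta(minutes=i) for i in range(90 * 24 * 60)]
    burst_day = start + timedelta(days=40)
    burst = [burst_day + timedelta(seconds=i // 2) for i in range(150_000)]
    return start, end, steady + burst


if __name__ == "__main__":
    start, end, timestamps = build_sample()
    for w_start, w_end, n in plan_export_windows(
            make_counter(timestamps), start, end):
        print(w_start.isoformat(), w_end.isoformat(), n)
```

Each returned window can then be entered as a Custom date range and exported separately.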
