Audit Trail Report
The Audit Trail Report is a chronological log of everything that happens to your documents — who did what, to which document, and when. It's your go-to record for security reviews, investigations, and compliance audits.
How to open this report
From the left navigation menu, open Reports & Analytics → Audit Trail.
- Direct route:
/reports/audit-trail - Access required: permission to view reports (
REPORTS.VIEW). If you don't see the Reports section in the menu, contact your administrator.
What you see on this report
Top bar
The header shows the report title plus two buttons: Advanced Filter and Export (look for the download icon).
Filter bar
A dedicated filter row lets you narrow the log:
- Search — type a user name or document name to filter the log.
- Action — pick a single action type: Create, Edit, View, Delete, Download, Share, Approve, Lock, Restore, or Export.
- Workspace — limit results to one workspace.
- Clear — reset all filters.
- A running count on the right shows how many events match your current filters.
The four summary cards (KPIs)
| Card | What it means |
|---|---|
| Total Events | All audit events in the last 30 days. |
| Critical | Delete and Restore events — the high-risk actions to watch. |
| Approvals | How many documents were approved. |
| Users | The number of unique active users in the log. |
Events by action
A breakdown of the log by action type (View, Edit, Create, Download, Approve, Share, Delete, Lock), each with a colored icon, a small bar, and a count — so you can see the mix of activity at a glance.
Recent activity timeline
A vertical timeline of the most recent events. Each entry shows the user, a colored action badge, the document name, a short description, and the timestamp.
Full audit log
The complete table, with one row per event:
- Timestamp — date and time of the action.
- User — name and role.
- Action — a colored badge (CREATE, EDIT, VIEW, DELETE, DOWNLOAD, SHARE, APPROVE, LOCK, RESTORE, or EXPORT).
- Document — name and ID.
- Workspace — where it happened.
- IP Address — where the action originated.
- Details — a short note about what changed.
If nothing matches your filters, the table shows "No audit events match the current filter."
Filtering and searching
- Combine the Search, Action, and Workspace filters to zero in on exactly the events you need (for example, all Delete actions in Legal & Compliance).
- Use Clear to start over.
- The event count next to the filters confirms how many results you're looking at.
Privacy note: Activity in users' Personal Vaults is never included in the audit trail — only shared workspace events appear here.
Exporting
Click the Export button in the top-right to download the audit log for your records or for an external auditor.
Tips
- Start with the Critical card to review Delete and Restore activity — these are the actions most worth a second look.
- Filter by Action → Delete to quickly produce a list of removed documents.
- The IP Address column helps confirm where an action came from during a security review.
Troubleshooting
| Problem | What to do |
|---|---|
| The Reports menu isn't visible | You may not have the REPORTS.VIEW permission. Ask your administrator. |
| The table is empty | Your filters may be too narrow — click Clear to reset them. |
| I can't find a specific event | Check the Action and Workspace filters, then search by the user or document name. |
| Personal Vault actions are missing | This is intentional — Personal Vault activity is never recorded in the shared audit trail. |