Audit Logging
Track authentication events and admin activity
What Gets Logged
Warden maintains comprehensive logs for security, compliance, and troubleshooting. Every significant event is recorded:
Authentication Events
- Successful and failed login attempts
- User identity and credentials used
- Host/device that made the request
- 2FA method and result
- Reason for any rejections
Admin Activity
- Configuration changes
- User and group modifications
- Policy updates
- Host/host group changes
- Admin portal logins
RADIUS Accounting
- Session start and stop
- Session duration
- Data transferred (in/out)
- Disconnect reason
- Device MAC addresses
Viewing Logs
Access logs through the Warden dashboard:
- Go to Logs in the sidebar
- Select the log type (Authentication, Admin, Accounting)
- Use filters to narrow results by date, user, host, or status
- Click any entry to view full details
Filtering Tips
- Use the date range picker for specific time periods
- Filter by "Failed" to quickly find authentication problems
- Search by username to see a user's activity history
- Filter by host to see what's happening on a specific device
Log Entry Details
Each authentication log entry contains:
Exporting Logs
Export logs for compliance, analysis, or integration with external systems:
- Apply filters to select the logs you want
- Click Export
- Choose format (CSV, JSON, or Syslog)
- Download or configure automatic export
CSV: Spreadsheet-friendly format for Excel, Google Sheets, or database import
JSON: Structured data for programmatic processing and APIs
Syslog: Standard format for SIEM integration (Splunk, ELK, etc.)
Real-Time Log Streaming
For immediate visibility, configure Warden to stream logs to external systems:
Syslog Configuration
- Go to Settings > Logging
- Enable Remote Syslog
- Enter your syslog server address and port
- Select protocol (UDP or TCP/TLS)
- Choose which log types to stream
SIEM integration: Most SIEM platforms (Splunk, ELK, Graylog, QRadar) can ingest Warden's syslog format directly. Check our integration guides for platform-specific setup.
Log Retention
Configure how long logs are kept:
Compliance note: Many regulations (PCI-DSS, HIPAA, SOC 2) require specific retention periods. Check your compliance requirements before reducing defaults.
Using Logs for Troubleshooting
When authentication fails, logs are your first stop:
Common Investigation Steps
- Filter by the username or MAC address having issues
- Look at the "Reject Reason" field
- Check if the correct identity provider was tried
- Verify the host is recognized and has a valid policy
- Look for patterns - same time every day? Same host?
Common Reject Reasons
For complex issues, use NAC Tracer to see the full authentication flow step-by-step.
Security Monitoring
Use logs proactively to detect security issues:
- Multiple failed logins - May indicate brute force attempts
- Logins from unusual hosts - Could be unauthorized devices
- Off-hours activity - Suspicious if users typically work 9-5
- Disabled account attempts - Someone trying credentials that shouldn't work
- Admin changes - Unauthorized configuration modifications
Alert setup: Configure alerts in Settings > Alerts to get notified of suspicious patterns automatically. Set thresholds for failed logins, unusual times, and configuration changes.
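The checks listed above can also be run offline against a JSON export. This is an added example, not Warden's own code: the one-object-per-line layout, the field names (timestamp, username, host, status), the "Success" status value, and the thresholds are all assumptions, and the sample records are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export, one JSON object per line. The field names and the
# "Success"/"Failed" status values are assumptions, not Warden's documented schema.
SAMPLE_EXPORT = """
{"timestamp": "2024-05-06T09:01:10", "username": "alice", "host": "sw-floor2", "status": "Success"}
{"timestamp": "2024-05-06T10:15:00", "username": "bob", "host": "sw-floor1", "status": "Failed"}
{"timestamp": "2024-05-06T10:15:40", "username": "bob", "host": "sw-floor1", "status": "Failed"}
{"timestamp": "2024-05-06T10:16:20", "username": "bob", "host": "sw-floor1", "status": "Failed"}
{"timestamp": "2024-05-06T10:17:05", "username": "bob", "host": "sw-floor1", "status": "Failed"}
{"timestamp": "2024-05-06T14:30:00", "username": "carol", "host": "sw-floor2", "status": "Failed"}
{"timestamp": "2024-05-07T02:47:33", "username": "alice", "host": "ap-lobby", "status": "Success"}
"""

def parse_export(text):
    """Parse JSON-lines text into events with a datetime under "when", oldest first."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["when"] = datetime.fromisoformat(e["timestamp"])
    return sorted(events, key=lambda e: e["when"])

def failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Map username -> largest number of failures seen inside one sliding window."""
    recent, flagged = defaultdict(list), {}
    for e in events:
        if e["status"] != "Failed":
            continue
        q = recent[e["username"]]
        q.append(e["when"])
        while e["when"] - q[0] > window:   # drop failures older than the window
            q.pop(0)
        if len(q) >= threshold:
            flagged[e["username"]] = max(flagged.get(e["username"], 0), len(q))
    return flagged

def off_hours_logins(events, start_hour=9, end_hour=17):
    """Successful logins outside the working day (9-5 by default)."""
    return [(e["username"], e["timestamp"]) for e in events
            if e["status"] == "Success" and not start_hour <= e["when"].hour < end_hour]

def unusual_hosts(events, baseline):
    """(username, host) pairs where the host is not in that user's known set."""
    return sorted({(e["username"], e["host"]) for e in events
                   if e["host"] not in baseline.get(e["username"], set())})

if __name__ == "__main__":
    evts = parse_export(SAMPLE_EXPORT)
    print(failed_login_bursts(evts), off_hours_logins(evts))
```

`unusual_hosts` takes a baseline you supply as a dict of username to the set of hosts that user normally authenticates from; a single failure (carol in the sample) stays below the burst threshold and is not flagged.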
What's Next?
- Use NAC Tracer for detailed debugging
- Security best practices
- Configure two-factor authentication