Administration Guide

Administrator Events

Administrator Events logs under Analytics > Events provide granular records for monitoring and auditing administrator activities such as login, MSSP portal access, and configuration changes made by normal Identity & Access Management (IAM), single sign-on (SSO), or API user accounts, or by impersonated SSO/IAM accounts. These logs contribute to effective auditing and compliance management. FortiSASE stores Administrator Events logs for the number of days that you specify in the log retention policy. See Log retention policy.

Currently, FortiSASE displays administrator event logs after some delay. For this reason, administrator events (and only administrator events) have separate timestamp fields that distinguish the event's actual occurrence time from the time that the log was exported to FortiSASE.

| Administrator Events log type | Timestamp field for actual event time (Unix timestamp in seconds) | Timestamp field for log export time to FortiSASE (Unix timestamp in nanoseconds) |
| --- | --- | --- |
| FortiSASE Log Detail Window | Date/Time | Log Event Original Timestamp |
| Log forwarding to self-managed syslog or FortiSASE Downloaded Log File | audittime | eventtime |
| Log forwarding to self-managed FortiAnalyzer | Security Rating Time | Event Time |

To view an Administrator Events log:
  1. Go to Analytics > Events.
  2. Click Administrator Events.
  3. Double-click the desired log. A slide-in window appears where you can view the log in detail.
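
When administrator events are forwarded to a self-managed syslog server or downloaded as a log file, an audit timeline should be ordered by `audittime` (seconds), not by `eventtime` (nanoseconds) or arrival order. The following is an added example, not Fortinet code: it parses constructed sample lines, normalises both timestamps to UTC, and computes the export delay. The key=value line layout, the `user` and `msg` fields, and the 600-second review threshold are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines (not real FortiSASE output). Only audittime and
# eventtime come from the page; the key=value layout, user and msg are assumed.
SAMPLE = [
    'audittime=1700000000 eventtime=1700000095250000000 user="admin-a" msg="login"',
    'audittime=1700000300 eventtime=1700000312000000000 user="admin-b" msg="config change"',
    'audittime=1700000120 eventtime=1700002000000000000 user="admin-a" msg="config change"',
    'eventtime=1700002100000000000 user="admin-c" msg="login"',  # audittime missing
]

PAIR = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse(line):
    """Split a key=value line into a dict, stripping quotes from values."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in PAIR.findall(line)}

def normalise(line, max_delay_s=600):
    """Return occurrence time, export time (UTC) and export delay for one record."""
    f = parse(line)
    if "audittime" not in f or "eventtime" not in f:
        return None  # without both fields the record cannot be placed reliably
    occurred_s = int(f["audittime"])    # actual event time, seconds
    exported_ns = int(f["eventtime"])   # export time to FortiSASE, nanoseconds
    delay_s = (exported_ns - occurred_s * 10**9) / 1e9
    return {
        "occurred": datetime.fromtimestamp(occurred_s, tz=timezone.utc),
        "exported": datetime.fromtimestamp(exported_ns // 10**9, tz=timezone.utc),
        "delay_s": delay_s,
        # A negative or very large delay suggests clock skew or a unit mix-up.
        "suspect": delay_s < 0 or delay_s > max_delay_s,
        "user": f.get("user"), "msg": f.get("msg"),
    }

def timeline(lines):
    """Order records by actual occurrence time, not by export or arrival order."""
    rows = [r for r in map(normalise, lines) if r]
    return sorted(rows, key=lambda r: r["occurred"])

if __name__ == "__main__":
    for r in timeline(SAMPLE):
        flag = " <-- check delay" if r["suspect"] else ""
        print(f'{r["occurred"]:%Y-%m-%d %H:%M:%S}Z {r["user"]} {r["msg"]} '
              f'(exported +{r["delay_s"]:.2f}s){flag}')
```

In the sample, the third line arrives last but sorts second once `audittime` is used, which is the reordering an investigator needs when reconstructing the sequence of administrator actions.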