Audit Logs Guide

One Model provides exportable JSON Audit Logs to help Admins, Security, and Compliance officers monitor system usage, meet regulatory requirements, and investigate security incidents.

Technical Requirement: One Model does not provide in-app searching or filtering. Logs must be ingested into your SIEM (e.g., Splunk, Sentinel, Datadog) or a secure  tool for analysis.

Getting Started

Required Permission CanViewAuditLogs (under Application Access)
Access Path Admin > Admin Reports > Audit Logs
Format Exportable JSON files

Log Availability & Retention

  • Permanent Record: One Model maintains your audit history for the lifetime of your instance.
  • Download Expiry: Once a log file is generated for download, that specific file remains available in the Admin Reports UI for 14 days. After 14 days, the file is deleted from the list, though the underlying data remains archived in the system.
  • Recommendation: Download and ingest logs into your SIEM every 7 days to maintain a searchable local history.

Best Practices

  1. Automate Ingestion: Regularly upload the daily JSON batches to your SIEM for long-term analysis and retention.
  2. Stay Current: Download “partial-day” logs if you need immediate visibility between daily batches.
  3. Monitor Volume: Large volumes may slow down downloads; frequent exports keep file sizes manageable.

What Is Tracked? 

Logs track activity from the moment the feature is enabled (no historical data). Each log entry includes:

  • Event Type: The specific action taken.
  • Timestamp: Recorded in UTC
  • Actor: Name and Person ID (including proxy users). May appear “Unidentified” when logging out of the system, terminating a session or pre-auth actions
  • Context: IP address, Hostname, and data changes.
  • Data Changes: May appear across a series of logs to reflect each itemised event. 
  • Method: Distinguishes between manual and automated activity.

Sample log below:

{ "EventId": "17696486169631832806",

        "AuthEvent": "Unassign Data Access Role Column",

        "EventTS": "2026-01-29T01:03:36.000Z",

        "Hostname": "sandbox-dev.preprod.onemodel.io",

        "IP": "172.22.139.208",

        "AppId": "OneModel",

        "Result": "Success",

        "Actor": {"email": "name.person@onemodel.co" },

        "Changes": {

            "OldValue": {

                "DataAccessRoleId": 616,

                "DataWarehouseTableId": 7,

                "CompanyId": "sandbox-dev"},

                 "NewValue": "" },

                "EventData": {}},

{ "EventId": "17696486169637935403",

        "AuthEvent": "Assign Data Access Role Column",

        "EventTS": "2026-01-29T01:03:36.000Z",

        "Hostname": "sandbox-dev.preprod.onemodel.io",

        "IP": "172.22.139.208",

        "AppId": "OneModel",

        "Result": "Success",

        "Actor": {

            "email": "name.person@onemodel.co"},

        "Changes": {

            "OldValue": "",

            "NewValue": {

                "DataAccessRoleId": 616,

                "DataWarehouseTableId": 5649,

                "CompanyId": "sandbox-dev" }

{"EventId": "17472736439764621904",

  "AuthEvent": "Password Reset Request",

  "EventTS": "15/05/2025 1:47:23 AM",

  "Hostname": "onemodeldev.dev.onemodel.us",

  "IP": "172.31.247.190",

  "AppId": "OneModel",

  "Result": "success",

  "Actor": "Unidentified",

  "Changes": {}},

{"EventId": "17472710113556153103",

  "AuthEvent": "Modify User Account",

  "EventTS": "15/05/2025 1:03:31 AM",

  "Hostname": "onemodeldev.dev.onemodel.us",

  "IP": "172.31.245.223",

  "AppId": "OneModel",

  "Result": "success",

  "Actor": {

    "email": "name.person@onemodel.co",

    "personId": "000000012" },

  "Changes": {

    "QueryRowLimit": {

      "OldValue": "1000",

      "NewValue": "500"  }}

{ "EventId": "17472737646115607705",

  "AuthEvent": "Password Reset Request",

  "EventTS": "15/05/2025 1:49:24 AM",

  "Hostname": "onemodeldev.dev.onemodel.us",

  "IP": "172.31.240.60",

  "AppId": "OneModel",

  "Result": "success",

  "Actor": "Unidentified",

  "Changes": {}

 

Audit Log Events: 

Event Description
Users

User added, User edited, User deactivated, User password reset, Enable account, Account lockout

User logins and logouts, User logins with SSO. Failed Login attempts, Related IP addresses

Proxy
User Roles

User Application Access Role added or edited

User Data Access Role added or edited
Application Access Roles Role added, edited, deleted. Permissions added or edited.
Data Access Roles

Role added, Role edited, Role deleted

Metric added, Metric edited

Storyboard added, Storyboard edited

Dimensions added, Dimensions edited

Columns added, Columns edited

Rules added, Rules edited, Rules deleted

Share with (was Publish to Roles) added, edited
Data Destinations Data Destination added, Data Destination edited, Data Destination deleted
Data Sources Data Source added, Data Source edited, Data Source deleted
Exports

Export CSV, Export Drill-through,* Exports page is logged under Downloads

*Excludes Export Chart and Export to Powerpoint
Downloads

Admin Reports*, Exports - Download button & File Name Download, PGP

*Excludes Entity Relationship Diagrams
Build / Edit Metric Metric created, Metric edited, Metric deleted
Storyboards Storyboard copied, Storyboard Settings edited, Storyboard Sharing edited, Storyboard deleted, Storyboard modified, Replace Storyboard, Storyboards Viewed
Metadata Who gave permission to see the logs, when. Tracked under AAR permissions - CanViewAuditLogs, Who downloaded the logs and when
SQL Explorer SQL Explorer Query Start, SQL Explorer Query Results

 

Coming Soon: 

Event Description
Integrations Integration Rule added, Integration Rule edited, Integration Rule deleted
User Consent

User Consent Requested: Logs successful and failed attempts to access the consent page (including reasons for failure like unauthorized access or invalid client).

User Consent Accept Redirect: Records when a user accepts a third-party connection.

User Consent Reject Redirect: Records when a user rejects a connection request.
  • Integration into Data Destinations (or similar) for automated log delivery.
  • Expanded tracking for additional system and user events.

Feedback Form

We encourage our users to complete this Feedback Form to let us know what’s working well, report any issues encountered, and share ideas for future enhancements.

Troubleshooting & FAQs

Common Troubleshooting Scenarios

  • Missing Logs for a Specific Date:
    • Audit logging only captures activity from the moment the feature was enabled. Historical data prior to activation is not available.
  • "Unidentified" Actor in the Log:
    • This typically occurs during Logouts or session timeouts, where the user's active session has ended before the event is finalized. It can also appear for pre-authentication events like hitting the login page.
  • Download is Slow or Times Out:
    • High-traffic instances generate very large JSON files. Try downloading logs in smaller increments (e.g., daily instead of weekly) or during off-peak hours to reduce the load.
  • Missing "Changes" Data:
    • Not all events have "Before/After" states (e.g., a "View" event or a "Login"). In these cases, the Changes block will be empty {}.

Frequently Asked Questions

Q: I missed the 14-day download window. Is the data gone?

A: No. The data is stored permanently for the life of your instance. However, the pre-generated file is removed from the Admin Reports page to keep the interface clean. You can retrieve data older than 14 days that wasn't downloaded by using the date picker in the Audit Logs download window.

Q: Why use JSON instead of CSV?

A: Audit data is often "nested" (e.g., one event might change five different permissions). JSON handles this complex data structure much more reliably than a flat CSV, making it the industry standard for ingestion into SIEM tools like Splunk or LogRhythm.

Q: Can I automate the download process?

A: Currently, downloads are manual via the Admin Reports page. Automated delivery to Data Destinations is on our active roadmap to allow for seamless "push" integration into your security stack.

Q: Does "Success" in the Result field mean the data was correct?

A: "Success" means the system successfully processed the request (e.g., a role was updated). It does not validate the intent—security officers should still review "Success" logs for unauthorized but technically valid changes.

Q: Are Storyboard views tracked?

A: Yes, Storyboards Viewed is included in the logs, allowing you to audit who is accessing specific sensitive storyboards.

 


 

 


 

Was this article helpful?

0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.