
User Activity Logs

User activity logs provide visibility into users' online records (such as login time, online/lockout duration, and login IP addresses) and the actions users perform. User activity logs help you identify exceptions during user login and network access activities.

Context

User activity logs are generated when users log in, log out, change passwords, or are locked/unlocked.

Before querying user activity logs on the USG6510E/6510E-POE/6530E, ensure that you have run the log type um enable command on the FW to enable the recording of user activity logs.

Procedure

  1. Choose Monitor > Logs > User Activity Logs to view user activity logs.
  2. Optional: Click to export user activity logs in CSV format to the management PC.
  3. Click Add Filter and enter search criteria to search for user activity logs.

    If the device has no disk, click Advanced Search to filter logs.

  4. Optional: You can click to save the current log query conditions as a log query template for future use.

    The next time you want to use these query conditions, you only need to click to select the template name and click OK. Then the system queries logs based on the template conditions. The device administrator can click Template Distribution to view the number of templates created by each user. In addition, you can click to delete a log query template.

    Only the user that creates a log query template can view or use this template.

    Each log page supports a maximum of 10 log query templates, and a device supports a maximum of 1000 log query templates.

Log Sample

The following figure shows the user activity logs generated within a specific time range:

The following table lists the fields in a user activity log.

| Field | Description |
| --- | --- |
| Time | Time when a user activity log is generated |
| User | Name of a user |
| Group | Group to which a user belongs |
| Login IP Address | Login IP address of a user |
| Authentication Mode | User authentication mode: Local Authentication, Third-Party Server Authentication, Authentication Exemption, SSO Authentication |
| Access Mode | User access mode: PPP, SVN, LOCAL |
| Device | Devices are identified using device types, such as Huawei-Android, Lenovo-Android, and HP-JetDirect-Printer. When device type information is carried in the login message for an Agile Controller SSO user, this field is not empty. |
| Online Duration/Lockout Duration | Online/Lockout duration |
| Type | User activities: User Login Succeeded, User Login Failed, User Logout, Password Change Succeeded, Password Change Failed, User Unlocked, User Frozen, User Unfrozen, Unknown |
| Details | Cause of a failed user activity or of a user going offline |
| Virtual System | Virtual system that generates the traffic |

Click Advanced Search and then select PPP, LOCAL in Access Mode to view user activity logs. Take the following actions if exceptions occur during user login or network access activities:

  • Modify user configurations.
  • Blacklist user login IP addresses.
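
The following is an added example, not part of the original page or of Huawei's tooling: a Python script that reviews a CSV export of user activity logs for login IP addresses with repeated User Login Failed entries, which are candidates for the blacklist action above. The column names, time format, and sample rows are assumptions constructed for illustration; match them to the header row of the real export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names are assumed to match the field names
# in the table above; the time format, group and Details text are made up.
SAMPLE_CSV = """\
Time,User,Group,Login IP Address,Access Mode,Type,Details
2024-01-10 08:00:01,alice,/default,192.0.2.10,LOCAL,User Login Succeeded,
2024-01-10 08:01:40,alice,/default,192.0.2.10,LOCAL,User Login Failed,sample
2024-01-10 08:02:11,bob,/default,198.51.100.7,LOCAL,User Login Failed,sample
2024-01-10 08:02:15,carol,/default,198.51.100.7,LOCAL,User Login Failed,sample
2024-01-10 08:02:19,dave,/default,198.51.100.7,LOCAL,User Login Failed,sample
2024-01-10 08:02:23,bob,/default,198.51.100.7,LOCAL,User Login Failed,sample
2024-01-10 08:02:30,carol,/default,198.51.100.7,LOCAL,User Login Succeeded,
2024-01-10 09:10:00,erin,/default,203.0.113.5,PPP,User Login Failed,sample
2024-01-10 09:10:05,erin,/default,203.0.113.5,PPP,User Login Failed,sample
2024-01-10 09:10:09,erin,/default,203.0.113.5,PPP,User Login Failed,sample
2024-01-10 09:10:09,erin,/default,203.0.113.5,PPP,User Frozen,sample
"""

def review_logins(csv_text, min_failures=3):
    """Return (findings, frozen_users) for an exported user activity log.

    findings lists each login IP with at least min_failures failed logins,
    the users it tried, and any users it also logged in as successfully.
    """
    per_ip = defaultdict(lambda: {"failures": 0, "tried": set(), "ok": set()})
    frozen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip = (row.get("Login IP Address") or "").strip()
        user = (row.get("User") or "").strip()
        kind = (row.get("Type") or "").strip()
        if kind == "User Login Failed":
            per_ip[ip]["failures"] += 1
            per_ip[ip]["tried"].add(user)
        elif kind == "User Login Succeeded":
            per_ip[ip]["ok"].add(user)
        elif kind == "User Frozen":
            frozen.add(user)
    findings = [
        {"ip": ip, "failures": s["failures"], "users_tried": sorted(s["tried"]),
         "also_succeeded": sorted(s["ok"])}
        for ip, s in per_ip.items() if s["failures"] >= min_failures
    ]
    # Most failures first, then by address for a stable order.
    findings.sort(key=lambda f: (-f["failures"], f["ip"]))
    return findings, sorted(frozen)
```

An address that fails against several different users and also appears in also_succeeded deserves review before it is blacklisted, because one of the accounts it tried may need its configuration modified as well.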

The following table lists the fields in a user activity log and describes how to set these fields.

Table 1 User activity log field settings

| Field | Setting |
| --- | --- |
| User | Click the User field value of a specific user activity log. Modify User is displayed. You can modify user configurations. |
| Login IP Address | Click the Login IP Address field value of a specific user activity log. Add Blacklist Entry is displayed. The parameters in Add Blacklist Entry are as follows: |

  • Type: The login IP address is automatically blacklisted.
  • Source IP: The source IP address is automatically blacklisted.
  • Protocol: The protocol type is automatically blacklisted.
  • Source Port: The source port is automatically blacklisted.
  • Timeout: You can use either of the following methods to set a timeout period for a blacklist entry:

    • Select Unlimited to permanently blacklist the source IP address.
    • Enter a timeout period.
Copyright © Huawei Technologies Co., Ltd.