Aller au contenu principal
Version : la plus récente

The audit log shows no events

The VaultPAM audit log records security-relevant activity across sessions, credentials, and administrative actions. If the log appears empty or is missing expected events, the cause is almost always a filter or permission issue in the UI — not a gap in event capture. Work through the causes below before escalating.

Symptoms

  • The Audit page shows no events or a "No results found" message.
  • Only some events are visible but expected session or admin events are absent.
  • The log shows events from some time periods but not others.
  • A SIEM or log export pipeline shows fewer events than expected.

Causes

1. Wrong time range filter

The audit log view defaults to a specific time window (such as the last 24 hours). If the events you are looking for occurred outside the current filter window, they will not appear.

Check: Open Audit → Events and look at the Time range filter. Confirm it covers the time period when the events should have occurred.

Fix: Expand the time range filter to cover the period of interest. Use Custom range if the preset windows do not reach far enough back.

2. User lacks audit log view permission

Access to the audit log is a separate permission from general admin access. A user with an admin role may still lack the View audit log permission if it has not been explicitly granted.

Check: Open Profile → My Access and confirm your role includes View audit log. If you cannot see the Audit menu at all, you do not have this permission.

Fix: Ask a VaultPAM admin to grant your role the View audit log permission via Organization → Access → Roles → Edit role. The permission change takes effect immediately.

3. Events filtered by type

The audit log includes a filter for event category (for example, Session, Credential, Admin, Authentication). If one or more categories are deselected, their events will not appear in the current view.

Check: Open Audit → Events and look at the Event type filter. Confirm that all relevant categories are selected (or that the filter is set to All).

Fix: Select All in the event type filter or manually enable the categories you need. The filter does not affect what is recorded — only what is displayed in the current view.

4. SIEM forwarding delay

If your organisation forwards audit events to a SIEM (such as Splunk, Elastic, or a syslog collector), there is an inherent propagation delay between when an event is recorded in VaultPAM and when it appears in the SIEM. During periods of high event volume or connectivity interruption, this delay can extend from seconds to several minutes.

Check: Compare the event visible in the VaultPAM UI audit log with what your SIEM shows for the same time window. If the VaultPAM UI shows the event but the SIEM does not, the delay is in the forwarding pipeline, not in the VaultPAM audit record itself.

Fix: Wait for the forwarding delay to pass and refresh the SIEM query. If the delay exceeds your expected SLA, ask an operator to check the SIEM connector status in the VaultPAM integration settings and review the connectivity between VaultPAM and the SIEM endpoint.

Resolution steps

  1. Open Audit → Events and confirm the Time range filter covers the period you expect to find events in. Expand it to Custom range if needed.
  2. Confirm the Event type filter includes the category of event you are looking for. Select All to remove type filtering.
  3. Verify your role includes the View audit log permission via Profile → My Access. If not, contact a VaultPAM admin.
  4. If the events are visible in the VaultPAM UI but absent from your SIEM, wait for the forwarding delay and refresh. If the delay is persistent, ask an operator to check the SIEM integration health.
  5. After adjusting filters, refresh the audit log page and recheck.

Escalation path

If the audit log still shows no events after verifying filters and permissions:

  1. Note the exact time range, event types, and user or resource involved.
  2. Confirm whether the events appear in the VaultPAM UI log at all (before SIEM forwarding). This is the definitive record.
  3. Open a support ticket with: the time range you searched, the event types and filters applied, your role and permission level, and whether the VaultPAM UI log also shows no events.