The System_data.Audit is usually generated from system logs that track user actions and system events. It's used to monitor user activity within a system. However, there might be cases where all user actions aren't showing up in the audit data, especially concerning reports visited in the last 7 days.
To ensure the audit data is complete and accurate, it's possible to compare the original system logs directly with the information in the audit dataset. This helps confirm if there's any missing data when moving from the logs to the audit dataset.
For instance, we can specifically check if there's more detailed information available in the original logs for user Mike that might not have made it into the System_data.Audit table. This comparison can help identify any gaps or discrepancies in the audit data, making sure nothing important gets lost or overlooked.
Hi. Thanks for sharing. I wanted to point out one clarification. The data in the SystemData.AUDIT table does not come from system or application logs. That data comes from audit records that are stored in the SAS Infrastructure Data Server (PostgreSQL database). When a user performs some action against a service, that service might create an audit record for the action. The audit record might be recorded in the database by the audit microservice. A job runs every two hours to extract the audit records from the database and load them into SystemData.AUDIT.
As for the example where audit data about reports being read not showing up, that is because, by default, the audit microservice does not record report "read" actions. The reason for this is due to the volume of audit records that can be generated.