Authentication Logs
Review detailed logs of user login and logout activities to track authentication events and monitor access to the system, providing a clear record of user sessions for security and auditing purposes. Authentication Logs help you identify who accessed the system, when they logged in, and from which IP address.
Navigate to Tools → Logs → Authentication Logs to view authentication history.
Authentication Logs Table
The page displays a chronological list of authentication events with the most recent events at the top.
Controls
| Control | Description |
|---|---|
| Show entries | Control how many authentication records are displayed per page - the system may contain hundreds or thousands of entries, so adjust this based on how much history you need to review at once |
| Search | Find specific authentication events by typing keywords - searches across user names, IP addresses, and descriptions to quickly locate login activity for a particular user or from a specific IP |
Table Columns
| Column | Description |
|---|---|
| ID | A unique sequential identifier for each authentication event - useful for referencing specific login records in security investigations or support requests |
| Name | The name of the user account that was authenticated - shows which user logged in or out, making it easy to track individual user access patterns |
| IP Address | The IP address from which the authentication request originated - essential for identifying where users are logging in from and detecting logins from unusual or unauthorized locations |
| Activity | The type of authentication event: Login when a user successfully authenticated, or Logout when a user ended their session |
| Description | A detailed description of the event, showing the username (as a clickable link) followed by "has been logged in" or "has been logged out" |
| Created on | The exact date and time when the authentication event occurred - critical for establishing timelines during security investigations or correlating access with other activities |
Activity Types
| Activity | Description |
|---|---|
| Login | A user successfully authenticated and gained access to the system - this records every successful login, whether from the web interface, API, or other access methods |
| Logout | A user ended their session, either by clicking logout or through session timeout - helps track how long users remain logged in |
Reading Authentication Descriptions
The Description column provides a human-readable summary of each event:
Description Format
Descriptions follow a consistent pattern:
- Username - Shown as a clickable link (in teal/cyan color) that navigates to the user's profile
- Action - "has been logged in" for logins or "has been logged out" for logouts
Examples
| Description | Meaning |
|---|---|
| "John has been logged in" | User John successfully authenticated and started a session |
| "Sarah has been logged out" | User Sarah's session ended |
| "admin has been logged in" | The admin account was used to log in |
Security Monitoring
Authentication Logs are a critical tool for monitoring system security and detecting unauthorized access.
What to Watch For
| Pattern | Concern | Action |
|---|---|---|
| Logins from unfamiliar IPs | Someone may have obtained user credentials | Verify with the user if the login was legitimate; consider requiring password change |
| Multiple logins in quick succession | Could indicate credential sharing or automated access | Review if the user should have multiple sessions; check if it's legitimate use |
| Logins at unusual hours | Unauthorized access often occurs outside business hours | Confirm with the user or investigate further if unexpected |
| Logins from different geographic regions | Credentials may be compromised if a user appears to log in from distant locations within a short timeframe | Investigate immediately as this is a strong indicator of account compromise |
| High volume of logins for one account | May indicate automated scripts or shared credentials | Review the account's purpose and access patterns |
Correlating with Activity Logs
For comprehensive security monitoring, use Authentication Logs together with Activity Logs:
- Authentication Logs tell you WHO logged in and WHEN
- Activity Logs tell you WHAT they did after logging in
If you notice suspicious login activity, check the Activity Logs for the same timeframe to see what actions were taken during that session.
Common Use Cases
Verifying User Access
When a user reports they couldn't access the system:
- Search for their username in Authentication Logs
- Check if there are any recent login records
- Verify the timestamps match when they claim to have tried logging in
- If no login records exist, the issue is likely with credentials or the login process itself
Investigating Security Incidents
When suspicious activity is detected:
- Note the timeframe of the suspicious activity
- Search Authentication Logs for logins during that period
- Identify which users were logged in
- Cross-reference with Activity Logs to see what actions were taken
- Check IP addresses to identify if access came from expected locations
Compliance Auditing
For organizations requiring access audit trails:
- Authentication Logs provide evidence of who accessed the system and when
- Export or document login records for compliance reporting
- Use the data to verify that only authorized users are accessing the system
Best Practices
Regular Review
- Check daily - Briefly review recent logins each day to spot anomalies early
- Know your patterns - Understand normal login patterns so you can recognize unusual activity
- Investigate promptly - Don't ignore suspicious logins; investigate them immediately
Preventive Measures
- Enable Two-Factor Authentication - Adds a second layer of security beyond passwords
- Use strong passwords - Enforce password complexity and regular changes
- IP restrictions - Where possible, restrict access to known IP addresses or ranges
- Session timeouts - Configure automatic logout after periods of inactivity
Documentation
- Record incidents - Document any suspicious activity you investigate, even if it turns out to be benign
- Export for compliance - If your organization requires access logs for compliance, export authentication records regularly
- Retention policy - Understand how long authentication logs are retained and archive if needed for longer periods
Troubleshooting
Login Events Not Being Recorded
Possible causes:
- Authentication logging may be disabled
- Database connectivity issues
- The login method bypasses standard authentication
Solutions:
- Verify authentication logging is enabled in settings
- Check database connectivity and permissions
- Ensure all login methods go through the standard authentication system
Cannot Find Specific User's Logins
Possible causes:
- User hasn't logged in during the retained period
- Search term doesn't match exactly
- Logs have been purged due to retention policy
Solutions:
- Try searching with different variations of the username
- Expand the date range you're reviewing
- Check if logs older than the retention period have been automatically deleted
IP Addresses Show as Internal/Private
If logins show private IP addresses (like 192.168.x.x or 10.x.x.x) instead of public IPs:
- This typically means a reverse proxy or load balancer is in front of Mumara
- Configure the proxy to forward the real client IP using X-Forwarded-For headers
- Ensure Mumara is configured to trust and read the forwarded IP header
Next Steps
- Activity Logs - See what users did after logging in
- Debug Logs - View application error logs
- Staff Management - Manage user accounts and permissions
- Application Settings - Configure session and security settings