# Audits Lenses audits all user actions. Audit events can be viewed in Lenses and also sent to two channels, **Splunk** and **Webhook**. {% hint style="success" %} Audits can also written to a file by setting a file path in the **lenses.audit.to.log.file** option in **lenses.conf.** Lenses will then write audit entries to disk as JSON for collection by your log aggregation systems. {% endhint %} ## Viewing audit logs in Lenses Go to **Admin->Audits->Log**s. Lenses will display the activity including, who performed the action and when. Details can also be viewed (dependent on the action). ## Sending audit logs to Splunk To send audit logs to Splunk, you first need a Splunk connection. Go to **Admin->Connection->New Connection** and select Splunk. Enter the connection details for your Splunk HTTP Event collector deployment. Next, go to **Admin->Audits->Channels->New Channel** and select Splunk. Select a Splunk connection and set a `Source`. ## Sending audit logs to a Webhook First, you need a Webhook connection. Go to **Admin->Connections->New Connection** Enter the URL, port and credentials. Create a Channel to use the connection. Go to **Admin->Audits->Channels->New Channel** and select **`Webhook`**`.` 1. Choose a name for your Channel instance. 2. Select your connection. 3. Set the HTTP method to use. 4. Set the Request path. A URI-encoded request path, which may include a query string. Supports alert-variable interpolation. 5. Set the HTTP Headers 6. Set the Body payload {% hint style="info" %} Lenses can also audit users' access to data and send events to multiple channels at the same time. {% endhint %} ### Template variables In `Request path`, `HTTP Headers` and `Body payload` fields there is a possibility of using template variables, which will be translated to audit specific fields. In order to use template variables you have to use this format: `{{VARIABLE}}`, i.e. `{{TYPE}}`. Supported template variables: * TYPE - high level source of the audit (i.e. `USER` in case of action related to user management - like user creation). * ACTION - name of the action audit refers to (i.e. `UPDATE` in case of editing group). * USER * TIMESTAMP * RESOURCE\_ID - low level source id of the audit (i.e. alert id group in case of creating new alert rule). Can be empty for some audits. * RESOURCE\_NAME - low level source name of the audit (i.e. connection name in case of creating new connection). Can be empty for some audits. * CREDS - `CREDS[0]` etc. - variables specified in connection's `Credentials` as a list of values separated by comma. * CONTENT - complete content of the audit entry. This variable is in JSON, so it should not be quoted. E.g.: ``` { "type": "{{TYPE}}", "user": "{{USER}}", "timestamp": "{{TIMESTAMP}}", "content": {{CONTENT}} } ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.lenses.io/latest/devx/5.5/user-guide/self-service-and-governance/audits.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.