# Audits

Lenses audits all user actions. Audit events can be viewed in Lenses and also sent to two channels, **Splunk** and **Webhook**.

{% hint style="success" %}
Audits can also be written to a file by setting a file path in the **lenses.audit.to.log.file** option in **lenses.conf**. Lenses will then write audit entries to disk as JSON for collection by your log aggregation systems.
{% endhint %}

## Viewing audit logs in Lenses

Go to **Admin->Audits->Logs**. Lenses will display the activity, including who performed the action and when. Details can also be viewed, depending on the action.

## Sending audit logs to Splunk

To send audit logs to Splunk, you first need a Splunk connection. Go to **Admin->Connection->New Connection** and select Splunk.

Enter the connection details for your Splunk HTTP Event Collector deployment.

Next, go to **Admin->Audits->Channels->New Channel** and select Splunk. Select a Splunk connection and set a `Source`.

## Sending audit logs to a Webhook

First, you need a Webhook connection. Go to **Admin->Connections->New Connection**.

Enter the URL, port and credentials.

Create a Channel to use the connection. Go to **Admin->Audits->Channels->New Channel** and select **`Webhook`**.

1. Choose a name for your Channel instance.
2. Select your connection.
3. Set the HTTP method to use.
4. Set the Request path: a URI-encoded request path, which may include a query string. Supports alert-variable interpolation.
5. Set the HTTP Headers.
6. Set the Body payload.

{% hint style="info" %}
Lenses can also audit users' access to data and send events to multiple channels at the same time.
{% endhint %}

### Template variables

Template variables can be used in the `Request path`, `HTTP Headers` and `Body payload` fields; they are replaced with the corresponding audit-specific fields. Write a template variable in the format `{{VARIABLE}}`, e.g. `{{TYPE}}`.

Supported template variables:

* TYPE - high level source of the audit (e.g. `USER` for an action related to user management, such as user creation).
* ACTION - name of the action the audit refers to (e.g. `UPDATE` when editing a group).
* USER
* TIMESTAMP
* RESOURCE\_ID - low level source id of the audit (e.g. the alert id group when creating a new alert rule). Can be empty for some audits.
* RESOURCE\_NAME - low level source name of the audit (e.g. the connection name when creating a new connection). Can be empty for some audits.
* CREDS - `CREDS[0]` etc. - variables specified in the connection's `Credentials` as a comma-separated list of values.
* CONTENT - complete content of the audit entry. This variable is in JSON, so it should not be quoted.

E.g.:

```
{
  "type": "{{TYPE}}",
  "user": "{{USER}}",
  "timestamp": "{{TIMESTAMP}}",
  "content": {{CONTENT}}
}
```
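
On the receiving side, the endpoint can check each request before trusting it as an audit record. The following is an added example (not Lenses code and not part of the original documentation): a Python validator for a body built from the template above. It assumes the channel is configured with a header `Authorization: Bearer {{CREDS[0]}}`, that variables are substituted textually, and that `CONTENT` is a JSON object; the `render` helper and all sample values are constructed for illustration.

```python
import hmac
import json

REQUIRED_STRINGS = ("type", "user", "timestamp")  # keys from the example body template

def render(template: str, values: dict) -> str:
    """Stand-in for the sender: plain textual {{NAME}} substitution (assumption)."""
    for name, value in values.items():
        template = template.replace("{{" + name + "}}", value)
    return template

def validate_audit_request(headers: dict, body: str, expected_token: str) -> dict:
    """Return the parsed audit event, or raise ValueError describing the rejection."""
    supplied = headers.get("Authorization", "")
    # Constant-time comparison so the check does not leak how much of the token matched.
    if not hmac.compare_digest(supplied.encode(), f"Bearer {expected_token}".encode()):
        raise ValueError("bad or missing token")
    try:
        event = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"body is not valid JSON: {exc.msg}") from exc
    if not isinstance(event, dict):
        raise ValueError("body must be a JSON object")
    for key in REQUIRED_STRINGS:
        if not isinstance(event.get(key), str) or not event[key]:
            raise ValueError(f"missing or non-string field: {key}")
    if not isinstance(event.get("content"), dict):
        raise ValueError("content must be a JSON object")
    return event

# Constructed sample values; real audit entries will differ.
SAMPLE = {
    "TYPE": "USER",
    "USER": "alice",
    "TIMESTAMP": "2024-01-01T00:00:00Z",
    "CONTENT": '{"action": "UPDATE", "resource": "group-a"}',
    "CREDS[0]": "constructed-token",
}
GOOD_BODY = '{"type": "{{TYPE}}", "user": "{{USER}}", "timestamp": "{{TIMESTAMP}}", "content": {{CONTENT}}}'
BAD_BODY = GOOD_BODY.replace("{{CONTENT}}", '"{{CONTENT}}"')  # CONTENT wrongly quoted
HEADERS = {"Authorization": render("Bearer {{CREDS[0]}}", SAMPLE)}

if __name__ == "__main__":
    for body in (GOOD_BODY, BAD_BODY):
        try:
            print(validate_audit_request(HEADERS, render(body, SAMPLE), SAMPLE["CREDS[0]"]))
        except ValueError as err:
            print("rejected:", err)
```

With `{{CONTENT}}` wrapped in quotes, the rendered body is no longer valid JSON under these assumptions, so the validator rejects it at the parse step.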
