You are here:
Audit Trail Access Log Fields
View the audit data from the Audit Trail security event extract available in Automation Studio.
Security Event Extract Fields
This table describes the columns and values that are present in the Audit Trail Access Log.
| Column | Description |
|---|---|
| User | |
| UserName | |
| AccessDate | |
| FromIP | The field values contain IP addresses included on allowlists. |
| SecurityEventTypeID | See Security Events. |
| SecurityEventType | |
| LoginStatusID | See Login Status. |
| LoginStatusName | |
| UserAgent | The session ID associated with the access event. This column is only available to Advanced Audit Trail users. |
| Event Source | The source of the access event. |
Security Events
This table lists the possible values for SecurityEventTypeID and SecurityEventType.
| SecurityEventTypeID | SecurityEventType | Description |
|---|---|---|
| 1 | Login Attempted | Duplicate values can be present when users log in from different machines, or when viewed using spreadsheet software that truncates milliseconds from time values. |
| 2 | Security Question Answered | |
| 3 | Password Changed | |
| 4 | Administrator Access | A member of the Salesforce Support team has logged in to the account as an account user. |
| 5 | Administrator Unlock | An administrator unlocked a user. |
| 6 | Redirect | For users provisioned with IMH Redirect flow, the user is redirected to CAS pages and they try to log in from Members. |
| 7 | Security Setting Changed Impersonation | |
| 8 | Logout | |
| 9 | Request Authorization Code | |
| 10 | Request Token |
For context, review the Security Events table alongside the Login Status table. For example, a Login Attempted event (SecurityEventTypeID = 1) can have one of these statuses:
Failed (LoginStatusID = 1): The login attempt failed.
Successful (LoginStatusID = 4): The login attempt is successful.
Login Status
This table lists the possible values for LoginStatusID and LoginStatusName.
| LoginStatusID | LoginStatusName | Description |
|---|---|---|
| 0 | AccountDisabled | The account is disabled. |
| 1 | Failed | The login attempt failed. |
| 2 | MustChangePassword | The user's password has expired and must be changed. |
| 3 | NotSet | The login status hasn’t been set. |
| 4 | Successful | The login was successful. |
| 5 | UserAccountDisabled | The user's account is disabled. |
| 6 | InMaintenance | The login was unsuccessful because of a maintenance event. |
| 7 | UsernamePasswordLock | The user account was locked because they entered an incorrect password too many times. |
| 8 | SecurityQuestionAnswerLock | The user account was locked because they entered incorrect security question answers too many times. |
| 9 | BusinessUnitDisabled | The Business Unit account is no longer active. |
| 10 | SystemDBUnavailable | An internal database error occurred in the process of verifying a user. |
| 11 | AccountLocked | The account is locked. |
| 12 | FailedNotOnWhitelist | |
| 13 | FailedInvalidActivationLink | The login failed because the user clicked an invalid or expired activation link. |
| 14 | FailedDeviceNotActivated | Unable to activate the device using two-factor authentication. |
| 15 | FailedDeviceNotActivateNeedMobile | The login failed because the user's device isn’t activated as required by the account's security settings, and a mobile number is required for SMS verification. |
| 16 | FailedSsoOnlyLogin | Single Sign-On (SSO) is required to log in to the account, but the user attempted to log in using a different method. |
| 17 | SecurityActivationCodeLock | The user has been locked out from using their username or password, security question or answer, and activation code. |
| 18 | MustChangePasswordNoIDV | The user must change their password. |
| 19 | InvalidCasApplication | |
| 20 | Logout | The user logged out. |
| 21 | AppNotAuthorized | The app wasn't authorized using the OAuth2 Authorize API. |
Did this article solve your issue?
Let us know so we can improve!
