The auth log records every login, logout, user switch, and failed authentication attempt at your tenant. It's where you go to answer "was Sarah actually logged in when this happened?", to investigate suspicious activity, or to confirm a staff member's hours when their pay period is in dispute. This guide covers reading the log and what's recorded.
Opening the auth log
Go to Reports → Auth Log.
What's recorded
Each entry has:
- When — timestamp in your branch's timezone.
- User — who the entry relates to. For failed logins this is the email address that was attempted.
- Event — login, logout, user switch in, user switch out, failed login, failed PIN entry, 2FA challenge, 2FA reset.
- IP address — where the request came from.
- User agent — browser and operating system.
- Result — success, blocked (lockout), or failed.
Filtering
- Date range — defaults to the last 7 days.
- User — pick a staff member to see only their activity.
- Event type — show only failed logins, only user switches, etc.
- Result — only successes, only failures.
What it answers
Suspicious activity
If you see in the audit log that a sensitive action was performed (e.g. a large refund), the auth log tells you whether the user account was actually active at that moment, what IP it was used from, and whether there were any failed attempts beforehand that suggest a brute force.
Staff hours
For shift verification, filter by user and date. Login and switch-in events show when a staff member started taking actions on a shared device.
Failed login spikes
A burst of failed logins on the same email is a credential-stuffing attempt. Lockouts kick in after a configurable number of failures, but the auth log shows the attempt regardless. If you see this, force a password reset on the affected account and consider enabling 2FA tenant-wide if you haven't already.
Forgotten PINs
Repeated failed PIN entries from one device often mean a staff member forgot their PIN. Reset it for them (see User PINs & User Switching) rather than letting them rage-click.
IP addresses and what to expect
Most logins come from your venue's public IP — you can find your venue's IP at whatismyipaddress.com from any device on your network. Logins from other IPs are worth a quick check — it's usually a staff member working from home or on their phone, but occasionally it's a sign of compromise.
If you see a login from an unexpected country, treat it as serious:
- Force a password reset on the account.
- Reset 2FA if it was disabled.
- Check the audit log for any actions taken during the suspicious session.
- Notify the user and check whether they recognise the device.
Lockout policy
Multiple failed logins in a short window trigger a temporary lockout on the account. The lockout window resets after a cooldown period. Repeated lockouts are recorded in the auth log so you can see whether someone is actively trying to break in.
Retention
Auth log entries are kept for at least the same retention window as the audit log (typically 12 months). Useful for incident response months after the fact.
Exporting
The auth log can be exported as CSV from the filter panel, same as other reports. Combine with audit log exports if you're investigating a security incident or producing an internal report.
Practical patterns
Weekly security review
Once a week, glance at the auth log filtered to the last 7 days, looking for:
- Logins from unfamiliar IPs.
- Failed login spikes on a single account.
- 2FA resets you didn't authorise.
Five minutes of this catches most security issues early.
Compliance evidence
If your industry requires evidence of access controls (e.g. PCI scope, GDPR documentation), exports of the auth log demonstrate that authentication is logged and reviewable.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article