Cisco Catalyst Center Administrator Guide, Release 3.2.x

View audit logs

Updated: May 5, 2026

Want to summarize with AI?

Overview

Information about viewing audit logs. Audit logs collect information about the applications running on Catalyst Center, device public key infrastructure (PKI) notifications, and system events.

Audit logs capture information about the various applications running on Catalyst Center. Audit logs also capture information about device public key infrastructure (PKI) notifications. The information in these audit logs can be used to help in troubleshooting issues, if any, involving the applications or the device CA certificates.

Audit logs also record system events that occurred, when and where they occurred, and which users initiated them. With audit logging, configuration changes to the system get logged in separate log files for auditing.

Procedure

	1.	From the main menu, choose Activities > Audit Logs. The Audit Logs window opens, where you can view logs about the current policies in your network. These policies are applied to network devices by the applications installed on Catalyst Center.
	2.	Click the timeline slider to specify the time range of data you want displayed on the window: In the Time Range area, select a time range—Last 2 Weeks, Last 7 Days, Last 24 Hours, or Last 3 Hours. To specify a custom range, click By Date and specify the start and end date and time. Click Apply.
	3.	Click the arrow next to an audit log to view the corresponding child audit logs. Each audit log can be a parent to several child audit logs. By clicking the arrow, you can view a series of additional child audit logs. Note An audit log captures data about a task done by Catalyst Center. Child audit logs are subtasks to a task done by Catalyst Center.
	4.	(Optional) From the list of audit logs in the left pane, click a specific audit log message. In the right pane, click Event ID > Copy Event ID to Clipboard. With the copied ID, you can use the API to retrieve the audit log message based on the event ID. The audit log displays the Description, User, Interface, and Destination of each policy in the right pane. Note The audit log displays northbound operation details such as POST, DELETE, and PUT with payload information, and southbound operation details such as the configuration pushed to a device. For detailed information about the APIs on Cisco DevNet, refer to Catalyst Center Platform Intent APIs.
	5.	(Optional) Click Filter to filter the log by User ID, Log ID, or Description.
	6.	Click the pencil icon to subscribe to the audit log events. A list of syslog servers is displayed.
	7.	Check the syslog server check box that you want to connect to and click Save. Note Uncheck the syslog server check box to unsubscribe from the audit log events and click Save.
	8.	In the right pane, use the Search field to search for specific text in the log message.
	9.	From the main menu, choose Activities > Tasks to view the upcoming, in-progress, completed, and failed tasks (such as operating system updates or device replacements) and existing, pending-review, and failed work items.

Export audit logs to syslog servers

Enabling syslogs for audit logs offers these benefits:

Centralized logging: Collect and store logs in one place for easier monitoring.
Security monitoring: Quickly detect unauthorized or suspicious activities.
Compliance: Maintain tamper-proof records for audits and investigations.

You can export the audit logs from Catalyst Center to multiple syslog servers by connecting to them.

Before you begin

Configure the syslog servers in the System > Settings > External Services > Destinations > Syslog area.

Procedure

	1.	From the main menu, choose Activities > Audit Logs.
	2.	At the top of the window, click the pencil icon.
	3.	Select the syslog servers that you want to connect to and click Save.
	4.	(Optional) To disconnect from a syslog server, deselect it and click Save.

Need help?

Open a support case

(Requires a Cisco Service Contract)

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.