Access and configure AEM user audit logs
User audit activity in AEM can be difficult to track when audit events are written to unexpected locations or when repository queries return incomplete results. In AEM 6.5 deployments, user management audit events can remain in the default log until a dedicated logger is configured, while AEM as a Cloud Service can require narrower audit queries to avoid traversal-related failures. The resolution is to verify the deployment type, confirm or create the appropriate logger configuration, and validate audit data by checking logs or audit nodes. If the expected audit events still do not appear after validation, submit a support ticket for further investigation.
Description description
Environment
- Adobe Experience Manager as a Cloud Service
- Adobe Experience Manager Managed Services
- Adobe Experience Manager On-Premise
Issue/Symptoms
- Audit logs such as
useraudit.logoraudit.logremain empty after configuration changes. - User creation, modification, or deletion events appear only in
error.log. - Queries under
/var/auditreturn incomplete results or fail when the search scope is too broad. - Audit events are available in one environment but not in another.
- To confirm the issue, identify whether the environment is AEM as a Cloud Service, Managed Services, or On-Premise.
- Review the existing Sling logger configuration to determine whether user audit events are routed to a dedicated file.
- Check whether audit events appear in
error.logwhen they do not appear in a dedicated audit log. - For AEM as a Cloud Service, test whether querying a more specific path under
/var/auditreturns results.
Root cause
Audit logging behavior differs by deployment type. In AEM 6.5 environments, user management audit events can remain in the default log unless they are redirected to a dedicated Apache Sling logger. In AEM as a Cloud Service, audit data is stored as repository nodes under /var/audit, and broad queries may need to be narrowed to return usable results.
Resolution resolution
Try the following steps to solve the issue:
- Verify which AEM deployment type is in use so you can validate audit data in the correct location.
- Open the Sling log configuration and review whether loggers for
com.adobe.granite.security.user.internal.auditandcom.adobe.granite.security.user.internal.servlets.AuthorizableServletalready exist. - If these logger mappings are missing in AEM 6.5 environments, create an
Apache Sling Logging Logger Configurationand route the log output tologs/useraudit.log. - Trigger a user management action, such as updating a user or changing group membership, and confirm that the event is written to the dedicated audit log.
- In AEM as a Cloud Service, retrieve audit data from
/var/auditand confirm that audit nodes are returned. - If the audit query is too broad, narrow it to a more specific sub-path under
/var/auditand test again. - If ACS Commons is available, use its audit log search interface to validate page, publish, or user-related audit activity.
If the symptoms described above still occur after all troubleshooting steps have been completed, or if the results of those steps show that the issue is not caused by user error, missing permissions, or an unsupported configuration, support-entitled users should submit a ticket to Adobe Support through the Experience League Support portal. If the affected person is unable to create a case because the open case or create case option is unavailable, the correct organization is missing, or a support entitlement message is shown, contact your organization’s System Administrator or Support Admin to verify support access before retrying.