# Auditing Auditing can be enabled in the settings by setting *Auditing* to *All*. Once enabled auditing can only be disabled by running `sudo pritunl unset app.auditing` on a Pritunl host. Gaining access to the web console will not allow auditing to be disabled or cleared. Once enabled the two auditing outputs below will be enabled. ### Administrator and User Audit The administrator and user audit is stored in the database. This can be viewed from any host by clicking the audit icon on the right side of a user in the web console. This audit shows actions performed by the user but does not include VPN connections. This audit log is never expires and is never removed from the database. ### Journal Audit The audit journal stores detailed events in the file `/var/log/pritunl_journal.log`. This file rotates five times starting with `/var/log/pritunl_journal.log.1` and ending at `/var/log/pritunl_journal.log.5`. Each line will contain an audit even formatted as JSON. Each event has a `id` that is unique to each event. This can be used by parsing systems to identify each event. The `timestamp` is the epoch time in seconds. The `event` is the event type, the types can be found at [**Journal Events**](https://github.com/pritunl/pritunl/blob/master/pritunl/journal/events.py). The `reason` and `reason_long` describe why the event occurred. The values `user_name` and `remote_address` are included in most events and reference the clients IP address and the clients user name. ```json { "id": "5c75cfc15285f54158d75a36", "timestamp": 1551224769.767757, "event": "admin_auth_failure", "reason": "invalid_username", "reason_long": "Invalid username", "host_id": "fbcf3dcc59874186a92065879e408627", "host_name": "pritunl0", "host_local_address": "8.8.8.8", "host_public_address": "8.8.8.8", "user_name": "testuser", "remote_address": "8.8.4.4", } ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.pritunl.com/kb/vpn/system/auditing.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.