Zendesk Audit Log
The Zendesk audit log is available only to Enterprise-level customers. It covers the basics of audit logging in that it tracks Who, What, When and Where. However, it lacks many of the features that make audit logs a critical enterprise-ready feature.
Retroactive Audit Record
The first thing you’ll notice if you enable it for an active account is that it does have a historical record of the audit events from the account’s inception (no matter what account type you started with). This can be useful if you need to enable the audit log after the fact for an incident analysis or post-mortem.
Available from the API
Zendesk does maintain a well-documented and easy-to-access API for the audit trail activity, which makes it easy to pull data out into external systems. The ticket-level audit trail is also available from their API.
Zendesk has implemented some basic filtering into their audit trail. When you’re looking at an audit trail you can click on a month, actor, event, IP address or item to filter down to only matching events. However, this rudimentary filtering limits the user to filtering only to the months, actors and items immediately on the screen.
Light on Audited Events
As you look at the activity that is audited, there isn’t a ton of high-value information, as only a very limited number of admin activities are actually logged. It is noticeably missing most agent actions, including logins, account views, agent interactions, etc.
Lack of Exactness
Zendesk provides event times down to the second. Most audit logs provide event times down to the millisecond, which can be helpful in avoiding sequencing collisions if you’re combining multiple audit logs together. In reality, the low number of audited events will decrease the impact of this oversight, but that doesn’t excuse it entirely. Additionally, it isn’t immediately clear what timezone these events are being shown in (unless you use the API).
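The sequencing problem described above, as an added example that is not part of the original article: it merges a second-resolution log with a millisecond-resolution one, normalises every timestamp to UTC, and reports the events whose relative order cannot be established. The records are constructed, and the field names (`source`, `id`, `created_at`, `action`) and source labels are assumptions for illustration.

```python
from datetime import datetime, timezone
from itertools import groupby

# Constructed sample records (not real product output): COARSE has
# second-resolution timestamps, FINE has millisecond resolution.
COARSE = [
    {"source": "helpdesk", "id": 1, "created_at": "2024-03-01T10:15:07Z", "action": "update"},
    {"source": "helpdesk", "id": 2, "created_at": "2024-03-01T10:15:09Z", "action": "destroy"},
]
FINE = [
    {"source": "idp", "id": "a", "created_at": "2024-03-01T11:15:07.120+01:00", "action": "login"},
    {"source": "idp", "id": "b", "created_at": "2024-03-01T10:15:07.940Z", "action": "role_change"},
    {"source": "idp", "id": "c", "created_at": "2024-03-01T10:15:08.500Z", "action": "logout"},
]

def parse_utc(ts):
    """Parse an ISO 8601 timestamp and normalise it to UTC; reject naive values."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without timezone: {ts!r}")
    return dt.astimezone(timezone.utc)

def merge(*logs):
    """Merge several logs into one timeline ordered by UTC time."""
    events = [dict(e, ts=parse_utc(e["created_at"])) for log in logs for e in log]
    return sorted(events, key=lambda e: e["ts"])

def _second(event):
    """Truncate an event's UTC time to the whole second it falls in."""
    return event["ts"].replace(microsecond=0)

def ambiguous_groups(events, coarse_sources):
    """Return groups of events that share a second with at least one
    second-resolution event, so their true order is unknown."""
    groups = []
    for _, grp in groupby(sorted(events, key=_second), key=_second):
        grp = list(grp)
        if len(grp) > 1 and any(e["source"] in coarse_sources for e in grp):
            groups.append([(e["source"], e["id"]) for e in grp])
    return groups

if __name__ == "__main__":
    timeline = merge(COARSE, FINE)
    for group in ambiguous_groups(timeline, {"helpdesk"}):
        print("order cannot be established for:", group)
```

The sort places the second-resolution event first within its second, but that position is an artifact of the truncated timestamp, which is why the group is reported rather than trusted.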
Deletable Ticket Audit Trail
Zendesk claims to include an audit trail of the ticket activity within the tickets themselves. The major problem here is that these tickets can be deleted, and their audit trails are deleted along with them. Hence, ticket audit trails are not immutable. This is a big gap (though something they plan to fix). It doesn’t look like the primary audit trail can be altered (API is read-only), but it doesn’t seem to be provably immutable either.
[Screenshots: Ticket Level Audit Log; Deleted Ticket Level Audit Log]
As mentioned earlier, there is an API for the audit trail, but the audit trail can’t be exported. Export is generally a fairly simple feature, and it can take some pressure off the need to do advanced searching and filtering in the UI.
Ticket-level audit events are not captured in the primary audit trail, making it very hard to get a clear picture of the complete activity in an account.