Audit logs

Changes that are made by IBM QRadar users are recorded in the audit logs.

All audit logs are stored in plain text and are archived and compressed when the audit log file reaches 50 MB. The current log file is named audit.log. When the file reaches 50 MB, the file is compressed and renamed to audit.1.gz. The file number increments each time that a log file is archived. QRadar stores up to 25 archived log files.

Audit log data is also stored in the SIM Audit-2 log source, which can be used for filtering and reporting to track how users interact with QRadar. The data retention is determined by your event retention configuration.