Auth
The Auth page tracks all authentication attempts including logins, logouts, and failures for both local and OIDC authentication methods. Failed logins may indicate brute force attacks or credential stuffing. Successful logins from unexpected IPs may indicate account compromise.
Fields & Columns
| Name | Description |
|---|---|
| Time | Timestamp of the authentication event |
| Email address used in the authentication attempt | |
| Event | Outcome: Login (green), OIDC Login (green), Login Failed (red), OIDC Failed (red), Logout (yellow) |
| Method | Authentication method used: Local (password) or OIDC (single sign-on) |
| Failure Reason | Why the authentication failed, if applicable (e.g., invalid credentials) |
| IP Address | Client IP from which the authentication attempt originated |
Gotchas
- Multiple failed logins from the same IP may indicate a brute force attempt — filter by IP Address to investigate.
- Successful logins from unexpected IPs warrant investigation even if credentials were correct.
- OIDC failures may indicate misconfiguration of the external identity provider rather than an attack.
- Authentication audit records are retained indefinitely. Consult your compliance requirements to determine if periodic archival is needed.
API Calls (1)
| Method | Path | Description |
|---|---|---|
| GET | /api/audit/auth | List all authentication events (paginated) |
Related Pages
- Changes — Actions taken after authentication are logged here
- Views — Resource access after login is tracked here
- Port State Changes — Network state changes detected by scans rather than user actions
- Users — Manage the accounts that generate auth events
- Sessions — Active sessions created by authentication events