Auditing user file access

Helix Core Server is capable of logging individual file accesses to an audit logfile. Auditing is disabled by default, and is only enabled if P4AUDIT is set to point to the location of the audit log file, or the server is started with the -A auditlog option (see General options in Helix Core Server (p4d) Reference).

If you are auditing server activity in a replicated environment, each of your build farm or forwarding replica servers must have its own P4AUDIT log set.

Important

If P4AUDIT is configured on any active server, the audit log file becomes large very quickly because it grows each time any user gets file content. Make a plan to manage the disk space. Include in your plan any retention policies for storing historical copies of the audit log files.

Lines in the audit log appear in the form:

date time user@client clientIP command file#rev

For example:

tail -2 auditlog
2023/05/09 09:52:45 maria@nail 192.168.0.12 diff //depot/src/x.c#1
2023/05/09 09:54:13 anna@stone 127.0.0.1 sync //depot/inc/file.h#1

If a command is run on the machine that runs the Helix Core Server, the clientIP is shown as 127.0.0.1.