Auditing user file access

Helix Server is capable of logging individual file accesses to an audit logfile. Auditing is disabled by default, and is only enabled if P4AUDIT is set to point to the location of the audit log file, or the server is started with the -A auditlog flag (see General options in Helix Core Server (p4d) Reference).

When auditing is enabled, the server adds a line to the audit log file every time file content is transferred from the server to the client. On an active server, the audit log file will grow very quickly.

Lines in the audit log appear in the form:

date time user@client clientIP command file#rev

For example:

$ tail -2 auditlog
2020/05/09 09:52:45 karl@nail 192.168.0.12 diff //depot/src/x.c#1
2020/05/09 09:54:13 jim@stone 127.0.0.1 sync //depot/inc/file.h#1

If a command is run on the machine that runs the Helix Server, the clientIP is shown as 127.0.0.1.

If you are auditing server activity in a replicated environment, each of your build farm or forwarding replica servers must have its own P4AUDIT log set.