Sitecore Quicktip: Auditing Sitecore Logins
It’s the middle of the night and something has been published that should not have been, but you don’t know who logged into Sitecore during this time… or do you? Fortunately, out of the box, you can audit who logged into Sitecore, with some minor caveats. To be clear, we are not assuming that a user is being nefarious, but we need to keep strict governance around activities in our content management environment.
IMPORTANT: If your Sitecore CMS is exposed to the internet at all… stop reading, pick up the “Red Phone” to your networking team and get that CMS only available internally. If someone says they need it public for a partner or someone else… don’t do it; give the partner a VPN to access the network where the CMS is running, since you don’t want anyone brute-force attacking your publicly accessible CMS (just imagine the damage if someone got into Sitecore!).
CMS Login Audit Options
When you log in using the default Sitecore Membership provider (instead of through Identity Server), the Sitecore CM instance records Audit logs for both successful and unsuccessful login attempts, as illustrated below:
Successful login example
INFO AUDIT (sitecore\Anonymous): Login successful: sitecore\Admin.
Unsuccessful login example
INFO AUDIT (sitecore\Anonymous): Login failed: asdf.
A few caveats to consider
- This is only available when you are not using Identity Server, which is the most common setup for Sitecore
- You must have INFO log levels enabled, which can chew up a lot of log space (you should always have a retention period for your logs set irrespective of logging level)
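As an added example (not part of the original post and not Sitecore code), this is one way to tally the two audit entries shown above per account and flag accounts worth a closer look. The threshold of 3, the name normalisation, and the sample lines are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Matches the two audit entries shown above; any prefix before "INFO AUDIT"
# (thread name, time) is ignored because search() is used.
AUDIT_RE = re.compile(
    r"INFO\s+AUDIT \([^)]*\): Login (?P<result>successful|failed): (?P<user>.+?)\.?\s*$"
)

def normalise(user):
    # Assumption: compare accounts case-insensitively and without the domain
    # prefix, since the failed entry above carries the name as it was typed.
    return user.rsplit("\\", 1)[-1].lower()

def summarise_logins(lines, threshold=3):
    """Return (per-account counts, accounts to review) from CM log lines."""
    counts = defaultdict(lambda: {"successful": 0, "failed": 0})
    streak = defaultdict(int)  # consecutive failures per account
    review = {}
    for line in lines:
        m = AUDIT_RE.search(line)
        if not m:
            continue  # not a login audit entry
        user = normalise(m["user"])
        counts[user][m["result"]] += 1
        if m["result"] == "failed":
            streak[user] += 1
            if streak[user] >= threshold:
                review.setdefault(user, "repeated failures")
        else:
            if streak[user] >= threshold:
                review[user] = "success after repeated failures"
            streak[user] = 0
    return dict(counts), review

# Constructed sample lines in the format shown above (editor1 is hypothetical).
SAMPLE = [
    r"INFO AUDIT (sitecore\Anonymous): Login successful: sitecore\Admin.",
    r"INFO AUDIT (sitecore\Anonymous): Login failed: asdf.",
    r"INFO AUDIT (sitecore\Anonymous): Login failed: editor1.",
    r"INFO AUDIT (sitecore\Anonymous): Login failed: editor1.",
    r"INFO AUDIT (sitecore\Anonymous): Login failed: editor1.",
    r"INFO AUDIT (sitecore\Anonymous): Login successful: sitecore\editor1.",
    "INFO Unrelated entry that is not a login audit line",
]

if __name__ == "__main__":
    print(summarise_logins(SAMPLE))
```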
Identity Server Login Audit Options
When you authenticate through the Identity Server, the Sitecore CM instance generates logs exclusively for successful login events. Conversely, the Identity Server instance records a log segment for each login attempt, regardless of its success or failure. Each log segment begins with the entry “Request starting …” and ends with the entry “Request finished …”. The key difference is that the log segment for a successful login includes the entry “AuthenticationScheme: "idsrv" signed in.”, while the logs for a failed login contain only the entry “"idsrv" was not authenticated.”.
Successful login example
2026-01-21T13:37:38.7855438+02:00 [INF] (Sitecore Identity/LT-VIAM-T-UA) Request starting HTTP/1.1 POST http://10.4_xp0_identityserver.dev.local/Account/Login?ReturnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3DSitecore%26response_type%3Dcode%2520id_token%2520token%26scope%3Dopenid%2520sitecore.profile%26state%3DOpenIdConnect.AuthenticationProperties%253D9k1h7vJf6pqFg6gE2dG1GSeenzefeW-hzY5Gn462XvQHzyyJz1emnPezpSzupNMP8oTT6yVyGbrujXf-738m_RcbQL1TBKkcMX2jyLaBoSkaaJoJNOqseT-cN0J_4W4AYitRSuwrPIhOzbacJl5PSRqGPsiA-FFeGL_VuBXTX3nb50cdgZ33k09CKpu4iwrn4tTj-OErH60OZ0NF2udh5A%26response_mode%3Dform_post%26nonce%3D639045921836254894.Y2JlNzA2OTAtNjIyZi00ZWRjLWEzYzUtM2U1ZGY1MzM1MWVkNDEyNmIwNDgtYjEyNi00NTUwLWE5ZGYtZTUyZTk5MDljYmM3%26redirect_uri%3Dhttps%253A%252F%252F10.4_xp0_sc.dev.local%252Fidentity%252Fsignin%26sc_account_prefix%3Dsitecore%255C%26x-client-SKU%3DID_NET461%26x-client-ver%3D5.7.0.0 application/x-www-form-urlencoded 1011
2026-01-21T13:37:38.7862985+02:00 [INF] (Sitecore Identity/LT-VIAM-T-UA) CORS policy execution failed.
2026-01-21T13:37:38.7865536+02:00 [INF] (Sitecore Identity/LT-VIAM-T-UA) Request origin "null" does not have permission to access the resource.
2026-01-21T13:37:38.7868121+02:00 [INF] (Sitecore Identity/LT-VIAM-T-UA) No CORS policy found for the specified request.
2026-01-21T13:37:38.7871443+02:00 [INF] (Sitecore Identity/LT-VIAM-T-UA) "idsrv" was not authenticated. Failure message: "Ticket expired"
2026-01-21T13:37:38.7874127+02:00 [INF] (Sitecore Identity/LT-VIAM-T-UA) "idsrv" was not authenticated. Failure message: "Ticket expired"
2026-01-21T13:37:38.7877187+02:00 [INF] (Sitecore Identity/LT-VIAM-T-UA) Executing endpoint '"Sitecore.Plugin.IdentityServer.Controllers.AccountController.Login (Sitecore.Plugin.IdentityServer)"'
2026-01-21T13:37:38.7879906+02:00 [INF] (Sitecore Identity/LT-VIAM-T-UA) Route matched with "{action = \"Login\", controller = \"Account\"}". Executing controller action with signature "System.Threading.Tasks.Task`1[Microsoft.AspNetCore.Mvc.IActionResult] Login(Sitecore.Plugin.IdentityServer.Models.Account.LoginInputModel, System.String)" on controller "Sitecore.Plugin.IdentityServer.Controllers.AccountController" ("Sitecore.Plugin.IdentityServer").
2026-01-21T13:37:38.7950609+02:00 [INF] (Sitecore Identity/LT-VIAM-T-UA) "idsrv" was not authenticated. Failure message: "Ticket expired"
2026-01-21T13:37:38.7954386+02:00 [INF] (Sitecore Identity/LT-VIAM-T-UA) "idsrv" was not authenticated. Failure message: "Ticket expired"
2026-01-21T13:37:38.7961160+02:00 [INF] (Sitecore Identity/LT-VIAM-T-UA) AuthenticationScheme: "idsrv" signed in.
2026-01-21T13:37:38.7964673+02:00 [INF] (Sitecore Identity/LT-VIAM-T-UA) Executing RedirectResult, redirecting to "/connect/authorize/callback?client_id=Sitecore&response_type=code%20id_token%20token&scope=openid%20sitecore.profile&state=OpenIdConnect.AuthenticationProperties%3D9k1h7vJf6pqFg6gE2dG1GSeenzefeW-hzY5Gn462XvQHzyyJz1emnPezpSzupNMP8oTT6yVyGbrujXf-738m_RcbQL1TBKkcMX2jyLaBoSkaaJoJNOqseT-cN0J_4W4AYitRSuwrPIhOzbacJl5PSRqGPsiA-FFeGL_VuBXTX3nb50cdgZ33k09CKpu4iwrn4tTj-OErH60OZ0NF2udh5A&response_mode=form_post&nonce=639045921836254894.Y2JlNzA2OTAtNjIyZi00ZWRjLWEzYzUtM2U1ZGY1MzM1MWVkNDEyNmIwNDgtYjEyNi00NTUwLWE5ZGYtZTUyZTk5MDljYmM3&redirect_uri=https%3A%2F%2F10.4_xp0_sc.dev.local%2Fidentity%2Fsignin&sc_account_prefix=sitecore%5C&x-client-SKU=ID_NET461&x-client-ver=5.7.0.0".
2026-01-21T13:37:38.7969347+02:00 [INF] (Sitecore Identity/LT-VIAM-T-UA) Executed action "Sitecore.Plugin.IdentityServer.Controllers.AccountController.Login (Sitecore.Plugin.IdentityServer)" in 8.6277ms
2026-01-21T13:37:38.7973410+02:00 [INF] (Sitecore Identity/LT-VIAM-T-UA) Executed endpoint '"Sitecore.Plugin.IdentityServer.Controllers.AccountController.Login (Sitecore.Plugin.IdentityServer)"'
2026-01-21T13:37:38.7977342+02:00 [INF] (Sitecore Identity/LT-VIAM-T-UA) Request finished HTTP/1.1 POST http://10.4_xp0_identityserver.dev.local/Account/Login?ReturnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3DSitecore%26response_type%3Dcode%2520id_token%2520token%26scope%3Dopenid%2520sitecore.profile%26state%3DOpenIdConnect.AuthenticationProperties%253D9k1h7vJf6pqFg6gE2dG1GSeenzefeW-hzY5Gn462XvQHzyyJz1emnPezpSzupNMP8oTT6yVyGbrujXf-738m_RcbQL1TBKkcMX2jyLaBoSkaaJoJNOqseT-cN0J_4W4AYitRSuwrPIhOzbacJl5PSRqGPsiA-FFeGL_VuBXTX3nb50cdgZ33k09CKpu4iwrn4tTj-OErH60OZ0NF2udh5A%26response_mode%3Dform_post%26nonce%3D639045921836254894.Y2JlNzA2OTAtNjIyZi00ZWRjLWEzYzUtM2U1ZGY1MzM1MWVkNDEyNmIwNDgtYjEyNi00NTUwLWE5ZGYtZTUyZTk5MDljYmM3%26redirect_uri%3Dhttps%253A%252F%252F10.4_xp0_sc.dev.local%252Fidentity%252Fsignin%26sc_account_prefix%3Dsitecore%255C%26x-client-SKU%3DID_NET461%26x-client-ver%3D5.7.0.0 application/x-www-form-urlencoded 1011 - 302 0 - 12.1870ms
Unsuccessful login example
2026-01-21T13:37:20.2799235+02:00 [INF] (Sitecore Identity/LT-VIAM-T-UA) Request starting HTTP/1.1 POST http://10.4_xp0_identityserver.dev.local/Account/Login?ReturnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3DSitecore%26response_type%3Dcode%2520id_token%2520token%26scope%3Dopenid%2520sitecore.profile%26state%3DOpenIdConnect.AuthenticationProperties%253D9k1h7vJf6pqFg6gE2dG1GSeenzefeW-hzY5Gn462XvQHzyyJz1emnPezpSzupNMP8oTT6yVyGbrujXf-738m_RcbQL1TBKkcMX2jyLaBoSkaaJoJNOqseT-cN0J_4W4AYitRSuwrPIhOzbacJl5PSRqGPsiA-FFeGL_VuBXTX3nb50cdgZ33k09CKpu4iwrn4tTj-OErH60OZ0NF2udh5A%26response_mode%3Dform_post%26nonce%3D639045921836254894.Y2JlNzA2OTAtNjIyZi00ZWRjLWEzYzUtM2U1ZGY1MzM1MWVkNDEyNmIwNDgtYjEyNi00NTUwLWE5ZGYtZTUyZTk5MDljYmM3%26redirect_uri%3Dhttps%253A%252F%252F10.4_xp0_sc.dev.local%252Fidentity%252Fsignin%26sc_account_prefix%3Dsitecore%255C%26x-client-SKU%3DID_NET461%26x-client-ver%3D5.7.0.0 application/x-www-form-urlencoded 1021
2026-01-21T13:37:20.2812879+02:00 [INF] (Sitecore Identity/LT-VIAM-T-UA) CORS policy execution failed.
2026-01-21T13:37:20.2817512+02:00 [INF] (Sitecore Identity/LT-VIAM-T-UA) Request origin "null" does not have permission to access the resource.
2026-01-21T13:37:20.2821996+02:00 [INF] (Sitecore Identity/LT-VIAM-T-UA) No CORS policy found for the specified request.
2026-01-21T13:37:20.2828804+02:00 [INF] (Sitecore Identity/LT-VIAM-T-UA) "idsrv" was not authenticated. Failure message: "Ticket expired"
2026-01-21T13:37:20.2833565+02:00 [INF] (Sitecore Identity/LT-VIAM-T-UA) "idsrv" was not authenticated. Failure message: "Ticket expired"
2026-01-21T13:37:20.2839237+02:00 [INF] (Sitecore Identity/LT-VIAM-T-UA) Executing endpoint '"Sitecore.Plugin.IdentityServer.Controllers.AccountController.Login (Sitecore.Plugin.IdentityServer)"'
2026-01-21T13:37:20.2845788+02:00 [INF] (Sitecore Identity/LT-VIAM-T-UA) Route matched with "{action = \"Login\", controller = \"Account\"}". Executing controller action with signature "System.Threading.Tasks.Task`1[Microsoft.AspNetCore.Mvc.IActionResult] Login(Sitecore.Plugin.IdentityServer.Models.Account.LoginInputModel, System.String)" on controller "Sitecore.Plugin.IdentityServer.Controllers.AccountController" ("Sitecore.Plugin.IdentityServer").
2026-01-21T13:37:20.2890018+02:00 [INF] (Sitecore Identity/LT-VIAM-T-UA) "idsrv" was not authenticated. Failure message: "Ticket expired"
2026-01-21T13:37:20.2901317+02:00 [INF] (Sitecore Identity/LT-VIAM-T-UA) Executing ViewResult, running view "Login".
2026-01-21T13:37:20.2914901+02:00 [INF] (Sitecore Identity/LT-VIAM-T-UA) Executed ViewResult - view "Login" executed in 1.4112ms.
2026-01-21T13:37:20.2920434+02:00 [INF] (Sitecore Identity/LT-VIAM-T-UA) Executed action "Sitecore.Plugin.IdentityServer.Controllers.AccountController.Login (Sitecore.Plugin.IdentityServer)" in 7.0603ms
2026-01-21T13:37:20.2924166+02:00 [INF] (Sitecore Identity/LT-VIAM-T-UA) Executed endpoint '"Sitecore.Plugin.IdentityServer.Controllers.AccountController.Login (Sitecore.Plugin.IdentityServer)"'
2026-01-21T13:37:20.2928317+02:00 [INF] (Sitecore Identity/LT-VIAM-T-UA) Request finished HTTP/1.1 POST http://10.4_xp0_identityserver.dev.local/Account/Login?ReturnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3DSitecore%26response_type%3Dcode%2520id_token%2520token%26scope%3Dopenid%2520sitecore.profile%26state%3DOpenIdConnect.AuthenticationProperties%253D9k1h7vJf6pqFg6gE2dG1GSeenzefeW-hzY5Gn462XvQHzyyJz1emnPezpSzupNMP8oTT6yVyGbrujXf-738m_RcbQL1TBKkcMX2jyLaBoSkaaJoJNOqseT-cN0J_4W4AYitRSuwrPIhOzbacJl5PSRqGPsiA-FFeGL_VuBXTX3nb50cdgZ33k09CKpu4iwrn4tTj-OErH60OZ0NF2udh5A%26response_mode%3Dform_post%26nonce%3D639045921836254894.Y2JlNzA2OTAtNjIyZi00ZWRjLWEzYzUtM2U1ZGY1MzM1MWVkNDEyNmIwNDgtYjEyNi00NTUwLWE5ZGYtZTUyZTk5MDljYmM3%26redirect_uri%3Dhttps%253A%252F%252F10.4_xp0_sc.dev.local%252Fidentity%252Fsignin%26sc_account_prefix%3Dsitecore%255C%26x-client-SKU%3DID_NET461%26x-client-ver%3D5.7.0.0 application/x-www-form-urlencoded 1021 - 200 - text/html;+charset=utf-8 12.9731ms
A few caveats to consider
- This does not show you who the actual user is, but at the very least you can see details on login time and success/failure
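As an added example (not part of the original post and not Sitecore code), the segment rule described above can be applied mechanically: group lines between “Request starting” and “Request finished” for POST requests to /Account/Login and label each segment by the signed-in entry. It assumes requests do not interleave in the log; the sample lines are constructed and abbreviated from the examples above, with a placeholder host name.

```python
import re

# timestamp, [level], (application/host), message
LINE_RE = re.compile(r"^(?P<ts>\S+) \[\w+\] \([^)]*\) (?P<msg>.*)$")
SIGNED_IN = 'AuthenticationScheme: "idsrv" signed in.'

def classify_login_requests(lines):
    """Return one record per POST /Account/Login segment, in log order."""
    attempts, current = [], None
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = m["ts"], m["msg"]
        if msg.startswith("Request starting"):
            # Only the form POST is a login attempt; other requests are skipped.
            is_login = " POST " in msg and "/Account/Login" in msg
            current = {"start": ts, "signed_in": False} if is_login else None
        elif current is not None:
            if msg.startswith(SIGNED_IN):
                current["signed_in"] = True
            elif msg.startswith("Request finished"):
                status = re.search(r" - (\d{3}) ", msg)
                attempts.append({
                    "start": current["start"],
                    "end": ts,
                    "status": int(status.group(1)) if status else None,
                    "outcome": "success" if current["signed_in"] else "failure",
                })
                current = None
    return attempts

def sample_line(sec, msg):
    # Constructed line in the layout shown above; HOST is a placeholder.
    return f"2026-01-21T13:37:{sec}+02:00 [INF] (Sitecore Identity/HOST) {msg}"

REQ = ("HTTP/1.1 POST http://identity.example.local/Account/Login"
       "?ReturnUrl=%2Fconnect application/x-www-form-urlencoded")
NOT_AUTH = '"idsrv" was not authenticated. Failure message: "Ticket expired"'
SAMPLE = [
    sample_line("20.27", f"Request starting {REQ} 1021"),
    sample_line("20.28", NOT_AUTH),
    sample_line("20.29", f"Request finished {REQ} 1021 - 200 - text/html 12.9ms"),
    sample_line("38.78", f"Request starting {REQ} 1011"),
    sample_line("38.79", NOT_AUTH),
    sample_line("38.80", SIGNED_IN),
    sample_line("38.81", f"Request finished {REQ} 1011 - 302 0 - 12.1ms"),
]
```

A burst of “failure” records in a short window is the signal to look for; the 302 and 200 status codes match the two examples above.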
Seeing What Really Matters… Changed Content
Bottom line, using the methods above you may be able to catch a glimpse of who logged in… but does that really help you if you don’t know what content they affected so you can fix it?
This is where I love using Sitecore Sidekick’s Audit Log for viewing actual changes to items (Audit Log). Use the option to store the data in SQL, as it’s very performant (Configure SQL for Audit Log). With this in place, you can view and filter changed content, inclusive of the user.


Conclusion
While the out-of-the-box capabilities for auditing Sitecore logins offer some basic glimpses into login activity, it’s far better to focus on what the user achieved after logging in (unless you are investigating the number of failed logins from a brute force attack because you left your CMS publicly exposed).
To that end, while you could likely develop a custom logger that exposes more details than what Identity Server provides, add Sitecore Sidekick to your stack and leverage the Audit Log to find out what occurred after the login.
