Home » Support » Appian Knowledge Base » KB-2386 Log ingestion pipelines fail for login-audit.csv after upgrading to Appian 25.4

KB-2386 Log ingestion pipelines fail for login-audit.csv after upgrading to Appian 25.4

Symptoms

After upgrading to Appian 25.4, automated log ingestion pipelines (such as Splunk, Datadog, ELK, or custom Appian expression rules) that process the <APPIAN_HOME>/logs/login-audit.csv file and rely on strict positional parsing or headerless formats may fail or parse data incorrectly.

As a result, administrators may experience a temporary loss of login audit data visibility in downstream reporting stores, or trigger internal security/IT alerts due to these ingestion job failures.

Cause

This issue is caused by schema changes introduced in Appian 25.4 to support the new "Multi-Factor Authentication: Authenticator Apps" feature.

Pipelines relying on headerless parsing or strict positional index mapping will fail due to two structural modifications:

  1. Inclusion of Headers: Row 1 of login-audit.csv now contains column headers. Historically, this file was headerless.

  2. New MFA Tracking Column: A new column was appended to the log to track native MFA events.

    • In Appian 25.4, this column was initially introduced as MFA User.

    • In Appian Hotfix 25.4.371.0, this column was renamed to MFA Authenticated and its behavior was refined to accurately distinguish genuine Appian MFA events from SSO/LDAP authentications.

    • Note: true indicates successful authentication using Appian native MFA, while false indicates external authentication (SSO/LDAP), primary authentication failure, or MFA not being enabled.

Strict positional parsing of the login-audit.csv file without accounting for the newly added header row is no longer a supported ingestion approach.

For more information about login-audit.csv, refer to Logging.

Action

To resolve this issue and prevent future disruptions, log ingestion scripts and parsers must be updated:

  1. Account for the Header Row: Update ingestion scripts to ignore the first row as data, treating it instead as the schema definition.

  2. Update Parsing Logic: Switch from positional indexing to header-based mapping (e.g., map by the exact header string MFA Authenticated). This guarantees pipeline stability even if column orders change in future releases.

Affected Versions

This article applies to Appian 25.4 and later.

Last Reviewed: June 2026

Related
Recommended
© 2026 Appian. All rights reserved.
We want to hear from you! Submit a review on Gartner or G2.