You are currently reviewing an older revision of this page.

[DRAFT SUPP-2591] Log ingestion pipelines fail for login-audit.csv after upgrading to Appian 25.4

Symptoms

After upgrading to Appian 25.4, automated log ingestion pipelines (such as Splunk, Datadog, ELK, or custom Appian expression rules) that process the <APPIAN_HOME>/logs/login-audit.csv file and rely on strict positional parsing or headerless formats may fail or parse data incorrectly.

As a result, administrators may experience a temporary loss of login audit data visibility in downstream reporting stores, or trigger internal security/IT alerts due to these ingestion job failures.

Cause

This issue is caused by schema changes introduced in Appian 25.4 to support the new "Multi-Factor Authentication: Authenticator Apps" feature.

Pipelines relying on headerless parsing or strict positional index mapping will fail due to two structural modifications:

  1. Inclusion of Headers: Row 1 of login-audit.csv now contains column headers. Historically, this file was headerless.

  2. New MFA Tracking Column: A new column was appended to the log to track native MFA events.

    • In Appian 25.4, this column was initially introduced as MFA User.

    • In Appian Hotfix 25.4.371.0, this column was renamed to MFA Authenticated and its behavior was refined to accurately distinguish genuine Appian MFA events from SSO/LDAP authentications.

    • Note: true indicates successful authentication using Appian native MFA, while false indicates external authentication (SSO/LDAP), primary authentication failure, or MFA not being enabled.

Strict positional parsing of the login-audit.csv file without accounting for the newly added header row is no longer a supported ingestion approach.

For more information about login-audit.csv, refer to Logging

Action

To resolve this issue and prevent future disruptions, log ingestion scripts and parsers must be updated:

  1. Account for the Header Row: Update ingestion scripts to ignore the first row as data, treating it instead as the schema definition.

  2. Update Parsing Logic: Switch from positional indexing to header-based mapping (e.g., map by the exact header string MFA Authenticated). This guarantees pipeline stability even if column orders change in future releases.

Affected Versions

  • This article applies to Appian 25.4 and later.

© 2026 Appian. All rights reserved.
We want to hear from you! Submit a review on Gartner or G2.