We want to do some statistics on the use of "Act as ...", and try to do this by checking the CD2 web_logs (/dap/query/canvas_logs/table/web_logs/data).

When we look in the column "value.real_user_id" we get hundreds of lines for users who do not have the "Users - act as" permission. How can this happen? Until a good explanation I can't trust the column "value.real_user_id"?

We can find all rows with the word "masquerade" in the column "value.url", and as far as I have seen this is much more reliable?

Have I misssed something here? Any help is appreciated!