RSA SecurID Access Administration Event Log API

Document created by RSA Information Design and Development on Sep 14, 2018. Last modified by RSA Information Design and Development on Nov 16, 2018.
Version 3

The RSA SecurID Access Administration Event Log API is a REST-based web services interface that allows audit log events to be retrieved from the Cloud Authentication Service. You can use this REST API to import the audit log events into your security information and event management (SIEM) solution, such as RSA NetWitness. Events are retrieved in chronological order in batches, and do not contain duplicates. They can be filtered by date range.

The endpoint, which can be either the SIEM or another client, uses the Administration API Key to call the Administration Event Log API. The Super Admin generates this key and provides it to the Client Developer, as described in Manage the Cloud Administration REST API Keys.

For information on audit log messages that describe Super Admin activities, see Administration Log Messages for the Cloud Authentication Service.

Authentication

Clients calling this API must authenticate themselves by including a JSON Web Token in a request. For instructions on using this token, see Authentication for the Cloud Administration REST APIs.

Software Developer Kit

You can download the API Software Developer Kit (SDK) from RSA SecurID Access Administration REST API Download.

Request Requirements

Use the following method, request URL, response body, response body type, and response codes to retrieve audit log events from the Cloud Authentication Service and deliver them to your SIEM solution.

                        
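| Method | Request URL | Response Body | Response Body Type | Response Codes |
|--------|-------------|---------------|--------------------|----------------|
| GET | /AdminInterface/restapi/v1/adminlog/exportlogs | Metadata plus array of Admin log events | application/json | 200, 400, 403 |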

Request Parameters

The Administration Event Log API allows the following optional parameters.

                                             
| Name | Description | Type | Default Value | Example |
|------|-------------|------|---------------|---------|
| startTimeAfter | Start time of log events. | ISO 8601 Date Time | Current time - 1 day | 2018-05-01T11:22:12.828-05:30 |
| endTimeOnOrBefore | End time of log events. | ISO 8601 Date Time | Current time | 2018-05-09T21:06:33.125-05:30 |
| pageNumber | Zero-based index of the page to return. | Integer | 0 | 5 |
| pageSize | Number of records to return in a page (or batch). Value between 1-100. Any value specified outside of this range will be treated as 100. | Integer | 100 | 50 |

Request Examples

The following example displays a REST API request with no parameters.

GET /AdminInterface/restapi/v1/adminlog/exportlogs
Accept: application/json
Authorization: Bearer <JWT token>

The following example shows a REST API request with a specified start time.

GET /AdminInterface/restapi/v1/adminlog/exportlogs?startTimeAfter=2018-05-01T11:22:12.828-05:30
Accept: application/json
Authorization: Bearer <JWT token>

Responses

The following table shows response metadata.

                            
| Parameter | Description | Type |
|-----------|-------------|------|
| totalPages | Total number of pages (or batches) of results. | Integer |
| totalElements | Total number of results. | Integer |
| pageSize | Number of results returned in a page (or batch). | Integer |

The following example shows sample response metadata with 684 total results and a default page size of 100.

{
  "totalPages": 7,
  "totalElements": 684,
  "pageSize": 100,
  "elements": [
    {
      ......
    }
  ]
}

The following table shows API response data.

                                                                                                       
| Parameter | Description | Type |
|-----------|-------------|------|
| eventId | Identifies the event. | String |
| eventLogDate | Date and time of the log event, in UTC timezone. Example: 2018-05-13T16:29:59.000 UTC | ISO 8601 Date Time |
| eventType | Always set to Administration. | String |
| serverURL | The Administration Server URL. Example: https://access.securid.com/AdminInterface | String |
| serverIPAddress | Public load balancer IP address of the Cloud Authentication Service. | IP Address |
| application | RSA SecurID Access. | String |
| customerId | Internal company specifier. | String |
| customerName | Company name, as specified in Company Settings. | String |
| sourceIPAddress | IP address used by the Super Admin account that performed the operation. | IP Address |
| adminUserName | Username or email address used by the Super Admin who performed the operation. | String |
| adminUserRole | Role of the administrator who performed the operation. Values are Super Administrator, Help Desk Administrator, and Support Administrator. | String |
| activityKey | Activity key of the administration operation. See Administration Log Messages for the Cloud Authentication Service. | String |
| activityCode | Unique activity code of the administration operation. See Administration Log Messages for the Cloud Authentication Service. | Integer |
| result | Result of the administration operation. (SUCCESS or FAILURE) | String |
| reasonKey | Reason for failure. | String |
| message | Describes the administration operation. | String |
| requiresPublish | Administration operation requires a publish. Values are true or false. | Boolean |
| targetObject1Id, targetObject1Name, targetObject1Type, targetObject2Id, targetObject2Name, targetObject2Type | Identifies the target object of the administrative activity. Examples of administrative activity are ADD_POLICY and DELETE_POLICY. Publishing does not have a target object. | String |

Example Response

{
  "totalPages": 1,
  "totalElements": 2,
  "pageSize": 100,
  "elements": [
    {
      "eventId": 767,
      "eventLogDate": "2018-05-13T16:29:59.000 UTC",
      "eventType": "Administration",
      "serverURL": "https://access.securid.com/AdminInterface/",
      "serverIPAddress": "191.237.22.167",
      "application": "RSA SecurID Access",
      "customerId": 3,
      "customerName": "mycompanyname",
      "sourceIPAddress": "1.2.3.4",
      "adminUserName": "admin@mycompany.com",
      "adminUserRole": "Super Administrator",
      "activityKey": "SIGNIN_SUCCESS",
      "activityCode": 80001,
      "result": "SUCCESS",
      "reasonKey": "",
      "message": "admin@mycompany.com successfully signed in",
      "requiresPublish": false,
      "targetObject1Id": null,
      "targetObject1Name": null,
      "targetObject1Type": null,
      "targetObject2Id": null,
      "targetObject2Name": null,
      "targetObject2Type": null
    },
    {
      "eventId": 768,
      "eventLogDate": "2018-05-13T16:32:09.000 UTC",
      "eventType": "Administration",
      "serverURL": "https://access.securid.com/AdminInterface/",
      "serverIPAddress": "191.237.22.167",
      "application": "RSA SecurID Access",
      "customerId": 3,
      "customerName": "mycompanyname",
      "sourceIPAddress": "1.2.3.4",
      "adminUserName": "admin@mycompany.com",
      "adminUserRole": "Super Administrator",
      "activityKey": "ADD_ADMIN_API_KEY",
      "activityCode": 80400,
      "result": "SUCCESS",
      "reasonKey": "",
      "message": "admin@mycompany.com added an Admin API Key 139f6495-e447-4a26-a765-5c01b6b152d5",
      "requiresPublish": false,
      "targetObject1Id": 18,
      "targetObject1Name": "139f6495-e447-4a26-a765-5c01b6b152d5",
      "targetObject1Type": "ADMIN_API_KEY",
      "targetObject2Id": null,
      "targetObject2Name": null,
      "targetObject2Type": null
    }
  ]
}
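The paging loop a SIEM collector would run against this endpoint, shown as an added example (it is not RSA's SDK or code from this page). It pins endTimeOnOrBefore so every page is cut from the same window rather than each request defaulting to its own current time, and converts the last eventLogDate into an ISO 8601 value for the next startTimeAfter. The names http_fetch, export_events, checkpoint and fake_service are hypothetical, and how the service treats an event exactly at the checkpoint time is an assumption to verify.

```python
import json
from datetime import datetime, timezone
from urllib import parse, request

EXPORT_PATH = "/AdminInterface/restapi/v1/adminlog/exportlogs"  # path from the page

def http_fetch(base_url, jwt):
    """Build fetch(params) for the real service; base_url and jwt are caller-supplied."""
    def fetch(params):
        # urlencode percent-encodes ':' and '+', so timezone offsets survive the query string
        url = base_url.rstrip("/") + EXPORT_PATH + "?" + parse.urlencode(params)
        req = request.Request(url, headers={
            "Accept": "application/json", "Authorization": "Bearer " + jwt})
        with request.urlopen(req, timeout=30) as resp:  # raises HTTPError on 400/403
            return json.load(resp)
    return fetch

def export_events(fetch, start_after, end_on_or_before, page_size=100):
    """Yield every event in a fixed window, walking pageNumber 0..totalPages-1."""
    page = 0
    while True:
        body = fetch({"startTimeAfter": start_after, "endTimeOnOrBefore": end_on_or_before,
                      "pageSize": page_size, "pageNumber": page})
        yield from body["elements"]
        page += 1
        if page >= body["totalPages"]:
            return

def checkpoint(event):
    """Turn eventLogDate ('... UTC') into an ISO 8601 value for the next startTimeAfter."""
    ts = datetime.strptime(event["eventLogDate"], "%Y-%m-%dT%H:%M:%S.%f UTC")
    return ts.replace(tzinfo=timezone.utc).isoformat(timespec="milliseconds")

def fake_service(events):
    """Constructed in-memory stand-in for the service, so the loop runs offline."""
    calls = []
    def fetch(params):
        calls.append(params)
        size, page = params["pageSize"], params["pageNumber"]
        return {"totalPages": -(-len(events) // size), "totalElements": len(events),
                "pageSize": size, "elements": events[page * size:(page + 1) * size]}
    return fetch, calls

if __name__ == "__main__":
    sample = [{"eventId": i, "eventLogDate": "2018-05-13T16:0%d:00.000 UTC" % i}
              for i in range(5)]  # constructed sample events
    fetch, calls = fake_service(sample)
    got = list(export_events(fetch, "2018-05-13T00:00:00Z", "2018-05-14T00:00:00Z", 2))
    print(len(got), "events in", len(calls), "requests; next start:", checkpoint(got[-1]))
```

Against the live service, pass http_fetch(base_url, jwt) in place of the fake fetch and persist the checkpoint value only after the batch has been delivered to the SIEM.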

 

 
