Cloud Administration Retrieve Authentication Audit Logs API

Document created by RSA Information Design and Development on Nov 16, 2018. Last modified by RSA Information Design and Development on Nov 15, 2019.
Version 13

The Cloud Administration Retrieve Authentication Audit Logs API enables Help Desk administrators to retrieve authentication audit logs for a specific user. It returns the 100 most recent events, sorted in descending order by event time. The API filters by event code and specified date range. Pagination is not supported.

Authentication

Clients calling this API must authenticate themselves by including a JSON Web Token in a request. For instructions on using this token, see Authentication for the Cloud Administration APIs.

Administrative Roles

This API can use an API key that is associated with either the Super Administrator or Help Desk Administrator role. For more information, see Manage the Cloud Administration API Keys.

Software Developer Kit

You can download the API Software Developer Kit (SDK) from Cloud Administration REST API Download.

Request Requirements

Use the following information to retrieve authentication audit logs for a specific user. The <userId> parameter is a unique user identifier that is sent in the response to the Cloud Administration User Details API.

                     
| Method | Request URL | Response Content Type | Response Codes |
|---|---|---|---|
| GET | /AdminInterface/restapi/v1/users/<userId>/authlogs/ | application/json | 200, 400, 403, 404, 500 |

Resource Identifiers

The following table describes resource identifiers for the Retrieve Authentication Audit Logs API.

                                 
| Property | Description | Type |
|---|---|---|
| <userId> | Identifies the user. | String |
| eventCode | (Optional) User event code. Limits results to events with the specified eventCode value. For more information, see User Event Monitor Messages for the Cloud Authentication Service. | Integer |
| startTimeAfter | (Optional) Limits results to events that occurred after the specified date. Must be before endTimeOnOrBefore if that is also specified. | ISO 8601 Date Time. See https://www.w3.org/TR/NOTE-datetime for information on ISO 8601 format. |
| endTimeOnOrBefore | (Optional) Limits results to events that occurred before or on the specified date. Must be after startTimeAfter if that is also specified. | ISO 8601 Date Time. See https://www.w3.org/TR/NOTE-datetime for information on ISO 8601 format. |

Example Request Data

The following example displays a request.

GET http://localhost:8886/AdminInterface/restapi/v1/users/a780e57f-98e7-4303-9ce4-34afed539928/authlogs?startTimeAfter=2018-11-08T22:44:00.000Z&endTimeOnOrBefore=2018-11-10T22:44:00.000Z&eventCode=902
Authorization: Bearer <JWT token>

Example Response Data

The following example displays a response when the request succeeds.

[
  {
    "eventId": "9a6772f1-d80c-4b6f-8841-c0f32521a534",
    "eventLogDate": "2018-11-09T15:54:44.000Z",
    "eventType": "user",
    "eventLevel": "error",
    "eventCategory": "Authentication",
    "customerName": "mycompanyname",
    "user": "mabbott",
    "sourceIPAddress": "191.237.22.167",
    "eventCode": "902",
    "eventDescription": "Portal logon failed - Authentication failed.",
    "application": "Portal",
    "method": "password",
    "deviceName": "null",
    "authenticationDetails": null,
    "assuranceLevel": null
  }
]

Property Response Descriptions

The following table shows API response data.

                                                                                        
| Property | Description | Type |
|---|---|---|
| eventId | The user event log. | String |
| eventLogDate | Date/time of user event log, in Coordinated Universal Time (UTC). Example: 2018-05-13T16:29:59.000Z. See https://www.w3.org/TR/NOTE-datetime for information on ISO 8601 format. | ISO 8601 Date Time |
| eventType | Set to user. | String |
| eventLevel | Event log level values are: Notice (activity is successfully completed) and Error (activity completed with an error). | String |
| eventCategory | Authentication or Device Management. | String |
| customerName | Specified in the Cloud Administration Console on the Company Settings page. | String |
| user | User identifier. | String |
| sourceIPAddress | IP address of the user who generated the event. | IP Address |
| eventCode | User event code. For more information, see User Event Monitor Messages for the Cloud Authentication Service. | Integer |
| eventDescription | User event description. | String |
| application | Application authenticated. | String |
| method | Authentication method. | Integer |
| deviceName | Authentication device name. | String |
| authenticationDetails | Authentication details. | String |
| assuranceLevel | Authentication assurance level. | String |

Response Codes

The API returns the following response codes.

                               
| Code | Description |
|---|---|
| 200 | Authentication logs are successfully found. |
| 400 | Operation is not performed. One of the following messages is returned: StartDateTime equals or exceeds EndDateTime; Date format not in ISO format; Unrecognized parameter is passed. |
| 403 | Not authorized to perform the request. |
| 404 | User ID is not found. |
| 500 | Internal error occurred when processing the request. |
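
The following is an added example, not part of RSA's documentation or SDK: one way a Python client could check the documented parameters before sending (mirroring the 400 conditions above), build the request, and tally failed authentications by source IP from a response. All function names, the constructed-N event IDs, the 192.0.2.10 address and event code 0 are assumptions for illustration; reusing the oldest eventLogDate as the next endTimeOnOrBefore when 100 events come back is an assumed workaround for the lack of pagination, not documented behavior.

```python
from collections import Counter
from datetime import datetime
from urllib.parse import quote, urlencode
from urllib.request import Request

API_PATH = "/AdminInterface/restapi/v1/users/"  # request path from the page
PAGE_LIMIT = 100  # the page: 100 most recent events, no pagination

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")  # e.g. 2018-11-08T22:44:00.000Z

def build_request(base, user_id, jwt, start=None, end=None, event_code=None):
    """Reject inputs the API would answer with 400, then build (not send) the GET."""
    params = {}
    for name, value in (("startTimeAfter", start), ("endTimeOnOrBefore", end)):
        if value is not None:
            parse_ts(value)  # ValueError if not in the expected ISO 8601 form
            params[name] = value
    if start and end and parse_ts(start) >= parse_ts(end):
        raise ValueError("startTimeAfter must be before endTimeOnOrBefore")
    if event_code is not None:
        params["eventCode"] = int(event_code)
    # Percent-encode the user ID so it cannot change the request path.
    url = f"{base}{API_PATH}{quote(user_id, safe='')}/authlogs"
    if params:
        url += "?" + urlencode(params, safe=":")
    return Request(url, headers={"Authorization": f"Bearer {jwt}"}, method="GET")

def failures_by_source(events):
    """Count error-level Authentication events per (sourceIPAddress, eventCode)."""
    return Counter(
        (e.get("sourceIPAddress"), str(e.get("eventCode"))) for e in events
        if e.get("eventCategory") == "Authentication"
        and str(e.get("eventLevel", "")).lower() == "error")  # sample shows lowercase

def next_window_end(events):
    """Oldest eventLogDate if the 100-event cap was hit, else None."""
    if len(events) < PAGE_LIMIT:
        return None
    return min(events, key=lambda e: parse_ts(e["eventLogDate"]))["eventLogDate"]

# Constructed sample: row 1 uses values from the page's response; rows 2-3 are made up.
FIELDS = ("eventId", "eventLogDate", "eventLevel", "eventCategory", "sourceIPAddress", "eventCode")
SAMPLE = [dict(zip(FIELDS, row)) for row in (
    ("9a6772f1-d80c-4b6f-8841-c0f32521a534", "2018-11-09T15:54:44.000Z", "error", "Authentication", "191.237.22.167", "902"),
    ("constructed-2", "2018-11-09T15:53:10.000Z", "error", "Authentication", "191.237.22.167", "902"),
    ("constructed-3", "2018-11-09T15:50:02.000Z", "notice", "Authentication", "192.0.2.10", "0"),
)]
```

When a follow-up query reuses the value from next_window_end, the boundary event is returned again because the filter is "on or before", so results should be de-duplicated on eventId.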

 

 
