Cloud Administration Event Log API Cloud Administration Event Log API
The Cloud Administration Event Log API is a REST-based web services interface that allows audit log events to be retrieved from the Cloud Authentication Service. You can use this REST API to import the audit log events into your security information and event management (SIEM) solution, such as NetWitness. Events are retrieved in chronological order in batches, and do not contain duplicates. They can be filtered by date range. Events are retained for 90 days and then purged.
The endpoint, which can be either the SIEM or another client, uses the Administration API Key to call the Administration Event Log API. The Super Admin generates this key and provides it to the Client Developer, as described in Manage API Keys for the Administration Event Log, User Event Log, and Help Desk APIs.
For information on audit log messages that describe Super Admin activities, see Administration Log Messages for the Cloud Authentication Service .
Authentication Authentication
Clients calling this API must authenticate themselves by including a JSON Web Token in a request. For instructions on using this token, see Authentication for the Cloud Administration REST APIs.
Administrative RolesAdministrative Roles
This API can use an API key that is associated with either the Super Administrator or Help Desk Administrator role. For more information, see Manage the Cloud Administration REST API Keys.
Software Developer KitSoftware Developer Kit
You can download the API Software Developer Kit (SDK) from Cloud Administration REST API Download.
Request RequirementsRequest Requirements
Use the following method, request URL, body response, response body type, and response codes to retrieve audit log events from the Cloud Authentication Service and deliver them to your SIEM solution.
Method | Request URL | Response Body | Response Body Type | Response Codes |
---|---|---|---|---|
GET | /AdminInterface/restapi/v1/adminlog/exportlogs | Metadata plus array of Admin log events | application/json | 200, 400, 403 |
Request ParametersRequest Parameters
The Administration Log Event API allows the following optional parameters.
Note: The request query parameter values may contain reserve characters that need to be URL encoded. Otherwise, the server may send a 400 Bad Request error. For example, the ISO 8601 Date and Time format may contain the + character if the specific time zone has an offset from UTC, such as+05:30. The + character needs to be encoded as %2B.
Name | Description | Type | Default Value | Example |
---|---|---|---|---|
startTimeAfter | Start time of log events. | ISO 8601 Date Time | Current time - 1 day | 2018-05-01T11:22:12.828-05:30 |
endTimeOnOrBefore | End time of log events. | ISO 8601 Date Time | Current time | 2018-05-09T21:06:33.125-05:30 |
pageNumber | Zero-based index of the page to return. | Integer | 0 | 5 |
pageSize | Number of records to return in a page (or batch). Value between 1-100. Any value specified outside of this range will be treated as 100. | Integer | 100 | 50 |
Request ExamplesRequest Examples
The following example displays a REST API request with no parameters.
GET /AdminInterface/restapi/v1/adminlog/exportlogs
Accept: application/json
Authorization: Bearer <JWT token>
The following example shows a REST API request with a specified start time.
GET /AdminInterface/restapi/v1/adminlog/exportlogs?startTimeAfter=2018-05-01T11:22:12.828-05:30
Accept: application/json
Authorization: Bearer <JWT token>
Responses Responses
The following table shows response metadata.
Parameter | Description | Type |
---|---|---|
totalPages | Total number of pages (or batches) of results. | Integer |
totalElements | Total number of results | Integer |
pageSize | Number of results returned in a page (or batch) | Integer |
The following example shows sample response metadata with 684 total results and a default page size of 100.
{
"totalPages": 7,
"totalElements": 684,
"pageSize": 100,
"elements": [
{
......
}
]
}
The following table shows API response data.
Parameter | Description | Type |
---|---|---|
eventId | Identifies the event. | String |
eventLogDate | Date and time of the log event, in UTC timezone. Example: 2018-05-13T16:29:59.000 UTC | ISO 8601 Date Time |
eventType | Always set to Administration. | String |
serverURL |
The Administration Server URL. |
String |
serverIPAddress |
|
IP Address |
application | SecurID. | String |
customerId | Internal company specifier. | String |
customerName | Company name, as specified in Company Settings. | String |
sourceIPAddress | IP address used by the Super Admin account that performed the operation. | IP Address |
adminUserName | Username or email address used by the Super Admin who performed the operation. | String |
adminUserRole | Role of the administrator who performed the operation. Values are Super Administrator, Help Desk Administrator, and Support Administrator. | String |
activityKey | Activity key of the administration operation. See Cloud Authentication Service Administration Log Messages. | String |
activityCode | Unique activity code of the administration operation. See Cloud Authentication Service Administration Log Messages. | Integer |
result | Result of the administration operation. (SUCCESS or FAILURE) | String |
reasonKey | Reason for failure. | String |
message | Describes the administration operation. | String |
requiresPublish | Administration operation requires a publish. Values are true or false. | Boolean |
targetObject1Id targetObject1Name targetObject1Type targetObject2Id targetObject2Name targetObject2Type |
Identifies the target object of the administrative activity. Examples of administrative activity are ADD_POLICY and DELETE_POLICY. Publishing does not have a target object. | String |
Example ResponseExample Response
{
"totalPages": 1,
"totalElements": 2,
"pageSize": 100,
"elements": [
{
"eventId": 767,
"eventLogDate": "2018-05-13T16:29:59.000 UTC",
"eventType": "Administration",
"serverURL": "https://access.securid.com/AdminInterface/",
"serverIPAddress": "191.237.22.167",
"application": "SecurID",
"customerId": 3,
"customerName": "mycompanyname",
"sourceIPAddress": "1.2.3.4",
"adminUserName": "admin@mycompany.com",
"adminUserRole": "Super Administrator",
"activityKey": "SIGNIN_SUCCESS",
"activityCode": 80001,
"result": "SUCCESS",
"reasonKey": "",
"message": "admin@mycompany.com successfully signed in",
"requiresPublish": false
"targetObject1Id": null,
"targetObject1Name": null,
"targetObject1Type": null,
"targetObject2Id": null,
"targetObject2Name": null,
"targetObject2Type": null
},
{
"eventId": 768,
"eventLogDate": "2018-05-13T16:32:09.000 UTC",
"eventType": "Administration",
"serverURL": "https://access.securid.com/AdminInterface/",
"serverIPAddress": "191.237.22.167", ,
"application": "SecurID",
"customerId": 3,
"customerName": "mycompanyname",
"sourceIPAddress": "1.2.3.4",
"adminUserName": "admin@mycompany.com",
"adminUserRole: "Super Administrator",
"activityKey": "ADD_ADMIN_API_KEY",
"activityCode": 80400,
"result": "SUCCESS",
"reasonKey": "",
"message": "admin@mycompany.com added an
Admin API Key 139f6495-e447-4a26-a765-5c01b6152d5",
"requiresPublish": false,
"targetObject1Id": 18,
"targetObject1Name": "139f6495-e447-4a26-a765-5c01b6b152d5",
"targetObject1Type": "ADMIN_API_KEY",
"targetObject2Id": null,
"targetObject2Name": null,
"targetObject2Type": null
}
]
}