Cloud Administration User Event Log API
The Cloud Administration User Event Log API is a REST-based web services interface that allows user events to be retrieved from Cloud Access Service (CAS). Customers can use this REST API to import the user event logs into their security information and event management (SIEM) solution, such as NetWitness or write your own custom Administration Event Log API client software, or use RSA's Java rsa-securidaccess-rest-client-sdk or Python admin_api_cli command line utility to download events to a file. The utilities are part of the RSA SecurID Access Administration REST API which can be downloaded from the RSA ID Plus Downloads page (RSA Community login is required). Event logs are retrieved in chronological order in batches, and do not contain duplicates. Events are retained for 40 days in CAS and then purged, so events from the last 40 days are available for download using this API.
The API client, uses a JSON Web Token (JWT) with HTTP Bearer Authentication when calling the User Event Log API. The Super Admin creates a key in the Cloud Administration Console, then the key plus any other information required is used to generate the JWT, as described in Authentication for the Cloud Administration APIs .
For information on audit log messages that describe user activities, see User Event Monitor Messages in the Cloud Administration Console. For information on downloading audit log messages that describe Helpdesk Administrator and Super Administrator activities, see Cloud Administration Event Log API .
For information about managing access to this API, see Accessing the Cloud Administration APIs
Authentication
Clients calling this API must authenticate themselves by including a JSON Web Token in a request. For instructions on using this token, see Authentication for the Cloud Administration APIs.
Software Developer Kit
You can download the API Software Developer Kit (SDK) as the RSA SecurID Access Administration REST API. It is available from the RSA ID Plus Downloads page (RSA Community login is required).
Request Requirements
Use the following information in requests to retrieve user events from CAS and deliver them to your API client.
| Method | Request URL | Response Body | Response Body Type | Response Codes |
|---|---|---|---|---|
| GET | /AdminInterface/restapi/v1/usereventlog/exportlogs | Metadata, plus array of User Event logs | application/json | 200, 400, 403, 429 |
Request Parameters
The User Event Log REST API allows the following parameters.
Note: The request query parameter values may contain reserve characters that need to be URL encoded. Otherwise, the server may send a 400 Bad Request error. For example, the ISO 8601 Date and Time format may contain the + character if the specific time zone has an offset from UTC, such as+05:30. The + character needs to be encoded as %2B.
| Name | Description | Type | Default Value | Example |
|---|---|---|---|---|
| startTimeAfter | Timestamp limit. User events logged after this timestamp are exported. The duration must not exceed 7 days. | ISO 8601 Date Time | Current time - 1 day | 2018-05-01T11:22:12.828-05:30 |
| endTimeOnOrBefore | Timestamp limit. User events logged before or on this timestamp are exported. The duration must not exceed 7 days. | ISO 8601 Date Time | Current time | 2018-05-09T21:06:33.125-05:30 |
| pageNumber | The pageNumber parameter will be validated when it exceeds the application's maximum limit of 10,737,417. If this limit is crossed, the system returns an HTTP 400 response. | Integer | 0 | 5 |
| pageSize | Number of records to return in a page (or batch). Value between 1-200. Any value specified outside of this range is treated as 200. | Integer | 200 | 50 |
Example Request with No Parameters
The following example returns log data for the previous 24 hours.
GET /AdminInterface/restapi/v1/usereventlog/exportlogs
Accept: application/json
Authorization: Bearer <bearer token>
Example Request with Start Time Specified
The following example shows an API request with a specified start time.
GET /AdminInterface/restapi/v1/usereventlog/exportlogs?startTimeAfter=2018-05-01T11:22:12.828-05:30
Accept: application/json
Authorization: Bearer <bearer token>
Response Body
The following table shows the name, description, and type used for API response metadata.
| Name | Description | Type |
|---|---|---|
| totalPages | Total number of pages (or batches) of results. | Integer |
| totalElements | Total number of results. | Integer |
| pageSize | Number of results returned in a page (or batch). | Integer |
| currentPage | Page number associated with the results returned in the response. Pages are numbered from 0 to (totalPages - 1). | Integer |
| userEventLogExportEntries | List of exported event log entries. | Array |
The following sample response metadata displays 684 results with a page size of 100.
{
"totalPages":7,
"totalElements":684,
"pageSize":100,
"currentPage":0,
"userEventLogExportEntries":
userEventLogExportEntries
The following table shows the elements of entries in the userEventLogExportEntries array.
| Name | Description | Type | Required |
|---|---|---|---|
| eventId | ID of user event log. | Long | Yes |
| eventLogDate | Date and time of user event log, in UTC timezone. Example: 2018-05-13T16:29:59.000 UTC | ISO 8601 Date Time | Yes |
| eventType | Always set to user. | String | Yes |
| eventLevel | Event log level, notice, or error. | String | Yes |
| eventCategory | Authentication or Device Management. | String | Yes |
| serverIPAddress | IP address of the server where the user event occurs. | IP Address in String | Optional |
| tenantId | Identifies the customer's deployment. | UUID in String | Yes |
| customerName | subdomain assigned to the customer. | String | Optional |
| userId | User identifier. | String | Optional |
| sourceIPAddress | IP Address of the user who generated user events. | IP Address | Optional |
| eventCode | User event code. | String | Yes |
| eventDescription | User event description. | String | Yes |
| application | Authenticated application. | String | Yes |
| method | Authentication method. | String | Optional |
| deviceName | Authentication device name. | String | Optional |
| deviceId | Authentication device identifier. | String | Optional |
| policyId | Access policy identifier. | String | Optional |
| policyName | Access policy name. | String | Optional |
| authenticationDetails | Authentication details. | String | Optional |
| assuranceLevel | Assurance level used in the access policy. | String | Optional |
| verboseFlag | Indicates if verbose details are included | Boolean | Yes |
| userActivityId | Identifies the user's actions within My Page session. | String | Optional |
| transactionId | Identifies the user's MFA transactions. | String | Optional |
Related Articles
Authentication Methods for Cloud Access Service Users Number of Views Cloud Access Service Rollout to Users Number of Views Managing Cloud Authentication Service Connection Number of Views Manage Users for Cloud Access Service Number of Views Embedded Identity Router in RSA Authentication Manager Number of Views
Trending Articles
Passwordless Authentication in Windows MFA Agent for Active Directory – Quick Setup Guide RSA Authentication Manager 8.9 Release Notes (January 2026) RSA Authentication Manager Upgrade Process RSA Authentication Manager 8.7 SP2 Setup and Configuration Guide An example of SSO using SAML and ADFS with RSA Identity Management and Governance 6.9.x
