This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Announcements
SecurID® Knowledge Base
Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.
- RSA Community
- :
- Products
- :
- SecurID
- :
- Knowledge Base
- :
- Download RSA SecurID Access Cloud User Event audit logs using Cloud Administration REST API CLU
-
Options
- Subscribe to RSS Feed
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Download RSA SecurID Access Cloud User Event audit logs using Cloud Administration REST API CLU
Article Number
000063619
Applies To
RSA Product Set: RSA SecurID
RSA Product/Service Type: Cloud Authentication Service
RSA Version/Condition: all
RSA Product/Service Type: Cloud Authentication Service
RSA Version/Condition: all
Issue
For troubleshooting or audit purposes it can be useful to see a history of user authentications and other events, such as device registrations.
Usually, you can Monitor User Events in the Cloud Administration Console. However, only a limited number of the most recent events are displayed there. To see events that go back further in time, there are APIs that can be used instead: The Cloud Administration APIs are REST-based web service interfaces. The above two APIs can be used by third-party SIEM tools that support a REST API to fetch user audit events.
The Cloud Administration APIs come with a Command Line Utility (CLU) tool that is useful for adhoc retrieval of event logs without a third-party tool.
This article explains how to use the CLU tool to retrieve User Event audit logs. Article Download RSA SecurID Access Cloud Administration audit logs using Cloud Administration REST API CLU explains how to use the same tool to retrieve Administration Event audit logs.
Usually, you can Monitor User Events in the Cloud Administration Console. However, only a limited number of the most recent events are displayed there. To see events that go back further in time, there are APIs that can be used instead: The Cloud Administration APIs are REST-based web service interfaces. The above two APIs can be used by third-party SIEM tools that support a REST API to fetch user audit events.
The Cloud Administration APIs come with a Command Line Utility (CLU) tool that is useful for adhoc retrieval of event logs without a third-party tool.
This article explains how to use the CLU tool to retrieve User Event audit logs. Article Download RSA SecurID Access Cloud Administration audit logs using Cloud Administration REST API CLU explains how to use the same tool to retrieve Administration Event audit logs.
Resolution
Here are the basic steps to download User Event actions (audit records) for all users, using the API package's command line utility (CLU). Events are downloaded from the last 24 hours. To download events from other times, see section Specifying Time Period below.
<path to API key file> is the downloaded API key file. If there are spaces in the path, the path must be surrounded in double quotes (see examples in section Specifying Time Period below).
<CAC FQDN> should be substituted with the fully-qualified domain name of your Cloud Administration Console:
Date and time must be specified in ISO 8601 Date Time format: yyyy-mm-ddThh:mm:ss.tttShh:mm where ttt is milliseconds and Shh:mm is the UTC offset where S must be - (dash or minus sign) for a negative offset or + (plus sign) for a positive offset. All components of the date and time must be specified, including seconds, milliseconds and UTC offset.
This example uses UTC -0800.
This example uses UTC +1000.
This example uses UTC.
- Download the RSA SecurID Access Administration REST API to any Windows or Linux machine that has Java installed and network connectivity to your Cloud Administration Console.
- Unzip the downloaded package file to a convenient directory location.
- From the Cloud Administration Console Add an API key and download it to the machine where you unzipped the Administration REST API.
- From the top-level directory of the unzipped API package run the CLU shown below (note that the example syntax is on Windows):
.\bin\rsa-securidaccess-rest-client-sdk.bat -f <path to API key file> -o exportAllUserEventLog -u https://<CAC FQDN>/AdminInterface/restapi/v1<path to API key file> is the downloaded API key file. If there are spaces in the path, the path must be surrounded in double quotes (see examples in section Specifying Time Period below).
<CAC FQDN> should be substituted with the fully-qualified domain name of your Cloud Administration Console:
- Americas customers use <company subdomain>.access.securid.com
- EMEA customers use <company subdomain>.access-eu.securid.com.
- APJ customers use: <company subdomain>.access-anz.securid.com.
- India customers use: <company subdomain>.access-in.securid.com.
Specifying Time Period
By default, the command reports on the last 24-hour period. Alternatively, a specific time period of interest can be specified with the additional command line switches -s (start time period) and/or -e (end time period).Date and time must be specified in ISO 8601 Date Time format: yyyy-mm-ddThh:mm:ss.tttShh:mm where ttt is milliseconds and Shh:mm is the UTC offset where S must be - (dash or minus sign) for a negative offset or + (plus sign) for a positive offset. All components of the date and time must be specified, including seconds, milliseconds and UTC offset.
Negative UTC offset Example
This example uses UTC -0800.
.\bin\rsa-securidaccess-rest-client-sdk.bat -f 5c221bc1-a69e-4a78-8d2f-c0646ba4d91d.key -o exportAllUserEventLog -u https://mysubdomain.access.securid.com/AdminInterface/restapi/v1 -s 2021-07-01T11:22:12.828-08:00 -e 2021-07-30T11:22:12.828-08:00
Positive UTC Offset Example
This example uses UTC +1000.
.\bin\rsa-securidaccess-rest-client-sdk.bat -f "c:\temp\RSA API\5c221bc1-a69e-4a78-8d2f-c0646ba4d91d.key" -o exportAllUserEventLog -u https://mysubdomain.access-anz.securid.com/AdminInterface/restapi/v1 -s 2021-09-30T09:15:00.000+10:00 -e 2021-10-31T23:59:59.999+10:00
UTC Example
This example uses UTC.
.\bin\rsa-securidaccess-rest-client-sdk.bat -f "c:\temp\RSA API\ea9e8e60-cde6-425c-8161-af967a157927.key" -o exportAllUserEventLog -u https://mysubdomain.access-eu.securid.com/AdminInterface/restapi/v1 -s 2021-09-30T09:15:00.000Z -e 2021-10-31T23:59:59.999ZNotes
- The rsa-securidaccess-rest-client.sdk CLU requires Java to be installed on the computer where it will be run.
- JAVA_HOME must be set (JAVA_HOME is an environment variable that indicates where in the file system the JDK or JRE is installed, e.g. C:\Program Files (x86)\Java\jre1.8.0_333).
- These instructions assume the Windows PATH environment variable has been updated to include the Java bin directory/folder, e.g. on Windows, that would be %JAVA_HOME%\bin.
- Run the rsa-securidaccess-rest-client.sdk CLU with no switches to see all of the available command options:
.\bin\rsa-securidaccess-rest-client-sdk.bat- Some versions of the rsa-securidaccess-rest-client.sdk CLU, up to and including v2.7.1, do not support Positive UTC time offsets for the -s and -e options. Upgrade to v2.7.2 or later to fix the issue. Or, as a workaround, specify times in UTC (see "UTC Example" above).
Tags (43)
- All Versions
- Any Version
- CAS
- Cloud Auth Service
- Cloud Authentication Service
- Configuration
- Configure Reports
- Customer Support Article
- Every Version
- Helpful Hints
- How To
- Informational
- Instructions
- KB Article
- Knowledge Article
- Knowledge Base
- Log File
- Log Files
- Logging
- Logs
- Process Steps
- Report
- Reporting
- Reporting Help
- Reports
- RSA SecurID
- RSA SecurID Access
- RSA SecurID Suite
- SaaS
- SecurID
- SecurID Access
- SecurID Access Cloud
- SecurID Cloud
- SecurID Suite
- Setup
- Setup Reports
- Software as a Service
- Tip & Tricks
- Tips and Tricks
- Tutorial
- Version Agnostic
- Walk Through
- Walkthrough
No ratings
