Audit endpoints
The list of available endpoints for querying audit indexes is available under /api/audit.
You can also use the command line interface (CLI) and the tail command in particular to query logs.
Query
The endpoint base address template is:
GET /api/audit/<index name>/query{/entityId}{?from,to,fullText,skip,take,sort,order}
The querying endpoints support the following parameters:
| Name | Type | Sample value | Description |
|---|---|---|---|
| entityId | Long | 9962 | ID of the audited entity (optional) |
| from | DateTime | 2018-07-01T08:00Z | Start DateTime |
| to | DateTime | 2018-07-02T08:00Z | End DateTime |
| fullText | String | Asset | Full-text search phrase |
| skip | Int | 0 | Paging: starts from given item index |
| take | Int | 10 | Paging: shows given number of items |
| sort | String | timeStamp | Elasticsearch field to sort from |
| order | String | desc | Sort order: asc or desc |
{
"items": [
... documents ...
],
"total_items": 15,
"returned_items": 10,
"next": {
"href": "<link to next page>",
"title": ...
},
"previous": {
"href": "<link to previous page>",
"title": ...
},
"self": {
"href": "<link to current page>",
"title": ...
}
}
Some endpoints have an additional set of parameters. The corresponding sections specify the differences.
The asterisk (*) indicates that the URL expands into a list of key-value pairs, not a key with a list of values. For example, Uri.expand("{?userIds*}", {userIds:[1,2]}) expands into ?userIds=1&userIds=2, not ?userIds=1,2.
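The following Python example is added here and is not part of the original documentation. It expands the query template, exploding list values as the asterisk rule describes, and follows next.href page by page while refusing links that leave the starting origin; the host hub.example, the injected fetch function and the two constructed pages are assumptions.

```python
from urllib.parse import urlencode, urlsplit

def build_query_url(base, index, params, entity_id=None):
    """Expand /api/audit/<index>/query{/entityId}{?...}.
    List values are exploded into repeated key=value pairs (the asterisk rule)."""
    url = f"{base.rstrip('/')}/api/audit/{index}/query"
    if entity_id is not None:
        url += f"/{entity_id}"
    pairs = []
    for key, value in params.items():
        if value is None:
            continue  # optional parameter not supplied
        values = value if isinstance(value, (list, tuple)) else [value]
        pairs.extend((key, str(v)) for v in values)
    return url + ("?" + urlencode(pairs) if pairs else "")

def iter_items(first_url, fetch, max_pages=1000):
    """Yield every item, following next.href until a page has no next link.
    fetch(url) -> parsed JSON dict; it is injected so the caller controls auth."""
    origin = urlsplit(first_url)[:2]  # (scheme, host:port)
    url, seen = first_url, set()
    while url:
        if urlsplit(url)[:2] != origin:
            raise ValueError(f"next link leaves {origin}: {url}")
        if url in seen or len(seen) >= max_pages:
            raise RuntimeError("pagination loop or page limit reached")
        seen.add(url)
        page = fetch(url)
        yield from page.get("items", [])
        url = (page.get("next") or {}).get("href")

# Constructed two-page response set, shaped like the sample response above.
FIRST = build_query_url("https://hub.example", "business",
                        {"logType": ["useraudit"], "skip": 0, "take": 2,
                         "sort": "timeStamp", "order": "desc"})
SECOND = FIRST.replace("skip=0", "skip=2")
PAGES = {
    FIRST: {"items": [{"id": "a"}, {"id": "b"}], "total_items": 3,
            "returned_items": 2, "next": {"href": SECOND}},
    SECOND: {"items": [{"id": "c"}], "total_items": 3, "returned_items": 1},
}

def collect_ids():
    return [item["id"] for item in iter_items(FIRST, PAGES.__getitem__)]

if __name__ == "__main__":
    print(FIRST)
    print(collect_ids())
```

The origin check matters because the client usually attaches credentials to every request, and a next link is data returned by the server rather than a URL the client chose.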
Scroll
To fetch more items than Elasticsearch (ES) querying allows, use the scroll API. It allows paging in one direction only and works similarly to the entities scroll endpoint.
The endpoint base address template is:
GET /api/audit/<index name>/scroll{/entityId}{?scrollTime,scrollId,from,to,fullText,skip,take,sort,order}
Each scroll endpoint accepts the same set of parameters as its corresponding query endpoint.
The scroll endpoints support the following parameters:
| Name | Type | Sample value | Description |
|---|---|---|---|
| scrollId | String | DXF1..U1QQ== | Scroll ID assigned by ES. This parameter is automatically appended to the |
| scrollTime | TimeSpan | Raw | Determines how long the created scroll stays alive in ES. When not provided, the value is taken from the |
Generate
To place a download order for the entire log or its subset, use generation endpoints.
The endpoint base address template is:
POST /api/audit/<index name>/generate
The generation endpoints support the following parameters:
| Name | Type | Sample value | Description |
|---|---|---|---|
| | String | Raw | One of the following values: raw, business, scripting, action, or trigger |
| | String | csv | One of the following values: csv, json |
| | DateTime | 2018-07-01T08:00Z | Start DateTime |
| | DateTime | 2018-07-02T08:00Z | End DateTime |
| | Dict | { "user_id": ["6"] } | A set of filters applied to the selected audit index |
Response headers:
Location: <url to download order>
Raw query
A raw query has two endpoints, /api/audit/raw/ and /api/audit/raw/operational/.
Business query
The business query fetches the business audit index.
The endpoint base address template is:
GET /api/audit/business/query{/entityId}{?logType*,raw,from,to,fullText,skip,take,sort,order}
The business query endpoints support the following parameters:
| Name | Type | Sample value | Description |
|---|---|---|---|
| logType | String | useraudit | Filters by the provided type |
| | String | user.login.success | Event type. Possible values: Created, Updated, Deleted, Enabled, Disabled, or Executed. |
| | String | SampleUser | User who created the business entity |
| | String | SampleUser | User who last modified the business entity |
| | String | SampleUser | User making the query |
| | String | | Definition of the business entity |
| raw | String | | Raw Elasticsearch query (deprecated: parameter left for compatibility) |
Use the public link endpoint to query for publiclink.requested events.
GET /api/audit/business/query?logType=useraudit
{
"items": [
{
"event_type": "user.login.success",
"created_by": "SampleUser",
"modified_by": "SampleUser",
"created_on": "2018-11-29T13:36:11.7964771Z",
"modified_on": "2021-04-19T09:45:25.1231815Z",
"username": "SampleUser",
"log_type": "useraudit",
"browser_information": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36",
"geoip": {
"continent_name": "Europe",
"region_iso_code": "BE-VBR",
"city_name": "Halle",
"country_iso_code": "BE",
"region_name": "Flemish Brabant Province",
"location": {
"lon": 4.2345,
"lat": 50.7338
}
}
},
...]
}
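The following Python example is added here and is not part of the original documentation. It runs a simple detection over useraudit items shaped like the sample response above, reporting successful logins from a country outside a per-user baseline; the baseline, the helper names, the sample items and the possibility of items without geoip data are assumptions.

```python
from collections import Counter

def new_country_logins(items, baseline):
    """Flag successful logins from a country outside the user's baseline.
    baseline: {username: set of ISO country codes} (hypothetical input).
    Returns (findings, skipped), where skipped counts logins per user that
    carry no geoip data and therefore cannot be compared."""
    findings, skipped = [], Counter()
    for item in items:
        if (item.get("log_type"), item.get("event_type")) != \
                ("useraudit", "user.login.success"):
            continue
        user = item.get("username", "<missing>")
        geo = item.get("geoip") or {}
        country = geo.get("country_iso_code")
        if country is None:
            skipped[user] += 1
        elif country not in baseline.get(user, set()):
            findings.append({"username": user, "country": country,
                             "city": geo.get("city_name"),
                             "browser": item.get("browser_information")})
    return findings, dict(skipped)

# Constructed items using the field names from the sample response above.
def _login(user, country=None, city=None):
    item = {"event_type": "user.login.success", "log_type": "useraudit",
            "username": user, "browser_information": "constructed-agent/1.0"}
    if country:
        item["geoip"] = {"country_iso_code": country, "city_name": city}
    return item

SAMPLE_ITEMS = [
    _login("SampleUser", "BE", "Halle"),
    _login("SampleUser", "CA", "Toronto"),
    _login("ServiceUser"),                      # constructed: item without geoip
    {"event_type": "Updated", "log_type": "useraudit", "username": "SampleUser"},
]
BASELINE = {"SampleUser": {"BE"}}               # hypothetical known-good set

def run_sample():
    return new_country_logins(SAMPLE_ITEMS, BASELINE)

if __name__ == "__main__":
    print(run_sample())
```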
Public link endpoint
This endpoint specifically targets public link events and has the following parameters:
| Name | Type | Sample value | Description |
|---|---|---|---|
| auditType | String | business | Specifies the category or type of audit event. |
| eventType | String | publiclink.requested | Describes the specific action or event that triggered the audit log entry. |
| createdBy | String | Administrator | Identifies the user or system entity that created the audit log entry. |
| modifiedBy | String | Administrator | Indicates the user or system entity that last modified the audit log entry. |
| definition | String | M.Asset | Specifies the schema or type of entity being audited. |
| logType | String | reportingeventslog | Indicates the category or nature of the log entry. |
Publiclink.requested events have been discontinued, and are no longer available.
GET /api/audit/publiclink/query?skip=0&take=25&sort=%40timestamp&order=desc
{
"items": [
{
"data": {
...
},
"event_type": "PublicLinkRequested",
"id": "e24925fd-ee5c-4189-979f-1c3ec7bc4196",
"audit_type": "PublicLink",
"target_definition": "M.Asset",
"target_id": 31830,
"timestamp": "2024-06-06T19:30:01.4328976Z",
"user_id": 6
},
{
"event_type": "publiclink.requested",
"created_by": "Administrator",
"modified_by": "Administrator",
"created_on": "2024-06-06T15:58:42.9697073Z",
"modified_on": "2024-06-06T19:00:06.0832893Z",
"log_type": "reportingeventslog",
"ip_address": "172.31.0.1",
"properties": {
...
},
"ancestors": {
...
},
"id": "692d9fd2-f045-4188-9fbb-055c8e32ff9e",
"audit_type": "PublicLink",
"target_definition": "M.Asset",
"target_id": 31830,
"timestamp": "2024-06-06T19:29:09.3470278Z",
"user_id": 6
},
...
],
"total_items": 55,
"returned_items": 25,
"next": {
"href": "https://localhost:8180/api/audit/publiclink/query?skip=2&take=2&sort=@timestamp&order=Desc",
"title": "The next page in this collection"
},
"self": {
"href": "https://localhost:8180/api/audit/publiclink/query?skip=0&take=2&sort=@timestamp&order=Desc",
"title": "This collection"
}
}
Business generate
The business generate endpoints support the following parameters:
| Name | Type | Sample value | Description |
|---|---|---|---|
| | String | useraudit | Overrides the filter property to set the provided log type as a filter. |
Scripting query
The scripting query fetches the scripting audit index.
The endpoint base address template is:
GET /api/audit/scripting/query{/entityId}{?scriptType,scriptName,scriptContentId,scriptContentIdentifier,errorMessage,executionSource,id,eventType,severity,targetId,targetIdentifier,userId,from,to,fullText,skip,take,sort,order}
The scripting query endpoints support the following parameters:
| Name | Type | Sample value | Description |
|---|---|---|---|
| scriptType | String | UserPreRegistration | Type of script. Possible values: UserPreRegistration, UserPostRegistration, UserSignIn, MetadataProcessing, or ActionScript. |
| scriptName | String | fooScript | Script name |
| scriptContentId | Long | 1234 | Id of the script content entity |
| scriptContentIdentifier | String | zfSGGTUNhkKVdY9U-z49iQ | Identifier of the script content entity |
| errorMessage | String | Failed | Fragment of the error message |
| executionSource | String | Automatic | Scripting execution source. Possible values: Automatic, Trigger, WebApi, Command, ExternalAction, or MassEdit. |
| id | Guid | 0ccd58cf-c83f-42ba-907f-44d8950a20fd | Audit message id |
| eventType | String | Created | Event type. Possible values: Created, Updated, Deleted, Enabled, Disabled, or Executed. |
| severity | String | Warning | Audit entry severity. Possible values: Debug, Warning, Info, Error, or Fatal. |
| targetId | Long | 1234 | Id of the audited entity |
| targetIdentifier | String | zfSGGTUNhkKVdY9U-z49iQ | Identifier of the audited entity |
| userId | Long | 1234 | Id of the user who triggered the audit entry creation |
GET /api/audit/scripting/query?scriptType=UserPreRegistration
{
"items": [
{
"script_type": "ActionScript",
"script_name": "CMP - Create public links for linked assets",
"script_content_id": 30459,
"script_content_identifier": "gqQwt42TR0-H053IJPX5KQ",
"execution_time": 2343,
"execution_source": "Trigger",
"context_data": {
"data": {},
"execution_event": null,
"execution_phase": null,
"execution_source": "Trigger",
"execution_type": "OutOfProcess",
"result": {},
"target": "Asset",
"target_id": 31523,
"target_type": null
}
},
...]
}
Action query
The action query fetches the action audit index.
The endpoint base address template is:
GET /api/audit/action/query{/entityId}{?actionType,actionPhase,executionType,executionSource,executionTime,messageId,retryCount,success,id,eventType,severity,targetId,targetIdentifier,userId,from,to,fullText,skip,take,sort,order}
The action query endpoints support the following parameters:
| Name | Type | Sample value | Description |
|---|---|---|---|
| actionType | String | ApiCall | Type of action. Possible values: ApiCall, ActionScript, AzureEventHub, ReportingChannel, PrintEntityGeneration, StartBpmAutomation, StartSmAutomation, AzureServiceBus, or MAzureServiceBus. |
| actionPhase | String | Pre | Phase the action is executed in. Possible values: Post, Pre, Security, Validation, Audit. |
| executionType | String | InProcess | Type of execution. Possible values: OutOfProcess or InProcess. |
| executionSource | String | Trigger | Source of execution. Possible values: Unknown, Trigger, ExternalAction, Command, WebApi, MassEdit, or BPM. |
| executionTime | Long | 234 | The elapsed execution time in milliseconds |
| messageId | Long | 1234 | Message id |
| retryCount | Int | 3 | Number of retries |
| success | Bool | true | Whether the action was successful |
| id | Guid | 0ccd58cf-c83f-42ba-907f-44d8950a20fd | Audit message id |
| eventType | String | Created | Event type. Possible values: Created, Updated, Deleted, Enabled, Disabled, or Executed. |
| severity | String | Warning | Audit entry severity. Possible values: Debug, Warning, Info, Error, or Fatal. |
| targetId | Long | 1234 | Id of the audited entity |
| targetIdentifier | String | zfSGGTUNhkKVdY9U-z49iQ | Identifier of the audited entity |
| userId | Long | 1234 | Id of the user who triggered the audit entry creation |
GET /api/audit/action/query?actionType=ApiCall
{
"items": [
{
"action_type": "StartSmAutomation",
"action_phase": "Post",
"execution_type": "InProcess",
"execution_source": "Trigger",
"execution_time": 8,
"target_name": "CMP - Content approval action",
"retry_count": 0,
"success": true,
"entity_id": 33232,
"id": "42e0ca85-87d1-437b-9df8-3decbadd1bf8",
"audit_type": "Action",
"event_type": "Executed",
"severity": "Info",
"target_id": 9878,
"target_identifier": "M.Action.CMP.Content.Approval",
"timestamp": "2021-04-19T10:42:09.8503118Z",
"user_id": 6
},
...]
}