Audit Logs Management
Export audit logs to a CSV file
Exporting audit logs to a CSV file requires multiple API calls:
• Initiate the processing of audit logs to be exported:
  GET api/v2/logs/audit_logs_export
• Return the status of the initiation of the export process:
  GET api/v2/logs/audit_logs_export_status
• Initiate the download of the CSV file:
  GET api/v2/logs/audit_logs_csv
Initiate the processing of audit logs to be exported
This call initiates audit log processing.
Required Role
See Authentication for complete details on ensuring that the credentials you use for basic authentication belong to a user with the necessary role for this API call.
Category: Logs and Events Management
Role Description: View logs and events
HTTP method
GET
Request URI
api/v2/logs/audit_logs_export
Request parameters
Parameter | Description | Sample Value
adminDeviceSpaceId | Required. Parameter Type: Query. Data Type: Number. Device space ID of the administrator. | 1
userActionIds | Parameter Type: Request body. Data Type: Integer[ ]. Comma-separated values of user action type IDs. The user action type IDs are fetched from the /api/v2/admins/{source}/actions call. If this is empty, then all the user action types will be considered for the search. |
status | Parameter Type: Request body. Data Type: String[ ]. Comma-separated values of Audit Log status to filter. If this is empty, then returned Audit Logs may contain all kinds of statuses. | Success, Failed, Initiated
subject | Parameter Type: Request body. Data Type: String. Placeholder for a device UUID to filter logs for a particular device. |
actionStart | Parameter Type: Request body. Data Type: Number. Start time after which the audit logs are required. |
actionEnd | Parameter Type: Request body. Data Type: Number. This can be used along with actionStart to form a date range during which the Audit logs are required. |
sortField | Parameter Type: Query. Data Type: String. Min: 1 character. Max: 320 characters. Name of the field to use for sorting. |
sortOrder | Parameter Type: Query. Data Type: String. Default: ASC. Indicates the order in which entries are returned. Values can be "ASC" or "DESC". | ASC
Response fields
Field | Description
exportStatusMsg | Audit logs processing initiated/failure message.
isRunning | Boolean value that indicates whether the audit logs processing is initiated/running or not.
Sample Request
curl -sS -k -u <userName>:<password> \
  -G https://[Ivanti EPMM]/api/v2/logs/audit_logs_export \
  --data-urlencode 'sortField=requestedAt' --data-urlencode 'sortOrder=ASC'
Sample Responses
Success:
{
  "exportStatusMsg":"Initiated processing of Audit Logs to be exported...",
  "isRunning":true
}
If the process is already initiated:
{
  "exportStatusMsg":"Audit Logs Export is in progress. It might be issued by another admin. Please try after some time.",
  "isRunning":false
}
Failure:
{
  "exportStatusMsg":"Failed to initiate audit logs export",
  "isRunning":false
}
Return the status of the initiation of the export process
This call gets the status of the audit log export process.
Required Role
See Authentication for complete details on ensuring that the credentials you use for basic authentication belong to a user with the necessary role for this API call.
Category: Logs and Events Management
Role Description: View logs and events
HTTP method
GET
Request URI
api/v2/logs/audit_logs_export_status
Request parameters
Parameter | Description | Sample Value
adminDeviceSpaceId | Required. Parameter Type: Query. Data Type: Number. Device space ID of the administrator. | 1
Response fields
Field | Description
exportStatusMsg | Audit Logs processing status/progress message. "success" - If the processing is completed successfully. "fail" - If the processing failed due to server error.
isRunning | Boolean value that indicates whether the audit logs processing is progressing or not.
isExportStatusAvailable | Indicates whether the export progress status is available.
Sample Request
curl -sS -k -u <userName>:<password> \
  -G https://[Ivanti EPMM]/api/v2/logs/audit_logs_export_status
Sample Responses
While the processing of audit log entries to be exported is progressing:
{
  "exportStatusMsg":"Processed 10,000 of 80,000 audit log entries...",
  "isRunning":true,
  "initiatedAt":"01-22-2005-1106412118809",
  "isExportStatusAvailable":true
}
When the processing of audit log entries to be exported is completed successfully:
{
  "exportStatusMsg":"success",
  "isRunning":false,
  "isExportStatusAvailable":true
}
Failure:
{
  "exportStatusMsg":"fail",
  "isRunning":false,
  "isExportStatusAvailable":true
}
Download the CSV file
This call downloads the CSV file.
Required Role
See Authentication for complete details on ensuring that the credentials you use for basic authentication belong to a user with the necessary role for this API call.
Category: Logs and Events Management
Role Description: View logs and events
HTTP method
POST
Request URI
api/v2/logs/audit_logs_csv
Request parameters
Parameter | Description | Sample Value
adminDeviceSpaceId | Required. Parameter Type: Query. Data Type: Number. Device space ID of the administrator. | 1
-o | Required. Parameter Type: Query. Data Type: String. The name of the file to download. | auditlog.zip
Response fields
Field | Description
Content-Disposition → attachment;filename=<filename> |
Content-Type → application/octet-stream;charset=UTF-8 |
Sample Request
curl -v -u <user>:<pass> -XPOST https://[Ivanti EPMM]/api/v2/logs/audit_logs_csv -o auditlog.zip
Sample Response
Content-Disposition →attachment; filename=AuditLogs-emm-cope.hubtotal.net-11-16-2018-1542372740221.zip
Content-Type →application/octet-stream;charset=UTF-8
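The three export calls chained into one client, as an added example (not Ivanti's code): it starts the export, polls the status call until isRunning is false, and downloads the zip only when exportStatusMsg is "success". The names make_transport, export_audit_logs, replay and ExportError are hypothetical; the download uses POST as in the sample request above, and TLS certificate verification stays on instead of being disabled as with curl -k.

```python
import base64, json, time, urllib.request

class ExportError(RuntimeError):
    """Export was refused, failed, or did not finish in time."""

def make_transport(base_url, user, password, space_id=1):
    """Basic-auth HTTPS transport (hypothetical helper). Certificate
    verification is urllib's default and is deliberately left enabled."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    def call(method, path):
        req = urllib.request.Request(
            f"{base_url}/{path}?adminDeviceSpaceId={space_id}", method=method,
            headers={"Authorization": "Basic " + token})
        with urllib.request.urlopen(req, timeout=60) as resp:
            body = resp.read()
        # Only the download call returns a zip; the other two return JSON.
        return body if path.endswith("audit_logs_csv") else json.loads(body)
    return call

def export_audit_logs(call, poll_seconds=5, max_polls=120, sleep=time.sleep):
    """Initiate, poll until finished, then download; returns the zip bytes."""
    started = call("GET", "api/v2/logs/audit_logs_export")
    if not started.get("isRunning"):
        # isRunning=false at this step covers both documented cases: the
        # initiation failed, or an export is already in progress.
        raise ExportError(started.get("exportStatusMsg", "export not started"))
    for _ in range(max_polls):
        status = call("GET", "api/v2/logs/audit_logs_export_status")
        if status.get("isRunning"):
            sleep(poll_seconds)
            continue
        if status.get("exportStatusMsg") == "success":
            return call("POST", "api/v2/logs/audit_logs_csv")
        raise ExportError(status.get("exportStatusMsg", "export failed"))
    raise ExportError("export still running after %d polls" % max_polls)

def replay(responses):
    """Constructed offline transport: returns canned responses in order."""
    queue = list(responses)
    return lambda method, path: queue.pop(0)

if __name__ == "__main__":
    # Constructed sample data modelled on the page's sample responses.
    canned = [
        {"exportStatusMsg": "Initiated processing of Audit Logs to be exported...", "isRunning": True},
        {"exportStatusMsg": "Processed 10,000 of 80,000 audit log entries...", "isRunning": True},
        {"exportStatusMsg": "success", "isRunning": False},
        b"constructed-zip-bytes",
    ]
    print(len(export_audit_logs(replay(canned), sleep=lambda s: None)), "bytes")
```

Against a live server, pass make_transport("https://<host>", user, password) as `call` and write the returned bytes to a .zip file.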
Search/Retrieve audit logs
This call provides access to a search function over the entire set of audit logs.
Required Role
See Authentication for complete details on ensuring that the credentials you use for basic authentication belong to a user with the necessary role for this API call.
Category: Logs and Events Management
Role Description: View logs and events
HTTP method
GET
Request URI
api/v2/logs/audit_logs
Request parameters
Parameter | Description | Sample Value
adminDeviceSpaceId | Required. Parameter Type: Query. Data Type: Number. Device space ID of the administrator. | 1
userActionIds | Parameter Type: Request body. Data Type: Integer[ ]. Comma-separated values of user action type IDs. The user action type IDs are fetched from /api/v2/admins/{source}/actions. If this is empty, then all the user action types will be considered for the search. |
status | Parameter Type: Request body. Data Type: String[ ]. Comma-separated values of Audit Log status to filter. If this is empty, then returned Audit Logs may contain all kinds of statuses. | Success, Failed, Initiated
subject | Parameter Type: Request body. Data Type: String. Placeholder for a device UUID to filter logs for a particular device. |
actionStart | Parameter Type: Request body. Data Type: Number. Start time after which the audit logs are required. |
actionEnd | Parameter Type: Request body. Data Type: Number. This can be used along with actionStart to form a date range during which the Audit logs are required. |
limit | Parameter Type: Request body. Data Type: Number. Min: 0. Max: 200. Default: 200. Indicates the maximum number of entries to return. Must be at least 0 and no more than 200. |
offset | Parameter Type: Request body. Data Type: Number. Min: 0. Max: 10,000,000. Default: 0. Indicates the index of the first entry to return. |
sortField | Parameter Type: Query. Data Type: String. Min: 1 character. Max: 320 characters. Name of the field to use for sorting. |
sortOrder | Parameter Type: Query. Data Type: String. Default: ASC. Indicates the order in which entries are returned. Values can be "ASC" or "DESC". | ASC
Response fields
Field | Description
searchTimeMillis | The time in milliseconds that it took to execute the search.
currentServerTimeMilliseconds | The current server time in milliseconds since epoch.
totalCount | The total number of entries that the query matched.
hasMore | Indicates that there are more entries available.
resultCount | The number of entries that are being returned.
results | An array of entry objects. Each object includes just the fields requested.
Sample request and response
Request
curl -sS -k -u <userName>:<password> \
  -G https://[Ivanti EPMM]/api/v2/logs/audit_logs \
  --data-urlencode 'adminDeviceSpaceId=1' --data-urlencode 'fields=common.id' \
  --data-urlencode 'offset=1' --data-urlencode 'limit=2'
Response
{
  "searchTimeMillis":4,
  "currentServerTimeMilliseconds":1423631757695,
  "totalCount":4,
  "resultCount":2,
  "hasMore":true,
  "results":[
    {
      "spacePath":null,
      "reason":"Configuration Team Wildcard Distribution 80AD946C-0E35-4283-9DE8-0DF48E481144 added",
      "updateRequestId":null,
      "actor":null,
      "requesterName":"miadmin",
      "actionAt":1423559886308,
      "loggedAt":1423559886308,
      "version":1,
      "parentId":null,
      "subjectName":"Provisioning Profile - Team Wildcard Distribution 80AD946C-0E35-4283-9DE8-0DF48E481144 : 1",
      "userInRole":null,
      "spaceName":null,
      "objectId":null,
      "subjectType":"Application Setting",
      "subjectOwnerName":null,
      "status":"Success",
      "objectName":null,
      "actionType":"ADD_APPSETTING",
      "completedAt":1423559886308,
      "cookie":null,
      "message":null,
      "subjectId":null,
      "device":null,
      "requestedAt":1423559886308,
      "configuration":{
        "configType":"Provisioning Profile",
        "name":"Team Wildcard Distribution 80AD946C-0E35-4283-9DE8-0DF48E481144",
        "version":"1",
        "configId":8
      },
      "objectType":null,
      "logType":"userAction"
    },
    {
      "spacePath":null,
      "reason":"User miadmin is added.",
      "updateRequestId":null,
      "actor":{
        "miUserId":9001,
        "principal":"miadmin",
        "email":null
      },
      "requesterName":"misystem",
      "actionAt":1423466939836,
      "loggedAt":1423466939836,
      "version":1,
      "parentId":null,
      "subjectName":"miadmin",
      "userInRole":null,
      "spaceName":null,
      "objectId":null,
      "subjectType":"User",
      "subjectOwnerName":null,
      "status":"Success",
      "objectName":null,
      "actionType":"ADD_USER",
      "completedAt":1423466939836,
      "cookie":null,
      "message":null,
      "subjectId":"9001",
      "device":null,
      "requestedAt":1423466939836,
      "configuration":null,
      "objectType":null,
      "logType":"userAction"
    }
  ]
}
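Paging through the search call and flattening entries for a SIEM, as an added example (not Ivanti's code). It walks offset in steps of the documented 200-entry limit until hasMore is false, converts the millisecond actionAt to UTC, and flags entries for review. The callable `search(params)`, the function names and the watch list are hypothetical; the field names come from the sample response above.

```python
from datetime import datetime, timezone

PAGE_MAX = 200            # documented maximum for `limit`
OFFSET_MAX = 10_000_000   # documented maximum for `offset`

def iter_audit_logs(search, **filters):
    """Yield every matching entry. `search(params)` is a hypothetical callable
    that GETs api/v2/logs/audit_logs and returns the parsed JSON response."""
    offset = 0
    while offset <= OFFSET_MAX:
        page = search({**filters, "offset": offset, "limit": PAGE_MAX,
                       "sortField": "requestedAt", "sortOrder": "ASC"})
        results = page.get("results") or []
        yield from results
        # Stop on an empty page even if hasMore is set, to avoid looping forever.
        if not results or not page.get("hasMore"):
            return
        offset += len(results)

def to_event(entry):
    """Flatten one entry into a flat record with a UTC ISO-8601 timestamp."""
    actor = entry.get("actor") or {}          # actor is null on some entries
    when = datetime.fromtimestamp(entry["actionAt"] / 1000, tz=timezone.utc)
    return {"time": when.isoformat(), "action": entry.get("actionType"),
            "status": entry.get("status"), "requester": entry.get("requesterName"),
            "actor": actor.get("principal"), "subject": entry.get("subjectName")}

def flag_for_review(entries, watch=("ADD_USER",)):
    """Events whose actionType is on the (assumed) watch list, or whose
    status is anything other than Success."""
    return [to_event(e) for e in entries
            if e.get("actionType") in watch or e.get("status") != "Success"]

if __name__ == "__main__":
    # Constructed entry, trimmed to the fields used above.
    sample = [{"actionType": "ADD_USER", "status": "Success",
               "actionAt": 1423466939836, "requesterName": "misystem",
               "actor": {"principal": "miadmin"}, "subjectName": "miadmin"}]
    one_page = lambda params: {"results": sample, "hasMore": False}
    print(flag_for_review(iter_audit_logs(one_page)))
```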
Get action types facets for audit log categories
This call returns action type facets for audit log categories.
Required Role
See Authentication for complete details on ensuring that the credentials you use for basic authentication belong to a user with the necessary role for this API call.
Category: Logs and Events Management
Role Description: View logs and events
HTTP method
GET
Request URI
api/v2/logs/audit_log_actions/count
Request parameters
Parameter | Description | Sample Value
adminDeviceSpaceId | Required. Parameter Type: Query. Data Type: Number. Device space ID of the administrator. | 1
requestType | Required. Parameter Type: Request body. Data Type: String. Default: actionType. Indicates the request type for the facets API. | actionType
userActionIds | Parameter Type: Request body. Data Type: Integer[ ]. Comma-separated values of user action type IDs. The user action type IDs are fetched from the /api/v2/admins/{source}/actions call. If this is empty, then all the user action types will be considered for the search. |
status | Parameter Type: Request body. Data Type: String[ ]. Comma-separated values of Audit Log status to filter. If this is empty, then returned Audit Logs may contain all kinds of statuses. | Success, Failed, Initiated
subject | Parameter Type: Request body. Data Type: String. Placeholder for a device UUID to filter logs for a particular device. |
actionStart | Parameter Type: Request body. Data Type: Number. Start time after which the audit logs are required. |
actionEnd | Parameter Type: Request body. Data Type: Number. This can be used along with actionStart to form a date range during which the Audit logs are required. |
sortField | Parameter Type: Query. Data Type: String. Min: 1 character. Max: 320 characters. Name of the field to use for sorting. |
sortOrder | Parameter Type: Query. Data Type: String. Default: ASC. Indicates the order in which entries are returned. Values can be "ASC" or "DESC". | ASC
Response fields
Field | Description
requestType | Type of Request
totalCount | The total number of entries that the query matched.
rows | Rows of entries with following :
resultCount | The number of entries that are being returned.
results | An array of entry objects. Each object includes just the fields requested.
Sample request and response
Request
curl -sS -k -u <userName>:<password> \
  -G https://[Ivanti EPMM]/api/v2/logs/audit_log_actions/count \
  --data-urlencode 'query=' --data-urlencode 'requestType=actionType' \
  --data-urlencode 'sortOrder=ASC' --data-urlencode 'sortField=requestedAt'
Response
{
  "results": {
    "requestType": "actionType",
    "rows": [
      { "name": "add_app_catalog", "count": 12, "query": "" },
      { "name": "add_appsetting", "count": 1, "query": "" },
      { "name": "add_label", "count": 6, "query": "" },
      { "name": "add_ldap", "count": 1, "query": "" },
      { "name": "add_user", "count": 38, "query": "" },
      { "name": "admin_portal_sign_in", "count": 134, "query": "" },
      { "name": "admin_portal_sign_out", "count": 8, "query": "" },
      { "name": "allow_app_tunnel", "count": 2, "query": "" },
      { "name": "apply_label_to_devices", "count": 86, "query": "" },
      { "name": "assign_device_space_admin", "count": 1, "query": "" },
      { "name": "change_language", "count": 1, "query": "" },
      { "name": "change_ownership", "count": 1, "query": "" },
      { "name": "delete_label", "count": 1, "query": "" },
      { "name": "delete_user_account", "count": 12, "query": "" },
      { "name": "locate", "count": 20, "query": "" },
      { "name": "lock", "count": 1, "query": "" },
      { "name": "modify_appsetting", "count": 3, "query": "" },
      { "name": "push_profile", "count": 12, "query": "" },
      { "name": "register_device", "count": 9, "query": "" },
      { "name": "remove_label_from_devices", "count": 1, "query": "" },
      { "name": "retire", "count": 2, "query": "" },
      { "name": "send_message", "count": 21, "query": "" },
      { "name": "system_config_change", "count": 6, "query": "" },
      { "name": "update_device_space", "count": 10, "query": "" },
      { "name": "wakeup_device", "count": 1, "query": "" }
    ]
  },
  "totalCount": 25,
  "resultCount": 25
}