Audit Logs Management

Export audit logs to a CSV file

Exporting audit logs to a CSV file requires multiple API calls:

Initiate the processing of audit logs to be exported:
GET api/v2/logs/audit_logs_export

Return the status of the initiation of the export process:
GET api/v2/logs/audit_logs_export_status

Initiate the download of the CSV file:
GET api/v2/logs/audit_logs_csv

Initiate the processing of audit logs to be exported

This call initiates audit log processing.

Required Role

See Authentication for complete details on ensuring that the credentials you use for basic authentication belong to a user with the necessary role for this API call.

Category: Logs and Events Management

Role Description: View logs and events

HTTP method

GET

Request URI

api/v2/logs/audit_logs_export

Request parameters

adminDeviceSpaceId
  Required
  Parameter Type: Query
  Data Type: Number
  Device space ID of the administrator.
  Sample value: 1

userActionIds
  Parameter Type: Request body
  Data Type: Integer[ ]
  Comma-separated values of user action type IDs. The user action type IDs are fetched from the /api/v2/admins/{source}/actions call.
  If this is empty, then all the user action types will be considered for the search.

status
  Parameter Type: Request body
  Data Type: String[ ]
  Comma-separated values of audit log status to filter. If this is empty, then the returned audit logs may contain all kinds of statuses.
  Sample value: Success, Failed, Initiated

subject
  Parameter Type: Request body
  Data Type: String
  Placeholder for a device UUID to filter logs for a particular device.

actionStart
  Parameter Type: Request body
  Data Type: Number
  Start time after which the audit logs are required.

actionEnd
  Parameter Type: Request body
  Data Type: Number
  This can be used along with actionStart to form a date range during which the audit logs are required.

sortField
  Parameter Type: Query
  Data Type: String
  Min: 1 character
  Max: 320 characters
  Name of the field to use for sorting.

sortOrder
  Parameter Type: Query
  Data Type: String
  Default: ASC
  Indicates the order in which entries are returned. Values can be "ASC" or "DESC".
  Sample value: ASC

Response fields

exportStatusMsg
  Audit logs processing initiated/failure message.

isRunning
  Boolean value that indicates whether the audit logs processing is initiated/running or not.

Sample Request

curl -sS -k -u <userName>:<password> -G https://[Ivanti EPMM]/api/v2/logs/audit_logs_export --data-urlencode 'sortField=requestedAt' --data-urlencode 'sortOrder=ASC'

Sample Responses

Success:

{
  "exportStatusMsg":"Initiated processing of Audit Logs to be exported...",
  "isRunning":true
}

If the process is already initiated:

{
  "exportStatusMsg":"Audit Logs Export is in progress. It might be issued by another admin. Please try after some time.",
  "isRunning":false
}

Failure:

{
  "exportStatusMsg":"Failed to initiate audit logs export",
  "isRunning":false
}

Return the status of the initiation of the export process

This call gets the status of the audit log export process.

Required Role

See Authentication for complete details on ensuring that the credentials you use for basic authentication belong to a user with the necessary role for this API call.

Category: Logs and Events Management

Role Description: View logs and events

HTTP method

GET

Request URI

api/v2/logs/audit_logs_export_status

Request parameters

adminDeviceSpaceId
  Required
  Parameter Type: Query
  Data Type: Number
  Device space ID of the administrator.
  Sample value: 1

Response fields

exportStatusMsg
  Audit logs processing status/progress message.
  "success" - If the processing is completed successfully.
  "fail" - If the processing failed due to server error.

isRunning
  Boolean value that indicates whether the audit logs processing is progressing or not.

isExportStatusAvailable
  Indicates whether the export progress status is available.

Sample Request

curl -sS -k -u <userName>:<password> -G https://[Ivanti EPMM]/api/v2/logs/audit_logs_export_status

Sample Responses

While the processing of audit log entries to be exported is progressing:

{
  "exportStatusMsg":"Processed 10,000 of 80,000 audit log entries...",
  "isRunning":true,
  "initiatedAt":"01-22-2005-1106412118809",
  "isExportStatusAvailable":true
}

When the processing of audit log entries to be exported is completed successfully:

{
  "exportStatusMsg":"success",
  "isRunning":false,
  "isExportStatusAvailable":true
}

Failure:

{
  "exportStatusMsg":"fail",
  "isRunning":false,
  "isExportStatusAvailable":true
}

Download the CSV file

This call downloads the CSV file.

Required Role

See Authentication for complete details on ensuring that the credentials you use for basic authentication belong to a user with the necessary role for this API call.

Category: Logs and Events Management

Role Description: View logs and events

HTTP method

POST

Request URI

api/v2/logs/audit_logs_csv

Request parameters

adminDeviceSpaceId
  Required
  Parameter Type: Query
  Data Type: Number
  Device space ID of the administrator.
  Sample value: 1

-o
  Required
  Parameter Type: Query
  Data Type: String
  The name of the file to download.
  Sample value: auditlog.zip

Response fields

Content-Disposition: attachment; filename=<filename>

Content-Type: application/octet-stream;charset=UTF-8

Sample Request

curl -v -u <user>:<pass> -XPOST https://[Ivanti EPMM]/api/v2/logs/audit_logs_csv -o auditlog.zip

Sample Response

Content-Disposition: attachment; filename=AuditLogs-emm-cope.hubtotal.net-11-16-2018-1542372740221.zip

Content-Type: application/octet-stream;charset=UTF-8
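
The three export calls above chained into one routine, as an added example (not Ivanti's code): it initiates the export, polls the status call until isRunning is false, and downloads the archive only when exportStatusMsg is "success". The base URL, credentials and the helper names make_call and export_audit_logs are assumptions; the example keeps TLS certificate verification on instead of using curl's -k, and uses POST for the download as the sample request does.

```python
import base64, json, ssl, time, urllib.request

def make_call(base_url, user, password, space_id=1):
    """Return call(method, path) -> (headers, body); certificate checks stay on."""
    auth = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    ctx = ssl.create_default_context()  # verifies the server certificate (no -k)

    def call(method, path):
        url = f"{base_url}/api/v2/logs/{path}?adminDeviceSpaceId={space_id}"
        req = urllib.request.Request(url, method=method,
                                     headers={"Authorization": auth})
        with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
            return resp.headers, resp.read()
    return call

def export_audit_logs(call, out_path, poll_seconds=5, max_polls=120,
                      sleep=time.sleep):
    """Run initiate -> poll -> download; return (Content-Disposition, size)."""
    started = json.loads(call("GET", "audit_logs_export")[1])
    if not started.get("isRunning"):
        # Covers "already in progress (another admin)" and "failed to initiate".
        raise RuntimeError(started.get("exportStatusMsg", "export not started"))
    for _ in range(max_polls):
        status = json.loads(call("GET", "audit_logs_export_status")[1])
        if not status.get("isRunning"):
            if status.get("exportStatusMsg") == "success":
                break
            raise RuntimeError(f"export failed: {status.get('exportStatusMsg')}")
        sleep(poll_seconds)
    else:
        raise TimeoutError("export still running after max_polls status checks")
    headers, body = call("POST", "audit_logs_csv")  # POST, as in the sample request
    with open(out_path, "wb") as fh:
        fh.write(body)
    return headers.get("Content-Disposition"), len(body)
```

Call it as export_audit_logs(make_call("https://<EPMM host>", user, password), "auditlog.zip"), reading the password from a secret store or prompt rather than the command line.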

Search/Retrieve audit logs

This call provides access to a search function over the entire set of audit logs.

Required Role

See Authentication for complete details on ensuring that the credentials you use for basic authentication belong to a user with the necessary role for this API call.

Category: Logs and Events Management

Role Description: View logs and events

HTTP method

GET

Request URI

api/v2/logs/audit_logs

Request parameters

adminDeviceSpaceId
  Required
  Parameter Type: Query
  Data Type: Number
  Device space ID of the administrator.
  Sample value: 1

userActionIds
  Parameter Type: Request body
  Data Type: Integer[ ]
  Comma-separated values of user action type IDs. The user action type IDs are fetched from /api/v2/admins/{source}/actions.
  If this is empty, then all the user action types will be considered for the search.

status
  Parameter Type: Request body
  Data Type: String[ ]
  Comma-separated values of audit log status to filter.
  If this is empty, then the returned audit logs may contain all kinds of statuses.
  Sample value: Success, Failed, Initiated

subject
  Parameter Type: Request body
  Data Type: String
  Placeholder for a device UUID to filter logs for a particular device.

actionStart
  Parameter Type: Request body
  Data Type: Number
  Start time after which the audit logs are required.

actionEnd
  Parameter Type: Request body
  Data Type: Number
  This can be used along with actionStart to form a date range during which the audit logs are required.

limit
  Parameter Type: Request body
  Data Type: Number
  Min: 0
  Max: 200
  Default: 200
  Indicates the maximum number of entries to return. Must be at least 0 and no more than 200.

offset
  Parameter Type: Request body
  Data Type: Number
  Min: 0
  Max: 10,000,000
  Default: 0
  Indicates the index of the first entry to return.

sortField
  Parameter Type: Query
  Data Type: String
  Min: 1 character
  Max: 320 characters
  Name of the field to use for sorting.

sortOrder
  Parameter Type: Query
  Data Type: String
  Default: ASC
  Indicates the order in which entries are returned. Values can be "ASC" or "DESC".
  Sample value: ASC

Response fields

searchTimeMillis
  The time in milliseconds that it took to execute the search.

currentServerTimeMilliseconds
  The current server time in milliseconds since epoch.

totalCount
  The total number of entries that the query matched.

hasMore
  Indicates that there are more entries available.

resultCount
  The number of entries that are being returned.

results
  An array of entry objects. Each object includes just the fields requested.

Sample request and response

Request

curl -sS -k -u <userName>:<password> -G https://[Ivanti EPMM]/api/v2/logs/audit_logs --data-urlencode 'adminDeviceSpaceId=1' --data-urlencode 'fields=common.id' --data-urlencode 'offset=1' --data-urlencode 'limit=2'

Response

{
   "searchTimeMillis":4,
   "currentServerTimeMilliseconds":1423631757695,
   "totalCount":4,
   "resultCount":2,
   "hasMore":true,
   "results":[
      {
         "spacePath":null,
         "reason":"Configuration Team Wildcard Distribution 80AD946C-0E35-4283-9DE8-0DF48E481144 added",
         "updateRequestId":null,
         "actor":null,
         "requesterName":"miadmin",
         "actionAt":1423559886308,
         "loggedAt":1423559886308,
         "version":1,
         "parentId":null,
         "subjectName":"Provisioning Profile - Team Wildcard Distribution 80AD946C-0E35-4283-9DE8-0DF48E481144 : 1",
         "userInRole":null,
         "spaceName":null,
         "objectId":null,
         "subjectType":"Application Setting",
         "subjectOwnerName":null,
         "status":"Success",
         "objectName":null,
         "actionType":"ADD_APPSETTING",
         "completedAt":1423559886308,
         "cookie":null,
         "message":null,
         "subjectId":null,
         "device":null,
         "requestedAt":1423559886308,
         "configuration":{
            "configType":"Provisioning Profile",
            "name":"Team Wildcard Distribution 80AD946C-0E35-4283-9DE8-0DF48E481144",
            "version":"1",
            "configId":8
         },
         "objectType":null,
         "logType":"userAction"
      },
      {
         "spacePath":null,
         "reason":"User miadmin is added.",
         "updateRequestId":null,
         "actor":{
            "miUserId":9001,
            "principal":"miadmin",
            "email":null
         },
         "requesterName":"misystem",
         "actionAt":1423466939836,
         "loggedAt":1423466939836,
         "version":1,
         "parentId":null,
         "subjectName":"miadmin",
         "userInRole":null,
         "spaceName":null,
         "objectId":null,
         "subjectType":"User",
         "subjectOwnerName":null,
         "status":"Success",
         "objectName":null,
         "actionType":"ADD_USER",
         "completedAt":1423466939836,
         "cookie":null,
         "message":null,
         "subjectId":"9001",
         "device":null,
         "requestedAt":1423466939836,
         "configuration":null,
         "objectType":null,
         "logType":"userAction"
      }
   ]
}
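
Because limit is capped at 200, reading a full result set means walking offset until hasMore is false. The following added example (not Ivanti's code) does that and then keeps only account and administration changes for review, with actionAt converted to UTC. The fetch_page callable, the function names and the watchlist are assumptions; the watchlist names are action types shown in this page's sample responses, compared case-insensitively, and the two sample pages are constructed.

```python
from datetime import datetime, timezone

PAGE_LIMIT = 200  # documented maximum for "limit"
# Assumed watchlist (an editorial choice, not a product default). The names are
# action types that appear in this page's sample responses.
WATCHLIST = {"add_user", "delete_user_account", "assign_device_space_admin",
             "system_config_change", "add_ldap"}

def iter_audit_logs(fetch_page, **filters):
    """Yield every matching entry; fetch_page(params) returns the decoded JSON."""
    offset = 0
    while True:
        page = fetch_page({**filters, "offset": offset, "limit": PAGE_LIMIT})
        results = page.get("results") or []
        yield from results
        offset += len(results)
        if not results or not page.get("hasMore"):
            return  # an empty page also stops the loop if hasMore never clears

def review(entries, watchlist=WATCHLIST):
    """Keep watchlisted actions, oldest first, with actionAt rendered as UTC."""
    hits = []
    for e in entries:
        if (e.get("actionType") or "").lower() not in watchlist:
            continue
        when = datetime.fromtimestamp(e["actionAt"] / 1000, tz=timezone.utc)
        hits.append({"when": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
                     "action": e["actionType"], "status": e.get("status"),
                     "requester": e.get("requesterName"),
                     "actor": (e.get("actor") or {}).get("principal"),
                     "subject": e.get("subjectName")})
    return sorted(hits, key=lambda h: h["when"])

# Constructed two-page response, trimmed from the sample entries above.
SAMPLE_PAGES = [
    {"hasMore": True, "results": [
        {"actionType": "ADD_APPSETTING", "status": "Success", "actor": None,
         "actionAt": 1423559886308, "requesterName": "miadmin",
         "subjectName": "Provisioning Profile"}]},
    {"hasMore": False, "results": [
        {"actionType": "ADD_USER", "status": "Success",
         "actor": {"principal": "miadmin"}, "actionAt": 1423466939836,
         "requesterName": "misystem", "subjectName": "miadmin"}]},
]

def sample_fetch(params):
    """Offline stand-in for GET api/v2/logs/audit_logs; one entry per page."""
    return SAMPLE_PAGES[min(params["offset"], len(SAMPLE_PAGES) - 1)]
```

review(iter_audit_logs(sample_fetch, adminDeviceSpaceId=1)) returns the single ADD_USER entry from the constructed pages.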

Get action types facets for audit log categories

This call returns action type facets for audit log categories.

Required Role

See Authentication for complete details on ensuring that the credentials you use for basic authentication belong to a user with the necessary role for this API call.

Category: Logs and Events Management

Role Description: View logs and events

HTTP method

GET

Request URI

api/v2/logs/audit_log_actions/count

Request parameters

adminDeviceSpaceId
  Required
  Parameter Type: Query
  Data Type: Number
  Device space ID of the administrator.
  Sample value: 1

requestType
  Required
  Parameter Type: Request body
  Data Type: String
  Default: actionType
  Indicates the request type for the facets API.
  Sample value: actionType

userActionIds
  Parameter Type: Request body
  Data Type: Integer[ ]
  Comma-separated values of user action type IDs. The user action type IDs are fetched from the /api/v2/admins/{source}/actions call.
  If this is empty, then all the user action types will be considered for the search.

status
  Parameter Type: Request body
  Data Type: String[ ]
  Comma-separated values of audit log status to filter. If this is empty, then the returned audit logs may contain all kinds of statuses.
  Sample value: Success, Failed, Initiated

subject
  Parameter Type: Request body
  Data Type: String
  Placeholder for a device UUID to filter logs for a particular device.

actionStart
  Parameter Type: Request body
  Data Type: Number
  Start time after which the audit logs are required.

actionEnd
  Parameter Type: Request body
  Data Type: Number
  This can be used along with actionStart to form a date range during which the audit logs are required.

sortField
  Parameter Type: Query
  Data Type: String
  Min: 1 character
  Max: 320 characters
  Name of the field to use for sorting.

sortOrder
  Parameter Type: Query
  Data Type: String
  Default: ASC
  Indicates the order in which entries are returned. Values can be "ASC" or "DESC".
  Sample value: ASC

Response fields

requestType
  Type of request.

totalCount
  The total number of entries that the query matched.

rows
  Rows of entries with the following:
  {
    name: "Action Name",
    count: "Action Count",
    query: "Query specified"
  }

resultCount
  The number of entries that are being returned.

results
  An array of entry objects. Each object includes just the fields requested.

Sample request and response

Request

curl -sS -k -u <userName>:<password> -G https://[Ivanti EPMM]/api/v2/logs/audit_log_actions/count --data-urlencode 'query=' --data-urlencode 'requestType=actionType' --data-urlencode 'sortOrder=ASC' --data-urlencode 'sortField=requestedAt'

Response

{
   "results": {
      "requestType": "actionType",
      "rows": [
         {"name": "add_app_catalog", "count": 12, "query": ""},
         {"name": "add_appsetting", "count": 1, "query": ""},
         {"name": "add_label", "count": 6, "query": ""},
         {"name": "add_ldap", "count": 1, "query": ""},
         {"name": "add_user", "count": 38, "query": ""},
         {"name": "admin_portal_sign_in", "count": 134, "query": ""},
         {"name": "admin_portal_sign_out", "count": 8, "query": ""},
         {"name": "allow_app_tunnel", "count": 2, "query": ""},
         {"name": "apply_label_to_devices", "count": 86, "query": ""},
         {"name": "assign_device_space_admin", "count": 1, "query": ""},
         {"name": "change_language", "count": 1, "query": ""},
         {"name": "change_ownership", "count": 1, "query": ""},
         {"name": "delete_label", "count": 1, "query": ""},
         {"name": "delete_user_account", "count": 12, "query": ""},
         {"name": "locate", "count": 20, "query": ""},
         {"name": "lock", "count": 1, "query": ""},
         {"name": "modify_appsetting", "count": 3, "query": ""},
         {"name": "push_profile", "count": 12, "query": ""},
         {"name": "register_device", "count": 9, "query": ""},
         {"name": "remove_label_from_devices", "count": 1, "query": ""},
         {"name": "retire", "count": 2, "query": ""},
         {"name": "send_message", "count": 21, "query": ""},
         {"name": "system_config_change", "count": 6, "query": ""},
         {"name": "update_device_space", "count": 10, "query": ""},
         {"name": "wakeup_device", "count": 1, "query": ""}
      ]
   },
   "totalCount": 25,
   "resultCount": 25
}