Export security audit log reports

Learn about exporting Security Audit Log details with the Sync.

Use the Security Audit Log - Sync to filter audit log details and export them to a report in CSV and JSON formats.

You need to have a role with the appropriate access permissions (rights and privileges) to run this API:

ROLE_ADMIN_CUSTOMER: Provides EXECUTE privileges for the Auth.Audit.Export.Privilege resource.

For more information, see topic ROLE_ADMIN_CUSTOMER Access permissions.

Request

POST /audit/export

This topic describes the properties in this API endpoint and provides examples of requests and responses. For more information on the syntax of this API, see Security audit log in the Reltio Developer Portal. For more specific usage scenarios for this API, see the sub topics in this section.

Table 1. Parameters
Parameter	Type	Required	Description
Header
Authorization	string	Yes	The bearer token URL returned by the Authentication in this format: `https://auth.reltio.com/oauth/token`. For information on obtaining an authorization token to run Reltio REST APIs using the Security OAuth 2.0 security method, see topic Authentication API.
Content-type	string	Yes	The format to use to transmit data: application/json Reltio APIs transmit data in the JavaScript Object Notation (JSON) standard text-based format.
Body
payload	array	Yes	A task definition in JSON format: `%customerId;` (Optional) Defaults to the same customer ID as the user. Specifies the customer for the export. For example: if you are a partner and have the proper permissions for your customer, you should use this parameter to get your customer logs instead of yours. `%startTimestamp;` Use either start or startTimestamp. The Unix timestamp (in seconds) marking the start of the report period. `%start;` Use either start or startTimestamp. The ISO format start time for the report period. `%endTimestamp;` Use either end or endTimestamp. The Unix timestamp (in seconds) marking the end of the report period. `%end;` Use either end or endTimestamp. The ISO format end time for the report period. `%ip;` (Optional) Wildcard filter for IP addresses. Supports '%' (any multiple characters) and '_' (any single character). `%usernames;` (Optional) Filters events by username. `%events;` (Required) List of event types to include in the report: LOGIN LOGIN_FAILED LOGIN_SSO LOGOUT USER_CREATED USER_MODIFIED USER_DELETED USER_LOCKED USER_UNLOCKED ROLE_CREATED ROLE_MODIFIED ROLE_DELETED GROUP_CREATED GROUP_MODIFIED GROUP_DELETED `%eventTargetObjects;` (Optional) Filters by event object target name. Note: Currently payload supports USER, ROLE, and GROUP event types. You can only provide one set of event type at a time. `%format;` (Optional) Defaults to CSV. Format of the output report.

Response

The API endpoint returns a report in the specified format (JSON or CSV) .

Table 2. Status code
Status Code	Message	Description
200	Success	The audit report was returned.
400	Bad Request	The request body is not correctly formatted or required fields are missing.
401	Unauthorized	The token is missing, invalid, or does not have the necessary privileges.
429	Too Many requests	The user has exceeded the number of allowable synchronous requests.

Table 3. Response body
Data returned	Type	Description
Audit report	CSV or JSON file	Columns in report: `%timestamp;` (ISO format) `%ipAddress;` Origin IP address `%userName;` (Optional) Filters events by username. `%eventName;` LOGIN, LOGIN_FAILED, LOGIN_SSO (if the authorization_code is the grant type) `%eventObject;` Optional; by default not applied. `%eventDetail;` for LOGIN - grant type for LOGIN_FAILED for LOGIN_SSO for LOGOUT for USER_CREATED - JSON user definition for USER_MODIFIED - JSON user definition for USER_DELETED for USER_LOCKED - Reason for USER_UNLOCKED - Reason for ROLE_CREATED - JSON role definition for ROLE_MODIFIED - JSON role definition for ROLE_DELETED for GROUP_CREATED - JSON group definition for GROUP_MODIFIED - JSON group definition for GROUP_DELETED

Examples

This example shows how to request an audit log in CSV format for all events for user1 between midnight and 7:40PM on 03-Sep-2023.

Table 4. Request examples
This example shows how to request an audit log in CSV format for all events for user1 between midnight and 7:40PM on 03-Sep-2023.	{ "customerId": "Reltio", "startTimestamp": 1693738800, "start": "2023-09-03T12:00:00Z", "endTimestamp": 1693766400, "end": "2023-09-03T19:40:00Z", "ip": "13.15.12.52", "usernames": [ "user1@reltio.com", "user2@reltio.com" ], "events": [ "LOGIN", "LOGIN_SSO", "LOGOUT", "USER_CREATED", "USER_MODIFIED", "USER_DELETED", "USER_LOCKED", "USER_UNLOCKED", "ROLE_CREATED", "ROLE_MODIFIED", "ROLE_DELETED", "GROUP_CREATED", "GROUP_MODIFIED", "GROUP_DELETED" ], "eventTargetObjects": [ "user1" ], "format": "CSV" }
This example shows how to request specific audit log details for the filters shown.	[ { "timestamp": "2023-09-27T11:17:13.995740Z", "ipAddress": [ "10.0.0.1" ], "userName": "userB", "eventName": "GROUP_CREATED", "eventDetail": [ { "groupId": "testGp", "groupName": "testGp", "description": "testGp", "roles": { "ROLE_ADMIN_READONLY": [] } } ] }, { "timestamp": "2023-09-27T11:17:13.995740Z", "ipAddress": [ "10.0.0.1" ], "userName": "userB", "eventName": "GROUP_DELETED", "eventObject": "testGp" }, { "timestamp": "2023-09-27T11:17:13.995740Z", "ipAddress": [ "10.0.0.1" ], "userName": "userB", "eventName": "GROUP_MODIFIED", "eventObject": "testGp", "eventDetail": [ { "groupId": "testGp", "groupName": "testGp", "description": "A Group testGp", "roles": { "ROLE_WORKFLOW_ADMIN": [ "EQ0L0f" ], "ROLE_WORKFLOW": [ "EQ0L0f" ] } } ] } ]

{
    "customerId": "Reltio",
    "startTimestamp": 1693738800,
    "start": "2023-09-03T12:00:00Z",
    "endTimestamp": 1693766400,
    "end": "2023-09-03T19:40:00Z",
    "ip": "13.15.12.52",
    "usernames": [
        "user1@reltio.com",
        "user2@reltio.com"
    ],
    "events": [
        "LOGIN",
        "LOGIN_SSO",
        "LOGOUT",
        "USER_CREATED",
        "USER_MODIFIED",
        "USER_DELETED",
        "USER_LOCKED",
        "USER_UNLOCKED",
        "ROLE_CREATED",
        "ROLE_MODIFIED",
        "ROLE_DELETED",
        "GROUP_CREATED",
        "GROUP_MODIFIED",
        "GROUP_DELETED"
    ],
    "eventTargetObjects": [
        "user1"
    ],
    "format": "CSV"
}

This example shows how to request specific audit log details for the filters shown.

[
    {
        "timestamp": "2023-09-27T11:17:13.995740Z",
        "ipAddress": [
            "10.0.0.1"
        ],
        "userName": "userB",
        "eventName": "GROUP_CREATED",
        "eventDetail": [
            {
                "groupId": "testGp",
                "groupName": "testGp",
                "description": "testGp",
                "roles": {
                    "ROLE_ADMIN_READONLY": []
                }
            }
        ]
    },
    {
        "timestamp": "2023-09-27T11:17:13.995740Z",
        "ipAddress": [
            "10.0.0.1"
        ],
        "userName": "userB",
        "eventName": "GROUP_DELETED",
        "eventObject": "testGp"
    },
    {
        "timestamp": "2023-09-27T11:17:13.995740Z",
        "ipAddress": [
            "10.0.0.1"
        ],
        "userName": "userB",
        "eventName": "GROUP_MODIFIED",
        "eventObject": "testGp",
        "eventDetail": [
            {
                "groupId": "testGp",
                "groupName": "testGp",
                "description": "A Group testGp",
                "roles": {
                    "ROLE_WORKFLOW_ADMIN": [
                        "EQ0L0f"
                    ],
                    "ROLE_WORKFLOW": [
                        "EQ0L0f"
                    ]
                }
            }
        ]
    }
]

This example shows the response returned for the request example above in CSV format.

Table 5. Response examples
This example shows the response returned for the request example above in CSV format.	`"timestamp","originIP","username","eventName","eventObject","eventDetails" "2023-09-03T12:05:00Z","13.15.12.52","user1@reltio.com","LOGIN","user1","grantType: password" "2023-09-03T12:07:00Z","13.15.12.53","user2@reltio.com","USER_CREATED","user2","userDefinition: {""firstName"": ""Jane"", ""lastName"": ""Doe"", ""email"": ""user2@reltio.com""}"`
This example shows the response returned for the request example above in JSON format.	`[ { "timestamp": "2023-09-27T11:17:15.254907Z", "ipAddress": [ "10.0.0.1" ], "userName": "userB", "eventName": "LOGIN", "eventDetail": [ { "grant_type": "password" } ] }, { "timestamp": "2023-09-27T11:17:13.995740Z", "ipAddress": [ "10.0.0.1" ], "userName": "userB", "eventName": "LOGIN_SSO" }, { "timestamp": "2023-09-27T11:17:13.995740Z", "ipAddress": [ "10.0.0.1" ], "userName": "userB", "eventName": "LOGOUT" } ]`

"timestamp","originIP","username","eventName","eventObject","eventDetails"
"2023-09-03T12:05:00Z","13.15.12.52","user1@reltio.com","LOGIN","user1","grantType: password"
"2023-09-03T12:07:00Z","13.15.12.53","user2@reltio.com","USER_CREATED","user2","userDefinition: {""firstName"": ""Jane"", ""lastName"": ""Doe"", ""email"": ""user2@reltio.com""}"

This example shows the response returned for the request example above in JSON format.

[
    {
        "timestamp": "2023-09-27T11:17:15.254907Z",
        "ipAddress": [
            "10.0.0.1"
        ],
        "userName": "userB",
        "eventName": "LOGIN",
        "eventDetail": [
            {
                "grant_type": "password"
            }
        ]
    },
    {
        "timestamp": "2023-09-27T11:17:13.995740Z",
        "ipAddress": [
            "10.0.0.1"
        ],
        "userName": "userB",
        "eventName": "LOGIN_SSO"
    },
    {
        "timestamp": "2023-09-27T11:17:13.995740Z",
        "ipAddress": [
            "10.0.0.1"
        ],
        "userName": "userB",
        "eventName": "LOGOUT"
    }
]

Accelerate the Value of Data

Export security audit log reports

Request

Response

Examples

Footer