PingOne for Enterprise

Get the audit events for a Poll subscription

Using a script or a client, you can configure a scheduled retrieval of the audit events accumulated for a poll subscription.

About this task

The audit events are kept for seven days and then discarded.

You can assign an Audit & Report Administrator to manage subscriptions for audit events. For more information, see Assign administrative roles or Assign administrators.

These instructions use cURL to illustrate audit event retrieval.

Steps

  1. From the Dashboard, click Reporting → Subscriptions.

  2. Select the poll subscription you want and click the expand icon on the right to display the details.

  3. Copy the Poll URL by clicking the displayed URL.

    This URL contains both your account ID and the poll subscription ID. For example, in this URL:

    https://admin-api.pingone.com/v3/reports/5733a0b1-ff99-4e59-95e6-58c14831xxxx/poll-subscriptions/8ae7c229-5198-40ae-bb68-b67bb46exxxx/events

    The value that follows "reports/" (in this case, "5733a0b1-ff99-4e59-95e6-58c14831xxxx") is the account ID. The value that follows "poll-subscriptions" is the poll subscription ID (in this case, "8ae7c229-5198-40ae-bb68-b67bb46exxxx").

    You will use the account ID and poll-subscription ID displayed to retrieve the audit events.

  4. Create the cURL command to retrieve the audit events.

    1. Generate an OAuth token using your API client ID and secret:

      curl -X POST -d "grant_type=client_credentials&client_id=<clientid>&client_secret=<secret>" https://admin-api.pingone.com/latest/as/token.oauth2

      To obtain your API client ID and secret, go to Dashboard → Reporting → API Clients and expand any existing client to see the Client ID and Client Secret values.

      If you don’t have an existing client, you can generate a new one in order to obtain the client ID and secret. For more information, see Creating an Admin-API client.

    2. Use the generated token to retrieve events:

      curl -H "Authorization: Bearer  <OAuth token>" https://admin-api.pingone.com/v3/reports/<accountId>/poll-subscriptions/<id>/events

      The accountID is the account ID for your PingOne for Enterprise account. The id is the id for the Poll subscription. You can find both in the Poll URL.

      If you are using an admin user to retrieve events, use HTTP Basic authentication with the admin’s username and password as shown below. However, we recommend using the OAuth client method.

      curl -X GET --user  <username>:<password>  "https://admin-api.pingone.com/v3/reports/<accountId>/poll-subscriptions/<id>/events"

      The username and password are the credentials for the admin user.

  5. Run the cURL request from the command line.

    The audit events returned in the response will be similar to the following:

    Example:

    [
      {
        "source": "ADMINISTRATOR_LOGIN",
        "id": "06cb28fa-3d9c-11e8-9341-0e6804xxxxxx",
        "recorded": "2018-11-04T15:21:37.295Z",
        "action": {
          "type": "Password"
        },
        "actors": [
          {
            "type": "user",
            "name": "jdoenut@pingidentity.com",
            "id": null
          }
        ],
        "resources": [ ],
        "client": {
          "id": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36",
          "ipAddress": "192.168.10.1"
        },
        "result": {
          "status": "SUCCESS",
          "message": "Password"
        }
      },
      {
        "source": "ADMINISTRATOR_LOGIN",
        "id": "c25191cd-3f27-11e8-be81-0e3810xxxxxx",
        "recorded": "2018-13-04T14:34:23.119Z",
        "action": {
          "type": "Password"
        },
        "actors": [
          {
            "type": "user",
            "name": "jdoenut@pingidentity.com",
            "id": null
          }
        ],
        "resources": [ ],
        "client": {
          "id": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36",
          "ipAddress": "192.168.10.1"
        },
        "result": {
          "status": "SUCCESS",
          "message": "Password"
        }
      }
    ]
    Parameter Description

    source

    The report type that is the source of this audit event. See PingOne for Enterprise report types for descriptions of the report types.

    id

    The UUID of the audit event.

    recorded

    The date that the audit event was recorded.

    The date format for audit events is: YYYY-DD-MM’T’HH:mm:ss.SSS’Z.

    action

    The action associated with the audit event. The action is described by:

    type

    The type of action performed or submitted.

    actors

    Identifies the actor associated with the audit event. The actor is described by:

    type

    The type of actor.

    name

    The identifier used to uniquely name the actor.

    id

    The ID associated with the actor. This may be null.

    resources

    The resources (if any) accessed by the actor for the audit event.

    client

    Identifies the client used by the actor during the audit event. The client is described by:

    id

    The information used to identify the client.

    ipAddress

    The IP address assigned to the client.

    result

    Identifies the result of the action associated with the audit event. The result is described by:

    status

    The resulting status of the action associated with the audit event.

    message

    A message associated with the result status for the audit event.