Get the audit events for a Poll subscription
Using a script or a client, you can configure a scheduled retrieval of the audit events accumulated for a poll subscription.
About this task
The audit events are kept for seven days and then discarded.
You can assign an Audit & Report Administrator to manage subscriptions for audit events. For more information, see Assign administrative roles or Assign administrators.
These instructions use cURL
to illustrate audit event retrieval.
Steps
-
From the Dashboard, click Reporting → Subscriptions.
-
Select the poll subscription you want and click the expand icon on the right to display the details.
-
Copy the Poll URL by clicking the displayed URL.
This URL contains both your account ID and the poll subscription ID. For example, in this URL:
https://admin-api.pingone.com/v3/reports/5733a0b1-ff99-4e59-95e6-58c14831xxxx/poll-subscriptions/8ae7c229-5198-40ae-bb68-b67bb46exxxx/events
The value that follows "reports/" (in this case, "5733a0b1-ff99-4e59-95e6-58c14831xxxx") is the account ID. The value that follows "poll-subscriptions" is the poll subscription ID (in this case, "8ae7c229-5198-40ae-bb68-b67bb46exxxx").
You will use the account ID and poll-subscription ID displayed to retrieve the audit events.
-
Create the
cURL
command to retrieve the audit events.-
Generate an OAuth token using your API client ID and secret:
curl -X POST -d "grant_type=client_credentials&client_id=<clientid>&client_secret=<secret>" https://admin-api.pingone.com/latest/as/token.oauth2
To obtain your API client ID and secret, go to Dashboard → Reporting → API Clients and expand any existing client to see the Client ID and Client Secret values.
If you don’t have an existing client, you can generate a new one in order to obtain the client ID and secret. For more information, see Creating an Admin-API client.
-
Use the generated token to retrieve events:
curl -H "Authorization: Bearer <OAuth token>" https://admin-api.pingone.com/v3/reports/<accountId>/poll-subscriptions/<id>/events
The
accountID
is the account ID for your PingOne for Enterprise account. Theid
is theid
for the Poll subscription. You can find both in the Poll URL.If you are using an admin user to retrieve events, use HTTP Basic authentication with the admin’s username and password as shown below. However, we recommend using the OAuth client method.
curl -X GET --user <username>:<password> "https://admin-api.pingone.com/v3/reports/<accountId>/poll-subscriptions/<id>/events"
The
username
andpassword
are the credentials for the admin user.
-
-
Run the
cURL
request from the command line.The audit events returned in the response will be similar to the following:
Example:
[ { "source": "ADMINISTRATOR_LOGIN", "id": "06cb28fa-3d9c-11e8-9341-0e6804xxxxxx", "recorded": "2018-11-04T15:21:37.295Z", "action": { "type": "Password" }, "actors": [ { "type": "user", "name": "jdoenut@pingidentity.com", "id": null } ], "resources": [ ], "client": { "id": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36", "ipAddress": "192.168.10.1" }, "result": { "status": "SUCCESS", "message": "Password" } }, { "source": "ADMINISTRATOR_LOGIN", "id": "c25191cd-3f27-11e8-be81-0e3810xxxxxx", "recorded": "2018-13-04T14:34:23.119Z", "action": { "type": "Password" }, "actors": [ { "type": "user", "name": "jdoenut@pingidentity.com", "id": null } ], "resources": [ ], "client": { "id": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36", "ipAddress": "192.168.10.1" }, "result": { "status": "SUCCESS", "message": "Password" } } ]
Parameter Description source
The report type that is the source of this audit event. See PingOne for Enterprise report types for descriptions of the report types.
id
The UUID of the audit event.
recorded
The date that the audit event was recorded.
The date format for audit events is: YYYY-DD-MM’T’HH:mm:ss.SSS’Z.
action
The action associated with the audit event. The action is described by:
- type
-
The type of action performed or submitted.
actors
Identifies the actor associated with the audit event. The actor is described by:
- type
-
The type of actor.
- name
-
The identifier used to uniquely name the actor.
- id
-
The ID associated with the actor. This may be null.
resources
The resources (if any) accessed by the actor for the audit event.
client
Identifies the client used by the actor during the audit event. The client is described by:
- id
-
The information used to identify the client.
- ipAddress
-
The IP address assigned to the client.
result
Identifies the result of the action associated with the audit event. The result is described by:
- status
-
The resulting status of the action associated with the audit event.
- message
-
A message associated with the result status for the audit event.