--- title: Get the audit events for a Poll subscription description: Using a script or a client, you can configure a scheduled retrieval of the audit events accumulated for a poll subscription. component: pingoneforenterprise page_id: pingoneforenterprise:pingone_for_enterprise:p14e_get_audit_events_poll_subscription canonical_url: https://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise/p14e_get_audit_events_poll_subscription.html revdate: April 29, 2024 section_ids: about-this-task: About this task steps: Steps example: Example: --- # Get the audit events for a Poll subscription Using a script or a client, you can configure a scheduled retrieval of the audit events accumulated for a poll subscription. ## About this task The audit events are kept for seven days and then discarded. You can assign an Audit & Report Administrator to manage subscriptions for audit events. For more information, see [Assign administrative roles](p14e_assign_administrative_roles.html) or [Assign administrators](../pingone_sso_for_saas_apps/p14saas_assign_administrators.html). These instructions use `cURL` to illustrate audit event retrieval. ## Steps 1. From the Dashboard, click **Reporting > Subscriptions**. 2. Select the poll subscription you want and click the expand icon on the right to display the details. 3. Copy the **Poll URL** by clicking the displayed URL. This URL contains both your account ID and the poll subscription ID. For example, in this URL: ``` https://admin-api.pingone.com/v3/reports/5733a0b1-ff99-4e59-95e6-58c14831xxxx/poll-subscriptions/8ae7c229-5198-40ae-bb68-b67bb46exxxx/events ``` The value that follows "reports/" (in this case, "5733a0b1-ff99-4e59-95e6-58c14831xxxx") is the account ID. The value that follows "poll-subscriptions" is the poll subscription ID (in this case, "8ae7c229-5198-40ae-bb68-b67bb46exxxx"). You will use the account ID and poll-subscription ID displayed to retrieve the audit events. 1. Create the `cURL` command to retrieve the audit events. 1. Generate an OAuth token using your API client ID and secret: ```shell curl -X POST -d "grant_type=client_credentials&client_id=&client_secret=" https://admin-api.pingone.com/latest/as/token.oauth2 ``` | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | To obtain your API client ID and secret, go to **Dashboard > Reporting > API Clients** and expand any existing client to see the **Client ID** and **Client Secret** values.If you don't have an existing client, you can generate a new one in order to obtain the client ID and secret. For more information, see [Creating an Admin-API client](p14e_creating_admin_api_client.html). | 2. Use the generated token to retrieve events: ``` curl -H "Authorization: Bearer [.varname]____" https://admin-api.pingone.com/v3/reports/[.varname]____/poll-subscriptions/[.varname]____/events ``` The `accountID` is the account ID for your PingOne for Enterprise account. The `id` is the `id` for the Poll subscription. You can find both in the **Poll URL**. | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | If you are using an admin user to retrieve events, use HTTP Basic authentication with the admin's username and password as shown below. However, we recommend using the OAuth client method.```shell curl -X GET --user : "https://admin-api.pingone.com/v3/reports//poll-subscriptions//events" ```The `username` and `password` are the credentials for the admin user. | 1. Run the `cURL` request from the command line. The audit events returned in the response will be similar to the following: ### Example: ``` [ { "source": "ADMINISTRATOR_LOGIN", "id": "06cb28fa-3d9c-11e8-9341-0e6804xxxxxx", "recorded": "2018-11-04T15:21:37.295Z", "action": { "type": "Password" }, "actors": [ { "type": "user", "name": "jdoenut@pingidentity.com", "id": null } ], "resources": [ ], "client": { "id": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36", "ipAddress": "192.168.10.1" }, "result": { "status": "SUCCESS", "message": "Password" } }, { "source": "ADMINISTRATOR_LOGIN", "id": "c25191cd-3f27-11e8-be81-0e3810xxxxxx", "recorded": "2018-13-04T14:34:23.119Z", "action": { "type": "Password" }, "actors": [ { "type": "user", "name": "jdoenut@pingidentity.com", "id": null } ], "resources": [ ], "client": { "id": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36", "ipAddress": "192.168.10.1" }, "result": { "status": "SUCCESS", "message": "Password" } } ] ``` | Parameter | Description | | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `source` | The report type that's the source of this audit event. See [PingOne for Enterprise report types](p14e_report_types.html) for descriptions of the report types. | | `id` | The UUID of the audit event. | | `recorded` | The date that the audit event was recorded.The date format for audit events is: YYYY-DD-MM'T'HH:mm:ss.SSS'Z. | | `action` | The action associated with the audit event. The action is described by:- type The type of action performed or submitted. | | `actors` | Identifies the actor associated with the audit event. The actor is described by:- type The type of actor. - name The identifier used to uniquely name the actor. - id The ID associated with the actor. This may be null. | | `resources` | The resources (if any) accessed by the actor for the audit event. | | `client` | Identifies the client used by the actor during the audit event. The client is described by:- id The information used to identify the client. - ipAddress The IP address assigned to the client. | | `result` | Identifies the result of the action associated with the audit event. The result is described by:- status The resulting status of the action associated with the audit event. - message A message associated with the result status for the audit event. |