Get the audit events for a Poll subscription - PingOne for Enterprise

Get the audit events for a Poll subscription - PingOne for Enterprise - PingOne SSO for SaaS Apps

PingOne for Enterprise

bundle

pingoneforenterprise

ft:publication_title

PingOne for Enterprise

Product_Version_ce

PingOne for Enterprise

category

Product

pingone

ContentType_ce

Using a script or a client, you can configure a scheduled retrieval of the audit events accumulated for a poll subscription.

The audit events are kept for seven days and then discarded.

You can assign an Audit & Report Administrator to manage subscriptions for audit events. For more information, see Assign administrative roles or Assign administrators.

These instructions use cURL to illustrate audit event retrieval.

From the Dashboard, click Reporting > Subscriptions.
Select the poll subscription you want and click the expand icon on the right to display the details.
Copy the Poll URL by clicking the displayed URL.
This URL contains both your account ID and the poll subscription ID. For example, in this URL:
```
https://admin-api.pingone.com/v3/reports/5733a0b1-ff99-4e59-95e6-58c14831xxxx/poll-subscriptions/8ae7c229-5198-40ae-bb68-b67bb46exxxx/events
```
The value that follows "reports/" (in this case, "5733a0b1-ff99-4e59-95e6-58c14831xxxx") is the account ID. The value that follows "poll-subscriptions" is the poll subscription ID (in this case, "8ae7c229-5198-40ae-bb68-b67bb46exxxx").

You will use the account ID and poll-subscription ID displayed to retrieve the audit events.
Create the cURL command to retrieve the audit events.
1. Generate an OAuth token using your API client ID and secret:
```
curl -X POST -d "grant_type=client_credentials&client_id=<clientid>&client_secret=<secret>" https://admin-api.pingone.com/latest/as/token.oauth2
```
  Note:
  To obtain your API client ID and secret, go to Dashboard > Reporting > API Clients and expand any existing client to see the Client ID and Client Secret values.
  
  If you don't have an existing client, you can generate a new one in order to obtain the client ID and secret. For more information, see Creating an Admin-API client.
2. Use the generated token to retrieve events:
```
curl -H "Authorization: Bearer <OAuth token>" https://admin-api.pingone.com/v3/reports/<accountId>/poll-subscriptions/<id>/events
```
The accountID is the account ID for your account. The id is the id for the Poll subscription. You can find both in the Poll URL.
Note: If you are using an admin user to retrieve events, use HTTP Basic authentication with the admin's username and password as shown below. However, we recommend using the OAuth client method.
```
curl -X GET --user <username>:<password> "https://admin-api.pingone.com/v3/reports/<accountId>/poll-subscriptions/<id>/events"
```
The username and password are the credentials for the admin user.

Run the cURL request from the command line.

The audit events returned in the response will be similar to the following:

[
  {
    "source": "ADMINISTRATOR_LOGIN",
    "id": "06cb28fa-3d9c-11e8-9341-0e6804xxxxxx",
    "recorded": "2018-11-04T15:21:37.295Z",
    "action": {
      "type": "Password"
    },
    "actors": [
      {
        "type": "user",
        "name": "jdoenut@pingidentity.com",
        "id": null
      }
    ],
    "resources": [ ],
    "client": {
      "id": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36",
      "ipAddress": "192.168.10.1"
    },
    "result": {
      "status": "SUCCESS",
      "message": "Password"
    }
  },
  {
    "source": "ADMINISTRATOR_LOGIN",
    "id": "c25191cd-3f27-11e8-be81-0e3810xxxxxx",
    "recorded": "2018-13-04T14:34:23.119Z",
    "action": {
      "type": "Password"
    },
    "actors": [
      {
        "type": "user",
        "name": "jdoenut@pingidentity.com",
        "id": null
      }
    ],
    "resources": [ ],
    "client": {
      "id": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36",
      "ipAddress": "192.168.10.1"
    },
    "result": {
      "status": "SUCCESS",
      "message": "Password"
    }
  }
]

Parameter	Description
source	The report type that is the source of this audit event. See PingOne for Enterprise report types for descriptions of the report types.
id	The UUID of the audit event.
recorded	The date that the audit event was recorded. The date format for audit events is: YYYY-DD-MM'T'HH:mm:ss.SSS'Z.
action	The action associated with the audit event. The action is described by: type The type of action performed or submitted.
actors	Identifies the actor associated with the audit event. The actor is described by: type The type of actor. name The identifier used to uniquely name the actor. id The ID associated with the actor. This may be null.
resources	The resources (if any) accessed by the actor for the audit event.
client	Identifies the client used by the actor during the audit event. The client is described by: id The information used to identify the client. ipAddress The IP address assigned to the client.
result	Identifies the result of the action associated with the audit event. The result is described by: status The resulting status of the action associated with the audit event. message A message associated with the result status for the audit event.