GET Audit

The GET /Audit method returns a list of all audit entries. Query parameters enable filtering using defined criteria, control over pagination by specifying the page number and return limit, and customization of sorting based on specified fields and order. This method returns HTTP 200 OK on a success with audit log details.

Tip:  The following permissions (see Security Roles and Claims) are required to use this feature:

/auditing/read/

Table 268: GET Audit Input Parameters

Name In Description
QueryString Query

A string containing a query to limit the results (e.g. field1 -eq value1 AND field2 -gt value2). The default is to return all records. Fields available for querying through the API for the most part match those that appear in the Keyfactor Command Management Portal search dropdowns for the same feature. For querying guidelines, refer to: Using the Audit Log Search Feature. The query fields supported for this endpoint are:

Tip:  To do a query by category, use the subcategory string (see Category in the response data). For example:
category -contains "Agent"
PageReturned Query An integer that specifies how many multiples of the returnLimit to skip and offset by before returning results, to enable paging. The default is 1.
ReturnLimit Query An integer that specifies how many results to return per page. The default is 50. Very large values can result in long processing time.
SortField Query

A string containing the property by which the results should be sorted. Fields available for sorting through the API include:

  • Category

  • ImmutableIdentifier

  • Level

  • Operation

  • Timestamp

Available sort fields are affected by the query provided in QueryString. The default sort field is Id.

SortAscending Query An integer that sets the sort order on the returned results. A value of 0 sorts results in ascending order while a value of 1 sorts results in descending order. The default is ascending.

Table 269: GET Audit Response Data

Name

Description

Id The ID of the specified audit log entry.
TimeStamp The timestamp (UTC) on the audit log entry indicating when the action performed occurred.
Message XML data on the audit event. Also known as the XMLMessage in some interfaces.
Signature The signature on the audit entry.
Category

An integer identifying the category of the audit entry. ClosedShow audit categories.

Value

Subcategory Name

Description

2001

Certificate

Certificate

2001

Auditing Certificate Scheduled Replacement

Auditing Certificate Scheduled Replacement

2001

Auditing Certificate Request

Certificate Request

2002

ApiApplication

API Application

2003

Template

Template

2004

CertificateQuery

Certificate Collection/Query

2005

ExpirationAlert

Expiration Alert

2005

Expiration Alert Definition Context Model

Expiration Alert

2006

PendingAlert

Pending Alert

2006

Pending Alert Definition Context Model

Pending Alert

2007

ApplicationSetting

Application Setting

2008

IssuedAlert

Issued Alert

2008

Issued Alert Definition Context Model

Issued Alert

2009

DeniedAlert

Denied Alert

2009

Denied Alert Definition Context Model

Denied Alert

2010

ADIdentityModel

Security Identity

2011

SecurityRole

Security Role

2012

AuthorizationFailure

Authorization Failure

2013

CertificateSigningRequest

CSR

2014

ServerGroup

SSH Server Group

2015

Server

SSH Server

2016 DiscoveredKey Rogue Key for Logon
2016 Key SSH Key

2017

ServiceAccount

SSH Service Account

2018

Logon

SSH Logon

2019

SshUser

SSH User

2020

Key Rotation Alert Definition Context Model

SSH Key Rotation Alert

2021 CertificateStore Certificate Store
2022 JobType Orchestrator Job Type
2023 AgentSchedule Orchestrator Job
2024 Bulk Agent Schedule Bulk Orchestrator Job
2025 Certificate Store Container Store Container
2026 Agent Orchestrator
2027 Revocation Monitoring Monitoring
2028 License License
2029 WorkflowDefinition Workflow Definition
2030 WorkflowInstance Workflow Instance
2031 WorkflowInstanceSignal Workflow Instance Signal
2032 IdentityProvider Identity Provider
2033 RoleClaimDefinition Claim Definition
2034 PermissionSet Permission Set
2035 EnrollmentPatterns Enrollment Pattern
Tip:  To do a query by category, use the subcategory string. For example, the following query would return audit records for categories 2023, 2024, and 2026 since they all contain “Agent" in the subcategory:
category -contains "Agent"
Operation

An integer identifying the operation of the audit entry. ClosedShow audit operations.

Level

An integer indicating the alert level of the audit log entry. ClosedShow audit levels.

User The user who performed the audit event in DOMAIN\username format.
EntityType The category of the object being audited (e.g. Template, Certificate).
AuditIdentifier An identifier of the object being audited (e.g. the template name for a template, the CN for a certificate). It is important to note that this is a value that is typically used for easy identification of an object, but is not necessarily unique, and is subject to change.
ImmutableIdentifier The fixed ID of the auditable event in the Keyfactor database.
Tip:  See the Keyfactor API Reference and Utility which provides a utility through which the Keyfactor APIClosed An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. endpoints can be called and results returned. It is intended to be used primarily for validation, testing and workflowClosed A workflow is a series of steps necessary to complete a process. In Keyfactor Command, it refers to the workflow builder, which allows you to automate event-driven tasks such as when a certificate is requested, revoked or found in a certificate store. development. It also serves secondarily as documentation for the API. The link to the Keyfactor API Reference and Utility is in the dropdown from the help icon () at the top of the Management Portal page next to the Log Out button.