GET Audit

The GET /Audit method returns a list of all audit entries. Query parameters enable filtering using defined criteria, control over pagination by specifying the page number and return limit, and customization of sorting based on specified fields and order. This method returns HTTP 200 OK on a success with audit log details.

Tip: The following permissions (see Security Roles and Claims) are required to use this feature:

/auditing/read/

Table 285: GET Audit Input Parameters

Name	In	Description
QueryString	Query	A string containing a query to limit the results (e.g., field1 -eq value1 AND field2 -gt value2). The default is to return all records. Fields available for querying through the API for the most part match those that appear in the Keyfactor Command Management Portal search dropdowns for the same feature. For querying guidelines, refer to: Using the Audit Log Search Feature. The query fields supported for this endpoint are: Name (EntityIdentifier) Category (EntityType) (see Table 286: GET Audit Response Data for codes) ImmutableIdentifier Level (see Table 286: GET Audit Response Data for codes) Operation (see Table 286: GET Audit Response Data for codes) PropertyChanged Timestamp ActingUser Tip: To do a query by category, use the subcategory string (see Category in the response data). For example: category -contains "Agent"
PageReturned	Query	An integer that specifies how many multiples of the returnLimit to skip and offset by before returning results, to enable paging. The default is 1.
ReturnLimit	Query	An integer that specifies how many results to return per page. The default is 50. Very large values can result in long processing time.
SortField	Query	A string containing the property by which the results should be sorted. Fields available for sorting through the API include: Category ImmutableIdentifier Level Operation Timestamp Available sort fields are affected by the query provided in QueryString. The default sort field is Id.
SortAscending	Query	An integer that sets the sort order on the returned results. A value of 0 sorts results in ascending order while a value of 1 sorts results in descending order. The default is ascending.

Table 286: GET Audit Response Data

Name

Description

The ID of the specified audit log entry.

TimeStamp

The timestamp (UTC) on the audit log entry indicating when the action performed occurred.

Message

XML data on the audit event. Also known as the XMLMessage in some interfaces.

Signature

The signature on the audit entry.

Category

An integer identifying the category of the audit entry. Show audit categories.

Value	Category	Description
2001	Certificate (including Certificate Request and Certificate Scheduled Replacement)	Tracks creation and lifecycle events for certificates, including pending certificate requests.
2002	API Application	Logs events for legacy API requests (Classic API). Note: This audit category has been deprecated and is no longer being generated.
2003	Template	Records changes to certificate template configuration.
2004	Certificate Collection (including Certificate Query)	Captures activity related to creation and modification of certificate collections.
2005	Expiration Alert (including Expiration Alert Definition and Expiration Alert Definition Context Model)	Logs creation, modification, and deletion of certificate legacy expiration alerts.
2006	Pending Alert (including Pending Alert Definition and Pending Alert Definition Context Model)	Tracks creation, modification and triggering of legacy alerts for certificates pending approval for issuance.
2007	Application Setting	Records changes to application (configuration) settings.
2008	Issued Alert (including Issued Alert Definition Context Model)	Captures creation, modification, and deletion of legacy alerts generated when certificates are successfully issued.
2009	Denied Alert (including Denied Alert Definition Context Model)	Logs creation, modification, and deletion of legacy alerts generated when certificate requests are denied.
2010	Security Identity (including AD Identity Model)	Tracks creation and modification of user and service identities. Note: This audit category has been deprecated and is no longer being generated.
2011	Security Role	Records creation, modification, or deletion of security roles.
2012	Authorization Failure	Logs failed authorization attempts.
2013	CSR (including Certificate Signing Request)	Captures events related to creation of certificate signing requests.
2014	Server Group	Records creation and management of SSH server groups managed with the Keyfactor Bash Orchestrator.
2015	Server	Tracks registration, configuration, and status changes for Keyfactor Bash Orchestrator servers.
2016	SSH Key (including Key and Discovered Key)	Logs discovery or management of SSH keys, including rogue key detection for logons.
2017	SSH Service Account (including Service Account)	Tracks configuration and updates to SSH service accounts.
2018	SSH Logon (including Logon)	Captures SSH logons managed with the Keyfactor Bash Orchestrator.
2019	SSH User	Logs management of SSH user identities.
2020	Key Rotation Alert (including Key Rotation Alert Definition Context Model)	Tracks creation, modification, and deletion of key rotation alerts.
2021	Certificate Store	Logs creation, modification, and deletion of certificate stores.
2022	Orchestrator Job Type (including Job Type)	Records definition or modification of custom orchestrator job types.
2023	Orchestrator Job (including Agent Schedule)	Captures scheduling details for custom orchestrator jobs.
2024	Bulk Orchestrator Job	Logs creation and execution of bulk custom orchestrator job operations.
2025	Certificate Store Container	Tracks activity for containers associated with certificate stores (see Applications). Note: This audit category has been deprecated and is no longer being generated.
2026	Orchestrator (including Agent)	Records approval and disapproval events for orchestrators.
2027	Monitoring (including Revocation Monitoring)	Captures creation, modification, and deletion of revocation monitoring alerts.
2028	License	Logs license validation, activation, or configuration changes.
2029	Workflow Definition	Records creation and updates to workflow definitions.
2030	Workflow Instance	Tracks execution and status changes for workflow instances.
2031	Workflow Signal (including Workflow Instance Signal)	Logs signal events associated with workflow instances.
2032	Identity Provider	Captures configuration or state changes for identity providers.
2033	Claim Definition (including Role Claim Definition)	Records creation and modification of claim definitions.
2034	Permission Set	Logs updates to permission sets and assigned permissions.
2035	Enrollment Pattern	Tracks creation, modification, or deletion of enrollment patterns.
2036	SMTP (including SMTP Audit)	Captures configuration or authentication updates for SMTP settings.
2037	Application	Records events related to general configuration and management of certificate store applications (formerly known as containers).

Tip: To do a query by category, use the subcategory string. For example, the following query would return audit records for categories 2023, 2024, and 2026 since they all contain “Agent" in the subcategory:

category -contains "Agent"

Operation

An integer identifying the operation of the audit entry. Show audit operations.

Value	Description
1	Created
2	Updated
3	Deleted
4	Approved
5	Denied
6	Revoked
7	Downloaded
8	Deleted Private Key
9	Renewed
10	Encountered
11	Scheduled Replacement
12	Recovered
13	Imported
14	Removed from Hold
15	Scheduled Add
16	Scheduled Removal
17	Download with Private Key
18	Scheduled
19	Reset
20	Disapproved
21	Restarted
22	Sent
23	Failed
24	Completed
25	Rejected
26	Revoked from Revoke All Operation
27	Login
28	Logout

Level

An integer indicating the alert level of the audit log entry. Show audit levels.

Value	Description
0	Information
1	Warning
2	Failure

User

The user who performed the audit event in DOMAIN\username format.

EntityType

The category of the object being audited (e.g., Template, Certificate).

AuditIdentifier

An identifier of the object being audited (e.g., the template name for a template, the CN for a certificate). It is important to note that this is a value that is typically used for easy identification of an object, but is not necessarily unique, and is subject to change.

ImmutableIdentifier

The fixed ID of the auditable event in the Keyfactor database.

Tip: See the Keyfactor API Reference and Utility which provides a utility through which the Keyfactor API

An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. endpoints can be called and results returned. It is intended to be used primarily for validation, testing and workflow

A workflow is a series of steps necessary to complete a process. In Keyfactor Command, it refers to the workflow builder, which allows you to automate event-driven tasks such as when a certificate is requested, revoked or found in a certificate store. development. It also serves secondarily as documentation for the API. The link to the Keyfactor API Reference and Utility is in the dropdown from the help icon (

) at the bottom of the Management Portal side menu.

Was this page helpful? Provide Feedback

Version v25.5

On this page: