GET Audit

The GET /Audit method returns a list of all audit entries. This method returns HTTP 200 OK on a success with audit log details.

Tip:  The following permissions (see Security Overview) are required to use this feature:

Auditing: Read

Table 182: GET Audit Input Parameters

Name In Description
queryString Query

A string containing a query to limit the results (e.g. field1 -eq value1 AND field2 -gt value2). The default is to return all records. Fields available for querying through the APIClosed A set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. for the most part match those that appear in the Keyfactor Command Management Portal search dropdowns for the same feature. For querying guidelines, refer to the Keyfactor Command Reference GuideUsing the Audit Log Search Feature. The query fields supported for this endpointClosed An endpoint is a URL that enables the API to gain access to resources on a server. are:

Tip:  To do a query by category, use the subcategory string (see Category in the response data). For example:
category -contains "Agent"
pageReturned Query An integer that specifies how many multiples of the returnLimit to skip and offset by before returning results, to enable paging. The default is 1.
returnLimit Query An integer that specifies how many results to return per page. The default is 50.
sortField Query A string containing the property by which the results should be sorted. Fields available for sorting through the API for the most part match those that appear as sortable columns in the Keyfactor Command Management Portal. The default sort field is Id.
sortAscending Query An integer that sets the sort order on the returned results. A value of 0 sorts results in ascending order while a value of 1 sorts results in descending order. The default is ascending.

Table 183: GET Audit Response Data

Name Description
Id The ID of the specified audit log entry.
TimeStamp The timestamp (UTC) on the audit log entry indicating when the action performed occurred.
Message XML data on the audit event.
Signature The signature on the audit entry.
Category

An integer identifying the category of the audit entry. ClosedShow audit categories.

Value

 Subcategory Name

Description

2001

 Certificate

Certificate

2001

 AuditingCertificateScheduledReplacement

Auditing Certificate Scheduled Replacement

2001

 AuditingCertificateRequest

Certificate Request

2002

 ApiApplication

API Application

2003

 TemplateClosed A certificate template defines the policies and rules that a CA uses when a request for a certificate is received.

Template

2004

 CertificateQuery

Certificate CollectionClosed The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be availble in other places in the Management Portal (e.g. expiration alerts and certain reports)./Query

2005

 ExpirationAlert

Expiration Alert

2005

 ExpirationAlertDefinitionContextModel

Expiration Alert

2006

 PendingAlert

Pending Alert

2006

 PendingAlertDefinitionContextModel

Pending Alert

2007

 ApplicationSetting

Application Setting

2008

 IssuedAlert

Issued Alert

2008

 IssuedAlertDefinitionContextModel

Issued Alert

2009

 DeniedAlert

Denied Alert

2009

 DeniedAlertDefinitionContextModel

Denied Alert

2010

 ADIdentityModel

Security Identity

2011

 SecurityRole

Security Role

2012

 AuthorizationFailure

Authorization Failure

2013

 CertificateSigningRequest

CSRClosed A CSR or certificate signing request is a block of encoded text that is submitted to a CA when enrolling for a certificate. When you generate a CSR within Keyfactor Command, the matching private key for it is stored in Keyfactor Command in encrypted format and will be married with the certificate once returned from the CA.

2014

 ServerGroup

SSHClosed The SSH (secure shell) protocol provides for secure connections between computers. It provides several options for authentication, including public key, and protects the communications with strong encryption. Server Group

2015

 Server

SSH Server
2016 DiscoveredKey Rogue KeyClosed A rogue key, in the context of Keyfactor Command, is an SSH public key that appears in an authorized_keys file on a server managed by the SSH orchestrator without authorization. for Logon
2016 Key SSH Key

2017

 ServiceAccount

SSH Service Account

2018

 Logon

SSH Logon

2019

 SshUser

SSH User

2020

 KeyRotationAlertDefinitionContextModel

SSH Key Rotation Alert
2021 CertificateStore Certificate Store
2022 JobType OrchestratorClosed Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. Job Type
2023 AgentSchedule Orchestrator Job
2024 BulkAgentSchedule Bulk Orchestrator Job
2025 CertificateStoreContainer Store Container
2026 Agent Orchestrator
2027 RevocationMonitoring Monitoring
2028 License License
2029 WorkflowDefinition WorkflowClosed A workflow is a series of steps necessary to complete a process. In the context of Keyfactor Command, it refers to the workflow builder, which allows you automate event-driven tasks when a certificate is requested or revoked. Definition
2030 WorkflowInstance Workflow Instance
2031 WorkflowInstanceSignal Workflow Instance Signal
Tip:  To do a query by category, use the subcategory string. For example, the following query would return audit records for categories 2023, 2024, and 2026 since they all contain "Agent" in the subcategory:
category -contains "Agent"
Operations

An integer identifying the operation of the audit entry. ClosedShow audit operations.
Level

The alert level of the audit log entry. ClosedShow audit levels.
User The user who performed the audit event in DOMAIN\username format.
EntityType The category of the object being audited (e.g. Template, Certificate).
AuditIdentifier An identifier of the object being audited (e.g. the template name for a template, the CNClosed A common name (CN) is the component of a distinguished name (DN) that represents the primary name of the object. The value varies depending on the type of object. For a user object, this would be the user's name (e.g. CN=John Smith). For SSL certificates, the CN is typically the fully qualified domain name (FQDN) of the host where the SSL certificate will reside (e.g. servername.keyexample.com or www.keyexample.com). for a certificate). It is important to note that this is a value that is typically used for easy identification of an object, but is not necessarily unique, and is subject to change.
ImmutableIdentifier The fixed ID of the auditable event in the Keyfactor database.