How do I export Audit Log data via the Web API?

To export Audit Log data via the Spirion Web API, you use the platform's RESTful endpoints for reporting and system oversight.

These endpoints let you programmatically retrieve administrative events for ingestion into a SIEM (such as Splunk) or a data warehouse.

1. Prerequisites

Before you can make API calls, ensure the following are configured in your Spirion Console:

  • Enable Web API: Go to Console Administration > Web Application Settings and ensure "Enable Web API" is checked.
  • Authentication: You will need a valid API Key or Bearer Token. This is usually generated within the Users & Roles or API Settings section of the console.
  • Permissions: The user account associated with the API key must have the "View Audit Log" permission assigned to its role.

2. The API Endpoint

While specific URLs can vary based on your tenant and version, the standard endpoint for retrieving audit events follows this pattern:

GET https://[your-tenant].spirion.com/api/v1/auditlogs

3. Common Query Parameters

To make your export efficient and avoid overwhelming your system, use query parameters to filter the data:

  • startDate / endDate: Filter events within a specific time range (e.g., ?startDate=2023-10-01T00:00:00Z).
  • limit: Control the number of records returned per request (e.g., ?limit=1000).
  • offset: Used for pagination to retrieve the next set of records.
  • userId: Filter actions taken by a specific administrator.
  • actionType: Filter for specific events like Login, CreatePolicy, or DeleteTarget.

4. Example Request (cURL)

curl -X GET "https://your-tenant.spirion.com/api/v1/auditlogs?limit=500" \
-H "Authorization: Bearer [YOUR_API_TOKEN]" \
-H "Content-Type: application/json"

5. Handling the Response

The API returns a JSON object containing an array of audit events.

Each audit event typically includes the following:

  • id: Unique identifier for the audit entry.
  • timestamp: When the action occurred (UTC).
  • user: The name or ID of the person/service that performed the action.
  • action: The type of action (e.g., "Update").
  • objectType: The system component affected (e.g., "Playbook").
  • details: A description of what specifically changed.

Recommendations for Automation

  • Use Pagination: If you have a large environment, don't try to pull all logs in one call. Use the limit and offset parameters to loop through the data in chunks.
  • Implement "Last Seen" Logic: To avoid duplicate data in your SIEM, store the timestamp of the last record you successfully exported. In your next API call, set the startDate to that timestamp.
  • Secure Your Token: Treat your API Bearer Token as a highly privileged credential. Do not hardcode it in scripts; use a secure vault or environment variables.
  • Monitor API Health: Check the Audit Log itself (ironically) to see if your API integration is successfully logging in or if it is generating "Unauthorized" errors.
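The following script is an added example, not Spirion's own code or documentation, that puts the "Use Pagination" and "Last Seen" recommendations above into practice against the GET /api/v1/auditlogs endpoint and the query parameters and event fields listed on this page. It assumes (these are not stated on the page) that the response body wraps the array under an "events" key, that startDate is inclusive, that the last page returns fewer than limit records, and that the token is supplied in an environment variable named SPIRION_API_TOKEN. The HTTP transport is injected so the script also runs offline against constructed sample events, which is how the checkpoint and overlap handling can be exercised without a tenant.

```python
"""Paginated Spirion audit-log export with a "last seen" checkpoint.

Added example, not Spirion's code. Assumptions: response envelope key
"events", inclusive startDate, final page shorter than `limit`, and the
token in the SPIRION_API_TOKEN environment variable.
"""
import json
import os
import urllib.parse
import urllib.request

EVENTS_KEY = "events"  # assumed name of the array in the JSON response


def http_get(url, token):
    """Production transport: bearer-token GET using only the standard library.
    A 401/403 surfaces as urllib.error.HTTPError for the caller to log."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def export_audit_logs(get, base_url, token, checkpoint=None, limit=1000,
                      seen_ids=frozenset()):
    """Fetch every event newer than `checkpoint` in pages of `limit`.

    `get(url, token)` is the transport (http_get in production, fake_get in
    the offline run). Returns (events, new_checkpoint, boundary_ids).
    Setting startDate to the last exported timestamp (inclusive) re-returns
    any record sharing that timestamp, so ids on the checkpoint boundary are
    carried over in `seen_ids` and skipped; that is what stops duplicates
    from reaching the SIEM.
    """
    events, offset = [], 0
    while True:
        params = {"limit": limit, "offset": offset}
        if checkpoint:
            params["startDate"] = checkpoint
        url = f"{base_url}/api/v1/auditlogs?{urllib.parse.urlencode(params)}"
        page = get(url, token).get(EVENTS_KEY, [])
        events.extend(ev for ev in page if ev["id"] not in seen_ids)
        if len(page) < limit:  # short page => no more records
            break
        offset += limit

    # Timestamps are fixed-format UTC ISO 8601 strings, so string comparison
    # orders them correctly.
    new_checkpoint = max((ev["timestamp"] for ev in events), default=checkpoint)
    boundary = {ev["id"] for ev in events if ev["timestamp"] == new_checkpoint}
    if new_checkpoint == checkpoint:  # nothing newer: keep the old boundary
        boundary |= set(seen_ids)
    return events, new_checkpoint, frozenset(boundary)


# Constructed sample data in the field shape listed on the page; not real
# Spirion output.
SAMPLE_EVENTS = [
    {"id": "a1", "timestamp": "2023-10-01T08:00:00Z", "user": "admin",
     "action": "Login", "objectType": "Session", "details": "Console login"},
    {"id": "a2", "timestamp": "2023-10-01T09:15:00Z", "user": "admin",
     "action": "Update", "objectType": "Playbook", "details": "Changed schedule"},
    {"id": "a3", "timestamp": "2023-10-01T09:15:00Z", "user": "svc-siem",
     "action": "Login", "objectType": "Session", "details": "API login"},
    {"id": "a4", "timestamp": "2023-10-02T10:30:00Z", "user": "admin",
     "action": "DeleteTarget", "objectType": "Target", "details": "Removed host"},
    {"id": "a5", "timestamp": "2023-10-02T11:00:00Z", "user": "admin",
     "action": "CreatePolicy", "objectType": "Policy", "details": "New PCI policy"},
]


def fake_get(url, token):
    """Offline stand-in for http_get: serves SAMPLE_EVENTS with the assumed
    startDate/limit/offset semantics and rejects a wrong token like a 401."""
    if token != "test-token":
        raise PermissionError("401 Unauthorized")
    q = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    start = q.get("startDate", [""])[0]
    limit, offset = int(q["limit"][0]), int(q["offset"][0])
    matching = [ev for ev in SAMPLE_EVENTS if ev["timestamp"] >= start]
    return {EVENTS_KEY: matching[offset:offset + limit]}


if __name__ == "__main__":
    token = os.environ.get("SPIRION_API_TOKEN")  # variable name is an assumption
    transport = http_get if token else fake_get
    evs, cp, _ = export_audit_logs(transport, "https://your-tenant.spirion.com",
                                   token or "test-token", limit=2)
    print(f"exported {len(evs)} events; checkpoint is now {cp}")
```

Persist the returned checkpoint and boundary ids (a small JSON file or your scheduler's state store) between runs and pass them back in; the boundary set only ever holds the ids sitting on the latest timestamp, so it stays tiny regardless of environment size.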

Summary

Exporting Audit Log data via the Web API is the most robust way to ensure your Spirion administrative activity is integrated into your broader security and compliance ecosystem. By using the GET /auditlogs endpoint with proper filtering and pagination, you can maintain a continuous, automated audit trail.