Cloud Administration Event Log API
The Cloud Administration Event Log API is a REST-based web services interface that allows administration audit log events to be retrieved from Cloud Access Service (CAS). You can use this REST API to download to a Cloud Administration Event Log API client sofware. For example, you can import the audit log events into your security information and event management (SIEM) solution, such as NetWitness, you can write your own custom Administration Event Log API client software, or use the Java or Python utilities or curl commands in the Admin Rest API package on the RSA Downloads page (RSA Community login is required).
Events are retrieved in chronological order in batches, and do not contain duplicates. They can be filtered by date range. All admin events are retained in CAS for 90 days and then purged, so events from the last 90 days are available for download using this API.
For information on audit log messages that describe Helpdesk Administrator and Super Administrator activities, see Administration Log Messages for Cloud Access Service (80001 - 81402).
For information on downloading audit log messages that describe user activities, see Cloud Administration User Event Log API.
For information about managing access to this API, see Accessing the Cloud Administration APIs.
Authentication
Admin Event Log API requests require an HTTP Authorization header with a bearer token to authenticate to CAS. The bearer token must be created as described in Authentication for the Cloud Administration APIs.
Software Developer Kit
You can download the API Software Developer Kit (SDK) as the RSA SecurID Access Administration REST API. It is available from the RSA ID Plus Downloads page (RSA Community login is required).
Request Requirements
Use the following method, request URL, body response, response body type, and response codes to retrieve administration events from CAS and deliver them to your API client.
| Method | Request URL | Response Body | Response Body Type | Response Codes |
|---|---|---|---|---|
| GET | /AdminInterface/restapi/v1/adminlog/exportlogs | Metadata plus array of Admin log events | application/json | 200, 400, 403, 429 |
Request Parameters
The Administration Log Event API allows the following optional parameters.
Note: The request query parameter values may contain reserve characters that need to be URL encoded. Otherwise, the server may send a 400 Bad Request error. For example, the ISO 8601 Date and Time format may contain the + character if the specific time zone has an offset from UTC, such as+05:30. The + character needs to be encoded as %2B.
| Name | Description | Type | Default Value | Example |
|---|---|---|---|---|
| startTimeAfter | Start time of log events. | ISO 8601 Date Time | Current time - 1 day | 2018-05-01T11:22:12.828-05:30 |
| endTimeOnOrBefore | End time of log events. | ISO 8601 Date Time | Current time | 2018-05-09T21:06:33.125-05:30 |
| pageNumber | The pageNumber parameter will be validated when it exceeds the application's maximum limit of 10,737,417. If this limit is crossed, the system returns an HTTP 400 response. | Integer | 0 | 5 |
| pageSize | Number of records to return in a page (or batch). Value between 1-100. Any value specified outside of this range will be treated as 100. | Integer | 100 | 50 |
Request Examples
The following example displays a REST API request with no parameters.
GET /AdminInterface/restapi/v1/adminlog/exportlogs
Accept: application/json
Authorization: Bearer <bearer token>
The following example shows a REST API request with a specified start time.
GET /AdminInterface/restapi/v1/adminlog/exportlogs?startTimeAfter=2018-05-01T11:22:12.828-05:30
Accept: application/json
Authorization: Bearer <bearer token>
Responses
The following table shows response metadata.
| Parameter | Description | Type |
|---|---|---|
| totalPages | Total number of pages (or batches) of results. | Integer |
| totalElements | Total number of results | Integer |
| pageSize | Number of results returned in a page (or batch) | Integer |
| currentpage | Page number associated with the results returned in the response. Pages are numbered from 0 to (totalPages - 1). | Integer |
The following example shows sample response metadata with 684 total results and a default page size of 100.
{
"totalPages": 7,
"totalElements": 684,
"pageSize": 100,
"currentPage":0,
"elements": [
{
......
}
]
}
The following table shows API response data.
| Parameter | Description | Type |
|---|---|---|
| eventId | Identifies the event. | String |
| eventLogDate | Date and time of the log event, in UTC timezone. Example: 2025-08-05T06:32:08.544Z UTC | ISO 8601 Date Time |
| eventType | Always set to Administration. | String |
| serverURL | The Administration Server URL. The value will always be the same for a CAS account. Example: https://<tenantName>.<baseAccessDNSname>.securid.com/AdminInterface/ | String |
| serverIPAddress | IP address of CAS. | IP Address |
| application | Always set to RSA SecurID Access | String |
| customerId | RSA's unique numeric identifier for the CAS account that returned the Admin events | Integer |
| customerName | Company name, as specified in Company Settings. | String |
| sourceIPAddress | IP address used by the Administrator when they performed the operation. | IP Address |
| adminUserName | Email address used by the administrator who performed the operation. | String |
| adminUserRole | Role of the administrator who performed the operation. Values are Super Administrator, Help Desk Administrator, and Support Administrator. | String |
| activityKey | Activity key of the administration operation. See Administration Log Messages. | String |
| activityCode | Unique activity code of the administration operation. See Administration Log Messages. | Integer |
| result | Result of the administration operation. (SUCCESS or FAILURE) | String |
| reasonKey | Reason for failure. | String |
| message | Describes the administration operation. | String |
| requiresPublish | Administration operation requires a publish. Values are true or false. | Boolean |
targetObject1Id targetObject1Name targetObject1Type targetObject2Id targetObject2Name targetObject2Type | Identifies the target object of the administrative activity. Examples of administrative activity are ADD_POLICY and DELETE_POLICY. Some events such as Signing and Publishing do does not have a target object. | String |
Example Response
{
"totalPages": 1,
"totalElements": 2,
"pageSize": 100,
"currentPage":0,
"elements": [
{
"eventId": 767,
"eventLogDate": "2018-05-13T16:29:59.000 UTC",
"eventType": "Administration",
"serverURL": "https://mycompany.access..securid.com/AdminInterface/",
"serverIPAddress": "191.237.22.167",
"application": "SecurID Access",
"customerId": 3,
"customerName": "mycompanyname",
"sourceIPAddress": "1.2.3.4",
"adminUserName": "admin@mycompany.com",
"adminUserRole": "Super Administrator",
"activityKey": "SIGNIN_SUCCESS",
"activityCode": 80001,
"result": "SUCCESS",
"reasonKey": "",
"message": "admin@mycompany.com successfully signed in",
"requiresPublish": false
"targetObject1Id": null,
"targetObject1Name": null,
"targetObject1Type": null,
"targetObject2Id": null,
"targetObject2Name": null,
"targetObject2Type": null
},
{
"eventId": 768,
"eventLogDate": "2018-05-13T16:32:09.000 UTC",
"eventType": "Administration",
"serverURL": "https://mycompany.access..securid.com/AdminInterface/",
"serverIPAddress": "191.237.22.167", ,
"application": "SecurID Access",
"customerId": 3,
"customerName": "mycompanyname",
"sourceIPAddress": "1.2.3.4",
"adminUserName": "admin@mycompany.com",
"adminUserRole: "Super Administrator",
"activityKey": "ADD_ADMIN_API_KEY",
"activityCode": 80400,
"result": "SUCCESS",
"reasonKey": "",
"message": "admin@mycompany.com added an
Admin API Key 139f6495-e447-4a26-a765-5c01b6152d5",
"requiresPublish": false,
"targetObject1Id": 18,
"targetObject1Name": "139f6495-e447-4a26-a765-5c01b6b152d5",
"targetObject1Type": "ADMIN_API_KEY",
"targetObject2Id": null,
"targetObject2Name": null,
"targetObject2Type": null
}
]
}
Refer to the following table for baseAccessDNSName.
| Deployment | baseAccessDNSName |
|---|---|
| US | access |
| GOV | access |
| ANZ | access-anz |
| EMEA | access-eu |
| India | access-in |
| Japan | access-jp |
| Canada | access-ca |
| Singapore | access-sg |
Related Articles
Change the display pictures of the software token profiles on RSA Authentication Manager 8.x Security and Self-Service con… Number of Views Manage OAuth API Clients Number of Views Zimbra integration with RSA Via Access Number of Views In the General Settings associations page clicking reset creates System Internal Error Number of Views Cloud Administration Generate and Download Report APIs Number of Views
Trending Articles
RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA Authentication Manager 8.9 Release Notes (January 2026) RSA Release Notes for RSA Authentication Manager 8.8 RSA announces End of Life EOL dates for RSA MyAccessLive Service RSA Authentication Manager 8.9 Administrator's Guide
