Cloud Administration Retrieve Authentication Audit Logs API
The Cloud Administration Retrieve Authentication Audit Logs API enables Help Desk administrators to retrieve authentication audit logs for a specific user for the 100 most recent events sorted in descending order by event time. The API filters by event code and specified date range. Pagination is not supported.
For information about managing access to this API, see Accessing the Cloud Administration APIs.
Authentication
Clients calling this API must authenticate themselves by including a JSON Web Token in a request. For instructions on using this token, see Authentication for the Cloud Administration REST APIs.
Software Developer Kit
You can download the API Software Developer Kit (SDK) from Cloud Administration REST API Download.
Request Requirements
Use the following information to retrieve authentication audit logs for a specific user. The <userId> parameter is a unique user identifier that is sent in the response to the User Details API.
| Method | Request URL | Response Content Type | Response Codes |
|---|---|---|---|
| GET |
/AdminInterface/restapi/v1/users/ <userId>/authlogs/ | application/json | 200, 400, 403, 404, 429, 500 |
Resource Identifiers
The following table describes resource identifiers for the Retrieve Authentication Audit Logs API.
Note: The request query parameter values may contain reserve characters that need to be URL encoded. Otherwise, the server may send a 400 Bad Request error. For example, the ISO 8601 Date and Time format may contain the + character if the specific time zone has an offset from UTC, such as+05:30. The + character needs to be encoded as %2B.
| Property | Description | Type |
|---|---|---|
| <userId> | Identifies the user. | String |
| eventCode | (Optional) User event code. Limits results to events with the specified eventCode value. For more information, see Monitor User Events in the Cloud Administration Console. | Integer |
| startTimeAfter | (Optional) Limits results to events that occurred after the specified date. Must be before endTimeOnOrBefore if that is also specified. | ISO 8601 Date Time See https://www.w3.org/TR/NOTE-datetime for information on ISO 8601 format. |
| endTimeOnOrBefore | (Optional) Limits results to events that occurred before or on the specified date. Must be after startTimeAfter if that is also specified. | ISO 8601 Date Time See https://www.w3.org/TR/NOTE-datetime for information on ISO 8601 format.. |
Example Request Data
The following example displays a request.
GET http://localhost:8886/AdminInterface/restapi/v1/users/a780e57f-98e7-4303-9ce4-34afed539928/authlogs?
startTimeAfter=2018-11-08T22:44:00.000Z&endTimeOnOrBefore=2018-11-10T22:44:00.000Z&eventCode=902
Authorization: Bearer <JWT token>
Example Response Data
The following example displays a response when the request succeeds.
[
{
"eventId": "9a6772f1-d80c-4b6f-8841-c0f32521a534",
"eventLogDate": "2018-11-09T15:54:44.000Z",
"eventType": "user",
"eventLevel": "error",
"eventCategory": "Authentication",
"customerName": "mycompanyname",
"user": "mabbott",
"sourceIPAddress": "191.237.22.167",
"eventCode": "902",
"eventDescription": "Portal logon failed - Authentication failed.",
"application": "Portal",
"method": "password",
"deviceName": "null",
"authenticationDetails": null,
"assuranceLevel": null
}
]
Response Property Descriptions
The following table shows API response data.
| Property | Description | Type |
|---|---|---|
| eventId | The user event log. | String |
| eventLogDate | Date/time of user event log, in Universal Time Coordinated (UTC) time. Example: 2018-05-13T16:29:59.000Z See https://www.w3.org/TR/NOTE-datetime for information on ISO 8601 format. | ISO 8601 Date Time |
| eventType | Set to user. | String |
| eventLevel | Event log level values are:
| String |
| eventCategory | Authentication or Device Management. | String |
| customerName | Specified in the Cloud Administration Console on the Company Settings page. | String |
| user | User identifier. | String |
| sourceIPAddress | IP address of the user who generated the event. | IP Address |
| eventCode | User event code. For more information, see User Event Monitor Messages for Cloud Access Service (02 - 345). | Integer |
| eventDescription | User event description. | String |
| application | Application authenticated. | String |
| method | Authentication method. | Integer |
| deviceName | Authentication device name. | String |
| authenticationDetails | Authentication details. | String |
| assuranceLevel | Authentication assurance level. | String |
Response Codes
The API returns the following response codes.
| Code | Description |
|---|---|
| 200 | Authentication logs are successfully found. |
| 400 | Operation is not performed. One of the following messages is returned:
|
| 403 | Not authorized to perform the request. |
| 404 | User ID is not found. |
| 429 | Too many requests. |
| 500 | Internal error occurred when processing the request. |
Related Articles
Cloud Administration Synchronize User API Number of Views Appliance Logs Number of Views Identity Router Audit Log Messages Number of Views Cloud Administration User Details API Number of Views How to enable or disable Audit Logging in RSA Identity Governance and Lifecycle Number of Views
Trending Articles
Passwordless Authentication in Windows MFA Agent for Active Directory – Quick Setup Guide RSA Authentication Manager Upgrade Process RSA Authentication Manager 8.9 Release Notes (January 2026) An example of SSO using SAML and ADFS with RSA Identity Management and Governance 6.9.x RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide
