For troubleshooting or audit purposes it can be useful to see a history of user authentications and other events, such as device registrations. Usually, you can Monitor User Events in the Cloud Administration Console. However, only a limited number of the most recent events are displayed there. To see events that go back further in time, there are APIs that can be used instead:
The Cloud Administration APIs are REST-based web service interfaces that software developers can use to create clients that perform administrative operations, such as retrieval of audit event logs.
The Cloud Administration APIs come with a Command Line Utility (CLU) tool that allows you to retrieve event logs without needing to do any programming.
This article explains how to use the CLU tool to retrieve User Event audit logs. The article "Download RSA SecurID Access Cloud Administration audit logs using Cloud Administration REST API CLU" explains how to use the same tool to retrieve Administration Event audit logs.
Here are the basic steps to download the last 24 hours of User Event actions for all users, using the API package's CLU:
- Download the RSA SecurID Access Administration REST API to any Windows or Linux machine that has connectivity to your RSA SecurID Access Cloud environment and unzip it.
- From the Cloud Administration Console, Add an API key and download it to the machine where you unzipped the Administration REST API.
- From the top-level directory of the unzipped API package, run the CLU shown below (note that the example syntax is for Windows):
.\bin\rsa-securidaccess-rest-client-sdk.bat -f <path to API key file> -o exportAllUserEventLog -u https://<CAC URL>/AdminInterface/restapi/v1
Where:
- <path to API key file> is the downloaded API key file. If there are spaces in the path, it must be surrounded in double quotes.
- <CAC URL> should be substituted with the URL used to log into your Cloud Administration Console:
  - Americas customers use one of the following URLs:
    - access.securid.com, or
    - na2.access.securid.com, or
    - na3.access.securid.com, or
    - na4.access.securid.com
  - EMEA customers use one of the following URLs:
    - access-eu.securid.com, or
    - eu2.access-eu.securid.com
  - APJ customers use: access-anz.securid.com.
The file exportAllUserEventLog.csv will be written to the current working directory.
Specifying Time Period
By default, the command reports on the last 24-hour period. Alternatively, a specific time period of interest can be specified with the additional command line switches -s (start time period) and/or -e (end time period).
Date and time must be specified in ISO 8601 date-time format: yyyy-mm-ddThh:mm:ss.tttShh:mm, where ttt is milliseconds and Shh:mm is the UTC offset. S must be - (dash or minus sign) for a negative offset or %2B (percent-encoded plus sign) for a positive offset. All components of the date and time must be specified.
Negative UTC offset example
.\bin\rsa-securidaccess-rest-client-sdk.bat -f 5c221bc1-a69e-4a78-8d2f-c0646ba4d91d.key -o exportAllUserEventLog -u https://na2.access.securid.com/AdminInterface/restapi/v1 -s 2021-07-01T11:22:12.828-08:00 -e 2021-07-30T11:22:12.828-08:00
Positive UTC offset example
.\bin\rsa-securidaccess-rest-client-sdk.bat -f "c:\temp\RSA API\5c221bc1-a69e-4a78-8d2f-c0646ba4d91d.key" -o exportAllUserEventLog -u https://access-anz.securid.com/AdminInterface/restapi/v1 -s 2021-09-30T09:15:00.000%2B10:00 -e 2021-10-31T23:59:59.999%2B10:00
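As an added example (not part of the RSA SDK or of this article), the following Python wrapper builds the CLU invocation from the steps above and renders -s/-e values in the required ISO 8601 form, encoding a positive offset sign as %2B. It assumes the Windows launcher path shown above (on Linux, pass the launcher name found in the package's bin directory) and only accepts the Cloud Administration Console hostnames listed in this article, so an API key is never sent to an unexpected endpoint.

```python
from datetime import datetime, timedelta, timezone
import subprocess

# Cloud Administration Console hostnames listed in the article.
KNOWN_CAC_HOSTS = {
    "access.securid.com", "na2.access.securid.com", "na3.access.securid.com",
    "na4.access.securid.com", "access-eu.securid.com", "eu2.access-eu.securid.com",
    "access-anz.securid.com",
}
# Windows launcher from the article; on Linux pass the launcher found in the package's bin/ directory.
DEFAULT_LAUNCHER = r".\bin\rsa-securidaccess-rest-client-sdk.bat"

def local_time(year, month, day, hour, minute, second, millis, offset_hours):
    """Build a timezone-aware datetime; the offset is what the CLU needs in -s/-e."""
    tz = timezone(timedelta(hours=offset_hours))
    return datetime(year, month, day, hour, minute, second, millis * 1000, tzinfo=tz)

def clu_timestamp(dt):
    """Render yyyy-mm-ddThh:mm:ss.tttShh:mm, sending a positive offset sign as %2B."""
    if dt.utcoffset() is None:
        raise ValueError("timestamp must carry a UTC offset; a naive datetime is ambiguous")
    base = dt.strftime("%Y-%m-%dT%H:%M:%S") + f".{dt.microsecond // 1000:03d}"
    secs = int(dt.utcoffset().total_seconds())
    sign = "-" if secs < 0 else "%2B"  # the CLU expects %2B rather than a literal '+'
    secs = abs(secs)
    return f"{base}{sign}{secs // 3600:02d}:{(secs % 3600) // 60:02d}"

def build_command(key_file, cac_host, start=None, end=None, launcher=DEFAULT_LAUNCHER):
    """Argument list for exportAllUserEventLog; a list avoids shell quoting of paths with spaces."""
    if cac_host not in KNOWN_CAC_HOSTS:
        raise ValueError(f"unknown CAC host {cac_host!r}; refusing to send the API key there")
    argv = [launcher, "-f", key_file, "-o", "exportAllUserEventLog",
            "-u", f"https://{cac_host}/AdminInterface/restapi/v1"]
    if start is not None:  # omitted switches leave the CLU's default 24-hour window
        argv += ["-s", clu_timestamp(start)]
    if end is not None:
        argv += ["-e", clu_timestamp(end)]
    return argv

def export_user_events(key_file, cac_host, start=None, end=None, launcher=DEFAULT_LAUNCHER):
    """Run the CLU; exportAllUserEventLog.csv is written to the current working directory."""
    subprocess.run(build_command(key_file, cac_host, start, end, launcher), check=True)

if __name__ == "__main__":  # constructed example reproducing the article's UTC+10 window
    print(build_command("5c221bc1-a69e-4a78-8d2f-c0646ba4d91d.key", "access-anz.securid.com",
                        local_time(2021, 9, 30, 9, 15, 0, 0, 10), local_time(2021, 10, 31, 23, 59, 59, 999, 10)))
```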
Simply run the rsa-securidaccess-rest-client-sdk CLU with no switches to see all of the available command options.