Audit logs API - GET audit log

Fetches the audit log of your Dynatrace environment.

The full list can be lengthy, so you can narrow it down by specifying filter parameters, like tags. See the Parameters section for more details.

You can limit the output by using pagination:

  1. Specify the number of results per page in the pageSize query parameter.
  2. Then use the cursor from the nextPageKey field of the previous response in the nextPageKey query parameter to obtain subsequent pages.

This request is an Early Adopter release and may be changed in a non-compatible way.

GET
  • Managed https://{your-domain}/e/{your-environment-id}/api/v2/auditlogs
  • SaaS https://{your-environment-id}.live.dynatrace.com/api/v2/auditlogs

Parameters

Parameter Type Description In Required
nextPageKey string

The cursor for the next page of results. You can find it in the nextPageKey field of the previous response.

The first page is always returned if you don't specify the nextPageKey query parameter.

When the nextPageKey is set to obtain subsequent pages, you must omit all other query parameters.

query optional
pageSize integer

The desired number of log entries for which data is delivered in a single response payload.

The maximum allowed page size is 5000.

If not set, 1000 is used.

query optional
filter string

Filters the audit log. You can use the following criteria:

  • user. The EQUALS operator is used.
  • eventType. The EQUALS operator is used.
  • category. The EQUALS operator is used.
  • entityId. The CONTAINS operator is used.

For every criterion you can specify several comma-separated values, for example eventType(CREATE,UPDATE). In this case, the OR logic applies.

You can specify several comma-separated criteria, for example eventType(CREATE,UPDATE),category(CONFIG). If several criteria are specified, the AND logic applies.

You can specify the value of a criterion as a quoted or an unquoted string.

For the quoted string the following special characters must be escaped with a tilde (~) inside quotes:

  • Tilde ~
  • Quote "

For example, entityId("myEntity (15559409040709225)").

For the unquoted string, the following special characters and keywords must be escaped with a tilde (~):

  • Opening bracket (
  • Closing bracket )
  • Comma ,
  • Tilde ~

query optional
from string

The start of the requested timeframe.

You can use one of the following formats:

  • Timestamp in UTC milliseconds
  • Human-readable format of 2019-12-21T05:57:01.123+01:00. If no time zone is specified, UTC is used. You can use a space character instead of the T. Seconds and fractions of a second are optional.
  • Relative timeframe, back from now. The format is now-NU/A, where N is the amount of time, U is the unit of time, and A is an alignment. For example, now-1y/w is one year back, aligned by a week. The alignment rounds to the past. Supported time units for the relative timeframe are:
      • m: minutes
      • h: hours
      • d: days
      • w: weeks
      • M: months
      • y: years

If not set, the relative timeframe of two weeks is used (now-2w).

query optional
to string

The end of the requested timeframe.

You can use one of the following formats:

  • Timestamp in UTC milliseconds
  • Human-readable format of 2019-12-21T05:57:01.123+01:00. If no time zone is specified, UTC is used. You can use a space character instead of the T. Seconds and fractions of a second are optional.
  • Relative timeframe, back from now. The format is now-NU/A, where N is the amount of time, U is the unit of time, and A is an alignment. For example, now-1y/w is one year back, aligned by a week. The alignment rounds to the past. Supported time units for the relative timeframe are:
      • m: minutes
      • h: hours
      • d: days
      • w: weeks
      • M: months
      • y: years

If not set, the current timestamp is used.

query optional
sort string

The sorting of audit log entries:

  • timestamp: Oldest first.
  • -timestamp: Newest first.

If not set, the newest first sorting is applied.

query optional

Response format

The AuditLog object

The audit log of your environment.

Element Type Description
totalCount integer

The total number of log entities in the result.

nextPageKey string

The cursor for the next page of results. Without it, you'll get the first page again.

auditLogs AuditLogEntry[]

A list of audit log entries ordered by the creation timestamp.

The AuditLogEntry object

An entry of the audit log.

Element Type Description
logId string

The ID of the log entry.

eventType string

The type of the recorded operation.

category string

The category of the recorded operation.

entityId string

The ID of an entity from the category.

For example, it can be the config ID for the CONFIG category or the token ID for the TOKEN category.

environmentId string

The ID of the Dynatrace environment where the recorded operation occurred.

user string

The ID of the user who performed the recorded operation.

userType string

The type of the authentication of the user.

userOrigin string

The origin and the IP address of the user.

timestamp integer

The timestamp of the record creation, in UTC milliseconds.

success boolean

The recorded operation is successful (true) or failed (false).

message string

The logged message.

patch object

The patch of the recorded operation as the JSON representation.

The format is an enhanced RFC 6902. The patch also carries the previous value in the oldValue field.

Example

In this example, the request fetches all logins (filter=eventType(LOGIN)) from the audit log of the mySampleEnv environment for the last week (from=now-1w).

The API token is passed in the Authorization header.

The response is truncated to the first three entries.

Curl

curl -X GET \
  'https://mySampleEnv.live.dynatrace.com/api/v2/auditlogs?filter=eventType%28LOGIN%29&from=now-1w' \
  -H 'Authorization: Api-Token abcdefjhij1234567890'

Request URL

https://mySampleEnv.live.dynatrace.com/api/v2/auditlogs?filter=eventType%28LOGIN%29&from=now-1w

Response body

{
  "totalCount": 5820,
  "nextPageKey": "vu8y3hPZ3q0AAAAAAi_neQJ8qUAAAAFu0T-ECgAAAW71TAgKAAAD6AAQZXZlbnRUeXBlKExPR0lOKQC-7zLeE9nerQ",
  "auditLogs": [
    {
      "logId": "157607341600050000",
      "eventType": "LOGIN",
      "category": "WEB_UI",
      "entityId": "240.204.62.255",
      "environmentId": "yasmuoujsw",
      "user": "Dynatrace support user #877988415",
      "userType": "USER_NAME",
      "userOrigin": "Forwarded: 240.204.62.255",
      "timestamp": 1576073415531,
      "success": true
    },
    {
      "logId": "157607338800050000",
      "eventType": "LOGIN",
      "category": "WEB_UI",
      "entityId": "55.199.177.119",
      "environmentId": "yasmuoujsw",
      "user": "Dynatrace support user #490812376",
      "userType": "USER_NAME",
      "userOrigin": "Forwarded: 55.199.177.119",
      "timestamp": 1576073388150,
      "success": true
    },
    {
      "logId": "157607338300060000",
      "eventType": "LOGIN",
      "category": "WEB_UI",
      "entityId": "75.16.11.184",
      "environmentId": "umsaywsjuo",
      "user": "Dynatrace support user #765684830",
      "userType": "USER_NAME",
      "userOrigin": "Forwarded: 75.16.11.184",
      "timestamp": 1576073381543,
      "success": true
    }
  ]
}

Response code

200
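
The pagination procedure described at the top of this page, as an added example that is not Dynatrace code: the first request carries the filter and timeframe, and every follow-up request carries nextPageKey alone. The function names, the two-page sample data and the cursor value are constructed for illustration; the example assumes the last page comes back without a nextPageKey.

```python
import json
import urllib.parse
import urllib.request

def http_fetch(base_url, token):
    """Build a fetcher that GETs base_url with the given query parameters."""
    def fetch(params):
        url = base_url + "?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(url, headers={"Authorization": "Api-Token " + token})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def iter_audit_logs(fetch, first_page_params):
    """Yield every AuditLogEntry, following nextPageKey across pages."""
    params, seen = dict(first_page_params), set()
    while True:
        page = fetch(params)
        yield from page.get("auditLogs", [])
        key = page.get("nextPageKey")
        if not key:      # assumption: the last page carries no cursor
            return
        if key in seen:  # guard against a cursor that never advances
            raise RuntimeError("nextPageKey repeated")
        seen.add(key)
        # Follow-up requests carry the cursor only: filter, from, to,
        # pageSize and sort must be omitted once nextPageKey is set.
        params = {"nextPageKey": key}

# Constructed two-page response set standing in for the API (not real data).
SAMPLE_PAGES = {
    None: {"totalCount": 3, "nextPageKey": "cursor-2", "auditLogs": [
        {"eventType": "LOGIN", "user": "alice", "success": False},
        {"eventType": "LOGIN", "user": "bob", "success": True}]},
    "cursor-2": {"totalCount": 3, "auditLogs": [
        {"eventType": "LOGIN", "user": "alice", "success": False}]},
}

def demo():
    """Run the pager offline; return failed-login users and the queries sent."""
    requests = []
    def fake_fetch(params):
        requests.append(dict(params))
        return SAMPLE_PAGES[params.get("nextPageKey")]
    first = {"filter": "eventType(LOGIN)", "from": "now-1w", "pageSize": 2}
    entries = list(iter_audit_logs(fake_fetch, first))
    failed = [e["user"] for e in entries if e["success"] is False]
    return failed, requests
```

Against a real environment, pass http_fetch(url, token) in place of the fake fetcher, with the SaaS or Managed endpoint URL from the top of this page.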