Audit

Search your Audit Logs events over HTTP.

POST https://api.datadoghq.eu/api/v2/audit/events/searchhttps://api.ddog-gov.com/api/v2/audit/events/searchhttps://api.datadoghq.com/api/v2/audit/events/searchhttps://api.us3.datadoghq.com/api/v2/audit/events/searchhttps://api.us5.datadoghq.com/api/v2/audit/events/search

Overview

List endpoint returns Audit Logs events that match an Audit search query. Results are paginated.

Use this endpoint to build complex Audit Logs events filtering and search.

Request

Body Data

Expand All

Field

Type

Description

filter

object

Search and filter query settings.

from

string

Minimum time for the requested events. Supports date, math, and regular timestamps (in milliseconds).

query

string

Search query following the Audit Logs search syntax.

to

string

Maximum time for the requested events. Supports date, math, and regular timestamps (in milliseconds).

options

object

Global query options that are used during the query. Note: Specify either timezone or time offset, not both. Otherwise, the query fails.

time_offset

int64

Time offset (in seconds) to apply to the query.

timezone

string

Timezone code. Can be specified as an offset, for example: "UTC+03:00".

page

object

Paging attributes for listing events.

cursor

string

List following results with a cursor provided in the previous query.

limit

int32

Maximum number of events in the response.

sort

enum

Sort parameters when querying events. Allowed enum values: timestamp,-timestamp

{
  "filter": {
    "from": "now-15m",
    "query": "@type:session AND @session.type:user",
    "to": "now"
  },
  "options": {
    "time_offset": 0,
    "timezone": "GMT"
  },
  "page": {
    "limit": 25
  },
  "sort": "timestamp"
}

Response

OK

Response object with all events matching the request and pagination information.

Expand All

Field

Type

Description

data

[object]

Array of events matching the request.

attributes

object

JSON object containing all event attributes and their associated values.

attributes

object

JSON object of attributes from Audit Logs events.

service

string

Name of the application or service generating Audit Logs events. This name is used to correlate Audit Logs to APM, so make sure you specify the same value when you use both products.

tags

[string]

Array of tags associated with your event.

timestamp

date-time

Timestamp of your event.

id

string

Unique ID of the event.

type

enum

Type of the event. Allowed enum values: audit

links

object

Links attributes.

next

string

Link for the next set of results. Note that the request can also be made using the POST endpoint.

meta

object

The metadata associated with a request.

elapsed

int64

Time elapsed in milliseconds.

page

object

Paging attributes.

after

string

The cursor to use to get the next results, if any. To make the next request, use the same parameters with the addition of page[cursor].

request_id

string

The identifier of the request.

status

enum

The status of the response. Allowed enum values: done,timeout

warnings

[object]

A list of warnings (non-fatal errors) encountered. Partial results may return if warnings are present in the response.

code

string

Unique code for this type of warning.

detail

string

Detailed explanation of this specific warning.

title

string

Short human-readable summary of the warning.

{
  "data": [
    {
      "attributes": {
        "attributes": {
          "customAttribute": 123,
          "duration": 2345
        },
        "service": "web-app",
        "tags": [
          "team:A"
        ],
        "timestamp": "2019-01-02T09:42:36.320Z"
      },
      "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
      "type": "audit"
    }
  ],
  "links": {
    "next": "https://app.datadoghq.com/api/v2/audit/event?filter[query]=foo\u0026page[cursor]=eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
  },
  "meta": {
    "elapsed": 132,
    "page": {
      "after": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
    },
    "request_id": "MWlFUjVaWGZTTTZPYzM0VXp1OXU2d3xLSVpEMjZKQ0VKUTI0dEYtM3RSOFVR",
    "status": "done",
    "warnings": [
      {
        "code": "unknown_index",
        "detail": "indexes: foo, bar",
        "title": "One or several indexes are missing or invalid, results hold data from the other indexes"
      }
    ]
  }
}

Bad Request

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example


# Curl command
curl -X POST "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/audit/events/search" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{}
EOF
"""
Search Audit Logs events returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.audit_api import AuditApi
from datadog_api_client.v2.model.audit_logs_query_filter import AuditLogsQueryFilter
from datadog_api_client.v2.model.audit_logs_query_options import AuditLogsQueryOptions
from datadog_api_client.v2.model.audit_logs_query_page_options import AuditLogsQueryPageOptions
from datadog_api_client.v2.model.audit_logs_search_events_request import AuditLogsSearchEventsRequest
from datadog_api_client.v2.model.audit_logs_sort import AuditLogsSort

body = AuditLogsSearchEventsRequest(
    filter=AuditLogsQueryFilter(
        _from="now-15m",
        query="@type:session AND @session.type:user",
        to="now",
    ),
    options=AuditLogsQueryOptions(
        time_offset=0,
        timezone="GMT",
    ),
    page=AuditLogsQueryPageOptions(
        limit=25,
    ),
    sort=AuditLogsSort("timestamp"),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = AuditApi(api_client)
    response = api_instance.search_audit_logs(body=body)

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"
# Search Audit Logs events returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::AuditAPI.new

body = DatadogAPIClient::V2::AuditLogsSearchEventsRequest.new({
  filter: DatadogAPIClient::V2::AuditLogsQueryFilter.new({
    from: "now-15m",
    query: "@type:session AND @session.type:user",
    to: "now",
  }),
  options: DatadogAPIClient::V2::AuditLogsQueryOptions.new({
    time_offset: 0,
    timezone: "GMT",
  }),
  page: DatadogAPIClient::V2::AuditLogsQueryPageOptions.new({
    limit: 25,
  }),
  sort: DatadogAPIClient::V2::AuditLogsSort::TIMESTAMP_ASCENDING,
})
opts = {
  body: body,
}
p api_instance.search_audit_logs(opts)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"
/**
 * Search Audit Logs events returns "OK" response
 */

import { v2 } from "@datadog/datadog-api-client";

const configuration = v2.createConfiguration();
const apiInstance = new v2.AuditApi(configuration);

const params: v2.AuditApiSearchAuditLogsRequest = {
  body: {
    filter: {
      from: "now-15m",
      query: "@type:session AND @session.type:user",
      to: "now",
    },
    options: {
      timeOffset: 0,
      timezone: "GMT",
    },
    page: {
      limit: 25,
    },
    sort: "timestamp",
  },
};

apiInstance
  .searchAuditLogs(params)
  .then((data: v2.AuditLogsEventsResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"
// Search Audit Logs events returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
	body := datadog.AuditLogsSearchEventsRequest{
		Filter: &datadog.AuditLogsQueryFilter{
			From:  datadog.PtrString("now-15m"),
			Query: datadog.PtrString("@type:session AND @session.type:user"),
			To:    datadog.PtrString("now"),
		},
		Options: &datadog.AuditLogsQueryOptions{
			TimeOffset: datadog.PtrInt64(0),
			Timezone:   datadog.PtrString("GMT"),
		},
		Page: &datadog.AuditLogsQueryPageOptions{
			Limit: datadog.PtrInt32(25),
		},
		Sort: datadog.AUDITLOGSSORT_TIMESTAMP_ASCENDING.Ptr(),
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	resp, r, err := apiClient.AuditApi.SearchAuditLogs(ctx, *datadog.NewSearchAuditLogsOptionalParameters().WithBody(body))

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `AuditApi.SearchAuditLogs`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `AuditApi.SearchAuditLogs`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"
// Search Audit Logs events returns "OK" response

import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.api.AuditApi;
import com.datadog.api.v2.client.api.AuditApi.SearchAuditLogsOptionalParameters;
import com.datadog.api.v2.client.model.AuditLogsEventsResponse;
import com.datadog.api.v2.client.model.AuditLogsQueryFilter;
import com.datadog.api.v2.client.model.AuditLogsQueryOptions;
import com.datadog.api.v2.client.model.AuditLogsQueryPageOptions;
import com.datadog.api.v2.client.model.AuditLogsSearchEventsRequest;
import com.datadog.api.v2.client.model.AuditLogsSort;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = Configuration.getDefaultApiClient();
    AuditApi apiInstance = new AuditApi(defaultClient);

    AuditLogsSearchEventsRequest body =
        new AuditLogsSearchEventsRequest()
            .filter(
                new AuditLogsQueryFilter()
                    .from("now-15m")
                    .query("@type:session AND @session.type:user")
                    .to("now"))
            .options(new AuditLogsQueryOptions().timeOffset(0L).timezone("GMT"))
            .page(new AuditLogsQueryPageOptions().limit(25))
            .sort(AuditLogsSort.TIMESTAMP_ASCENDING);

    try {
      AuditLogsEventsResponse result =
          apiInstance.searchAuditLogs(new SearchAuditLogsOptionalParameters().body(body));
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling AuditApi#searchAuditLogs");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"

GET https://api.datadoghq.eu/api/v2/audit/eventshttps://api.ddog-gov.com/api/v2/audit/eventshttps://api.datadoghq.com/api/v2/audit/eventshttps://api.us3.datadoghq.com/api/v2/audit/eventshttps://api.us5.datadoghq.com/api/v2/audit/events

Overview

List endpoint returns events that match a Audit Logs search query. Results are paginated.

Use this endpoint to see your latest Audit Logs events.

Arguments

Query Strings

Name

Type

Description

filter[query]

string

Search query following Audit Logs syntax.

filter[from]

string

Minimum timestamp for requested events.

filter[to]

string

Maximum timestamp for requested events.

sort

enum

Order of events in results.
Allowed enum values: timestamp, -timestamp

page[cursor]

string

List following results with a cursor provided in the previous query.

page[limit]

integer

Maximum number of events in the response.

Response

OK

Response object with all events matching the request and pagination information.

Expand All

Field

Type

Description

data

[object]

Array of events matching the request.

attributes

object

JSON object containing all event attributes and their associated values.

attributes

object

JSON object of attributes from Audit Logs events.

service

string

Name of the application or service generating Audit Logs events. This name is used to correlate Audit Logs to APM, so make sure you specify the same value when you use both products.

tags

[string]

Array of tags associated with your event.

timestamp

date-time

Timestamp of your event.

id

string

Unique ID of the event.

type

enum

Type of the event. Allowed enum values: audit

links

object

Links attributes.

next

string

Link for the next set of results. Note that the request can also be made using the POST endpoint.

meta

object

The metadata associated with a request.

elapsed

int64

Time elapsed in milliseconds.

page

object

Paging attributes.

after

string

The cursor to use to get the next results, if any. To make the next request, use the same parameters with the addition of page[cursor].

request_id

string

The identifier of the request.

status

enum

The status of the response. Allowed enum values: done,timeout

warnings

[object]

A list of warnings (non-fatal errors) encountered. Partial results may return if warnings are present in the response.

code

string

Unique code for this type of warning.

detail

string

Detailed explanation of this specific warning.

title

string

Short human-readable summary of the warning.

{
  "data": [
    {
      "attributes": {
        "attributes": {
          "customAttribute": 123,
          "duration": 2345
        },
        "service": "web-app",
        "tags": [
          "team:A"
        ],
        "timestamp": "2019-01-02T09:42:36.320Z"
      },
      "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
      "type": "audit"
    }
  ],
  "links": {
    "next": "https://app.datadoghq.com/api/v2/audit/event?filter[query]=foo\u0026page[cursor]=eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
  },
  "meta": {
    "elapsed": 132,
    "page": {
      "after": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
    },
    "request_id": "MWlFUjVaWGZTTTZPYzM0VXp1OXU2d3xLSVpEMjZKQ0VKUTI0dEYtM3RSOFVR",
    "status": "done",
    "warnings": [
      {
        "code": "unknown_index",
        "detail": "indexes: foo, bar",
        "title": "One or several indexes are missing or invalid, results hold data from the other indexes"
      }
    ]
  }
}

Bad Request

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example


# Curl command
curl -X GET "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/audit/events" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
"""
Get a list of Audit Logs events returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.audit_api import AuditApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = AuditApi(api_client)
    response = api_instance.list_audit_logs()

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"
# Get a list of Audit Logs events returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::AuditAPI.new
p api_instance.list_audit_logs()

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"
/**
 * Get a list of Audit Logs events returns "OK" response
 */

import { v2 } from "@datadog/datadog-api-client";

const configuration = v2.createConfiguration();
const apiInstance = new v2.AuditApi(configuration);

apiInstance
  .listAuditLogs()
  .then((data: v2.AuditLogsEventsResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"
// Get a list of Audit Logs events returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	resp, r, err := apiClient.AuditApi.ListAuditLogs(ctx, *datadog.NewListAuditLogsOptionalParameters())

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `AuditApi.ListAuditLogs`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `AuditApi.ListAuditLogs`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"
// Get a list of Audit Logs events returns "OK" response

import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.api.AuditApi;
import com.datadog.api.v2.client.model.AuditLogsEventsResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = Configuration.getDefaultApiClient();
    AuditApi apiInstance = new AuditApi(defaultClient);

    try {
      AuditLogsEventsResponse result = apiInstance.listAuditLogs();
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling AuditApi#listAuditLogs");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"