fusionauth logo
search-interface-symbol
Downloads
Quickstarts
API Docs
SDK
search-interface-symbol
talk to an expert
Log In
talk to an expert
Navigate to...
  • Welcome
  • Getting Started
    • Getting Started
    • 5-minute Setup Guide
      • Overview
      • Docker
      • Fast Path
      • Sandbox
    • Setup Wizard & First Login
    • Register a User and Login
    • Self-service Registration
    • Start and Stop FusionAuth
    • Core Concepts
      • Overview
      • Users
      • Roles
      • Groups
      • Registrations
      • Applications
      • Tenants
      • Identity Providers
      • Authentication/Authorization
      • Integration Points
    • Example Apps
      • Overview
      • Dart
      • Go
      • Java
      • JavaScript
      • .NET Core
      • PHP
      • Python
      • Ruby
    • Tutorials
      • Overview
      • Express.js
      • Java Spring
      • Python Django
      • Python Flask
      • React
      • Ruby on Rails
      • Ruby on Rails API
  • Installation Guide
    • Overview
    • System Requirements
    • Server Layout
    • Cloud
    • Cluster
    • Docker
    • Fast Path
    • Kubernetes
      • Overview
      • Deployment Guide
      • Minikube Setup
      • Amazon EKS Setup
      • Google GKE Setup
      • Microsoft AKS Setup
    • Kickstart™
    • Homebrew
    • Marketplaces
    • Packages
    • Database
    • FusionAuth App
    • FusionAuth Search
    • Common Configuration
  • Migration Guide
    • Overview
    • General
    • Auth0
    • Keycloak
    • Amazon Cognito
    • Firebase
    • Microsoft Azure AD B2C
    • Tutorial
  • Admin Guide
    • Overview
    • Account Portal
    • Config Management
    • Editions and Features
    • Key Rotation
    • Licensing
    • Monitoring
    • Prometheus Setup
    • Proxy Setup
    • Reference
      • Overview
      • Configuration
      • CORS
      • Data Types
      • Hosted Login Pages Cookies
      • Known Limitations
      • Password Hashes
    • Releases
    • Roadmap
    • Search And FusionAuth
    • Securing
    • Switch Search Engines
    • Technical Support
    • Troubleshooting
    • Upgrading
    • WebAuthn
  • Login Methods
    • Identity Providers
      • Overview
      • Apple
      • Epic Games
      • External JWT
        • Overview
        • Example
      • Facebook
      • Google
      • HYPR
      • LinkedIn
      • Nintendo
      • OpenID Connect
        • Overview
        • Amazon Cognito
        • Azure AD
        • Discord
        • Github
        • Okta
      • Sony PlayStation Network
      • Steam
      • Twitch
      • Twitter
      • SAML v2
        • Overview
        • ADFS
        • Azure AD
        • Okta
      • SAML v2 IdP Initiated
        • Overview
        • Okta
      • Xbox
    • OIDC & OAuth 2.0
      • Overview
      • Endpoints
      • Tokens
      • OAuth Modes
      • URL Validation
      • Integrations
        • CockroachDB
    • Passwordless
      • Overview
      • Magic Links
      • WebAuthn & Passkeys
    • SAML v2 IdP
      • Overview
      • Google
      • PagerDuty
      • SendGrid
      • Tableau Cloud
      • Zendesk
  • Developer Guide
    • Overview
    • API Gateways
      • Overview
      • Amazon API Gateway
      • Kong Gateway
      • ngrok Cloud Edge
    • Client Libraries & SDKs
      • Overview
      • Dart
      • Go
      • Java
      • JavaScript
      • .NET Core
      • Node
      • OpenAPI
      • PHP
      • Python
      • React
      • Ruby
      • Typescript
    • Events & Webhooks
      • Overview
      • Writing a Webhook
      • Securing Webhooks
      • Events
        • Overview
        • Audit Log Create
        • Event Log Create
        • JWT Public Key Update
        • JWT Refresh
        • JWT Refresh Token Revoke
        • Kickstart Success
        • Group Create
        • Group Create Complete
        • Group Delete
        • Group Delete Complete
        • Group Update
        • Group Update Complete
        • Group Member Add
        • Group Member Add Complete
        • Group Member Remove
        • Group Member Remove Complete
        • Group Member Update
        • Group Member Update Complete
        • User Action
        • User Bulk Create
        • User Create
        • User Create Complete
        • User Deactivate
        • User Delete
        • User Delete Complete
        • User Email Update
        • User Email Verified
        • User IdP Link
        • User IdP Unlink
        • User Login Failed
        • User Login Id Dup. Create
        • User Login Id Dup. Update
        • User Login New Device
        • User Login Success
        • User Login Suspicious
        • User Password Breach
        • User Password Reset Send
        • User Password Reset Start
        • User Password Reset Success
        • User Password Update
        • User Reactivate
        • User Reg. Create
        • User Reg. Create Complete
        • User Reg. Delete
        • User Reg. Delete Complete
        • User Registration Update
        • User Reg. Update Complete
        • User Reg. Verified
        • User 2FA Method Add
        • User 2FA Method Remove
        • User Update
        • User Update Complete
    • Guides
      • Overview
      • Application Specific Email Templates
      • Authentication Tokens
      • Exposing A Local Instance
      • JSON Web Tokens
      • Key Master
      • Localization and Internationalization
      • Multi-Factor Authentication
      • Multi-Tenant
      • Passwordless
      • Registration-based Email Verification
      • Searching With Elasticsearch
      • Securing Your APIs
      • Silent Mode
      • Single Sign-on
      • Two Factor (pre 1.26)
    • Integrations
      • Overview
      • CleanSpeak
      • Kafka
      • Twilio
    • Plugins
      • Overview
      • Writing a Plugin
      • Custom Password Hashing
    • User Control & Gating
      • Overview
      • Gate Unverified Users
      • Gate Unverified Registrations
      • User Account Lockout
  • Customization
    • Email & Templates
      • Overview
      • Configure Email
      • Email Templates
      • Email Variables
      • Message Templates
    • Lambdas
      • Overview
      • Apple Reconcile
      • Client Cred. JWT Populate
      • Epic Games Reconcile
      • External JWT Reconcile
      • Facebook Reconcile
      • Google Reconcile
      • HYPR Reconcile
      • JWT Populate
      • LDAP Connector Reconcile
      • LinkedIn Reconcile
      • Nintendo Reconcile
      • OpenID Connect Reconcile
      • SAML v2 Populate
      • SAML v2 Reconcile
      • SCIM Group Req. Converter
      • SCIM Group Resp. Convtr.
      • SCIM User Req. Converter
      • SCIM User Resp. Converter
      • Self-Service Registration
      • Sony PSN Reconcile
      • Steam Reconcile
      • Twitch Reconcile
      • Twitter Reconcile
      • Xbox Reconcile
    • Messengers
      • Overview
      • Generic Messenger
      • Twilio Messenger
    • Themes
      • Overview
      • Examples
      • Helpers
      • Localization
      • Template Variables
      • Kickstart Custom Theme
  • Premium Features
    • Overview
    • Advanced Registration Forms
    • Advanced Threat Detection
    • Application Specific Themes
    • Breached Password Detection
    • Connectors
      • Overview
      • Generic Connector
      • LDAP Connector
      • FusionAuth Connector
    • Entity Management
    • SCIM
      • Overview
      • Azure AD Client
      • Okta Client
      • SCIM-SDK
    • Self Service Account Mgmt
      • Overview
      • Updating User Data & Password
      • Add Two-Factor Authenticator
      • Add Two-Factor Email
      • Add Two-Factor SMS
      • Add WebAuthn Passkey
      • Customizing
      • Bootstrapping Login
      • Troubleshooting
    • WebAuthn
  • APIs
    • Overview
    • Authentication
    • Errors
    • API Explorer
    • Actioning Users
    • API Keys
    • Applications
    • Audit Logs
    • Connectors
      • Overview
      • Generic
      • LDAP
    • Consents
    • Emails
    • Entity Management
      • Overview
      • Entities
      • Entity Types
      • Grants
    • Event Logs
    • Families
    • Forms
    • Form Fields
    • Groups
    • Hosted Backend
    • Identity Providers
      • Overview
      • Links
      • Apple
      • External JWT
      • Epic Games
      • Facebook
      • Google
      • HYPR
      • LinkedIn
      • Nintendo
      • OpenID Connect
      • SAML v2
      • SAML v2 IdP Initiated
      • Sony PlayStation Network
      • Steam
      • Twitch
      • Twitter
      • Xbox
    • Integrations
    • IP Access Control Lists
    • JWT
    • Keys
    • Lambdas
    • Login
    • Message Templates
    • Messengers
      • Overview
      • Generic
      • Twilio
    • Multi-Factor/Two Factor
    • Passwordless
    • Reactor
    • Registrations
    • Reports
    • SCIM
      • Overview
      • SCIM User
      • SCIM Group
      • SCIM EnterpriseUser
      • SCIM Service Provider Config.
    • System
    • Tenants
    • Themes
    • Users
    • User Actions
    • User Action Reasons
    • User Comments
    • WebAuthn
    • Webhooks
  • Release Notes

    Audit Logs

    Overview

    This page contains the APIs that are used to manage the Audit Log. Here are the APIs:

    • Add an Entry to the Audit Log

    • Retrieve an Audit Log

    • Search the Audit Log

    • Export Audit Logs

    Add an Entry to the Audit Log

    This API allows you to insert an Audit Log. Generally, Audit Logs are created automatically whenever an admin does something from the FusionAuth UI. However, you can use this API to insert Audit Logs directly if you need.

    Request

    Create an Audit Log

    URI

    POST /api/system/audit-log

    Request Body

    auditLog.data [Object] Optional

    An object that can hold additional details of an audit log.

    auditLog.newValue [String] Optional

    Intended to be utilized during a change to record the new value.

    auditLog.oldValue [String] Optional

    Intended to be utilized during a change to record the old value prior to the change.

    auditLog.reason [String] Optional

    Intended to be utilized during a change to indicate the reason for the modification.

    auditLog.insertUser [String] Required

    The user that took the action that is being written to the Audit Logs. We suggest you use email addresses for this field.

    auditLog.message [String] Required

    The message of the Audit Log.

    Example Request JSON
    
    {
      "auditLog": {
        "data": {
          "externalId": "_applicationA"
        },
        "newValue:": "{\"name\": \"bar\"}",
        "oldValue": "{\"name\": \"foo\"}",
        "reason": "Because I like to change things.",
        "insertUser": "user@fusionauth.io",
        "message": "Example audit log"
      }
    }

    Response

    The response for this API does not contain a body. It only contains a status code.

    Table 1. Response Codes
    Code Description

    200

    The request was successful. The response will contain a JSON body.

    400

    The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present.

    401

    You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication.

    500

    There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.

    503

    The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.

    Retrieve an Audit Log

    Request

    Retrieve an Audit Log by Id

    URI

    GET /api/system/audit-log/{logId}

    Request Parameters

    logId [Long] Required

    The unique Id of the Audit Log to retrieve.

    Response

    Table 2. Response Codes
    Code Description

    200

    The request was successful. The response will contain a JSON body.

    400

    The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present.

    401

    You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication.

    404

    The object you requested doesn’t exist. The response will be empty.

    500

    There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.

    503

    The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.

    Response Body

    auditLog.data [Object]

    Additional details of an audit log.

    auditLog.newValue [String]

    The new value of a changed object.

    auditLog.oldValue [String]

    The previous value of a changed object.

    auditLog.reason [String]

    The reason why the audit log was created.

    auditLog.id [Long]

    The Audit Log unique Id.

    auditLog.insertInstant [Long]

    The instant when the Audit Log was created.

    auditLog.insertUser [String]

    The user that created the Audit Log.

    auditLog.message [String]

    The message of the Audit Log.

    Example JSON Response
    
    {
      "auditLog": {
        "data": {
          "externalId": "_applicationA"
        },
        "newValue:": "{\"name\": \"bar\"}",
        "oldValue": "{\"name\": \"foo\"}",
        "reason": "Because I like to change things.",
        "id": 3,
        "insertInstant": 1471796483322,
        "insertUser": "user@fusionauth.io",
        "message": "Changed Application"
      }
    }

    Search the Audit Log

    This API allows you to search and paginate through the Audit Logs.

    Request

    Searches the Audit Logs using the given search criteria

    URI

    GET /api/system/audit-log/search?message={message}&start={start}&end={end}&user={user}

    When calling the API using a GET request you will send the search criteria on the URL using request parameters. In order to simplify the example URL above, not every possible parameter is shown, however using the provided pattern you may add any of the documented request parameters to the URL.

    Request Parameters

    end [Long] Optional

    The end instant of the date/time range to search within.

    message [String] Optional

    The string to search in the Audit Log message for. This can contain wildcards using the asterisk character (*). If no wildcards are present, this parameter value will be interpreted as *value*.

    newValue [String] Optional Available since 1.30.0

    The string to search for in the Audit Log field for newValue. Note, that not all audit log entries will contain this field, it is primarily used for Audit Logs for updates to existing objects.

    numberOfResults [Integer] Optional defaults to 25

    The number of results to return from the search.

    oldValue [String] Optional Available since 1.30.0

    The string to search for in the Audit Log field for oldValue. Note, that not all audit log entries will contain this field, it is primarily used for Audit Logs for updates to existing objects.

    orderBy [String] Optional defaults to insertInstant DESC

    The database column to order the search results on plus the order direction.

    The possible values are:

    • insertInstant - the instant when the Audit Log was created

    • insertUser - the user that create the Audit Log

    • message - the message of the Audit Log

    For example, to order the results by the insert instant in a descending order, the value would be provided as insertInstant DESC. The final string is optional can be set to ASC or DESC.

    reason [String] Optional Available since 1.30.0

    The string to search for in the Audit Log field for reason. Note, that not all audit log entries will contain this field.

    start [Long] Optional

    The start instant of the date/time range to search within.

    startRow [Integer] Optional defaults to 0

    The offset row to return results from. If the search has 200 records in it and this is 50, it starts with row 50.

    user [String] Optional

    The string to search in the Audit Log user for. This can contain wildcards using the asterisk character (*). If no wildcards are present, this parameter value will be interpreted as *value*.

    Searches the Audit Logs using the given search criteria

    URI

    POST /api/system/audit-log/search

    When calling the API using a POST request you will send the search criteria in a JSON request body.

    Request Body

    search.end [Long] Optional

    The end instant of the date/time range to search within.

    search.message [String] Optional

    The string to search in the Audit Log message for. This can contain wildcards using the asterisk character (*). If no wildcards are present, this parameter value will be interpreted as *value*.

    search.newValue [String] Optional Available since 1.30.0

    The string to search for in the Audit Log field for newValue. Note, that not all audit log entries will contain this field, it is primarily used for Audit Logs for updates to existing objects.

    search.numberOfResults [Integer] Optional defaults to 25

    The number of results to return from the search.

    search.oldValue [String] Optional Available since 1.30.0

    The string to search for in the Audit Log field for oldValue. Note, that not all audit log entries will contain this field, it is primarily used for Audit Logs for updates to existing objects.

    search.orderBy [String] Optional defaults to insertInstant DESC

    The database column to order the search results on plus the order direction.

    The possible values are:

    • insertInstant - the instant when the Audit Log was created

    • insertUser - the user that create the Audit Log

    • message - the message of the Audit Log

    For example, to order the results by the insert instant in a descending order, the value would be provided as insertInstant DESC. The final string is optional can be set to ASC or DESC.

    search.reason [String] Optional Available since 1.30.0

    The string to search for in the Audit Log field for reason. Note, that not all audit log entries will contain this field.

    search.start [Long] Optional

    The start instant of the date/time range to search within.

    search.startRow [Integer] Optional defaults to 0

    The offset row to return results from. If the search has 200 records in it and this is 50, it starts with row 50.

    search.user [String] Optional

    The string to search in the Audit Log user for. This can contain wildcards using the asterisk character (*). If no wildcards are present, this parameter value will be interpreted as *value*.

    Response

    The response for this API contains the Audit Logs matching the search criteria in paginated format.

    Table 3. Response Codes
    Code Description

    200

    The request was successful. The response will contain a JSON body.

    400

    The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present.

    401

    You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication.

    404

    The object you requested doesn’t exist. The response will be empty.

    500

    There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.

    503

    The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.

    Response Body

    auditLogs [Array]

    The list of Audit Logs returned by the search.

    auditLogs[x].data [Object]

    Additional details of an audit log.

    auditLogs[x].data.newValue [String]

    The new value of a changed object.

    auditLogs[x].data.oldValue [String]

    The previous value of a changed object.

    auditLogs[x].data.reason [String]

    The reason why the audit log was created.

    auditLogs[x].id [Long]

    The Audit Log unique Id.

    auditLogs[x].insertInstant [Long]

    The instant when the Audit Log was created.

    auditLogs[x].insertUser [String]

    The user that created the Audit Log.

    auditLogs[x].message [String]

    The message of the Audit Log.

    total [Integer]

    The total number of Audit Logs matching the search criteria. Use this value along with the numberOfResults and startRow in the Search request to perform pagination.

    Example JSON Response
    
    {
      "auditLogs": [
        {
          "id": 1,
          "insertInstant": 1471786483322,
          "insertUser": "user@fusionauth.io",
          "message": "Audit Log 1"
        },
        {
          "id": 2,
          "insertInstant": 1471786489322,
          "insertUser": "user@fusionauth.io",
          "message": "Audit Log 2"
        },
        {
          "data": {
            "externalId": "_applicationA"
          },
          "newValue:": "{\"name\": \"bar\"}",
          "oldValue": "{\"name\": \"foo\"}",
          "reason": "Because I like to change things.",
          "id": 3,
          "insertInstant": 1471796483322,
          "insertUser": "user@fusionauth.io",
          "message": "Changed Application"
        }
      ],
      "total": 100
    }

    Export Audit Logs

    Available Since Version 1.7.0

    This API is used to export the Audit Logs, the response will be a compressed zip archive.

    Request

    Export the Audit Logs matching the criteria

    URI

    GET /api/system/audit-log/export?message={message}&start={start}&end={end}&user={user}

    When calling the API using a GET request you will send the export criteria on the URL using request parameters. In order to simplify the example URL above, not every possible parameter is shown, however using the provided pattern you may add any of the documented request parameters to the URL.

    Request Parameters

    dateTimeSecondsFormat [String] Optional defaults to [see description]

    The format string used to format the date and time columns in the export result.

    When this parameter is omitted a default format of M/d/yyyy hh:mm:ss a z will be used. See the DateTimeFormatter patterns for additional examples.

    end [Long] Optional

    The end instant of the date/time range to search within.

    message [String] Optional

    The string to search in the Audit Log message for. This can contain wildcards using the asterisk character (*). If no wildcards are present, this parameter value will be interpreted as *value*.

    start [Long] Optional

    The start instant of the date/time range to search within.

    user [String] Optional

    The string to search in the Audit Log user for. This can contain wildcards using the asterisk character (*). If no wildcards are present, this parameter value will be interpreted as *value*.

    zoneId [String] Optional defaults to [see description]

    The time zone used to adjust the stored UTC time in the export result.

    For example:

    America/Denver or US/Mountain

     

    When this parameter is omitted the configured default report time zone will be used. See reportTimezone in the System Configuration API.

    Export the Audit Logs matching the criteria

    URI

    POST /api/system/audit-log/export

    When calling the API using a POST request you will send the export criteria in a JSON request body.

    Request Body

    criteria.end [Long] Optional

    The end instant of the date/time range to include in the export.

    criteria.message [String] Optional

    The string to search in the Audit Log message for. This can contain wildcards using the asterisk character (*). If no wildcards are present, this parameter value will be interpreted as *value*.

    criteria.start [Long] Optional

    The start instant of the date/time range to include in the export.

    criteria.user [String] Optional

    The string to search in the Audit Log user for. This can contain wildcards using the asterisk character (*). If no wildcards are present, this parameter value will be interpreted as *value*.

    dateTimeSecondsFormat [String] Optional defaults to [see description]

    The format string used to format the date and time columns in the export result.

    When this parameter is omitted a default format of M/d/yyyy hh:mm:ss a z will be used. See the DateTimeFormatter patterns for additional examples.

    zoneId [String] Optional defaults to [see description]

    The time zone used to adjust the stored UTC time in the export result.

    For example:

    America/Denver or US/Mountain

     

    When this parameter is omitted the configured default report time zone will be used. See reportTimezone in the System Configuration API.

    Response

    The response for this API will contain a compressed zip of the audit logs.

    Table 4. Response Codes
    Code Description

    200

    The request was successful. The response will be a compressed archive byte stream with a Content-Type of application/zip.

    400

    The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present.

    401

    You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication.

    404

    The object you requested doesn’t exist. The response will be empty.

    500

    There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.

    503

    The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.

    Feedback

    How helpful was this page?

    See a problem?

    File an issue in our docs repo

    Have a question or comment to share?

    Visit the FusionAuth community forum.

    © 2023 FusionAuth
    How-to
    Blog
    Expert Advice
    Download
    Release Notes
    Subscribe for developer updates