API Audit Logs

API Audit Logs record all API actions that users perform through the user interface or the API on a specific CloudGuard account. Examples of such actions include creating a new CloudGuard user, updating the Security Groups, creating a new rule, renaming a ruleset, and more. The logs show who did the action, the action's status, and full details of the action.

CloudGuard keeps your audit logs for three years.

To see the API audit logs:

  1. Navigate to Events > Operational > API Audit Logs. The API Audit Log table opens and shows these columns:

  2. In the table, below the Username column, select a log to see its details.

    In addition to the log's username and event time, the log's details show this important information:

    • Body - The response body (which includes the key and value) to the API request.

      Note - Not all requests include a response body.

    • Parameters - The parameters used in the API request.

    • Client IP - The API's client ID.

To filter the API audit logs:

  1. Navigate to Events > Operational > API Audit Logs.

  2. Click the down arrow on the time filter and select a time or a Custom time.

  3. To use GSL, select one of these options:

    • Enter a GSL query or click GSL and then click to open the GSL editor and select Builder or Free Text. For more information about GSL, see Governance Specification Language (GSL).

    • Click Add Filter and select a filter option such as HTTP Method or Event Name.

    Sample GSL search:

    auditapi where http.method='POST'

    Returns: All API requests that used the 'POST' HTTP method.

  4. Click OK.

  5. To run the query, click Run.

To export the logs:

  1. Navigate to Events > Operational > API Audit Logs.

  2. Below the logs table, click .