Export User Activity Log
Click to view navigation pane


Export User Activity Log

GET POST/api/2.0/fo/activity_log/?action=list

Export the user activity log for a subscription to CSV format.

Input ParametersInput Parameters

Parameter

Required/Optional

Data Type

Description

action=list

 Required String 

Specify action to export user activity log.

user_action={value}

 Optional String 

You can filter the output based on the actions. For example, login (for user login), launch (for scan launched), finished (for scan finished).

The other actions available are as follows.

The other actions available and their descriptionsThe other actions available and their descriptions

Action Description
options Select an option for example, load balancer detection off, HTTP process to run in parallel and so on.
set Set configuration, for example, to set title, password, user configuration, and so on.
cancel Cancel process such as cancel a scan or run a cancel report case.
add_fqdn Activity related to adding the FQDN.
send Send configuration like sending any information and so on.
crashed Process crashed  such as report process on the platform is crashed and so on.
disable Disable any existing encryption for example, disabling an PDF encryption.
migrate Status of migration for example AGMS migration status.
reboot Reboot process like scanner rebooting.
purge Purge process such as purging an asset.
logout Action for logout of any process.
replace Replace action for example, replacing one scanner appliance with the other.
restore Restore process for example when you want to ignore or restore the specified vulnerabilities and so on.
cleanup Set the cleanup process, for example, when you set up asset tracking and data merging to clean up.
update Update action, such as updating account settings, updating default ranges, and so on. 
delay Delay in any action for example, delay in the report launch or any schedule scan.
launch Launch any process such as scan launch, scheduled report, and so on.
request Request action for example make any API request and so on.
log Store the status in the log for example, storing the template setting in the log when you generate report.
del_fqdn Deleting the FQDN.
enable Enable the encryption for example, enablingan PDF encryption.
change Change in the configuration such as change password and so on. 
created Create anything new for example, create new account, create new partner, and so on. 
transfer Transfer process for example when you want to transfer the subscription from one partner to another. and so on
bind Binding process such as binding of scanners.
success Process completion for example when account is activated or password is reset and so on.
kill When the admin stops the user session
redirect For any redirection such as redirecting to the portal.
deleted Deleting action such as deleting user or any process.
upload Upload any file or data.
s-count When you execute extra asset tool.
delete Any delete action such as delete asset group, unix/windows/oracle authetication ip address deleted and so on.
provision Configuration of any device for example any virtual scanner appliance with a name, id and code.
paused Pause in any process for example pause scan, and so on.
tnc Accept any terms and conditions.
errors Any error for example, error in the report or failed to encrypt
remove Remove any information, records or data such as any assets, asset group and so on.
entity Related to AGMS
updated Update action for example update the partner or administrator.
scandata Request to get any data such as request for scan data tool to collect the scan XML. 
add Perform any add action for example, add IPs to asset groups, authentication records, and so on. 
create Perform any create action such as create an authentication records, new search list and so on.
try Try to perform some action such as retry the skipped network targets.
download Download any information such as download report, virtual scanner image and so on.
resume Resume any process such as to restart the scan post pause.
activate Activate any device for example when you activate the scanner appliance.
declined Decline any process.
search Any search action such as searching additional asset.
error Any type of error for example, error when executing scan, report and so on.
save Save any actions such as policy rule and so on. 
edit  Any edit action such as edit any subscriptions, tickets and so on.  
pause Pause any process for example when you pause the scan.
reset Change in configuration such as reset scan, password.
loading Wait for any action to load for example, execute any scan and the scan is loading.
ignore Ignore the information, data for example ignoring the vulnerabilities when the report is generated.
decline Decline any action..
accept Accept any configuration.
enabled Enable any setting.

The actions which are included in the output depend on the user who runs the API. Managers see all actions taken by all users. Unit Managers see actions taken by users in their business unit. Scanners and Readers see their own actions only.

action_details={value}

 Optional String 

Filter on further information about the user actions. For example, for the action “error”, you can filter by the error details “No connection from scanner appliance”.

username={value}

 Optional String 

The name of the user who performed the action. Usernames are included in the output only if the user running the API is a Manager or a Unit Manager.

A Unit Manager can see usernames only for users in the Unit Manager’s hierarchy.

since_datetime={value}

 Optional Integer 

Specify the date to include the activity log starting from that point in time. Date must be in the YYYY-MM-DD[THH:MM:SSZ] format (UTC/GMT), like “2021-12-01” or “2021-12-01T23:12:00Z”, and must be less than or equal to today’s date.

until_datetime={value}

 Optional Integer 

Specify the date to include the activity log until a specific point in time. Date must be in the YYYY-MM-DD[THH:MM:SSZ] format (UTC/GMT), like “2021-12-01” or “2021-12-01T23:12:00Z”, must be more than or equal to since_datetime, and less than or equal to today’s date.

user_role={value}

 Optional Boolean 

A Manager or Unit Manager can choose to export logs for certain user roles instead of all user roles. Specify this parameter to export logs for users with certain user roles. Multiple roles are comma separated.

User roles you can specify: Manager, Unit Manager, Auditor, Scanner, Reader, KnowledgeBase Only, Remediation User, Contact

What logs are exported by default? For a Manager logs are exported for all users (all user roles) by default. For a Unit Manager logs are exported only for users (all user roles) in the Unit Manager’s hierarchy (i.e. business unit).

output_format=CSV

 Optional File

CSV (default)

truncation_limit={value}

 Optional Integer 

Limit the number of log records to include in the CSV output.

Sample - Export User Activity LogSample - Export User Activity Log

API Request

curl -u "username:password" - "X-Requested-With:curl" "https://<qualys_base_url>/api/2.0/fo/activity_log/?action=list"

CSV Output

"Date","Action","Module","Details","User Name","User Role","User IP"
"2017-02-03T04:35:38Z","login","auth","user_logged in","saand_rn","Manager","10.113.195.136"
"2017-02-02T13:58:16Z","login","auth","user_logged in","saand_rn","Manager","10.113.195.136"
"2017-02-02T13:48:07Z","request","auth","API: /api/2.0/fo/activity_log/index.php","saand_rn","Manager","10.113.195.136"
"2017-02-02T13:31:19Z","request","auth","API: /api/2.0/fo/activity_log/index.php","saand_rn","Manager","10.113.195.136"
"2017-02-02T13:28:38Z","request","auth","API: /api/2.0/fo/activity_log/index.php","saand_rn","Manager","10.113.195.136"
"2017-02-02T13:28:17Z","request","auth","API: /api/2.0/fo/activity_log/index.php","saand_rn","Manager","10.113.195.136"
"2017-02-02T13:27:27Z","request","auth","API: /api/2.0/fo/activity_log/index.php","saand_rn","Manager","10.113.195.136"
"2017-02-02T13:26:41Z","request","auth","API: /api/2.0/fo/activity_log/index.php","saand_rn","Manager","10.113.195.136"
"2017-02-02T12:52:43Z","set","host_attribute","comment=[vvv] for 11.11.11.4","saand_rn","Manager","10.113.14.208"
"2017-02-02T12:52:43Z","add","option","11.11.11.4 added to both VM-PC license","saand_rn","Manager","10.113.14.208"
"2017-02-02T12:50:32Z","create","network","New Network: 'abc'","saand_rn","Manager","10.113.14.208"