Get Audit Log Entries
Last updated - 23 July, 2025
The Audit Log (formerly called Access Log) resource allows you to programmatically get your Audit log entries.
Note: As with all of our API calls, authentication is required.
Resource URI
/setting/accesslogs
Resource Properties
Each access log entry has the following properties:
Property |
Description |
Type |
id | The Id of the access log entry | String |
username | The username associated with the user that performed the action recorded in the access log entry | String |
happenedOn | The time, in epoch seconds, that the action recorded in the access log entry occurred | Integer |
happenedOnLocal | The date and time that the action recorded in the access log entry occured | String |
ip | The IP address that the action was performed from | String |
sessionId | The Id of the session during which the action was performed | String |
description | The description of the action recorded in the access log entry | String |
Get a list of Access Log Entries
Returns a list of Access Log Entries
HTTP Method:GET
URI: /setting/accesslogs
Request Parameters: By default, 50 access log entries will be returned, sorted by their happenedOn values in decreasing order. You can change which access log entries are returned by including sort, filter, fields, size, and offset parameters. Multiple request parameters will be interpreted with an AND operator. Note that query parameters are not considered part of the resource path, and should not be included the calculation of the LMv1 authentication signature.
Property |
Syntax |
Description |
Example URI |
sort | sort={+ or -}property | Sorts the access log entries in the response by the property specified in either increasing (+) or decreasing (-) order. Access Log entries can be sorted by username, happenedOn, and session Id values. | /setting/accesslogs?sort=+happenedOn |
filter | filter=_all~*keyword*, happenedOn>:value | Filters the response to only include access log entries that include the keyword if specifed, and entries that have a timestamp in the specified happenedOn range if happenedOn values are specified. Note that currently only glob expressions with * on both ends are accepted (you don’t have to use glob), and that only >: (greater than or equal to) and <: (less than or equal to) happenedOn operators are accepted.
Note: If you specify a happenedOn range where the number of entries exceeds 50, the “total” will reflect the total number of entries in the range but only 50 entries will be displayed. |
/setting/accesslogs?filter=_all~sarah |
fields | fields=list of properties separated by commas | Filters the response to only include the following fields for each access log entry | /setting/accesslogs?fields=description,username |
size | size=integer | The number of access log entries to display. The maximum number of entries that can be returned is 1000. | /setting/accesslogs?size=5 |
offset | offset=integer | The number of entries to offset the displayed access log entries by | /setting/accesslogs?offset=2 |
Example 1: Get a list of Access Log Entries
The following request returns a list of the access log entries from the past 24 hours (a max of 50 will be returned)
Request:
curl --user "apiUser:example" -X GET "https://api.logicmonitor.com/santaba/rest/setting/accesslogs"
Response:
{ "status" : 200, "errmsg" : "OK", "data" : { "total" : 9, "items" : [ { "id" : "2415", "username" : "sarah", "happenedOn" : 1436460382, "happenedOnLocal" : "2015-07-09 09:46:22 PDT", "ip" : "174.76.130.100", "sessionId" : "17A45B032911D0A8F701906E922A4B50", "description" : "sarah signs in (adminId=4)." }, { "id" : "2414", "username" : "Victoria", "happenedOn" : 1436395431, "happenedOnLocal" : "2015-07-08 15:43:51 PDT", "ip" : "174.76.130.120", "sessionId" : "3F624A15623BF5DF77456358F8D3289F", "description" : "Victoria signs in (adminId=7)." }, { "id" : "2413", "username" : "sarah", "happenedOn" : 1436375816, "happenedOnLocal" : "2015-07-08 10:16:56 PDT", "ip" : "174.76.130.131", "sessionId" : "C45F143150240B02C5AA34EDCB4AA5B5", "description" : "Add a new collector 115 (hostname=null, desc=)" }, { "id" : "2412", "username" : "sarah", "happenedOn" : 1436375721, "happenedOnLocal" : "2015-07-08 10:15:21 PDT", "ip" : "174.76.100.121", "sessionId" : "C45F143150240B02C5AA34EDCB4AA5B5", "description" : "Delete the collector 97 (hostname=localhost.localdomain, desc=SB-sterry-LinuxVM)" }, { "id" : "2411", "username" : "sarah", "happenedOn" : 1436375544, "happenedOnLocal" : "2015-07-08 10:12:24 PDT", "ip" : "174.76.130.131", "sessionId" : "C45F143150240B02C5AA34EDCB4AA5B5", "description" : "Delete the host 192.168.82.210 from the system" }, { "id" : "2410", "username" : "sarah", "happenedOn" : 1436375530, "happenedOnLocal" : "2015-07-08 10:12:10 PDT", "ip" : "174.76.130.131", "sessionId" : "C45F143150240B02C5AA34EDCB4AA5B5", "description" : "Delete the host 10.36.11.97 from the system" }, { "id" : "2409", "username" : "sarah", "happenedOn" : 1436375401, "happenedOnLocal" : "2015-07-08 10:10:01 PDT", "ip" : "174.76.130.131", "sessionId" : "C45F143150240B02C5AA34EDCB4AA5B5", "description" : "Delete the collector 114 (hostname=null, desc=)" }, { "id" : "2408", "username" : "sarah", "happenedOn" : 1436374244, "happenedOnLocal" : "2015-07-08 09:50:44 PDT", "ip" : "174.76.130.131", "sessionId" : "C45F143150240B02C5AA34EDCB4AA5B5", "description" : "Add a new collector 114 (hostname=null, desc=)" }, { "id" : "2407", "username" : "sarah", "happenedOn" : 1436374208, "happenedOnLocal" : "2015-07-08 09:50:08 PDT", "ip" : "174.76.130.131", "sessionId" : "C45F143150240B02C5AA34EDCB4AA5B5", "description" : "sarah signs in (adminId=4)." } ], "searchId" : null }
Example 2: Get a list of Access Log Entries
The following request returns the username, happenedOn, and description fields for access log entries that contain the word ‘sarah’ and that have a timestamp between the specified happenedOn times. Entries are sorted in increasing order by the happenedOn field.
Request:
curl --user "apiUser:example" -X GET "https://apiUser.logicmonitor.com/santaba/rest/setting/accesslogs?sort=+happenedOn&filter=_all~sarah,happenedOn<:1436204150,happenedOn>:1436203980&fields=username,happenedOn,description"
Response:
{ "status" : 200, "errmsg" : "OK", "data" : { "total" : 3, "items" : [ { "username" : "sarah", "happenedOn" : 1436203987, "description" : "sarah signs in (adminId=4)." }, { "username" : "sarah", "happenedOn" : 1436204111, "description" : "Datasource Collector Active Discovery Task updated. Reason unspecified. AD parameters from path=\"LogicMonitor:type=AutoDiscoveryTask,name=*\" url=\"service:jmx:local\" ports=\"\" to url=\"service:jmx:local\" ports=\"\" path=\"LogicMonitor:type=AutoDiscoveryTask,name=*\" " }, { "username" : "sarah", "happenedOn" : 1436204148, "description" : "sarah signs in (adminId=4)." } ], "searchId" : null }