# Search Audit Logs

{% hint style="warning" %}
This endpoint has been deprecated and replaced by [Export UAM records](https://documentation.immuta.com/2024.3/detect-your-activity/audit/how-to-guides/enable-uam).
{% endhint %}

This page describes the `audit` endpoint API. The audit API allows users to programmatically search for audit records in Immuta.

{% hint style="info" %}
Additional fields may be included in some responses you receive; however, these attributes are for internal purposes and are therefore undocumented.
{% endhint %}

## Workflow

1. [Search all audit records](#search-for-audit-records).
2. [Retrieve a specific audit record](#retrieve-a-specific-audit-record).
3. [Search for recent activities using the API key](#query-for-activity-by-api-key).
4. [Search for queries for a specific data source](#search-for-query-list-by-data-source).

## Search for audit records

<mark style="color:green;">`GET`</mark> `/audit`

Search for audit records.

#### Query parameters

| Attribute    | Description                                                                                                                       | Required |
| ------------ | --------------------------------------------------------------------------------------------------------------------------------- | -------- |
| dataSourceId | `array[integer]` The data source ID.                                                                                              | No       |
| projectId    | `array[integer]` The project ID.                                                                                                  | No       |
| profileId    | `array[integer]` The user profile ID.                                                                                             | No       |
| recordType   | `array[integer]` The type of audit event being captured. This also corresponds to the additional information in the record field. | No       |
| outcome      | `array[integer]`                                                                                                                  | No       |
| minDate      | `timestamp` The minimum date.                                                                                                     | No       |
| maxDate      | `timestamp` The maximum date.                                                                                                     | No       |
| blobId       | `string` The blob ID.                                                                                                             | No       |
| offset       | `integer` Used in combination with `size` to fetch pages.                                                                         | No       |
| size         | `integer` Pages results by default; `size` is the number of results to return per page. **Default `50`**                          | No       |
| sortField    | `string` Sorts results by field. **Default `dateTime`**                                                                           | No       |
| sortOrder    | `string` Sorts results by order, which must be `asc` or `desc`. **Default `desc`**                                                | No       |

#### Response parameters

| Attribute | Description                                               |
| --------- | --------------------------------------------------------- |
| hits      | `metadata` Details regarding the returned list of audits. |

### Request example

The following request searches for all audit records.

```shell
curl \
    --request GET \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer dea464c07bd07300095caa8" \
    "https://your-immuta-url.com/audit?size=2&sortField=dateTime&sortOrder=desc"
```

### Response example

```json
{
  "hits": [
    {
      "dateTime": "1632756753272",
      "dataSourceName": null,
      "projectName": null,
      "recordType": "auditQuery",
      "blobId": null,
      "userId": "first.last@immuta.com",
      "profileId": 2,
      "purposeIds": null,
      "success": true,
      "failureReason": null,
      "id": "480d9d3f-4128-445d-8eec-3cccb34f9935",
      "fingerprintVersionName": null,
      "email": "first.last@immuta.com"
    },
    {
      "dateTime": "1632755783628",
      "dataSourceName": null,
      "projectName": null,
      "recordType": "authenticate",
      "blobId": null,
      "userId": "first.last@immuta.com",
      "profileId": 2,
      "purposeIds": null,
      "success": true,
      "failureReason": null,
      "id": "d143719b-6af9-4af3-aa99-8055be40e877",
      "fingerprintVersionName": null,
      "email": "first.last@immuta.com"
    }
  ]
}
```
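The following is an added example, not Immuta's own code: it pages through `/audit` results with `offset` and `size`, converts the epoch-millisecond `dateTime` strings to UTC, and pulls out unsuccessful events for review. It assumes `offset` counts records to skip and that a page shorter than `size` ends the results; `make_fake_fetch` and the sample records are constructed stand-ins for the HTTP call so the block runs offline.

```python
from datetime import datetime, timezone
from urllib.parse import urlencode

def audit_url(base_url, **params):
    """Build a /audit search URL with the query string properly encoded."""
    return f"{base_url.rstrip('/')}/audit?{urlencode(params)}"

def iter_audit_records(fetch_page, size=50):
    """Yield every hit, advancing `offset` by `size` on each request.
    Assumption: `offset` counts records to skip, and a page shorter
    than `size` marks the end of the results."""
    offset = 0
    while True:
        hits = fetch_page(offset=offset, size=size).get("hits", [])
        yield from hits
        if len(hits) < size:
            return
        offset += size

def to_utc(date_time):
    """Convert the epoch-millisecond `dateTime` string to ISO 8601 UTC."""
    ms = int(date_time)
    ts = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return ts.replace(microsecond=ms % 1000 * 1000).isoformat(timespec="milliseconds")

def failed_events(records):
    """Return (UTC time, userId, recordType, failureReason) for failed events."""
    return [(to_utc(r["dateTime"]), r["userId"], r["recordType"], r["failureReason"])
            for r in records if not r["success"]]

# Constructed sample data shaped like the response example; index 3 is a failure.
SAMPLE = [{"dateTime": str(1632756753272 - i * 1000), "recordType": "authenticate",
           "userId": "first.last@immuta.com", "success": i != 3,
           "failureReason": None if i != 3 else "constructed reason"}
          for i in range(5)]

def make_fake_fetch(records):
    """Hypothetical stand-in for the HTTP call; also records requested offsets."""
    offsets = []
    def fetch(offset, size):
        offsets.append(offset)
        return {"hits": records[offset:offset + size]}
    return fetch, offsets

if __name__ == "__main__":
    fetch, offsets = make_fake_fetch(SAMPLE)
    for event in failed_events(iter_audit_records(fetch, size=2)):
        print(event)
    print("offsets requested:", offsets)
```
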

## Retrieve a specific audit record

<mark style="color:green;">`GET`</mark> `/audit/{recordId}`

Retrieve a specific audit record.

#### Query parameters

| Attribute | Description                   | Required |
| --------- | ----------------------------- | -------- |
| recordId  | `string` The audit record ID. | **Yes**  |

#### Response parameters

| Attribute | Description                                             |
| --------- | ------------------------------------------------------- |
| hits      | `metadata` Details regarding the returned audit record. |

### Request example

The following request retrieves a specific audit record.

```shell
curl \
    --request GET \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer dea464c07bd07300095caa8" \
    https://your-immuta-url.com/audit/480d9d3f-4128-445d-8eec-3cccb34f9935
```

### Response example

```json
{
  "id": "480d9d3f-4128-445d-8eec-3cccb34f9935",
  "dateTime": "1632756753272",
  "month": 1460,
  "profileId": 2,
  "userId": "first.last@immuta.com",
  "dataSourceId": null,
  "dataSourceName": null,
  "projectId": null,
  "projectName": null,
  "purposeIds": null,
  "policyId": null,
  "policyName": null,
  "fingerprintVersionId": null,
  "fingerprintVersionName": null,
  "count": 1,
  "recordType": "auditQuery",
  "success": true,
  "failureReason": null,
  "failureDetails": null,
  "subscriptionState": null,
  "accessedId": null,
  "accessedIdType": null,
  "accessedIamId": null,
  "accessedUserId": null,
  "groupAccessType": null,
  "groupIamId": null,
  "accessedGroupId": null,
  "component": "audit",
  "accessType": null,
  "blobId": null,
  "queryId": null,
  "extra": {
    "params": {
      "size": 50,
      "sortField": "dateTime",
      "sortOrder": "desc",
      "offset": 0
    }
  },
  "dataSourceSchemaName": null,
  "dataSourceTableName": null,
  "featureKey": null,
  "sqlUser": null,
  "action": null,
  "blobSize": null,
  "hardDelete": null,
  "keyAction": null,
  "keyId": null,
  "keyIamId": null,
  "keyUserId": null,
  "createdAt": "2021-09-27T15:32:33.274Z",
  "updatedAt": "2021-09-27T15:32:33.274Z"
}
```

## Query for activity by API key

<mark style="color:green;">`GET`</mark> `/audit/apikey/activity`

Queries for the recent activity using the API key.

#### Query parameters

| Attribute | Description                   | Required |
| --------- | ----------------------------- | -------- |
| recordId  | `string` The audit record ID. | **Yes**  |

#### Response parameters

| Attribute | Description                               |
| --------- | ----------------------------------------- |
| value     | `metadata` Details regarding the recent activity. |

### Request example

The following request queries for the recent activity using the API key.

```shell
curl \
    --request GET \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer dea464c07bd07300095caa8" \
    "https://your-immuta-url.com/audit/apikey/activity?keyid=650&count=1"
```

### Response example

```json
{
  "id": "480d9d3f-4128-445d-8eec-3cccb34f9935",
  "dateTime": "1632756753272",
  "month": 1460,
  "profileId": 2,
  "userId": "first.last@immuta.com",
  "dataSourceId": null,
  "dataSourceName": null,
  "projectId": null,
  "projectName": null,
  "purposeIds": null,
  "policyId": null,
  "policyName": null,
  "fingerprintVersionId": null,
  "fingerprintVersionName": null,
  "count": 1,
  "recordType": "auditQuery",
  "success": true,
  "failureReason": null,
  "failureDetails": null,
  "subscriptionState": null,
  "accessedId": null,
  "accessedIdType": null,
  "accessedIamId": null,
  "accessedUserId": null,
  "groupAccessType": null,
  "groupIamId": null,
  "accessedGroupId": null,
  "component": "audit",
  "accessType": null,
  "blobId": null,
  "queryId": null,
  "extra": {
    "params": {
      "size": 50,
      "sortField": "dateTime",
      "sortOrder": "desc",
      "offset": 0
    }
  },
  "dataSourceSchemaName": null,
  "dataSourceTableName": null,
  "featureKey": null,
  "sqlUser": null,
  "action": null,
  "blobSize": null,
  "hardDelete": null,
  "keyAction": null,
  "keyId": null,
  "keyIamId": null,
  "keyUserId": null,
  "createdAt": "2021-09-27T15:32:33.274Z",
  "updatedAt": "2021-09-27T15:32:33.274Z"
}
```

## Search for query list by data source

<mark style="color:green;">`GET`</mark> `/audit/queries/dataSource/{dataSourceId}/mine`

Returns the list of the current user's distinct queries for the specified data source.

#### Query parameters

| Attribute    | Description                                                                                              | Required |
| ------------ | -------------------------------------------------------------------------------------------------------- | -------- |
| dataSourceId | `array[integer]` The data source ID.                                                                     | **Yes**  |
| offset       | `integer` Used in combination with `size` to fetch pages.                                                | No       |
| size         | `integer` Pages results by default; `size` is the number of results to return per page. **Default `50`** | No       |
| sortField    | `string` Sorts results by field. **Default `dateTime`**                                                  | No       |
| sortOrder    | `string` Sorts results by order, which must be `asc` or `desc`. **Default `desc`**                       | No       |

#### Response parameters

| Attribute | Description                                                 |
| --------- | ----------------------------------------------------------- |
| auditId   | `array[integer]` The audit ID.                              |
| lastRun   | `integer` The date and time the query was last run, in Unix time. |
| timesRun  | `integer` The number of times the audit has been run.       |
| name      | `string` The name of the query.                             |

### Request example

The following request returns the list of the current user's distinct queries.

```shell
curl \
    --request GET \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer dea464c07bd07300095caa8" \
    "https://your-immuta-url.com/audit/queries/dataSource/23/mine?size=10&sortField=lastrun&sortOrder=desc"
```

### Response example

```json
{
  "hits": [
    {
      "auditId": "ff264e8e-2ccc-468f-9129-bb0995c9cdf5",
      "lastrun": "1631627763345",
      "timesrun": "5",
      "name": "Name"
    },
    {
      "auditId": "f722042f-f0f3-4c83-bd33-7672892d918f",
      "lastrun": "1631200121550",
      "timesrun": "3",
      "name": null
    }
  ],
  "count": 2
}
```
