Summary

Within Crowd, we have the Audit logs which can be viewed via GUI by using the steps in our Browsing the audit log document, but for several reasons, there might be a need to use Crowd REST API to fetch those logs.

Unfortunately, Crowd does not have a GET method to collect those logs at the moment (we do have a suggestion for that under CWD-5804 - Add ability to GET all audit logs via Crowd DC API instead of POST to search, so make sure to comment and vote on it so it gets better chances to be implemented). Because of that we need to use the POST method for collecting those logs and this KB intends to give some examples on how to do that.

This article explains how to fetch the Crowd Audit logs using POST request. 

Environment

These steps below were tested on Atlassian Crowd 5.1.5 and 5.2.3.

Solution

The examples below are using the curl  terminal tool as it's available in most environments, if you don't have that or use another tool for your REST queries, make sure to adapt those to your environment.

In all examples, make sure to change the variables (marked in between "< >") for the correct value in your environment.

Filter by Author: 

curl -X POST -H 'Content-Type: application/json' -H 'Accept:application/json' -u <username>:<password> -i <crowd-base-url>/rest/admin/1.0/auditlog/query --data '{"authors":[{"name":"<username_to_search>","type":"USER"}]}'

Filter by Action: 

In this example we are filtering the actions "USER_CREATED" and "CONFIGURATION_MODIFIED" specifically, but any other actions can be used.

curl -X POST -H 'Content-Type: application/json' -H 'Accept:application/json' -u <username>:<password> -i <crowd-base-url>/rest/admin/1.0/auditlog/query --data '{"actions":["USER_CREATED","CONFIGURATION_MODIFIED"]}' 

Filter by User:

curl -X POST -H 'Content-Type: application/json' -H 'Accept:application/json' -u <username>:<password> -i <crowd-base-url>/rest/admin/1.0/auditlog/query --data '{"users":[{"name":"<username_to_search>"}]}'

Filter by Group:

curl -X POST -H 'Content-Type: application/json' -H 'Accept:application/json' -u <username>:<password> -i <crowd-base-url>/rest/admin/1.0/auditlog/query --data '{"groups":[{"name":"<groupname_to_search>"}]}'

Filter by Application:

curl -X POST -H 'Content-Type: application/json' -H 'Accept:application/json' -u <username>:<password> -i <crowd-base-url>/rest/admin/1.0/auditlog/query --data '{"applications":[{"name":"<applicationname_to_search>"}]}'

Filter by Directory:

curl -X POST -H 'Content-Type: application/json' -H 'Accept:application/json' -u <username>:<password> -i <crowd-base-url>/rest/admin/1.0/auditlog/query --data '{"directories":[{"name":"<directoryname_to_search>"}]}'

Filter by Source:

 curl -X POST -H 'Content-Type: application/json' -H 'Accept:application/json' -u <username>:<password> -i <crowd-base-url>/rest/admin/1.0/auditlog/query --data '{"sources":["<source1>","<source2"]}'

Filter by multiple outputs at once: 

You can also add some of this filters together in one call. Here's an example of filtering by source and application:

curl -X POST -H 'Content-Type: application/json' -H 'Accept:application/json' -u <username>:<password> -i <crowd-base-url>/rest/admin/1.0/auditlog/query --data '{"sources":["<source1>","<source2"],"applications":[{"name":"<applicationname_to_search>"}]}'

How to grab the correct syntax for each auditlog if they are not on the examples above.

For future reference, you can use your Browser Development Tools to find out what are the available fields for the REST query you need to do.

In other words, follow these steps: 

1. Go to Crowd auditlog page in the UI.
2. Open your browser developer tools (in our case was Google Chrome).
3. Start a capture and try to add the filters you need.
4. On the "Network" tab of the developer tools, look for the query call and into it search for the "payload" field.
5. On that, click on "View Source"

With this you can use that source output to use in your REST API queries.