Using pubsub API calls to collect audit events
- Updated on 19 Aug 2024
Required information
You will need four pieces of information to use the APIs:
The host for your cluster (us001, us002, etc)
Your tenant ID
An API key
The number of messages you'd like to retrieve in each set
API call format
Authenticate
The authentication call will need a header identifying the content type: {'Content-type': 'application/json'}
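The data to be sent will be a JSON object containing the API key (a 32-character alphanumeric string): {'apiKey': '123Abc45ExampleKeyFormat678stuvw'}. The API key is a credential, so supply it from a secret store or environment variable rather than committing it to source control.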
The URL to send the POST request will contain the following information
The host for your cluster (example https://pubsub.us003.ia.us003-rapididentity.com/)
Your tenant ID (example ia07766af2bd2f4efb824806ec1ef6d4b8)
Example:
https://pubsub.us003.ia.us003-rapididentity.com/v1/tenants/ia07766af2bd2f4efb824806ec1ef6d4b8/authenticate
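A successful authentication will return JSON containing an ID Token to be used in the Poll call and a statusCode of 200. The token is the IdToken field of AuthenticationResult; it is a credential, so keep it out of logs. The sample below shows AuthenticationResult under data, which is how the Connect example reads it (result.data.AuthenticationResult.IdToken); the Node.js and Python examples read AuthenticationResult from the top level of the parsed response body.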
{
"data": {
"AuthenticationResult": {
"AccessToken": "xxxxxxxxxxxxxxxxxxxxx",
"ExpiresIn": 3600,
"IdToken": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"NewDeviceMetadata": null,
"RefreshToken": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"TokenType": "Bearer"
},
"ChallengeName": null,
"ChallengeParameters": {},
"Session": null
},....
}
Poll
The poll call will need a header identifying the content type and the ID Token as the Authorization value: {'Content-type': 'application/json', 'Authorization': 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'}
The data to be sent will be a JSON object containing the maximum number of messages you want returned on this call: {'maxMessages': 50}
The URL to send the POST request will contain the following information
The host for your cluster (example https://pubsub.us003.ia.us003-rapididentity.com/)
Your tenant ID (example ia07766af2bd2f4efb824806ec1ef6d4b8)
Example:
https://pubsub.us003.ia.us003-rapididentity.com/v1/tenants/ia07766af2bd2f4efb824806ec1ef6d4b8/projects/builtin/subscriptions/audit:pull
A successful poll will return JSON containing audit events from the message queue and a statusCode of 200. If there are no messages currently in the queue, data.receivedMessages will be null, so check for null before iterating over the messages.
{
receivedMessages: [
{
actionId: 'net.idauto.audit.common.core.action.configSaved',
'ext.User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36',
'ext.enabled': 'true',
'ext.expiration': '2024-08-14T22:05:00.000Z',
'ext.version': '22',
hostIp: '172.17.94.70',
id: '39571b80-d3e4-4eb6-81df-41c8abf41a52',
moduleId: 'net.idauto.audit.common.module.core',
perpDN: 'idautoID=08b5f0ec-d56a-4712-ada5-c86074ab11db,ou=Accounts,dc=meta',
perpId: '08b5f0ec-d56a-4712-ada5-c86074ab11db',
perpIp: '172.17.95.143',
perpIpForwarded: '10.10.10.10',
productId: 'net.idauto.audit.common.product.core',
successful: 'true',
target: 'net.idauto.config.IdautoTenantLoginConfig',
targetSystem: 'CONFIG_DB',
tenantId: 'ia07766af2bd2f4efb824806ec1ef6d4b8',
timestamp: '2024-08-01T22:05:16.015Z'
},
{
actionId: 'net.idauto.audit.common.core.action.configSaved',
'ext.User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36',
'ext.enabled': 'false',
'ext.version': '23',
hostIp: '172.17.94.70',
id: '22315d78-8174-4f4a-839a-d58e4de8befe',
moduleId: 'net.idauto.audit.common.module.core',
perpDN: 'idautoID=08b5f0ec-d56a-4712-ada5-c86074ab11db,ou=Accounts,dc=meta',
perpId: '08b5f0ec-d56a-4712-ada5-c86074ab11db',
perpIp: '172.17.81.223',
perpIpForwarded: '10.10.10.10',
productId: 'net.idauto.audit.common.product.core',
successful: 'true',
target: 'net.idauto.config.IdautoTenantLoginConfig',
targetSystem: 'CONFIG_DB',
tenantId: 'ia07766af2bd2f4efb824806ec1ef6d4b8',
timestamp: '2024-08-01T22:05:18.696Z'
}
]
}
Example code
Connect
# Step 1 - authenticate. The API key, base URL and tenant ID are read from Global
# variables, so no credential is written into the script itself.
myHeaders = {'Content-type': 'application/json'}
myData = {'apiKey': Global.pubSubAPIKey}
result = httpPOST(Global.pubSubURL+"/v1/tenants/"+Global.pubSubTenant+"/authenticate",myHeaders,toJSON(myData))
# Continue only on HTTP 200; the status code is compared against the string "200".
if (result.statusCode && (result.statusCode == "200")) {
# The ID token is the credential for the poll call below; this script never writes it to the log.
myIDToken = result.data.AuthenticationResult.IdToken
} else {
log("Could not authenticate", "ERROR", "red")
return
}
# Step 2 - poll. The ID token is sent as the Authorization header value and at most 50 messages are requested.
myHeaders = {"Content-Type":"application/json", "Authorization": myIDToken}
myData = {"maxMessages": 50}
result = httpPOST(Global.pubSubURL+"/v1/tenants/"+Global.pubSubTenant+"/projects/builtin/subscriptions/audit:pull",myHeaders,toJSON(myData))
if (result.statusCode && (result.statusCode == "200")) {
myMessages = result.data.receivedMessages
# receivedMessages is tested before .length is read, which covers the empty-queue case.
if (myMessages) {
# NOTE(review): "green" is the second argument here, whereas the error calls pass "ERROR" and then "red" - confirm the intended log() arguments.
log("Successfully pulled "+myMessages.length+" messages", "green")
# Each msg is one audit event. The sample events carry user identifiers and IP addresses,
# so the log they are written to needs access control to match.
forEach (msg, myMessages) {
log(msg)
}
} else {
log("Queue is empty","green")
}
} else {
log("Unable to pull messages from audit queue", "ERROR", "red")
}
Javascript (via node.js)
const fetch = require("node-fetch");
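// Connection settings for the pubsub API. The host and tenant values are the
// documentation placeholders; replace them with your own cluster host and tenant ID.
const host = 'https://pubsub.us003.ia.us003-rapididentity.com/';
const tenant = 'ia07766af2bd2f4efb824806ec1ef6d4b8';
// The API key is a credential. Supply it through the environment so it never
// lands in source control (PUBSUB_API_KEY is a variable name chosen for this
// example); the literal is only the documentation placeholder used as a fallback.
const myApiKey = process.env.PUBSUB_API_KEY || '123Abc45ExampleKeyFormat678stuvw';
// Upper bound on the number of audit events returned by one poll call.
const myMaxMessages = 50;
// Captured once at start-up and sent as the Date header of the poll request.
const myDate = new Date();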
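/**
 * Authenticates with the API key and then pulls audit events.
 *
 * Posts the API key to the tenant's authenticate endpoint, reads the ID token
 * from `AuthenticationResult.IdToken` in the JSON response, and passes it to
 * `readMessages`. The token is a credential and is never logged here.
 *
 * @returns {Promise<void>} Resolves once `readMessages` has finished.
 * @throws {Error} If the HTTP status is not successful or the response holds
 *   no ID token. Errors from `fetch` and `readMessages` propagate unchanged.
 */
const poll = async () => {
  const res = await fetch(`${host}v1/tenants/${tenant}/authenticate`, {
    method: "POST",
    body: JSON.stringify({ apiKey: myApiKey }),
    headers: {
      "Content-type": "application/json",
    },
  });

  // A rejected key must stop here instead of being parsed as a token response.
  if (!res.ok) {
    throw new Error(`Authentication failed with HTTP status ${res.status}`);
  }

  const response = await res.json();
  const authResult = response && response.AuthenticationResult;
  const idToken = authResult && authResult.IdToken;
  if (typeof idToken !== "string" || idToken === "") {
    throw new Error("Authentication response did not contain an IdToken");
  }

  // Awaited so that a failed poll rejects this promise rather than floating.
  await readMessages(idToken);
};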
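/**
 * Pulls up to `myMaxMessages` audit events from the tenant's audit
 * subscription and prints the parsed response.
 *
 * The sample events carry user identifiers and IP addresses, so send this
 * output only to a destination with matching access control.
 *
 * @param {string} myIdToken - ID token from the authenticate call, sent as the
 *   Authorization header value.
 * @returns {Promise<void>}
 * @throws {Error} If the HTTP status is not successful (for example, when the
 *   token is rejected). Errors from `fetch` propagate unchanged.
 */
async function readMessages(myIdToken) {
  const res = await fetch(`${host}v1/tenants/${tenant}/projects/builtin/subscriptions/audit:pull`, {
    method: "POST",
    body: JSON.stringify({ maxMessages: myMaxMessages }),
    headers: {
      "Content-type": "application/json",
      "Authorization": myIdToken,
      "Date": myDate.toUTCString(),
    },
  });

  // Without this check an error body would be printed as if it were audit data.
  if (!res.ok) {
    throw new Error(`Audit poll failed with HTTP status ${res.status}`);
  }

  const response = await res.json();
  console.log(response);
}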
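// Run the sample. A rejected promise (network failure, unexpected status,
// malformed response) is reported and turned into a non-zero exit code
// instead of being left as an unhandled rejection.
poll().catch((err) => {
  console.error("Audit poll failed:", err.message);
  process.exitCode = 1;
});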
Python 3
import os

import requests
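# Connection settings. The host and tenant values are the documentation
# placeholders; replace them with your own cluster host and tenant ID.
host = 'https://pubsub.us003.ia.us003-rapididentity.com/'
tenant = 'ia07766af2bd2f4efb824806ec1ef6d4b8'
# The API key is a credential. Supply it through the environment so it never
# lands in source control (PUBSUB_API_KEY is a variable name chosen for this
# example); the literal is only the documentation placeholder used as a fallback.
myApiKey = os.environ.get('PUBSUB_API_KEY') or '123Abc45ExampleKeyFormat678stuvw'
myMaxMessages = 50
# requests applies no timeout by default; bound each call so a stalled
# connection cannot hang the collector indefinitely.
requestTimeout = 30

# Step 1 - authenticate with the API key and read the ID token.
body = {'apiKey': myApiKey}
headers = {'Content-type': 'application/json'}
auth = requests.post(host+'v1/tenants/'+tenant+'/authenticate', json=body, headers=headers, timeout=requestTimeout)
# Stop on a non-success status instead of parsing an error body as a token response.
auth.raise_for_status()
auth_data = auth.json()
# The ID token is a credential for the poll call; it is deliberately not printed.
myIdToken = auth_data['AuthenticationResult']['IdToken']

# Step 2 - poll the audit subscription, sending the ID token as the Authorization value.
body = {'maxMessages': myMaxMessages}
headers = {'Content-type': 'application/json', 'Authorization': myIdToken}
poll = requests.post(host+"v1/tenants/"+tenant+"/projects/builtin/subscriptions/audit:pull", json=body, headers=headers, timeout=requestTimeout)
poll.raise_for_status()
poll_data = poll.json()
# receivedMessages is None when the queue is empty. The events carry user
# identifiers and IP addresses, so direct this output accordingly.
print(poll_data['receivedMessages'])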
Example JSON events
In the following events, please note:
actionId = An internal ID for the action being reported
ext.xxx = Extended audit event information
id = An identifier for a specific audit event
perpDN = The distinguished name of the user performing the action
perpId = The idautoID of the user performing the action
perpIpForwarded = The IP address of the user performing the action
Successful IDP authentication
{
"actionId": "net.idauto.audit.idp.action.authentication",
"ext.User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36",
"ext.json_data": "{\n \"policy\" : {\n \"id\" : \"a0892c93-a6ce-4796-8bf6-47dbce93dddd\",\n \"name\" : \"Default Password Policy\",\n \"version\" : 3\n },\n \"methods\" : [ \"username\", \"password\" ]\n}",
"hostIp": "172.17.84.154",
"id": "d5cc1314-dcc9-4f2e-951f-de93e7223dcf",
"moduleId": "net.idauto.audit.module.idp",
"perpDN": "idautoID=f7e65320-df03-4a8f-ab55-3e2efdbb6166,ou=Accounts,dc=meta",
"perpId": "f7e65320-df03-4a8f-ab55-3e2efdbb6166",
"perpIp": "172.17.81.157",
"perpIpForwarded": "10.9.8.7",
"productId": "net.idauto.audit.product.saml",
"successful": "true",
"target": "tester1@somedomain.net",
"targetId": "f7e65320-df03-4a8f-ab55-3e2efdbb6166",
"targetSystem": "DIRECTORY",
"tenantId": "ia07886af2bd2f5dcb824806ec1ef6deb8",
"timestamp": "2024-08-14T21:27:15.054Z"
}
Successful IDP logout
{
"actionId": "idp.logout",
"ext.User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36",
"hostIp": "172.17.84.154",
"id": "4e1e9d37-1abc-4121-800c-9842a0d9b238",
"moduleId": "net.idauto.audit.module.idp",
"perpDN": "idautoID=f7e65320-df03-4a8f-ab55-3e2efdbb6166,ou=Accounts,dc=meta",
"perpId": "f7e65320-df03-4a8f-ab55-3e2efdbb6166",
"perpIp": "172.17.81.157",
"perpIpForwarded": "10.9.8.7",
"productId": "net.idauto.audit.product.saml",
"successful": "true",
"targetSystem": "SYSTEM",
"tenantId": "ia07886af2bd2f5dcb824806ec1ef6deb8",
"timestamp": "2024-08-14T21:27:03.442Z"
}
Failed IDP authentication
{
"actionId": "net.idauto.audit.idp.action.authentication",
"ext.User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36",
"ext.json_data": "{\n \"errorMessage\" : \"Authentication Failed\",\n \"policy\" : {\n \"id\" : \"a0892c93-a6ce-4796-8bf6-47dbce93dddd\",\n \"name\" : \"Default Password Policy\",\n \"version\" : 3\n },\n \"methods\" : [ \"username\" ],\n \"failedStep\" : \"password\"\n}",
"hostIp": "172.17.84.154",
"id": "cc260535-0663-4901-b6cd-c38c11b834e1",
"moduleId": "net.idauto.audit.module.idp",
"perpDN": "idautoID=f7e65320-df03-4a8f-ab55-3e2efdbb6166,ou=Accounts,dc=meta",
"perpId": "f7e65320-df03-4a8f-ab55-3e2efdbb6166",
"perpIp": "172.17.81.157",
"perpIpForwarded": "10.9.8.7",
"productId": "net.idauto.audit.product.saml",
"successful": "false",
"target": "tester1@somedomain.net",
"targetId": "f7e65320-df03-4a8f-ab55-3e2efdbb6166",
"targetSystem": "DIRECTORY",
"tenantId": "ia07886af2bd2f5dcb824806ec1ef6deb8",
"timestamp": "2024-08-14T21:27:29.287Z"
}