https://community.cisco.com/t5/network-security/fmc-and-audit-via-api/m-p/4107694#M1 <P>Hello,</P><P>&nbsp;</P><P>I'm auditing access control policies changes by clicking on <STRONG>System &gt; Monitoring - Audit &gt; Audit</STRONG> and searching for the last 30 days with changes on the following subsystem:</P><P>&nbsp;</P><P><STRONG>Policies &gt; Access Control &gt; Access Control &gt; Firewall Policy Editor</STRONG></P><P>&nbsp;</P><P>With this, I get a table with time and date, user, what policy was changed and also the IP of the user who performed the change.</P><P>&nbsp;</P><P>I'm having a hard time trying to guess how can I fetch this same table via REST API. Anyone ever tried this?</P> Tue, 23 Jun 2020 00:05:03 GMT renanhingel 2020-06-23T00:05:03Z https://community.cisco.com/t5/network-security/fmc-and-audit-via-api/m-p/4107694#M1 <P>Hello,</P><P>&nbsp;</P><P>I'm auditing access control policies changes by clicking on <STRONG>System &gt; Monitoring - Audit &gt; Audit</STRONG> and searching for the last 30 days with changes on the following subsystem:</P><P>&nbsp;</P><P><STRONG>Policies &gt; Access Control &gt; Access Control &gt; Firewall Policy Editor</STRONG></P><P>&nbsp;</P><P>With this, I get a table with time and date, user, what policy was changed and also the IP of the user who performed the change.</P><P>&nbsp;</P><P>I'm having a hard time trying to guess how can I fetch this same table via REST API. Anyone ever tried this?</P> Tue, 23 Jun 2020 00:05:03 GMT https://community.cisco.com/t5/network-security/fmc-and-audit-via-api/m-p/4107694#M1 renanhingel 2020-06-23T00:05:03Z https://community.cisco.com/t5/network-security/fmc-and-audit-via-api/m-p/4107734#M2 <P>I am able to query the same using the endpoint -</P> <PRE class="microlight">/api/fmc_platform/v1/domain/{UUID}/audit/auditrecords</PRE> <P><LI-WRAPPER></LI-WRAPPER></P> <P>A sample response -</P> <PRE class=" microlight"><SPAN style="color: #555;">"items"</SPAN><SPAN>:</SPAN> <SPAN>[</SPAN> <SPAN>{</SPAN> <SPAN style="color: #555;">"time"</SPAN><SPAN>:</SPAN> <SPAN style="color: #555; font-weight: bold;">1592881189</SPAN><SPAN>,</SPAN> <SPAN style="color: #555;">"message"</SPAN><SPAN>:</SPAN> <SPAN style="color: #555;">"Page View:"</SPAN><SPAN>,</SPAN> <SPAN style="color: #555;">"username"</SPAN><SPAN>:</SPAN> <SPAN style="color: #555;">"admin"</SPAN><SPAN>,</SPAN> <SPAN style="color: #555;">"subSystem"</SPAN><SPAN>:</SPAN> <SPAN style="color: #555;">"Policies &gt; Access Control &gt; Access Control &gt; Firewall Policy Editor"</SPAN><SPAN>,</SPAN> <SPAN style="color: #555;">"source"</SPAN><SPAN>:</SPAN> <SPAN style="color: #555;">"&lt;IP ADDR&gt;"</SPAN><SPAN>,</SPAN> <SPAN style="color: #555;">"domain"</SPAN><SPAN>:</SPAN> <SPAN style="color: #555;">"&lt;UUID&gt;"</SPAN> <SPAN>}</SPAN><SPAN>,</SPAN></PRE> <P>Is there a specific difficulty that you are facing here?</P> <P><LI-WRAPPER></LI-WRAPPER></P> Tue, 23 Jun 2020 03:55:39 GMT https://community.cisco.com/t5/network-security/fmc-and-audit-via-api/m-p/4107734#M2 Manoj Papisetty 2020-06-23T03:55:39Z https://community.cisco.com/t5/network-security/fmc-and-audit-via-api/m-p/4172128#M3 <P>Hello,</P><P>Sorry for the huge delay in responding, had issues with my API access.</P><P>&nbsp;</P><P>When issuing a GET request to the endpoint:</P><PRE>/api/fmc_platform/v1/domain/{UUID}/audit/auditrecords?expanded=true</PRE><P>I get all sorts of audit messages and I'm aiming to obtain only the following subsystem:</P><P>&nbsp;</P><P><STRONG>"subSystem": "Policies &gt; Access Control &gt; Access Control &gt; Firewall Policy Editor"</STRONG></P><P>&nbsp;</P><P>Have you managed to accomplish that?</P><P>Thanks in advance,<BR />Renan</P> Thu, 22 Oct 2020 21:34:35 GMT https://community.cisco.com/t5/network-security/fmc-and-audit-via-api/m-p/4172128#M3 renanhingel 2020-10-22T21:34:35Z https://community.cisco.com/t5/network-security/fmc-and-audit-via-api/m-p/4172158#M4 <P>Ok I have fiddled with the API some and now I understand I can make the GET call with the filter I need by using the endpoint below:</P><P>&nbsp;</P><PRE>/api/fmc_platform/v1/domain/{UUID}/audit/auditrecords?offset=0&amp;limit=1000&amp;starttime=1599007779&amp;subsystem=Policies&amp;expanded=true</PRE><P>The trick was add <STRONG>&amp;subsystem=Policies</STRONG> to my request.</P><P>&nbsp;</P><P>Thanks!</P> Thu, 22 Oct 2020 23:03:49 GMT https://community.cisco.com/t5/network-security/fmc-and-audit-via-api/m-p/4172158#M4 renanhingel 2020-10-22T23:03:49Z https://community.cisco.com/t5/network-security/fmc-and-audit-via-api/m-p/4172250#M5 <P>Glad that it is working now <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 23 Oct 2020 02:50:48 GMT https://community.cisco.com/t5/network-security/fmc-and-audit-via-api/m-p/4172250#M5 Manoj Papisetty 2020-10-23T02:50:48Z