Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1659
Views
0
Helpful
4
Replies

FMC and audit via API

Go to solution
renanhingel
Level 1
Level 1

‎06-22-2020 05:05 PM

Hello,

 

I'm auditing access control policies changes by clicking on System > Monitoring - Audit > Audit and searching for the last 30 days with changes on the following subsystem:

 

Policies > Access Control > Access Control > Firewall Policy Editor

 

With this, I get a table with time and date, user, what policy was changed and also the IP of the user who performed the change.

 

I'm having a hard time trying to guess how can I fetch this same table via REST API. Anyone ever tried this?

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Manoj Papisetty
Cisco Employee
Cisco Employee

‎06-22-2020 08:55 PM

I am able to query the same using the endpoint -

/api/fmc_platform/v1/domain/{UUID}/audit/auditrecords

A sample response -

"items": [
    {
      "time": 1592881189,
      "message": "Page View:",
      "username": "admin",
      "subSystem": "Policies > Access Control > Access Control > Firewall Policy Editor",
      "source": "<IP ADDR>",
      "domain": "<UUID>"
    },

Is there a specific difficulty that you are facing here?

View solution in original post

0 Helpful

Go to solution
renanhingel
Level 1
Level 1
In response to Manoj Papisetty

‎10-22-2020 02:34 PM

Hello,

Sorry for the huge delay in responding, had issues with my API access.

 

When issuing a GET request to the endpoint:

/api/fmc_platform/v1/domain/{UUID}/audit/auditrecords?expanded=true

I get all sorts of audit messages and I'm aiming to obtain only the following subsystem:

 

"subSystem": "Policies > Access Control > Access Control > Firewall Policy Editor"

 

Have you managed to accomplish that?

Thanks in advance,
Renan

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Manoj Papisetty
Cisco Employee
Cisco Employee

‎06-22-2020 08:55 PM

I am able to query the same using the endpoint -

/api/fmc_platform/v1/domain/{UUID}/audit/auditrecords

A sample response -

"items": [
    {
      "time": 1592881189,
      "message": "Page View:",
      "username": "admin",
      "subSystem": "Policies > Access Control > Access Control > Firewall Policy Editor",
      "source": "<IP ADDR>",
      "domain": "<UUID>"
    },

Is there a specific difficulty that you are facing here?

0 Helpful

Go to solution
renanhingel
Level 1
Level 1
In response to Manoj Papisetty

‎10-22-2020 02:34 PM

Hello,

Sorry for the huge delay in responding, had issues with my API access.

 

When issuing a GET request to the endpoint:

/api/fmc_platform/v1/domain/{UUID}/audit/auditrecords?expanded=true

I get all sorts of audit messages and I'm aiming to obtain only the following subsystem:

 

"subSystem": "Policies > Access Control > Access Control > Firewall Policy Editor"

 

Have you managed to accomplish that?

Thanks in advance,
Renan

0 Helpful

Go to solution
renanhingel
Level 1
Level 1
In response to renanhingel

‎10-22-2020 04:03 PM

Ok I have fiddled with the API some and now I understand I can make the GET call with the filter I need by using the endpoint below:

 

/api/fmc_platform/v1/domain/{UUID}/audit/auditrecords?offset=0&limit=1000&starttime=1599007779&subsystem=Policies&expanded=true

The trick was add &subsystem=Policies to my request.

 

Thanks!

0 Helpful

Go to solution
Manoj Papisetty
Cisco Employee
Cisco Employee
In response to renanhingel

‎10-22-2020 07:50 PM

Glad that it is working now

0 Helpful
Customers Also Viewed These Support Documents