06-22-2020 05:05 PM
Hello,
I'm auditing access control policy changes by clicking on System > Monitoring - Audit > Audit and searching for the last 30 days with changes on the following subsystem:
Policies > Access Control > Access Control > Firewall Policy Editor
With this, I get a table with time and date, user, what policy was changed and also the IP of the user who performed the change.
I'm having a hard time trying to guess how I can fetch this same table via REST API. Has anyone ever tried this?
06-22-2020 08:55 PM
I am able to query the same using the endpoint -
/api/fmc_platform/v1/domain/{UUID}/audit/auditrecords
A sample response -
"items": [ { "time": 1592881189, "message": "Page View:", "username": "admin", "subSystem": "Policies > Access Control > Access Control > Firewall Policy Editor", "source": "<IP ADDR>", "domain": "<UUID>" },
Is there a specific difficulty that you are facing here?
10-22-2020 02:34 PM
Hello,
Sorry for the huge delay in responding, had issues with my API access.
When issuing a GET request to the endpoint:
/api/fmc_platform/v1/domain/{UUID}/audit/auditrecords?expanded=true
I get all sorts of audit messages and I'm aiming to obtain only the following subsystem:
"subSystem": "Policies > Access Control > Access Control > Firewall Policy Editor"
Have you managed to accomplish that?
Thanks in advance,
Renan
10-22-2020 04:03 PM
Ok I have fiddled with the API some and now I understand I can make the GET call with the filter I need by using the endpoint below:
/api/fmc_platform/v1/domain/{UUID}/audit/auditrecords?offset=0&limit=1000&starttime=1599007779&subsystem=Policies&expanded=true
The trick was to add &subsystem=Policies to my request.
Thanks!
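Added example, not part of the original posts and not Cisco's code: a Python sketch that builds the filtered request from the post above and then narrows the returned records to the exact Firewall Policy Editor subsystem, producing the time/user/source/message table the question asked for. Assumptions: the host name, domain placeholder, sample records and the "Save Policy Example-ACP" message are constructed; treating "Page View" messages as views rather than changes, and the idea that subsystem=Policies can return other Policies subsystems, are assumptions too.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlencode

# Exact subsystem string quoted in the thread.
EDITOR = "Policies > Access Control > Access Control > Firewall Policy Editor"

def build_audit_url(host, domain_uuid, start_time, offset=0, limit=1000):
    """Build the GET URL in the form shown in the thread (host/UUID from caller)."""
    query = urlencode({"offset": offset, "limit": limit, "starttime": start_time,
                       "subsystem": "Policies", "expanded": "true"})
    return (f"https://{host}/api/fmc_platform/v1/domain/{domain_uuid}"
            f"/audit/auditrecords?{query}")

def policy_editor_rows(response_text, skip_page_views=True):
    """Return Firewall Policy Editor records, oldest first, with UTC timestamps."""
    rows = []
    for item in json.loads(response_text).get("items", []):
        if item.get("subSystem") != EDITOR:
            continue  # assumption: the server-side filter is broader than this string
        message = item.get("message", "")
        if skip_page_views and message.startswith("Page View"):
            continue  # assumption: "Page View" entries record viewing, not a change
        when = datetime.fromtimestamp(item["time"], tz=timezone.utc)
        rows.append({"time": when.isoformat(), "user": item.get("username"),
                     "source": item.get("source"), "message": message})
    return sorted(rows, key=lambda r: r["time"])

# Constructed sample response using the field names from the thread's sample.
SAMPLE = json.dumps({"items": [
    {"time": 1592881189, "message": "Page View:", "username": "admin",
     "subSystem": EDITOR, "source": "192.0.2.10", "domain": "DOMAIN-UUID"},
    {"time": 1592881300, "message": "Save Policy Example-ACP", "username": "admin",
     "subSystem": EDITOR, "source": "192.0.2.10", "domain": "DOMAIN-UUID"},
    {"time": 1592881250, "message": "Page View:", "username": "analyst",
     "subSystem": "Policies > Access Control > Intrusion",
     "source": "192.0.2.20", "domain": "DOMAIN-UUID"},
]})

if __name__ == "__main__":
    print(build_audit_url("fmc.example.test", "DOMAIN-UUID", 1599007779))
    for row in policy_editor_rows(SAMPLE):
        print(row["time"], row["user"], row["source"], row["message"], sep="\t")
```
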
10-22-2020 07:50 PM
Glad that it is working now