Retrieve Platform Audit Logs using the API

If you have an organization-level API key or a Platform Admin user key, you can query audit logs using the REST API.

APIs on the Insight Platform

For more information on Insight Platform APIs, check out the Insight Platform API Overview.

Get a list of audit logs

To view a list of audit logs, create a new GET request using the URL and header information provided below.

Query audit logs

You can query your audit logs by adding the log ID to the specified URL, or filter audit logs by adding Log Entry Query Language (LEQL) to the URL. To query your logs using the API, you can use the URL we provide below and follow the instructions provided in InsightIDR API documentation.

Query a single audit log:

To query a single log, replace "< LOG ID >" in the following URL with the ID from the log you retrieved with your GET request. The log ID will be the first field in your log.

https://us.rest.logs.insight.rapid7.com/audit/query/logs/< LOG ID >?per_page=200&time_range=Last+30+Days.

As some queries take time to return results, the API response may return a URL that you must poll periodically until the query is complete. When the progress field in the response has a value of 100, it means that the query has completed. If the initial response from the API doesn’t contain the results, then you must poll the value of the links.href field until the response is correct. Use the same header as the previous query.

Query multiple audit logs:

Add the IDs of the logs you want to query to the URL. Each ID must be separated by a colon.

https://us.rest.logs.insight.rapid7.com/audit/query/logs/< LOG ID:< LOG ID >:< LOG ID >?per_page=200&time_range=Last+30+Days.

Filter logs by a specific value

You can filter based on specific values by adding LEQL to the URL.

To filter using LEQL: