audit.query

Query contents of audit databases specified by services.

Type: object

Call parameters

Type: array
No Additional Items

Tuple Validation

Parameter 1: data

data

Type: object
No Additional Properties

services

Services

Type: array of enum (of string) Default: ["MIDDLEWARE", "SUDO"]
No Additional Items

Each item of this array must be:

Type: enum (of string)

Must be one of:

• "MIDDLEWARE"
• "SMB"
• "SUDO"
• "SYSTEM"

query-filters

Query-Filters

Type: array Default: []

List of filters for query results. See API documentation for "Query Methods" for more guidance.

No Additional Items

Each item of this array must be:

Type: object

Examples:

[
    [
        "name",
        "=",
        "bob"
    ]
]

[
    [
        "OR",
        [
            [
                [
                    "name",
                    "=",
                    "bob"
                ]
            ],
            [
                [
                    "name",
                    "=",
                    "larry"
                ]
            ]
        ]
    ]
]

query-options

QueryOptions

Type: object

If the query-option force_sql_filters is true, then the query will be converted into a more efficient form for
better performance. This will not be possible if filters use keys within svc_data and event_data.

No Additional Properties

relationships

Relationships

Type: boolean Default: true

extend

Extend

Default: null

Any of

• Option 1
• Option 2

Type: string

Type: null

extend_fk

Extend Fk

Type: array of string Default: []
No Additional Items

Each item of this array must be:

Type: string

extend_context

Extend Context

Default: null

Any of

• Option 1
• Option 2

Type: string

Type: null

prefix

Prefix

Default: null

Any of

• Option 1
• Option 2

Type: string

Type: null

extra

Extra

Type: object Default: {}

Extra options are defined on a per-endpoint basis and are described in the documentation for the associated
query method.

order_by

Order By

Type: array of string Default: []

An array of field names describing the manner in which query results should be ordered. The field names may
also have one of more of the following special prefixes: - (reverse sort direction), nulls_first: (place
any null values at the head of the results list), nulls_last: (place any null values at the tail of the
results list).

No Additional Items

Each item of this array must be:

Type: string

Example:

[
    "size",
    "-devname",
    "nulls_first:-expiretime"
]

select

Select

Type: array Default: []

An array of field names specifying the exact fields to include in the query return. The dot character .
may be used to explicitly select only subkeys of the query result.

No Additional Items

Each item of this array must be:

Any of

• Option 1
• Option 2

Type: string

Type: array
No Additional Items

Each item of this array must be:

Type: object

Example:

[
    "username",
    "Authentication.status"
]

count

Count

Type: boolean Default: false

Return a numeric value representing the number of items that match the specified query-filters.

get

Get

Type: boolean Default: false

Return the JSON object of the first result matching the specified query-filters. The query fails
if there specified query-filters return no results.

offset

Offset

Type: integer Default: 0

This specifies the beginning offset of the results array. When combined with the limit query-option
it may be used to implement pagination of large results arrays. WARNING: some query methods provide
volatile results and the onus is on the developer to understand whether pagination is appropriate
for a particular query API method.

limit

Limit

Type: integer Default: 0

This specifies the maximum number of results matching the specified query-filters to return. When
combined wtih the offset query-option it may be used to implement pagination of large results arrays.
WARNING: some query methods provide volatile results and the onus is on the developer to understand whether
pagination is appropriate for a particular query API method.

force_sql_filters

Force Sql Filters

Type: boolean Default: false

remote_controller

Remote Controller

Type: boolean Default: false

HA systems may direct the query to the 'remote' controller by including 'remote_controller=True'. The default
is the 'current' controller.

Return value

Result

Any of

• Option 1
• AuditQueryResultItem
• Option 3

Type: integer

AuditQueryResultItem

Type: object
No Additional Properties

audit_id

Audit Id

GUID uniquely identifying this specific audit event.

Any of

• Option 1
• Option 2
• Option 3

Type: string

Type: integer

Type: null

message_timestamp

Message Timestamp

Type: integer

Unix timestamp for when the audit event was written to the auditing database.

timestamp

Timestamp

Type: stringFormat: date-time

Converted ISO-8601 timestamp from application recording when event occurred.

address

Address

Type: string

IP address of client performing action that generated the audit message.

username

Username

Type: string

Username used by client performing action.

session

Session

GUID uniquely identifying the client session.

Any of

• Option 1
• Option 2
• Option 3

Type: string

Type: integer

Type: null

service

Service

Type: enum (of string)

Name of the service that generated the message. This will be one of the names specified in services.

Must be one of:

• "MIDDLEWARE"
• "SMB"
• "SUDO"
• "SYSTEM"

service_data

Service Data

JSON object containing variable data depending on the particular service. See TrueNAS auditing documentation for
the service in question.

Any of

• Option 1
• Option 2

Type: object

Type: null

event

Event

Type: string

Name of the event type that generated the audit record. Each service has its own unique event identifiers.

event_data

Event Data

JSON object containing variable data depending on the particular event type. See TrueNAS auditing documentation
for the service in question.

Any of

• Option 1
• Option 2

Type: object

Type: null

success

Success

Type: boolean

Boolean value indicating whether the action generating the event message succeeded.

Type: array of object
No Additional Items

Each item of this array must be:

AuditQueryResultItem

Type: object
No Additional Properties

audit_id

Audit Id

GUID uniquely identifying this specific audit event.

Any of

• Option 1
• Option 2
• Option 3

Type: string

Type: integer

Type: null

message_timestamp

Message Timestamp

Type: integer

Unix timestamp for when the audit event was written to the auditing database.

timestamp

Timestamp

Type: stringFormat: date-time

Converted ISO-8601 timestamp from application recording when event occurred.

address

Address

Type: string

IP address of client performing action that generated the audit message.

username

Username

Type: string

Username used by client performing action.

session

Session

GUID uniquely identifying the client session.

Any of

• Option 1
• Option 2
• Option 3

Type: string

Type: integer

Type: null

service

Service

Type: enum (of string)

Name of the service that generated the message. This will be one of the names specified in services.

Must be one of:

• "MIDDLEWARE"
• "SMB"
• "SUDO"
• "SYSTEM"

service_data

Service Data

JSON object containing variable data depending on the particular service. See TrueNAS auditing documentation for
the service in question.

Any of

• Option 1
• Option 2

Type: object

Type: null

event

Event

Type: string

Name of the event type that generated the audit record. Each service has its own unique event identifiers.

event_data

Event Data

JSON object containing variable data depending on the particular event type. See TrueNAS auditing documentation
for the service in question.

Any of

• Option 1
• Option 2

Type: object

Type: null

success

Success

Type: boolean

Boolean value indicating whether the action generating the event message succeeded.

Required roles: SYSTEM_AUDIT_READ