audit.query
Query contents of audit databases specified by services.
No Additional Items
Tuple Validation
Parameter 1: data
Type: object
Audit query configuration specifying services, filters, and options.
No Additional Properties
Services
Type: array of enum (of string) Default: ["MIDDLEWARE"]
Array of services to include in the audit query.
No Additional Items
Each item of this array must be:
Must be one of:
- "MIDDLEWARE"
- "SMB"
- "SUDO"
- "SYSTEM"
Query-Filters
Type: array Default: []
Array of filters to apply to the audit query results.
No Additional Items
Each item of this array must be:
[["name", "=", "bob"]]
[["OR", [["name", "=", "bob"], ["name", "=", "larry"]]]]
Query-Options
Type: object
If the query-option force_sql_filters is true, the query is converted into a more efficient form for better performance. This is not possible if filters use keys within svc_data and event_data.
Extra
Type: object Default: {}
Extra options are defined on a per-endpoint basis and are described in the documentation for the associated query method.
Order By
Type: array of string Default: []
An array of field names describing the order in which query results should be returned. A field name may carry one or more of the following special prefixes:
- "-": reverse sort direction
- "nulls_first:": place any null values at the head of the results list
- "nulls_last:": place any null values at the tail of the results list
Each item of this array must be:
["size", "-devname", "nulls_first:-expiretime"]
Select
Type: array Default: []
An array of field names specifying the exact fields to include in the query return. The dot character (.) may be used to explicitly select only subkeys of the query result.
No Additional Items
Each item of this array must be:
["username", "Authentication.status"]
Count
Type: boolean Default: false
Return a numeric value representing the number of items that match the specified query-filters.
Get
Type: boolean Default: false
Return the JSON object of the first result matching the specified query-filters. The query fails if the specified query-filters return no results.
Offset
Type: integer Default: 0
This specifies the beginning offset of the results array. When combined with the limit query-option it may be used to implement pagination of large results arrays. WARNING: some query methods provide volatile results and the onus is on the developer to understand whether pagination is appropriate for a particular query API method.
Limit
Type: integer Default: 0
This specifies the maximum number of results matching the specified query-filters to return. When combined with the offset query-option it may be used to implement pagination of large results arrays.
WARNING: some query methods provide volatile results and the onus is on the developer to understand whether pagination is appropriate for a particular query API method.
Force Sql Filters
Type: boolean Default: false
Force use of SQL for result filtering to reduce response time. May not work for all methods.
Remote Controller
Type: boolean Default: false
HA systems may direct the query to the 'remote' controller by including 'remote_controller=True'. The default is the 'current' controller.
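The filter and query-option semantics above, as an added Python example that is not TrueNAS code: it evaluates the ["name", "=", value] and ["OR", [...]] filter forms together with the order_by prefixes, offset/limit, count and get options over constructed audit rows, so the effect of each option can be inspected offline. It assumes that a flat filter list is ANDed, that only the "=" operator needs modelling, and that null values sort last when no nulls_ prefix is given.

```python
# Constructed sample audit rows (not real TrueNAS output); row 2 has a
# null "address" so the nulls_first:/nulls_last: prefixes have an effect.
AUDIT_ROWS = [
    {"audit_id": 1, "service": "SMB", "username": "bob", "success": False, "address": "10.0.0.5"},
    {"audit_id": 2, "service": "SMB", "username": "larry", "success": True, "address": None},
    {"audit_id": 3, "service": "SUDO", "username": "bob", "success": True, "address": "10.0.0.7"},
    {"audit_id": 4, "service": "MIDDLEWARE", "username": "alice", "success": False, "address": "10.0.0.9"},
]

def match(row, flt):
    """One query-filter: ["field", "=", value] or ["OR", [filter, ...]]."""
    if flt[0] == "OR":
        return any(match(row, sub) for sub in flt[1])
    field, op, value = flt
    if op != "=":  # assumption: only the "=" operator shown on the page is modelled
        raise ValueError(f"operator {op!r} is not modelled in this example")
    return row.get(field) == value

def apply_filters(rows, filters):
    """A flat filter list is ANDed (assumption about TrueNAS semantics)."""
    return [r for r in rows if all(match(r, f) for f in filters)]

def order_rows(rows, order_by):
    """Apply order_by keys last-to-first so the first key is primary.
    '-' reverses; 'nulls_first:'/'nulls_last:' place nulls at the head/tail
    of the list (tail when no prefix is given, an assumption)."""
    for key in reversed(order_by):
        nulls_first = key.startswith("nulls_first:")
        key = key.removeprefix("nulls_first:").removeprefix("nulls_last:")
        reverse, field = key.startswith("-"), key.lstrip("-")
        nulls = [r for r in rows if r.get(field) is None]
        vals = sorted((r for r in rows if r.get(field) is not None),
                      key=lambda r: r[field], reverse=reverse)
        rows = nulls + vals if nulls_first else vals + nulls
    return rows

def audit_query(rows, filters=(), options=None):
    """audit.query model: filters, then order_by, then count / offset+limit / get."""
    opts = {"order_by": [], "count": False, "get": False, "offset": 0,
            "limit": 0, **(options or {})}
    result = order_rows(apply_filters(rows, list(filters)), opts["order_by"])
    if opts["count"]:
        return len(result)
    end = opts["offset"] + opts["limit"] if opts["limit"] else None
    result = result[opts["offset"]:end]
    if opts["get"]:
        if not result:
            raise LookupError("get=True but the query-filters matched no rows")
        return result[0]  # the JSON object of the first matching result
    return result
```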
Result
No Additional Items
Each item of this array must be:
Required roles: SYSTEM_AUDIT_READ