Audit Log Commands
audit-log
View audit log events.
Usage:
audit-log [OPTIONS] COMMAND [ARGS]...
Options:
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
audit-log clear-checkpoint
Remove the saved audit log checkpoint created by `audit-log search --checkpoint CHECKPOINT_NAME`.
The next search run with that name starts over as if the checkpoint had never existed, so
pass `--start` on that run if you want to bound how far back it looks.
Usage:
audit-log clear-checkpoint [OPTIONS] CHECKPOINT_NAME
Options:
--help Show this message and exit.
audit-log download
Download audit log events in CSV format. Returns up to the most recent 100,000 events that match the search criteria. A download that contains exactly 100,000 events has almost certainly been truncated; narrow the `--start`/`--end` window and repeat.
Use the --path option to specify the directory in which to save the CSV. Defaults to the current directory if not specified.
Usage:
audit-log download [OPTIONS]
Options:
--user-types TEXT Filter events by user type. Comma delimited
string of user types.
--resource-ids TEXT Filter events by resource ID. Comma delimited
string of resource IDs.
--event-types TEXT Filter events by event type. Comma delimited
string of event types.
--actor-names TEXT Filter events by actor usernames. Comma-delimited
string of actor usernames.
--actor-ip-addresses TEXT Filter events by actor IP addresses. Comma-
delimited string of actor IP addresses.
--actor-ids TEXT Filter events by the actor IDs. Comma-delimited
string of actor user IDs.
--end TEXT The end of the date range in which to look for
audit log events, argument format options are the
same as `--start`.
--start TEXT The beginning of the date range in which to look
for audit log events. Accepts a date/time in
yyyy-MM-dd (UTC) or yyyy-MM-dd HH:MM:SS (UTC,
24-hour time) format.
--path DIRECTORY The file path where to save the CSV. Defaults to
the current directory if not specified.
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
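A worked example, added here and not part of the Incydr CLI documentation or the incydr project, of using `audit-log download` for a daily CSV export while detecting the 100,000-event cap: if a day's CSV holds exactly the cap, the window was truncated and should be split into narrower `--start`/`--end` ranges. It assumes the `incydr` CLI is installed and already authenticated through its environment; the output directory, the date and the actor list on the command line are placeholders. The CLI chooses the CSV file name itself, so the script downloads into a fresh per-day directory and inspects every CSV it finds there.

```shell
#!/bin/sh
# Daily CSV export of audit log events with `incydr audit-log download`.
# Added example; not from the Incydr documentation or the incydr project.
# Assumes: `incydr` is installed and authenticated via its environment;
# the output directory and the actor list passed on the command line are
# placeholders.
set -eu

MAX_EVENTS=100000   # cap documented for `audit-log download`

# Number of data rows in a CSV: newline count minus the header line.
# Quoted multi-line fields would inflate this, which only makes the cap
# check below err on the side of warning.
csv_data_rows() {
    rows=$(wc -l < "$1" | tr -d ' ')
    if [ "$rows" -gt 0 ]; then rows=$((rows - 1)); fi
    echo "$rows"
}

# True (exit 0) when a CSV reached the cap and is therefore probably truncated.
csv_hit_cap() {
    [ "$(csv_data_rows "$1")" -ge "$MAX_EVENTS" ]
}

# Download one UTC day of events for the given comma-separated actor names
# into OUTDIR. --start/--end use the documented "yyyy-MM-dd HH:MM:SS" form.
download_day() {
    day=$1; outdir=$2; actors=$3
    mkdir -p "$outdir"
    incydr audit-log download \
        --start "$day 00:00:00" --end "$day 23:59:59" \
        --actor-names "$actors" \
        --path "$outdir" \
        --log-file "$outdir/incydr.log"
}

# Export one day into BASE/DAY and fail loudly if the cap was hit, so the
# caller can re-run the day as several narrower --start/--end windows.
export_day() {
    day=$1; base=$2; actors=$3
    download_day "$day" "$base/$day" "$actors"
    for f in "$base/$day"/*.csv; do
        [ -e "$f" ] || continue
        if csv_hit_cap "$f"; then
            echo "WARNING: $f holds $MAX_EVENTS events; $day is truncated" >&2
            return 2
        fi
        echo "$f: $(csv_data_rows "$f") events"
    done
}

# Usage: sh audit-export.sh 2024-05-01 ./audit-export "alice@example.com,bob@example.com"
if [ "$#" -eq 3 ]; then
    export_day "$1" "$2" "$3"
fi
```

Run it from cron once per day for the previous UTC date; an exit status of 2 means the day needs re-exporting in smaller windows.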
audit-log search
Search audit log events. Returns all events that match the search criteria, with paging.
Defaults to searching for the most recent events.
Results are written to the console by default; use the --output
option to send them to a syslog server instead.
Checkpointing is available through the --checkpoint <checkpoint-name>
option and returns only new results
on subsequent queries with that same checkpoint name. A checkpoint stores only the timestamp of
the last event retrieved, so any other filter options must be repeated on each run.
Usage:
audit-log search [OPTIONS]
Options:
--checkpoint TEXT Use a checkpoint with the given name to only
get search results that were not previously
retrieved. If a checkpoint for the search
with the given name doesn't exist, it will
be created on the first run. Subsequent CLI
runs with this option and the same name will
use the stored checkpoint to modify the
search query and then update the stored
checkpoint. Checkpointing is most accurate
with json outputs. For table and csv
formats, checkpointing will track the last
returned event in the table.
-f, --format [csv|json-lines|json-pretty]
Format to print results. One of 'json-
pretty', 'json-lines', or 'csv'. 'table'
format is unavailable due to long processing
times for very large data sets. If the
environment has INCYDR_USE_RICH=false set,
defaults to 'json-lines', else defaults to
'json-pretty'. CSV output includes limited
fields; use audit-log download for a more
comprehensive CSV download.
--user-types TEXT Filter events by user type. Comma delimited
string of user types.
--resource-ids TEXT Filter events by resource ID. Comma
delimited string of resource IDs.
--event-types TEXT Filter events by event type. Comma delimited
string of event types.
--actor-names TEXT Filter events by actor usernames. Comma-
delimited string of actor usernames.
--actor-ip-addresses TEXT Filter events by actor IP addresses. Comma-
delimited string of actor IP addresses.
--actor-ids TEXT Filter events by the actor IDs. Comma-
delimited string of actor user IDs.
--end TEXT The end of the date range in which to look
for audit log events, argument format
options are the same as `--start`.
--start TEXT The beginning of the date range in which to
look for audit log events. Accepts a
date/time in yyyy-MM-dd (UTC) or yyyy-MM-dd
HH:MM:SS (UTC, 24-hour time) format.
--columns TEXT Comma-delimited string of column names.
Nested values should be specified in dot-
notation. Limits output to contain only the
specified columns in CSV format (this command
does not offer table format). Ignored for
JSON output formats.
--ignore-cert-validation BOOLEAN
Set to skip CA certificate validation for
the TLS-TCP protocol. Incompatible with the
'certs' option. Skipping validation lets
anyone who can intercept the connection read
or tamper with the forwarded audit trail;
prefer --certs with the server's CA chain.
--certs TEXT A CA certificates-chain file for the TLS-TCP
protocol.
--output TEXT Send the raw JSON event data to a syslog
server. Pass a string in the format
PROTOCOL:HOSTNAME:PORT to output to the
specified server endpoint, where PROTOCOL is
one of TCP, TLS-TCP, or UDP (ex:
TCP:localhost:5000). Also accepts strings of
the format HOSTNAME and HOSTNAME:PORT.
Defaults to TCP protocol on port 601. The
--certs or --ignore-cert-validation option
can be used with TLS-TCP format. Note that
most events will be too large to be sent via
UDP.
--log-stderr Enable logging to stderr.
--log-file TEXT Specify file path to write log output to.
--log-level TEXT Set level for Incydr client logging.
--help Show this message and exit.
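A worked example of a scheduled forwarder built on `audit-log search --checkpoint` and `--output`, added here and not part of the Incydr CLI documentation or the incydr project. It repeats the filters on every run (the checkpoint stores only the timestamp), pins the SIEM's CA chain with `--certs`, and refuses syslog targets that are unsuitable for an audit trail: UDP, which the CLI documents as unable to carry most events and which gives no delivery confirmation, and plain TCP unless ALLOW_PLAINTEXT=1 is set deliberately. The `incydr` CLI is assumed installed and authenticated through its environment; the hostname, port, CA file path, log path, checkpoint name and actor filter are placeholders, and the target parser follows the documented PROTOCOL:HOSTNAME:PORT, HOSTNAME:PORT and HOSTNAME forms (IPv6 literals are not handled).

```shell
#!/bin/sh
# Forward new audit log events to a SIEM over TLS syslog on every cron run.
# Added example; not from the Incydr documentation or the incydr project.
# Assumes: `incydr` is installed and authenticated via its environment.
# Hostname, port, CA file, log path, checkpoint name and actor filter are
# placeholders.
set -eu

CHECKPOINT=${CHECKPOINT:-siem-forwarder}
TARGET=${TARGET:-TLS-TCP:siem.example.com:6514}
CA_CHAIN=${CA_CHAIN:-/etc/incydr/siem-ca.pem}
LOG_FILE=${LOG_FILE:-/var/log/incydr-forwarder.log}
ACTOR_NAMES=${ACTOR_NAMES:-}          # optional filter, e.g. "admin@example.com"
FIRST_RUN_START=${FIRST_RUN_START:-}  # e.g. 2024-05-01; set on the very first run only

# Parse the --output forms the CLI documents: PROTOCOL:HOSTNAME:PORT,
# HOSTNAME:PORT and HOSTNAME (the last two default to TCP, port 601).
# Prints "PROTO HOST PORT" and returns 0, or returns 1 for anything else.
parse_target() {
    t=$1
    case "$t" in
        *:*:*) proto=${t%%:*}; rest=${t#*:}; host=${rest%%:*}; port=${rest#*:} ;;
        *:*)   proto=TCP; host=${t%%:*}; port=${t#*:} ;;
        *)     proto=TCP; host=$t; port=601 ;;
    esac
    case "$proto" in TCP|TLS-TCP|UDP) ;; *) return 1 ;; esac
    [ -n "$host" ] || return 1
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    echo "$proto $host $port"
}

# Policy for an audit trail: TLS only. UDP is refused outright (the CLI notes
# most events are too large for it, and nothing confirms delivery); plain TCP
# needs ALLOW_PLAINTEXT=1 so that a downgrade is a deliberate decision.
target_allowed() {
    spec=$(parse_target "$1") || return 1
    case "${spec%% *}" in
        TLS-TCP) return 0 ;;
        TCP)     [ "${ALLOW_PLAINTEXT:-0}" = 1 ] ;;
        *)       return 1 ;;
    esac
}

run_search() {
    target_allowed "$TARGET" || { echo "refusing syslog target '$TARGET'" >&2; return 1; }
    set -- incydr audit-log search \
        --checkpoint "$CHECKPOINT" \
        --format json-lines \
        --output "$TARGET" \
        --log-file "$LOG_FILE"
    # Pin the SIEM's CA chain; never fall back to --ignore-cert-validation.
    case "$TARGET" in
        TLS-TCP:*) [ -r "$CA_CHAIN" ] || { echo "missing CA chain $CA_CHAIN" >&2; return 1; }
                   set -- "$@" --certs "$CA_CHAIN" ;;
    esac
    # The checkpoint remembers only the timestamp, so filters go on every run.
    if [ -n "$ACTOR_NAMES" ]; then set -- "$@" --actor-names "$ACTOR_NAMES"; fi
    # Bound the initial backfill; afterwards the stored checkpoint sets the window.
    if [ -n "$FIRST_RUN_START" ]; then set -- "$@" --start "$FIRST_RUN_START"; fi
    "$@"
}

# crontab: */5 * * * * /usr/local/bin/incydr-forward.sh --run
if [ "${1:-}" = "--run" ]; then
    run_search
fi
```

Because `json-lines` is used, the checkpoint advances per event rather than per rendered table row, and a failed run exits non-zero before the checkpoint is touched by a partial send, so cron's mail (or the log file) shows the gap to replay.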