Get Runtime Log Inspection Audit Events

GET 
/api/v30.00/audits/runtime/log-inspection

x-prisma-cloud-target-env: {"permission":"monitorRuntimeHosts","saas":true,"self-hosted":true}
x-public: true

Retrieves all audit events for log inspection checks that are configured under host runtime rules.

cURL Request

Refer to the following example cURL command:

$ curl -k \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -X GET \
  "https://<CONSOLE>/api/v<VERSION>/audits/runtime/log-inspection"

cURL Response

{
   "_id": "637639e2b962a7ae744851bf",
   "logfile": "/var/lib/twistlock/log/console.log",
   "line": "DEBU 2022-11-17T13:40:50.066 route_handler_middleware.go:507 GET /api/v1/audits/runtime/log-inspection?limit=20&offset=0&project=Central+Console&reverse=false&search=panic ssugandh admin 0.10s",
   "time": "2022-11-17T13:40:50.067Z",
   "hostname": "jen-cen8-cons-dock-0811t160649-cons-ssugandh-lngcon230.c.twistlock-test-247119.internal",
   "ruleName": "panic_error_log",
   "accountID": "twistlock-test-247119",
   "collections": [
     "All",
     "registry_scan_container_cen8-container_22_11_384_piu",
     "cnnf_cen8_client_itu"
   ],
   "cluster": ""
}

Request

Query Parameters

offset integer

Offsets the result to a specific report count. Offset starts from 0.

limit integer

Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.

search string

Retrieves the result for a search term.

sort string

Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.

reverse boolean

Sorts the result in reverse order.

collections string[]

Filters the result based on collection names that you have defined in Prisma Cloud Compute.

provider string[]

Scopes the query by cloud provider.

accountIDs string[]

Filters the result based on cloud account IDs.

resourceIDs string[]

Scopes the query by resource ID.

region string[]

Scopes the query by cloud region.

fields string[]

Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.

id string[]

IDs is the list of IDs to use for filtering.

from date-time

From is an optional minimum time constraints for the event.

to date-time

To is an optional maximum time constraints for the event.

hostname string[]

Hosts is the list of hosts to use for filtering.

logfile string[]

Logfiles is the list of log files to use for filtering.

cluster string[]

Clusters is the cluster filter.

Responses

200

application/json

Schema

Schema

• Array [
_id string

ID is event's unique identifier.

accountID string

AccountID is the cloud account ID.

cluster string

Cluster is the cluster on which the event was found.

collections string[]

Collections are collections to which this event applies.

hostname string

Hostname is the hostname on which the event was found.

line string

Line is the matching log line.

logfile string

Logfile is the log file which triggered the event.

ruleName string

RuleName is the name of the applied rule for auditing log inspection events.

time date-time

Time is the time of the event.

• ]

Example (from schema)

[
  {
    "_id": "string",
    "accountID": "string",
    "cluster": "string",
    "collections": [
      "string"
    ],
    "hostname": "string",
    "line": "string",
    "logfile": "string",
    "ruleName": "string",
    "time": "2023-12-06T03:39:59.198Z"
  }
]

default

Loading...