# Exporting audit logs

This document lists all audit trail codes necessary for writing audit-related queries and subsequently, exporting audit log results by third-party integrations.

## Querying audit logs in Infinity <a href="#audittrailcodes-usingaudittrailcodesininfinitynqlqueries" id="audittrailcodes-usingaudittrailcodesininfinitynqlqueries"></a>

{% hint style="warning" %}
The procedures and NQL queries in this section apply to Nexthink Infinity.

Refer to the [Audit Trail API (classic)](/platform/configuring_nexthink/bringing-data-into-your-nexthink-instance/integrating-nexthink-with-third-party-tools/api-and-integrations-classic/audit-trail-api-classic.md) documentation only if you still need to track Experience events (Engine, Finder) when exporting the audit logs.
{% endhint %}

To query audit logs follow these steps:

1. Identify the required fields from the Audit logs table by accessing the [NQL data model ](/platform/understanding-key-data-platform-concepts/nql-data-model.md)documentation.
2. Determine the required [audit trail codes](/platform/security/exporting-audit-logs/audit-trail-codes.md) to audit the actions of Nexthink users or system.
3. Run the NQL query in any of the query-based features from Nexthink Infinity.

Refer to the [Audit trail codes Infinity ](/platform/security/exporting-audit-logs/audit-trail-codes.md)documentation for audit trail codes that apply to Nexthink Infinity.

### NQL query example with audit trail codes

The NQL query example below uses the `platform.audit_logs` field and the `94011` audit trail code to retrieve all **manual executions of remote actions** taken by Nexthink users in the UI.

{% code title="Code" overflow="wrap" lineNumbers="true" %}

```
platform.audit_logs during past 30d
| where code == 94011
```

{% endcode %}

After running the NQL query example in the [NQL editor](/platform/user-guide/investigations/creating-investigations/nql-editor.md) of an investigation, the investigation results report the following information under the **Message** column:

* `Web request manual execution of remote action`
* `source= source where remote action is triggered`
* `ID=remote action uid`
* `name=remote action on n devices with uids devices uids`

In the image below you can see the result in the **Message** column in the Nexthink web interface.

{% hint style="info" %}
Refer to the [Roles](/platform/user-guide/administration/account-management/roles.md) documentation to grant the **View audit logs in NQL** permission required for querying audit logs.
{% endhint %}

<figure><img src="/files/RCB1xipXJZLpadPUCpJK" alt="Running Audit logs table and codes in the NQL Editor." width="760"><figcaption></figcaption></figure>

## Exporting audit logs by third-party integrations <a href="#audittrailcodes-exportingauditlogsbythird-partyintegrations" id="audittrailcodes-exportingauditlogsbythird-partyintegrations"></a>

To export audit logs to a third-party system, you have the following integration options:

* [Data exporter for Azure Data Lake](/platform/configuring_nexthink/bringing-data-into-your-nexthink-instance/integrating-nexthink-with-third-party-tools/outbound-connectors/data-exporters/exporter-for-azure-data-lake.md) - recommended option
  * Handle up to 1 million records per request.
* [NQL API export](https://docs.nexthink.com/api/nql)
  * Handle up to 1 million records per request.
  * Avoid consuming more than 24 API calls per day to prevent the system from exhausting the maximum daily limit of 50 requests.
* [Webhooks](/platform/configuring_nexthink/bringing-data-into-your-nexthink-instance/integrating-nexthink-with-third-party-tools/outbound-connectors/webhooks.md)

Audit logs are also available as event triggers for workflows; refer to the [Triggering workflows](/platform/user-guide/workflows/triggering-workflows.md#triggeringworkflows-triggeringaneventworkflow) documentation.

{% hint style="info" %}
Refer to the [Audit trail codes Infinity ](/platform/security/exporting-audit-logs/audit-trail-codes.md)documentation for audit trail codes that apply to Nexthink Infinity.

Refer to the documentation specific to [Audit trail codes Engine (classic)](/platform/security/exporting-audit-logs/audit-trail-codes-engine-classic.md) and [Audit trail codes Portal (classic)](/platform/security/exporting-audit-logs/audit-trail-codes-portal-classic.md), depending on the case.
{% endhint %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.nexthink.com/platform/security/exporting-audit-logs.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.