# Exporting audit logs

This document lists all audit trail codes necessary for writing audit-related queries and, subsequently, exporting audit log results through third-party integrations.

## Querying audit logs in Infinity <a href="#audittrailcodes-usingaudittrailcodesininfinitynqlqueries" id="audittrailcodes-usingaudittrailcodesininfinitynqlqueries"></a>

{% hint style="warning" %}
The procedures and NQL queries in this section apply to Nexthink Infinity.

Refer to the [Audit Trail API (classic)](https://docs.nexthink.com/platform/configuring_nexthink/bringing-data-into-your-nexthink-instance/integrating-nexthink-with-third-party-tools/api-and-integrations-classic/audit-trail-api-classic) documentation only if you still need to track Experience events (Engine, Finder) when exporting the audit logs.
{% endhint %}

To query audit logs, follow these steps:

1. Identify the required fields from the Audit logs table by accessing the [NQL data model](https://docs.nexthink.com/platform/understanding-key-data-platform-concepts/nql-data-model) documentation.
2. Determine the required [audit trail codes](https://docs.nexthink.com/platform/security/exporting-audit-logs/audit-trail-codes) to audit the actions of Nexthink users or the system.
3. Run the NQL query in any of the query-based features of Nexthink Infinity.

Refer to the [Audit trail codes Infinity](https://docs.nexthink.com/platform/security/exporting-audit-logs/audit-trail-codes) documentation for audit trail codes that apply to Nexthink Infinity.

### NQL query example with audit trail codes

The NQL query example below uses the `platform.audit_logs` field and the `94011` audit trail code to retrieve all **manual executions of remote actions** taken by Nexthink users in the UI.

{% code title="Code" overflow="wrap" lineNumbers="true" %}

```
platform.audit_logs during past 30d
| where code == 94011
```

{% endcode %}

After running the NQL query example in the [NQL editor](https://docs.nexthink.com/platform/user-guide/investigations/creating-investigations/nql-editor) of an investigation, the investigation results report the following information under the **Message** column:

* `Web request manual execution of remote action`
* `source= source where remote action is triggered`
* `ID=remote action uid`
* `name=remote action on n devices with uids devices uids`

In the image below you can see the result in the **Message** column in the Nexthink web interface.

{% hint style="info" %}
Refer to the [Roles](https://docs.nexthink.com/platform/user-guide/administration/account-management/roles) documentation to grant the **View audit logs in NQL** permission required for querying audit logs.
{% endhint %}

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-995fb24e293a10e46dddb2906caa31b621c592d4%2Faudittrailscodeapplication-1716897403.png?alt=media" alt="Running Audit logs table and codes in the NQL Editor." width="760"><figcaption></figcaption></figure>

## Exporting audit logs by third-party integrations <a href="#audittrailcodes-exportingauditlogsbythird-partyintegrations" id="audittrailcodes-exportingauditlogsbythird-partyintegrations"></a>

To export audit logs to a third-party system, you have the following integration options:

* [Data exporter for Azure Data Lake](https://docs.nexthink.com/platform/configuring_nexthink/bringing-data-into-your-nexthink-instance/integrating-nexthink-with-third-party-tools/outbound-connectors/data-exporters/exporter-for-azure-data-lake) - recommended option
  * Handle up to 1 million records per request.
* [NQL API export](https://docs.nexthink.com/api/nql)
  * Handle up to 1 million records per request.
  * Avoid consuming more than 24 API calls per day to prevent the system from exhausting the maximum daily limit of 50 requests.
* [Webhooks](https://docs.nexthink.com/platform/configuring_nexthink/bringing-data-into-your-nexthink-instance/integrating-nexthink-with-third-party-tools/outbound-connectors/webhooks)
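
A scheduled NQL API export has to respect both limits listed above: the per-request record ceiling and the 24-calls-per-day budget. The following Python code is an added example, not Nexthink code; `fetch` is a hypothetical callable standing in for one export request, `constructed_fetch` produces constructed sample rows, and treating a response that reaches the ceiling as cut off is an assumption made here. It splits such a time window and returns any windows that did not fit into the day's budget so they can be retried later rather than lost.

```python
from datetime import timedelta, timezone

MAX_RECORDS_PER_REQUEST = 1_000_000  # from the page: records per request
DAILY_CALL_BUDGET = 24               # from the page: at most 24 calls per day

class ExportBudget:
    """Counts export calls per UTC day and refuses calls past the budget."""
    def __init__(self, per_day=DAILY_CALL_BUDGET):
        self.per_day = per_day
        self.used = {}  # UTC date -> calls made that day

    def try_consume(self, now):
        day = now.astimezone(timezone.utc).date()
        if self.used.get(day, 0) >= self.per_day:
            return False
        self.used[day] = self.used.get(day, 0) + 1
        return True

def export_window(fetch, start, end, budget, now, limit=MAX_RECORDS_PER_REQUEST):
    """Export audit logs for [start, end) without losing records.

    fetch(lo, hi) is a hypothetical callable that performs one export request
    and returns its rows. Returns (rows, deferred), where deferred holds the
    windows that did not fit into today's call budget.
    """
    rows, deferred, todo = [], [], [(start, end)]
    while todo:
        lo, hi = todo.pop()
        if not budget.try_consume(now):
            deferred.append((lo, hi))  # carry over instead of dropping
            continue
        batch = fetch(lo, hi)
        if len(batch) < limit:
            rows.extend(batch)
        elif hi - lo <= timedelta(seconds=1):
            raise RuntimeError(f"window {lo}..{hi} still reaches the ceiling")
        else:  # ceiling reached: assume the result is cut off and split
            mid = lo + (hi - lo) / 2
            todo += [(mid, hi), (lo, mid)]
    return rows, sorted(deferred)

def constructed_fetch(limit):
    """Constructed stand-in for the export: one row per minute, capped."""
    def fetch(lo, hi):
        minutes = int((hi - lo).total_seconds() // 60)
        return [lo + timedelta(minutes=i) for i in range(min(minutes, limit))]
    return fetch
```

Persist the `deferred` windows between runs so that a day with heavy audit activity delays the export instead of leaving a gap in the archived trail.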

Audit logs are also available as event triggers for workflows; refer to the [Triggering workflows](https://docs.nexthink.com/platform/user-guide/workflows/triggering-workflows#triggeringworkflows-triggeringaneventworkflow) documentation.

{% hint style="info" %}
Refer to the [Audit trail codes Infinity](https://docs.nexthink.com/platform/security/exporting-audit-logs/audit-trail-codes) documentation for audit trail codes that apply to Nexthink Infinity.

Refer to the documentation specific to [Audit trail codes Engine (classic)](https://docs.nexthink.com/platform/security/exporting-audit-logs/audit-trail-codes-engine-classic) and [Audit trail codes Portal (classic)](https://docs.nexthink.com/platform/security/exporting-audit-logs/audit-trail-codes-portal-classic), depending on the case.
{% endhint %}
