Exporting audit logs

This document lists the audit trail codes needed to write audit-related queries and to export audit log results to third-party integrations.

Querying audit logs in Infinity

The procedures and NQL queries in this section apply to Nexthink Infinity.

Refer to the Audit Trail API (classic) documentation only if you still need to track Experience events (Engine, Finder) when exporting the audit logs.

To query audit logs, follow these steps:

  1. Identify the required fields from the Audit logs table by accessing the NQL data model documentation.

  2. Determine the required audit trail codes to audit the actions of Nexthink users.

  3. Run the NQL query in any of the query-based features from Nexthink Infinity.

Refer to the Audit trail codes Infinity documentation for audit trail codes that apply to Nexthink Infinity.

NQL query example with audit trail codes

The NQL query example below uses the platform.audit_logs field and the 94011 audit trail code to retrieve all manual executions of remote actions taken by Nexthink users in the UI.

platform.audit_logs during past 30d
| where code == 94011

After running the NQL query example in the NQL editor of an investigation, the investigation results report the following information under the Message column:

  • Web request manual execution of remote action

  • source=<source where the remote action was triggered>

  • ID=<remote action uid>

  • name=remote action on <n> devices with uids <device uids>

In the image below you can see the result in the Message column in the Nexthink web interface.

Refer to the Roles documentation to grant the View audit logs in NQL permission required for querying audit logs.
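Once the investigation results are exported, the Message column for code 94011 can be parsed to review who ran remote actions against how many devices. The following is an added example, not Nexthink code: it assumes the Message layout described above (source=, ID=, name=remote action on n devices with uids ...) as a single line with comma-separated uids, and uses constructed sample rows.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed single-line layout of the Message column for audit trail code 94011,
# reconstructed from the documentation's description (not an official format):
#   Web request manual execution of remote action source=<src> ID=<uid>
#   name=remote action on <n> devices with uids <uid1>,<uid2>,...
MESSAGE_RE = re.compile(
    r"^Web request manual execution of remote action\s+"
    r"source=(?P<source>\S+)\s+"
    r"ID=(?P<action_id>\S+)\s+"
    r"name=remote action on (?P<count>\d+) devices with uids (?P<uids>.*)$"
)

REMOTE_ACTION_MANUAL_EXECUTION = 94011  # audit trail code from the page


@dataclass
class RemoteActionExecution:
    source: str
    action_id: str
    device_count: int
    device_uids: List[str]


def parse_message(message: str) -> Optional[RemoteActionExecution]:
    """Parse one Message value for code 94011; return None if the layout differs."""
    m = MESSAGE_RE.match(message.strip())
    if not m:
        return None
    uids = [u for u in re.split(r"[,\s]+", m.group("uids")) if u]
    return RemoteActionExecution(m.group("source"), m.group("action_id"),
                                 int(m.group("count")), uids)


def review_export(rows, threshold: int = 10) -> Tuple[List[str], List[str]]:
    """Return (bulk, inconsistent): action uids targeting >= threshold devices,
    and action uids whose declared device count disagrees with the uid list."""
    bulk, inconsistent = [], []
    for code, message in rows:
        if code != REMOTE_ACTION_MANUAL_EXECUTION:
            continue  # other audit events are out of scope here
        ex = parse_message(message)
        if ex is None:
            continue  # unexpected layout; skip rather than guess
        if len(ex.device_uids) != ex.device_count:
            inconsistent.append(ex.action_id)
        if ex.device_count >= threshold:
            bulk.append(ex.action_id)
    return bulk, inconsistent


# Constructed sample export rows (code, message); not real Nexthink data.
SAMPLE_EXPORT = [
    (94011, "Web request manual execution of remote action source=web ID=ra-0001 "
            "name=remote action on 2 devices with uids dev-a1,dev-b2"),
    (94011, "Web request manual execution of remote action source=api ID=ra-0002 "
            "name=remote action on 12 devices with uids "
            + ",".join(f"dev-{i:02d}" for i in range(12))),
    (94011, "Web request manual execution of remote action source=web ID=ra-0003 "
            "name=remote action on 3 devices with uids dev-x1,dev-x2"),  # count mismatch
    (0, "placeholder for an unrelated audit event"),  # placeholder code, filtered out
]
```

A count that disagrees with the uid list usually means the export truncated the message, so those rows deserve a second look before being trusted in a report.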

Exporting audit logs by third-party integrations

To export audit logs to a third-party system, you have the following integration options:

  • Data exporter for Azure Data Lake - recommended option

    • Handles up to 1 million records per request.

  • NQL API export

    • Handles up to 1 million records per request.

    • Avoid more than 24 API calls per day for this export, so that the system does not exhaust the maximum daily limit of 50 requests.

Refer to the documentation specific to Audit trail codes Engine (classic) and Audit trail codes Portal (classic), depending on the case.
