Retrieve Activity Records
Endpoint
Use this endpoint to export data from the Audit Database. By default, the first 1,000 Activity Records are returned. To get the next Activity Records, send a POST request containing a Continuation mark to the same endpoint.
Method | Endpoint | POST Data |
---|---|---|
GET | https://{host:port}/netwrix/api/v1/activity_records/enum{?format=json}{&count=Number} | — |
POST | https://{host:port}/netwrix/api/v1/activity_records/enum{?format=json}{&count=Number} | Continuation Mark |
Request Parameters
Parameter | Mandatory | Description |
---|---|---|
host:port | Yes | Replace with the IP address or name of your Netwrix Auditor Server host and the port (e.g., 172.28.6.15:9699, stationwin12:9699, WKSWin2012.enterprise.local:9699). With HTTPS enabled, provide the computer name as it appears in the certificate properties. |
format=json | No | Add this parameter to retrieve data in JSON format. Otherwise, XML-formatted Activity Records will be returned. |
count=Number | No | Add this parameter to define the number of Activity Records to be exported. Replace Number with a number (e.g., &count=1500). |
Optional parameters (format and count) can be provided in any order. The first parameter must start with ?, others are joined with &, no spaces required (e.g., ?format=json&count=1500).
Response
Request Status | Response |
---|---|
Success | The HTTP status code in the response header is 200 OK. The response body contains Activity Records and Continuation Mark. |
Error | The header status code is an error code. Depending on the error code, the response body may contain an error object. |

Success response headers:

```
HTTP/1.1 200 OK
Server: Microsoft-HTTPAPI/2.0
Content-Length: 311896
Content-Type: application/xml
Date: Fri, 08 Apr 2017 13:56:22 GMT
```

or

```
HTTP/1.1 200 OK
Server: Microsoft-HTTPAPI/2.0
Content-Length: 311896
Content-Type: application/json
Date: Fri, 08 Apr 2017 13:56:22 GMT
```
Usage Example—Retrieve All Activity Records
This example describes how to retrieve all Activity Records from the Audit Database.
Step 1 – Send a GET request. For example:
Format | Request |
---|---|
XML | curl https://WKSWin2012:9699/netwrix/api/v1/activity_records/enum -u Enterprise\NetwrixUser:NetwrixIsCool |
JSON | curl https://WKSWin2012:9699/netwrix/api/v1/activity_records/enum?format=json -u Enterprise\NetwrixUser:NetwrixIsCool |
Step 2 – Receive the response. Activity Records are retrieved according to the account's delegated scope. Below is an example of a successful GET request. The status is 200 OK. For XML, a response body contains the ActivityRecordList root element with Activity Records and a Continuation mark inside. For JSON, a response body contains the ActivityRecordList array with Activity Records collected in braces and a Continuation mark.
XML

```xml
<?xml version="1.0" standalone="yes"?>
<ActivityRecordList xmlns="http://schemas.netwrix.com/api/v1/activity_records/">
  <ContinuationMark>PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A</ContinuationMark>
  <ActivityRecord>
    <MonitoringPlan>
      <Name>AD Monitoring</Name>
      <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
    </MonitoringPlan>
    <DataSource>Active Directory</DataSource>
    <Item>
      <Name>enterprise.local (Domain)</Name>
    </Item>
    <ObjectType>user</ObjectType>
    <RID>20160215110503420B9451771F5964A9EAC0A5F35307EA155</RID>
    <What>\local\enterprise\Users\Jason Smith</What>
    <Action>Added</Action>
    <When>2017-02-14T15:42:34Z</When>
    <Where>EnterpriseDC1.enterprise.local</Where>
    <Who>ENTERPRISE\Administrator</Who>
    <Workstation>EnterpriseDC1.enterprise.local</Workstation>
  </ActivityRecord>
  <ActivityRecord>...</ActivityRecord>
  <ActivityRecord>...</ActivityRecord>
</ActivityRecordList>
```

JSON

```json
{
  "ActivityRecordList": [
    {
      "Action": "Added",
      "MonitoringPlan" : {
        "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
        "Name": "AD Monitoring"
      },
      "DataSource": "Active Directory",
      "Item": {"Name": "enterprise.local (Domain)"},
      "ObjectType": "user",
      "RID": "20160215110503420B9451771F5964A9EAC0A5F35307EA155",
      "What": "\\local\\enterprise\\Users\\Jason Smith",
      "When": "2017-02-14T15:42:34Z",
      "Where": "EnterpriseDC1.enterprise.local",
      "Who": "ENTERPRISE\\Administrator",
      "Workstation": "EnterpriseDC1.enterprise.local"
    },
    {...},
    {...}
  ],
  "ContinuationMark": "PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A"
}
```
Step 3 – Continue retrieving Activity Records. Send a POST request containing this Continuation mark to the same endpoint. See the Continuation Mark topic for more information. For example:
XML

```
curl -H "Content-Type: application/xml; Charset=UTF-8" https://WKSWin2012:9699/netwrix/api/v1/activity_records/enum -u Enterprise\NetwrixUser:NetwrixIsCool --data-binary @C:\APIdocs\ContMark.xml
```

```xml
<?xml version="1.0" standalone="yes"?>
<ContinuationMark xmlns="http://schemas.netwrix.com/api/v1/activity_records/">
PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A+PC9ucj4A
</ContinuationMark>
```

JSON

```
curl -H "Content-Type: application/json; Charset=UTF-8" https://WKSWin2012:9699/netwrix/api/v1/activity_records/enum?format=json -u Enterprise\NetwrixUser:NetwrixIsCool --data-binary @C:\APIdocs\ContMark.json
```

```json
"PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A+PC9ucj4A"
```
Be sure to pass information about the transferred data, including Content-Type: application/xml or application/json, and the encoding. The syntax greatly depends on the tool you use.
Step 4 – Receive the next response. On success, the status is 200 OK. For XML, a response body contains the ActivityRecordList root element with next Activity Records and a new Continuation mark inside. For JSON, a response body contains the ActivityRecordSearch array with next Activity Records collected in braces and a new Continuation mark.
Step 5 – Continue retrieving Activity Records. Send POST requests containing new Continuation marks until you receive a 200 OK response with no Activity Records inside the ActivityRecordList. It means you reached the end of the Audit Database.
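
Steps 1 through 5 as one export loop in Python, for the JSON format. This is an added example, not Netwrix code. It assumes Basic authentication (what `curl -u` sends by default); the environment variable names `NETWRIX_USER` and `NETWRIX_PASSWORD` and the `send` and `max_pages` parameters are hypothetical names chosen for this example.

```python
import base64, json, os, ssl, urllib.request

ENUM_PATH = "/netwrix/api/v1/activity_records/enum?format=json"

def build_request(base_url, user, password, mark=None):
    """GET for the first page; POST carrying the Continuation mark afterwards."""
    # Assumption: Basic authentication, as `curl -u` sends by default.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": "Basic " + token}
    body = None
    if mark is not None:
        # The JSON POST body is the mark itself as a quoted JSON string.
        body = json.dumps(mark).encode("utf-8")
        headers["Content-Type"] = "application/json; Charset=UTF-8"
    return urllib.request.Request(base_url + ENUM_PATH, data=body, headers=headers,
                                  method="POST" if mark is not None else "GET")

def https_send(request):
    """Real transport. The default context verifies the certificate and host
    name, so base_url must use the name that appears in the certificate."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(request, context=ctx, timeout=60) as resp:
        return json.load(resp)

def export_all(base_url, user, password, send=https_send, max_pages=10000):
    """Yield every Activity Record, following Continuation marks to the end."""
    mark, seen = None, set()
    for _ in range(max_pages):
        page = send(build_request(base_url, user, password, mark))
        records = page.get("ActivityRecordList") or []
        if not records:  # 200 OK with no records: end of the Audit Database
            return
        yield from records
        mark = page.get("ContinuationMark")
        # Fail loudly instead of looping forever or silently truncating the export.
        if not mark or mark in seen:
            raise RuntimeError("export stopped: missing or repeated Continuation mark")
        seen.add(mark)
    raise RuntimeError("export stopped: max_pages reached")

if __name__ == "__main__":
    # Hypothetical variable names; keeps the password off the command line.
    for rec in export_all("https://WKSWin2012:9699", os.environ["NETWRIX_USER"],
                          os.environ["NETWRIX_PASSWORD"]):
        print(rec["When"], rec["Who"], rec["Action"], rec["What"])
```

Passing a different `send` callable lets the paging logic be exercised against recorded responses without contacting the server.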