Exporting logs using API
Forcepoint Data Security Cloud | SSE Log Export REST API allows customers to query and pull Cloud and Access Logs.
For authorizing users, refer to Configuring API authentication.
Note: Customers with Splunk or QRadar can instead use the Bitglass Splunk App or the Bitglass QRadar App to make pulling logs easier. You can
learn how to set up each app by going to their respective pages (Integrating Splunk application with Forcepoint Data Security Cloud | SSE or Integrating QRadar application with Forcepoint Data Security Cloud | SSE). Once configured, you will be able to view any of your Forcepoint Data Security Cloud | SSE logs (API, Proxy, Health, Admin, etc.) within your app instance.
API Calls
All calls require the following:
- Method = HTTP POST
- URI params define the type of operation and action to perform. Valid values of type:
  - type = access
  - type = cloudsummary
  - type = cloudaudit
  - type = admin
  - type = swgweb
  - type = swgwebdlp
  - type = healthproxy
  - type = healthapi
  - type = healthsystem
  - type = ztna
- HTTP body as JSON
URL: https://portal.bitglass.com/api/bitglassapi/logs/v1/
Query Parameters
Parameter Name | Value | Description | Notes | Cloud | Access | Web Proxy | Web DLP | Health |
---|---|---|---|---|---|---|---|---|
startdate | datetime | Specifies the start datetime for which the logs need to be returned. The first request must always include this parameter. | UTC | X | X | X | X | X |
responseformat | string | Specifies the format in which the user expects the response. Acceptable values are: "json", "csv" | Default: csv | X | X | X | X | X |
type | string | Specifies the type of logs to be fetched. Acceptable values are: "cloudsummary", "cloudaudit", "access", "admin", "swgweb", "swgwebdlp", "healthproxy", "healthapi", "healthsystem" | | X | X | X | X | X |
nextpagetoken | string | Should be a part of subsequent requests after the first one. Opaque token used for pagination. | | X | X | X | X | X |
cv (collector version) | string | Required; specifies the version of the log collector. | | X | X | X | X | X |
Response
```json
{
  "status": "...",
  "nextpagetoken": "...",
  "response": {
    "dataformat": "...",
    "dataencoding": "...",
    "data": [...]
  }
}
```
Response Keys
Key | Description |
---|---|
status | Success, Unauthorized |
nextpagetoken | Pagination token |
response | container for response |
dataformat | csv or json |
dataencoding | utf-8 |
data | Described in Data Keys table below |
Response Codes
Response Code | Message | Notes | Cloud | Access |
---|---|---|---|---|
503 | Temporarily unavailable | | X | X |
429 | You have exceeded your allowance of 300 requests per day for <log type> logs. Limit will reset at <Current Date +1> 00:00:00+00:00 | Too many requests. You will need to wait for the limit to reset before proceeding. Information regarding the rate limit can be seen in the X-RateLimit-* headers: X-RateLimit-Limit is the maximum number of requests allowed, X-RateLimit-Remaining is how many requests are left, and X-RateLimit-Reset is the time at which your limit will reset. | X | X |
403 | Unauthorized | User is not a sysadmin or the API livesetting is not enabled for the company | X | X |
401 | Invalid credentials | User does not exist or invalid password | X | X |
401 | Authorization required | Authorization header missing | X | X |
401 | Basic auth required | Authorization is not basic | X | X |
400 | Invalid responseformat: <response format>. Supported values: csv, json | Invalid response format | X | X |
400 | Start date and nextpagetoken is missing | startdate and nextpagetoken missing | X | X |
400 | Provide either the start date or nextpagetoken | Both startdate and nextpagetoken provided | X | X |
400 | Invalid type: <type>. Supported types are: cloudsummary, cloudaudit, and access | Invalid value for type | X | X |
400 | Invalid start date format <user startdate> Expected format: %Y-%m-%dT%H:%M:%SZ | Invalid start date format | X | X |
400 | Invalid next page token | Invalid next page token | X | X |
200 | Request was successful | | X | X |
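Putting the pieces above together (the query parameters, Basic authentication, pagination with nextpagetoken, and the 429 rate-limit headers), here is an added example in Python; it is not Forcepoint or Bitglass code. It assumes that the parameters travel on the URL query string with an empty JSON body, that authentication is HTTP Basic as the 401 messages imply, and that an empty nextpagetoken marks the last page; the two-page sample and the collector version value are constructed placeholders. The `export_logs` loop enforces the rule from the 400 rows that a request carries either startdate or nextpagetoken, never both, and stops on 429 so the caller can read the X-RateLimit-* headers rather than retrying blindly against the 300-requests-per-day allowance.

```python
# Added example, not Forcepoint/Bitglass code. Assumptions: parameters go on the URL
# query string with an empty JSON body, auth is HTTP Basic (implied by the 401
# messages), and an empty nextpagetoken marks the last page.
import base64
import json
from datetime import datetime, timezone
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

BASE_URL = "https://portal.bitglass.com/api/bitglassapi/logs/v1/"  # from the page
STARTDATE_FMT = "%Y-%m-%dT%H:%M:%SZ"  # format quoted in the 400 message
VALID_TYPES = {"access", "cloudsummary", "cloudaudit", "admin", "swgweb", "swgwebdlp",
               "healthproxy", "healthapi", "healthsystem", "ztna"}


class RateLimited(Exception):
    """Raised on HTTP 429; the argument is the dict of X-RateLimit-* headers."""


def build_params(log_type, cv, startdate=None, nextpagetoken=None, responseformat="json"):
    """First request carries a UTC startdate, later ones only nextpagetoken; never both."""
    if log_type not in VALID_TYPES:
        raise ValueError(f"unsupported type: {log_type}")
    if responseformat not in ("json", "csv"):
        raise ValueError(f"unsupported responseformat: {responseformat}")
    if (startdate is None) == (nextpagetoken is None):
        raise ValueError("provide exactly one of startdate or nextpagetoken")
    params = {"type": log_type, "cv": cv, "responseformat": responseformat}
    if startdate is not None:
        if startdate.tzinfo is None or startdate.utcoffset().total_seconds() != 0:
            raise ValueError("startdate must be timezone-aware UTC")
        params["startdate"] = startdate.strftime(STARTDATE_FMT)
    else:
        params["nextpagetoken"] = nextpagetoken
    return params


def http_post(params, username, password, timeout=30):
    """Real transport: POST with Basic auth; returns (status, headers, body) for any code."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = Request(BASE_URL + "?" + urlencode(params), data=b"{}", method="POST",
                  headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8")
    except HTTPError as err:
        return err.code, dict(err.headers), err.read().decode("utf-8")


def export_logs(post, log_type, cv, startdate, max_pages=1000):
    """Pull every page from startdate onward. `post` is a transport callable taking a
    params dict and returning (status, headers, body), so the loop can run offline."""
    records = []
    params = build_params(log_type, cv, startdate=startdate)
    for _ in range(max_pages):
        status, headers, body = post(params)
        if status == 429:  # hand the rate-limit headers to the caller instead of retrying
            raise RateLimited({k: v for k, v in headers.items() if k.startswith("X-RateLimit-")})
        if status != 200:
            raise RuntimeError(f"HTTP {status}: {body[:200]}")
        payload = json.loads(body)
        if payload.get("status") != "Success":
            raise RuntimeError(f"API status {payload.get('status')}")
        records.extend(payload["response"]["data"])
        token = payload.get("nextpagetoken")
        if not token:  # assumption: empty token means no further pages
            return records
        params = build_params(log_type, cv, nextpagetoken=token)
    raise RuntimeError(f"stopped after {max_pages} pages without reaching the last page")


SAMPLE_START = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed sample, not real data
SAMPLE_PAGES = {
    None: {"next": "tok-2", "data": [{"user": "alice@example.com", "activity": "Login"}]},
    "tok-2": {"next": "", "data": [{"user": "bob@example.com", "activity": "Download"}]},
}


def make_fake_transport(pages):
    """Offline stand-in for http_post: answers with the page keyed by the presented
    token and records every params dict it saw, so the pagination contract is checkable."""
    seen = []
    def post(params):
        seen.append(dict(params))
        page = pages[params.get("nextpagetoken")]
        body = {"status": "Success", "nextpagetoken": page["next"], "response": {
            "dataformat": "json", "dataencoding": "utf-8", "data": page["data"]}}
        return 200, {"X-RateLimit-Remaining": "299"}, json.dumps(body)
    return post, seen


def demo():
    """Paginate the constructed sample; returns (records, list of request params sent)."""
    post, seen = make_fake_transport(SAMPLE_PAGES)
    rows = export_logs(post, "access", cv="<collector-version>", startdate=SAMPLE_START)
    return rows, seen
```

To run against the real service, replace the fake with `lambda p: http_post(p, user, password)` using an account that has the API livesetting enabled; the transport is injected precisely so that the pagination and error handling can be exercised without credentials.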