list_audit_logs
List and search audit logs to track changes, user activity, and security events in LogicMonitor for compliance and troubleshooting.
Instructions
List audit logs in LogicMonitor (LM) monitoring for compliance and security auditing.
Returns: Array of audit log entries with: id, username, IP address, timestamp (happenedOn in epoch SECONDS), description of action performed, sessionId.
When to use:
Investigate changes: "Who deleted this resource/device?" → filter:"description~*Delete*,description~*device*"
Track user activity: "What did john.doe do today?" → filter:"username:john.doe,happenedOn>1730851200"
Monitor API usage: Find actions performed via API tokens
Compliance audits: Export log history for specific time periods
Security investigation: Track login attempts, IP addresses, suspicious activities
Troubleshooting: "Who changed this alert rule?" → filter:"description~*AlertRule*"
Two search modes:
Simple search: Use query parameter with free text (e.g., query:"john.doe", query:"device") - searches across username, description, and IP fields
Advanced filtering: Use filter parameter with LM filter syntax (e.g., filter:"username:admin,happenedOn>1640995200") for precise control
Common filter patterns:
By user: filter:"username:john.doe"
By time: filter:"happenedOn>1640995200" (IMPORTANT: epoch SECONDS, not milliseconds!)
By action type: filter:"description~*Create*" or filter:"description~*Delete*" or filter:"description~*Update*"
By resource: filter:"description~*device*" or filter:"description~*dashboard*"
By IP: filter:"ip:192.168.1.100"
Combined (AND): filter:"username:admin,happenedOn>1640995200,description~*device*"
Query vs Filter:
query: Simple text search across username, description, IP (OR logic). Use for quick lookups: query:"john.doe", query:"device"
filter: Precise LM filter syntax with any field. Use for time ranges, exact matches: filter:"happenedOn>1640995200"
If both are provided, the query is converted to a filter and combined with the provided filter using AND logic
Critical notes:
Time uses epoch SECONDS (not milliseconds like other LM APIs)
The OR operator (||) cannot be used in audit log filters; only AND (comma) is supported
Use autoPaginate:true for complete history (may take time for large datasets)
Web UI access: https://mycompany.logicmonitor.com/santaba/uiv4/settings/access-logs (Settings → Audit Logs)
Important: A negative "total" value in the response indicates incomplete results. Use pagination (size/offset parameters) or set autoPaginate: true to retrieve all items.
Related tools: "get_audit_log" (details of specific entry).
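The following is an added example written for this page; it is not part of the list_audit_logs tool or of LogicMonitor's own code. It builds filter strings that follow the rules above (comma for AND, no ||, happenedOn in epoch seconds), rejects filters that break them, and pages through results while treating a negative "total" as "incomplete, keep paging". The `fetch` callable, its `(offset, size, filter)` signature and the `{"items": [...], "total": n}` response shape are assumptions modelled on the description; the sample entries are constructed.

```python
"""Added example (not the list_audit_logs tool's or LogicMonitor's code).

Builds AND-only audit-log filter strings with epoch-SECOND timestamps and
pages through results until the set is exhausted.  The fetch callable and
the {"items": [...], "total": n} page shape are assumptions.
"""
import re
from datetime import datetime, timezone
from typing import Callable, Iterable, Iterator, Optional

FetchPage = Callable[[int, int, str], dict]  # (offset, size, filter) -> page


def epoch_seconds(dt: datetime) -> int:
    """Convert a datetime to epoch SECONDS; naive datetimes are taken as UTC."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


# Matches happenedOn with any of the documented comparison operators.
_TIME_TERM = re.compile(r"happenedOn(?:>:|<:|!:|[<>:])(\d+)")


def validate_audit_filter(filt: str) -> None:
    """Reject filters the audit-log endpoint would refuse or silently misread."""
    if "||" in filt:
        raise ValueError("audit logs support only AND (comma); OR (||) is not allowed")
    if "&&" in filt:
        raise ValueError("use comma (,) for AND, not &&")
    for m in _TIME_TERM.finditer(filt):
        if len(m.group(1)) >= 13:  # 13+ digits is a millisecond timestamp
            raise ValueError(f"happenedOn must be epoch seconds, got {m.group(1)}")


def build_audit_filter(
    username: Optional[str] = None,
    ip: Optional[str] = None,
    since: Optional[datetime] = None,
    until: Optional[datetime] = None,
    description_contains: Iterable[str] = (),
) -> str:
    """Assemble an AND-only LM filter string from structured criteria."""
    parts = []
    if username:
        parts.append(f"username:{username}")
    if ip:
        parts.append(f"ip:{ip}")
    if since is not None:
        parts.append(f"happenedOn>{epoch_seconds(since)}")
    if until is not None:
        parts.append(f"happenedOn<{epoch_seconds(until)}")
    for term in description_contains:
        parts.append(f"description~*{term}*")  # ~ = includes, * = wildcard
    filt = ",".join(parts)
    validate_audit_filter(filt)
    return filt


def iter_audit_logs(fetch: FetchPage, filt: str, size: int = 50) -> Iterator[dict]:
    """Yield every entry, paging by offset/size until the result set is exhausted."""
    offset = 0
    while True:
        page = fetch(offset, size, filt)
        items = page.get("items", [])
        yield from items
        total = page.get("total", 0)
        if total < 0:
            # Negative total: the server did not count everything, so a
            # short page is the only reliable end-of-data signal.
            if len(items) < size:
                return
        elif not items or offset + len(items) >= total:
            return
        offset += size


def actions_by_user(entries: Iterable[dict]) -> dict:
    """Count entries per username, a typical 'who did what' roll-up."""
    counts: dict = {}
    for e in entries:
        counts[e["username"]] = counts.get(e["username"], 0) + 1
    return counts


# Constructed sample entries (not real LogicMonitor data); happenedOn in seconds.
SAMPLE_ENTRIES = [
    {"id": 1, "username": "john.doe", "happenedOn": 1730854800, "description": "Delete device prod-web-01"},
    {"id": 2, "username": "svc.api", "happenedOn": 1730858400, "description": "Update AlertRule critical-cpu"},
    {"id": 3, "username": "john.doe", "happenedOn": 1730862000, "description": "Create dashboard capacity"},
    {"id": 4, "username": "svc.api", "happenedOn": 1730865600, "description": "Update device prod-db-02"},
    {"id": 5, "username": "john.doe", "happenedOn": 1730869200, "description": "Login success"},
]


def make_fake_fetch(entries: list) -> FetchPage:
    """Simulate the endpoint serving pages of `entries` with a negative total
    (the 'incomplete results' case); applies no server-side filtering."""
    def fetch(offset: int, size: int, filt: str) -> dict:
        return {"items": entries[offset:offset + size], "total": -1}
    return fetch
```

With `size=2`, `iter_audit_logs(make_fake_fetch(SAMPLE_ENTRIES), "", size=2)` needs three requests and returns all five entries even though every page reports `total: -1`; `build_audit_filter(username="john.doe", since=datetime(2024, 11, 6, tzinfo=timezone.utc))` yields the `username:john.doe,happenedOn>1730851200` filter used in the "What did john.doe do today?" example above, and passing a millisecond timestamp or a `||` raises before any request is made.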
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| query | No | Simple search query. Free text (e.g., "john.doe", "device", "192.168.1.100") automatically searches across username, description, and IP fields. Can also use filter syntax (e.g., "username:admin") which gets formatted automatically. | |
| size | No | Number of results per page (default: 50, max: 1000). | |
| offset | No | Starting offset for pagination (default: 0). Use this to skip a specific number of results. | |
| autoPaginate | No | Automatically fetch all pages (default: false). When true, fetches all results across multiple pages. When false, returns only the requested page. Use false for large result sets to avoid long response times. | |
| filter | No | Filter expression using LogicMonitor query syntax. Examples: name:*prod*, displayName~*server*, id>100, hostStatus:normal. Available operators: : (equals), ~ (includes), !: (not equals), !~ (not includes), >: (greater than or equals), <: (less than or equals), > (greater than), < (less than). Multiple conditions: Use comma (,) for AND, use || for OR. Do NOT use &&. | |
| fields | No | Comma-separated list of fields to include in response. Examples: "id,displayName,hostStatus" or use "*" for all fields. Omit this parameter to receive a curated set of commonly used fields. | |