Audit Logs
Sync Type: Incremental
Overview
The Kolide Audit Logs input collects audit trail data from your Kolide instance, providing visibility into all administrative actions and security-relevant activities. This integration captures events such as user invitations, device enrollments, policy changes, API key creation, and configuration updates performed by users, API keys, or the system.
Authentication
This integration uses Kolide's API key authentication. Each request carries the key as a Bearer token in the Authorization header and must also include the X-Kolide-Api-Version header; requests missing either header are rejected.
Prerequisites
1. Kolide Account Access
You must have a Kolide account with Full Access admin role to create API keys. Standard or limited admin roles do not have permission to access the audit logs API or generate API tokens.
2. Kolide API Access
Audit log access requires that your Kolide subscription includes API access. A 401 Unauthorized response can mean the API feature is disabled for your organization, but it can also mean the token is missing, mistyped, or has been revoked. Verify the token first; if a known-good token still receives 401, contact Kolide support to enable API access.
API Key Setup
1. Log into the Kolide admin console
Navigate to your Kolide instance and sign in with a Full Access admin account.
2. Navigate to API Keys
Go to Settings > Developers > API Keys.
3. Create a new API key
Click Create API Key, provide a descriptive name (e.g., monad-audit-logs), and confirm creation.
4. Copy the token
Copy the token value immediately; it is displayed only once, and a token that was not saved cannot be recovered and must be replaced by creating a new key. Store it in a secrets manager before closing the dialog and handle it as an admin credential, since it is issued under a Full Access admin role.
Configuration
Settings
| Setting | Type | Required | Description |
|---|---|---|---|
| Backfill Start Time | string | false | The date to start fetching data from. If not specified, no past records will be fetched. |
Secrets
| Setting | Type | Required | Description |
|---|---|---|---|
| API Token | string | true | Kolide API Bearer token. Obtained from Settings > Developers > API Keys. Requires Full Access admin role. |
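Putting the authentication, prerequisite and backfill points above together, here is an added Python example of an incremental collector. It is not Monad's or Kolide's code. The audit-log endpoint path, the API version string and the cursor pagination parameters (`per_page`, `after`, `pagination.next_cursor`) are assumptions not taken from this page; the HTTP layer is injected so the constructed sample pages run offline.

```python
"""Incremental Kolide audit log collector (added example, not Monad's or Kolide's code).

Assumptions not stated on the page: the /audit_logs path, the API version string,
and cursor pagination via ?per_page= and ?after= with pagination.next_cursor in
the body. Bearer auth, the X-Kolide-Api-Version header, the meaning of a 401 and
the backfill semantics follow the page.
"""
from datetime import datetime, timezone
from typing import Callable, Iterator, Optional

API_BASE = "https://api.kolide.com"   # assumption
API_VERSION = "2023-05-26"            # assumption: value sent in X-Kolide-Api-Version
AUDIT_LOGS_PATH = "/audit_logs"       # assumption

# Any callable that performs a GET and returns (status_code, parsed JSON body).
Transport = Callable[[str, dict, dict], tuple]


def auth_headers(token: str) -> dict:
    """Headers every Kolide API request needs."""
    return {"Authorization": f"Bearer {token}",
            "X-Kolide-Api-Version": API_VERSION,
            "Accept": "application/json"}


def parse_ts(value: str) -> datetime:
    """Parse the RFC 3339 UTC timestamps in audit records, e.g. 2025-02-12T14:30:22.213Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def to_ts(value: datetime) -> str:
    return value.isoformat(timespec="milliseconds").replace("+00:00", "Z")


def fetch_audit_logs(token: str, transport: Transport, since: datetime,
                     inclusive: bool = False) -> Iterator[dict]:
    """Walk every page of /audit_logs and yield records newer than `since`.

    Time filtering is client side (assumption: the endpoint has no timestamp
    filter), so an incremental run still costs one request per page.
    """
    url, headers, cursor = API_BASE + AUDIT_LOGS_PATH, auth_headers(token), None
    while True:
        params = {"per_page": 100, **({"after": cursor} if cursor else {})}
        status, body = transport(url, headers, params)
        if status == 401:
            # Per the prerequisites: wrong or revoked token, or API access not enabled.
            raise PermissionError("401 from Kolide: verify the token and that API access is enabled")
        if status != 200:
            raise RuntimeError(f"unexpected HTTP {status} from {url}")
        for rec in body.get("data", []):
            ts = parse_ts(rec["timestamp"])
            if ts > since or (inclusive and ts == since):
                yield rec
        cursor = body.get("pagination", {}).get("next_cursor")
        if not cursor:
            return


def run_sync(token: str, transport: Transport, checkpoint: Optional[str],
             backfill_start: Optional[str] = None, now: Optional[datetime] = None):
    """One incremental run. Returns (records, checkpoint_for_next_run).

    First run with no Backfill Start Time: nothing is fetched and the checkpoint
    is set to now, matching the Settings table. The checkpoint comparison is
    strictly greater-than, so dedupe by id downstream if records can share a
    millisecond.
    """
    now = now or datetime.now(timezone.utc)
    if checkpoint:
        since, inclusive = parse_ts(checkpoint), False
    elif backfill_start:
        since, inclusive = parse_ts(backfill_start), True   # "start fetching from" this time
    else:
        return [], to_ts(now)
    records = list(fetch_audit_logs(token, transport, since, inclusive))
    newest = max((parse_ts(r["timestamp"]) for r in records), default=since)
    return records, to_ts(newest)


# Constructed sample pages (not real Kolide output) so the example runs offline.
# The first record is the page's own sample; the other two are made up.
_PAGES = {
    None: (200, {"data": [
        {"id": "256", "timestamp": "2025-02-12T14:30:22.213Z", "actor_name": "Jane Smith",
         "actor_type": "User", "actor_email": "jane.smith@example.com",
         "ip_address": "192.0.2.42",
         "description": "user 'jane.smith@example.com' was invited to Kolide"},
        {"id": "255", "timestamp": "2025-02-11T09:00:00.000Z", "actor_name": "Kolide",
         "actor_type": "System", "actor_email": None, "ip_address": None,
         "description": "device was enrolled"}],
        "pagination": {"next_cursor": "c2"}}),
    "c2": (200, {"data": [
        {"id": "257", "timestamp": "2025-02-13T08:15:00.500Z", "actor_name": "monad-audit-logs",
         "actor_type": "ApiKey", "actor_email": None, "ip_address": "198.51.100.7",
         "description": "API key 'monad-audit-logs' was created"}],
        "pagination": {"next_cursor": None}}),
}


def fake_transport(url: str, headers: dict, params: dict):
    """Stand-in for an HTTP client; rejects anything but the constructed good token."""
    if headers.get("Authorization") != "Bearer good-token":
        return 401, {}
    return _PAGES[params.get("after")]


if __name__ == "__main__":
    recs, cp = run_sync("good-token", fake_transport, None, backfill_start="2025-02-12T00:00:00Z")
    print([r["id"] for r in recs], cp)
```

In production the `transport` argument is a thin wrapper over your HTTP client; keeping it injectable lets the 401 path and the checkpoint logic be exercised without a live Kolide tenant, and the checkpoint string persisted between runs is what makes the sync incremental.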
Sample Record
```json
{
  "id": "256",
  "timestamp": "2025-02-12T14:30:22.213Z",
  "actor_name": "Jane Smith",
  "actor_type": "User",
  "actor_email": "jane.smith@example.com",
  "ip_address": "192.0.2.42",
  "description": "user 'jane.smith@example.com' was invited to Kolide"
}
```
Record Fields
| Field | Type | Nullable | Description |
|---|---|---|---|
| id | string | No | Unique identifier for the audit log entry |
| timestamp | string (RFC3339) | No | When the action occurred, in UTC with millisecond precision |
| actor_name | string | No | Full name of the user or system that performed the action |
| actor_type | string | No | Type of actor: User, ApiKey, or System |
| actor_email | string | Yes | Email address of the actor (present when actor_type is User) |
| ip_address | string | Yes | IP address from which the action was initiated |
| description | string | No | Human-readable description of the action that occurred |
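As an added example (not part of the original page and not Kolide's or Monad's code), the following Python function encodes the field table above as a validator a pipeline can run on every record before indexing it. The only assumption beyond the table is that a nullable field that is absent is treated the same as null.

```python
"""Validate Kolide audit log records against the field table (added example).

Encodes the table: required vs nullable fields, the allowed actor_type values,
RFC 3339 UTC timestamps, and actor_email accompanying actor_type == "User".
Assumption: an absent nullable field is treated like null.
"""
import ipaddress
from datetime import datetime

ACTOR_TYPES = {"User", "ApiKey", "System"}
REQUIRED = ("id", "timestamp", "actor_name", "actor_type", "description")  # Nullable: No
NULLABLE = ("actor_email", "ip_address")                                  # Nullable: Yes

# The sample record from this page, used as the known-good input.
SAMPLE = {
    "id": "256",
    "timestamp": "2025-02-12T14:30:22.213Z",
    "actor_name": "Jane Smith",
    "actor_type": "User",
    "actor_email": "jane.smith@example.com",
    "ip_address": "192.0.2.42",
    "description": "user 'jane.smith@example.com' was invited to Kolide",
}


def validate_record(rec: dict) -> list:
    """Return the list of schema violations; an empty list means the record matches the table."""
    problems = []
    for field in REQUIRED:
        if not isinstance(rec.get(field), str) or not rec[field]:
            problems.append(f"{field}: required, non-null string")
    for field in NULLABLE:
        if rec.get(field) is not None and not isinstance(rec[field], str):
            problems.append(f"{field}: must be a string or null")
    ts = rec.get("timestamp")
    if isinstance(ts, str):
        try:
            parsed = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            # Naive (no offset) or non-zero offset both violate "in UTC".
            if parsed.utcoffset() is None or parsed.utcoffset().total_seconds() != 0:
                problems.append("timestamp: must be UTC")
        except ValueError:
            problems.append("timestamp: not RFC 3339")
    actor_type = rec.get("actor_type")
    if isinstance(actor_type, str) and actor_type not in ACTOR_TYPES:
        problems.append(f"actor_type: unknown value {actor_type!r}")
    if actor_type == "User" and not rec.get("actor_email"):
        problems.append("actor_email: expected when actor_type is User")
    ip = rec.get("ip_address")
    if isinstance(ip, str):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"ip_address: not an IP address {ip!r}")
    return problems


if __name__ == "__main__":
    print(validate_record(SAMPLE))
    print(validate_record({**SAMPLE, "actor_type": "Robot", "ip_address": "not-an-ip"}))
```

Records that fail validation should be quarantined rather than dropped: a schema drift on Kolide's side (a new actor_type, for instance) is itself worth an alert, and silently discarding audit events leaves a gap in the trail.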