# Audit Logs **Sync Type: Incremental** ## Overview The Kolide Audit Logs input collects audit trail data from your Kolide instance, providing visibility into all administrative actions and security-relevant activities. This integration captures events such as user invitations, device enrollments, policy changes, API key creation, and configuration updates performed by users, API keys, or the system. ## Authentication This integration uses Kolide's API key authentication. API requests are authenticated using a Bearer token sent in the `Authorization` header, along with the required `X-Kolide-Api-Version` header. ## Prerequisites ### 1. Kolide Account Access You must have a Kolide account with **Full Access admin role** to create API keys. Standard or limited admin roles do not have permission to access the audit logs API or generate API tokens. ### 2. Kolide API Access Audit log access requires that your Kolide subscription includes API access. If you receive a `401 Unauthorized` response, the API feature may be disabled for your organization — contact Kolide support to enable it. ## API Key Setup ### 1. Log into the Kolide admin console Navigate to your Kolide instance and sign in with a Full Access admin account. ### 2. Navigate to API Keys Go to **Settings > Developers > API Keys**. ### 3. Create a new API key Click **Create API Key**, provide a descriptive name (e.g., `monad-audit-logs`), and confirm creation. ### 4. Copy the token Copy the token value immediately — it will only be displayed once. Store it securely before closing the dialog. ## Configuration ### Settings | Setting | Type | Required | Description | | ------------------- | ------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Backfill Start Time | string | false | The date to start fetching data from. If not specified, no past records will be fetched. | | API Rate Limit | object | No | Optional limit on the connector's outbound request rate to the source API. Leave blank to use the connector's default behavior. See [API Rate Limiting](../../../guides/rate-limiting) for the field format, limits, and how to choose a value. | ### Secrets | Setting | Type | Required | Description | | --------- | ------ | -------- | --------------------------------------------------------------------------------------------------------- | | API Token | string | true | Kolide API Bearer token. Obtained from Settings > Developers > API Keys. Requires Full Access admin role. | ## Related Articles - [Kolide API Reference](https://kolideapi.readme.io/reference/get_audit-logs) - [Getting Started with the Kolide API](https://kolideapi.readme.io/docs/getting-started-with-the-kolide-api) - [Kolide Audit Log Admin Docs](https://www.kolide.com/docs/admins/settings-admin-tools/audit-log) ## Sample Record ```json { "id": "256", "timestamp": "2025-02-12T14:30:22.213Z", "actor_name": "Jane Smith", "actor_type": "User", "actor_email": "jane.smith@example.com", "ip_address": "192.0.2.42", "description": "user 'jane.smith@example.com' was invited to Kolide" } ``` ### Record Fields | Field | Type | Nullable | Description | | ----------- | ---------------- | -------- | ---------------------------------------------------------------- | | id | string | No | Unique identifier for the audit log entry | | timestamp | string (RFC3339) | No | When the action occurred, in UTC with millisecond precision | | actor_name | string | No | Full name of the user or system that performed the action | | actor_type | string | No | Type of actor: `User`, `ApiKey`, or `System` | | actor_email | string | Yes | Email address of the actor (present when `actor_type` is `User`) | | ip_address | string | Yes | IP address from which the action was initiated | | description | string | No | Human-readable description of the action that occurred |