Audit logs
The audit logs helps you trace and prevent security vulnerabilities for your organization.
You can read more about it in our dedicated Help Center article.
Fetching the logs
You can query the audit logs using the logs
command. For example:
dcli t logs
You can also save the logs to a file:
dcli t logs --start 0 --end now > logs.json
The logs are output in JSON format, each line is a new log entry.
{"uuid": "e2d9ce5b-[..redacted..]-b6de479b3483", "team_id": 1315574321, "category": "authentication", "log_type": "user_device_added", "date_time": 1688629046919, "properties": {"device_name": "Dashlane CLI", "author_login": "admin@something.io", "device_platform": "server_standalone"}, "author_user_id": 28080685, "schema_version": "1.0.0"}
{"uuid": "d2f5db34-[..redacted..]-1dfcc3bdf911", "team_id": 1315574321, "category": "authentication", "log_type": "user_device_added", "date_time": 1688628172021, "properties": {"device_name": "Chrome - Mac OS", "author_login": "admin@something.io", "device_platform": "server_standalone"}, "author_user_id": 28080685, "schema_version": "1.0.0"}
{"uuid": "4ca3bb56-[..redacted..]-66cbb387cb54", "team_id": 1315574321, "category": "authentication", "log_type": "user_device_added", "date_time": 1683303544898, "properties": {"device_name": "Firefox - Ubuntu", "author_login": "user@something.io", "device_platform": "server_standalone"}, "author_user_id": 28086620, "schema_version": "1.0.0"}
{"uuid": "68e70f62-[..redacted..]-1bb9830f9f18", "team_id": 1315574321, "category": "team_settings_sso", "log_type": "sso_service_provider_url_set", "date_time": 1671629557924, "properties": {"author_login": "admin@something.io", "service_provider_url": "https://sso.nitro.dashlane.com"}, "author_user_id": 28080685, "schema_version": "1.0.0"}
Filtering the logs
With the following options you can filter the logs by start and end date.
--start <start> start timestamp in ms (default: "0")
--end <end> end timestamp in ms (default: "now")
Filtering by date
We use epoch timestamps in milliseconds, so you can use the date
command to get the timestamp of a specific date:
# On Linux and Windows
date -d "2021-09-01" +%s000
# On macOS
date -j -f "%Y-%m-%d" "2021-09-01" +%s000
The final command would look like this using date
:
# On Linux and Windows
dcli t logs --start $(date -d "2021-09-01" +%s000) --end $(date -d "2021-09-02" +%s000)
# On macOS
dcli t logs --start $(date -j -f "%Y-%m-%d" "2021-09-01" +%s000) --end $(date -j -f "%Y-%m-%d" "2021-09-02" +%s000)
In the output logs timestamps are in milliseconds, so you can use the date
command to convert them to a human readable format:
# On Linux and Windows
date -d @1688629046919
# On macOS
date -r 1688629046919
Options
Export as CSV
You can export the logs as CSV using the --csv
option.
dcli t logs --csv --start 0 --end now > logs.csv
This allows you to open the logs in a spreadsheet editor like Excel or Google Sheets.
Note that the properties
field is kept as a JSON string in the CSV file because its content varies depending on the log type.
Human Readable dates
You can use the --human-readable
option to output the logs with human readable dates.
dcli t logs --human-readable
The date will be displayed in the ISO 8601 format.
Note that a new key named date_time_iso
will be added to the logs.
Logs types
Default types
Type | Event message |
---|---|
master_password_reset_accepted | Accepted an Account Recovery request from %(email)s |
master_password_reset_refused | Denied an Account Recovery request from %(email)s |
user_device_added | Added the device %(name)s |
user_device_removed | Removed the device %(name)s |
requested_account_recovery | Requested Account Recovery |
completed_account_recovery | Recovered their account through Account Recovery |
dwm_email_added | Added %(email)s to Dark Web Monitoring |
dwm_email_removed | Removed %(email)s from Dark Web Monitoring |
user_group_created | Created a group named %(groupName)s |
user_group_renamed | Renamed the %(oldGroupName)s group to %(newGroupName)s |
user_group_deleted | Deleted the %(groupName)s group |
user_joined_user_group | Joined the %(groupName)s group |
user_invited_to_user_group | Invited %(email)s to the %(groupName)s group |
user_declined_invite_to_user_group | Declined to join the %(groupName)s group |
user_removed_from_user_group | Removed %(email)s from the %(groupName)s group |
team_name_changed | Changed your company name to “%(name)s” |
new_billing_period_created | Extended your account until %(date)s |
seats_added | Added %(count)s seats to your account |
domain_requested | Added %(domain)s as an unverified domain |
domain_validated | Verified the domain %(domain)s |
collect_sensitive_data_audit_logs_enabled | (user) turned on unencrypted vault logs |
collect_sensitive_data_audit_logs_disabled | (user) turned off unencrypted vault logs |
sso_idp_metadata_set | Updated SSO identity provider metadata |
sso_service_provider_url_set | Configured SSO service provider URL |
sso_enabled | Enabled SSO |
sso_disabled | Disabled SSO |
contact_email_changed | Changed contact email to %(email)s |
master_password_mobile_reset_enabled | Turned on biometric recovery for %(deviceName)s |
two_factor_authentication_login_method_added | Activated a 2FA method |
two_factor_authentication_login_method_removed | Removed a 2FA method |
user_invited | Invited %(email)s to your account |
user_removed | Revoked %(email)s from your account |
team_captain_added | Changed %(email)s to admin rights |
team_captain_removed | Changed %(email)s to member rights |
group_manager_added | Changed %(email)s to group manager rights |
group_manager_removed | Changed %(email)s to member rights |
user_reinvited | Resent an invite to %(email)s |
billing_admin_added | Made %(name)s the billing contact |
billing_admin_removed | Revoked %(name)s as the billing contact |
nitro_integration_app_installed | Installed %(integration_app)s integration |
nitro_integration_app_uninstalled | Uninstalled %(integration_app)s integration |
nudge_configured | Set %(nudge_name)s to %(status)s |
nudge_executed | Nudged %(successes)s users for %(nudge_name)s |
user_received_nudge | Received %(nudge_received)s nudge |
Sensitive types
You can turn on logging sensitive actions in the Policies section of Settings in the Admin Console. Read more about it in our dedicated Help Center article.
Type | Event message |
---|---|
collect_sensitive_data_audit_logs_enabled | (user) turned on additional activity logs (unencrypted) |
collect_sensitive_data_audit_logs_disabled | (user) turned off additional activity logs (unencrypted) |
user_shared_credential_with_group | (user) shared %(rights [limited/full]) rights to the %(domain)s |
user_shared_credential_with_email | (user) shared %(rights [limited/full]) rights to the %(domain)s |
user_shared_credential_with_external | (user) shared %(rights [limited/full]) rights to the %(domain)s |
user_accepted_sharing_invite_credential | (user) accepted a sharing invitation for the %(domain)s |
user_revoked_shared_credential_group | (user) revoked access to the %(domain)s login |
user_revoked_shared_credential_external | (user) revoked access to the %(domain)s login |
user_revoked_shared_credential_email | (user) revoked access to the %(domain)s login |
user_created_credential | (user) created a login for %(domain)s |
user_modified_credential | (user) modified the login for %(domain)s |
user_deleted_credential | (user) deleted the login for %(domain)s |
user_performed_autofill_credential | Autofilled %(credential_login)s login for %(credential_domain)s on %(autofilled_domain)s |
user_performed_autofill_payment | Autofilled %(item_type [bank_account/credit_card])s %(item_name)s on %(autofilled_domain)s |
user_authenticated_with_passkey | Logged in with %(credential_login)s passkey for %(passkey_domain)s on %(current_domain)s |
user_copied_credential_field | Copied %(field)s for %(credential_login)s %(credential_domain)s login |
user_copied_credit_card_field | Copied %(field)s for %(name)s credit card |
user_copied_bank_account_field | Copied %(field)s for %(name)s bank account |
Logs categories
Category |
---|
authentication |
dark_web_monitoring |
groups |
nudges |
item_usage |
sharing |
team_account |
team_settings |
team_settings_sso |
users |
user_settings |
vault_passwords |
Use cases
Sending audit logs to a SIEM or log management solution
If you want to send the logs to a SIEM for instance, you can pull the logs periodically and only get the new logs by using the --start
option.
Here is an example of a cron job that pulls the latest logs of the day and append them to a file:
#!/bin/bash
# Create the cron job
# crontab -e
# 0 0 * * * /path/to/script.sh
# Get the latest pull date
if [ -f "last_pull_date" ]; then
last_pull_date=$(cat last_pull_date)
else
last_pull_date=0
fi
# Save the latest pull date
date +%s000 > last_pull_date
# Pull the logs
dcli t logs --start $last_pull_date >> logs.json
Make sure to replace /path/to/script.sh
with the actual path to the script.
The other paths in the script are only examples and may not reflect the permissions of your system, you can change them to your needs.
Configure your SIEM agent to watch the logs.json
file changes.