Skip to main content

List Authentication Logs

Returns a paged list of authentication log events ranging from the last 180 days up to as recently as two minutes before the API request. To fetch all results, call repeatedly with the next_offset paging parameter as long as the result metadata has next_offset values. Requires "Grant read log" API permission.

There is an intentional two minute delay in availability of new authentications in the API response. Duo operates a large scale distributed system, and this two minute buffer period ensures that calls will return consistent results. Querying for results more recent than two minutes will return as empty.

We recommend requesting logs no more than once per minute.

Basic Parameters

ParameterDescription
Maximum TimeReturn records that have a 13 character Unix timestamp in milliseconds of maxtime or earlier.This value must be strictly greater then mintime.
Minimum TimeReturn records that have a 13 character Unix timestamp in milliseconds of mintime or later.This value must be strictly less then maxtime.

Advanced Parameters

ParameterDescription
Custom FiltersAny additional custom filters to apply to the search.View [https://duo.com/docs/adminapi#authentication-logs] for a list of possible parameters.
LimitThe maximum number of records returned.Default: 100; Max: 1000
Next OffsetThe offset at which to start record retrieval.This value is provided in the metadata in the form of a 13 character date string in milliseconds and the event txid.Both of these values must be provided when used, separated by a comma (e.g. 1547486297000,5bea1c1e-612c-4f1d-b310-75fd31385b15).When used with "limit", the handler will return "limit" records starting at the n-th record, where n is the offset.Default: None.
SortThe order in which to return records. One of:
  • ts:asc - Return logs in chronological order.
  • ts:desc - Return logs in reverse chronological order.

Example Output

{
"stat": "OK",
"response": {
"authlogs": [
{
"access_device": {
"browser": "Chrome",
"browser_version": "67.0.3396.99",
"flash_version": "uninstalled",
"hostname": null,
"ip": "169.232.89.219",
"is_encryption_enabled": true,
"is_firewall_enabled": true,
"is_password_set": true,
"java_version": "uninstalled",
"location": {
"city": "Ann Arbor",
"country": "United States",
"state": "Michigan"
},
"os": "Mac OS X",
"os_version": "10.14.1",
"security_agents": []
},
"adaptive_trust_assessments": {
"more_secure_auth": {
"features_version": "3.0",
"model_version": "2022.07.19.001",
"policy_enabled": false,
"reason": "Normal level of trust; no detection of known attack pattern",
"trust_level": "NORMAL"
},
"remember_me": {
"features_version": "3.0",
"model_version": "2022.07.19.001",
"policy_enabled": false,
"reason": "Known Access IP",
"trust_level": "NORMAL"
}
},
"alias": "",
"application": {
"key": "DIY231J8BR23QK4UKBY8",
"name": "Microsoft Azure Active Directory"
},
"auth_device": {
"ip": "192.168.225.254",
"key": "DP5BJ05HI4WRBVI4Q7JF",
"location": {
"city": "Ann Arbor",
"country": "United States",
"state": "Michigan"
},
"name": "My iPhone X (734-555-2342)"
},
"email": "narroway@example.com",
"event_type": "authentication",
"factor": "duo_push",
"isotimestamp": "2020-02-13T18:56:20.351346+00:00",
"ood_software": null,
"reason": "user_approved",
"result": "success",
"timestamp": 1581620180,
"trusted_endpoint_status": "not trusted",
"txid": "340a23e3-23f3-23c1-87dc-1491a23dfdbb",
"user": {
"groups": [
"Duo Users",
"CorpHQ Users"
],
"key": "DU3KC77WJ06Y5HIV7XKQ",
"name": "narroway@example.com"
}
},
],
"metadata": {
"next_offset": [
"1532951895000",
"af0ba235-0b33-23c8-bc23-a31aa0231de8"
],
"total_objects": 1
}
}
}

Workflow Library Example

List Authentication Logs with Duo and Send Results Via Email

Workflow LibraryPreview this Workflow on desktop