Audit logs
The audit logs helps you trace and prevent security vulnerabilities for your organization.
You can read more about it in our dedicated Help Center article (opens in a new tab).
Fetching the logs
You can query the audit logs using the logs command. For example:
dcli t logsYou can also save the logs to a file:
dcli t logs --start 0 --end now > logs.jsonThe logs are output in JSON format, each line is a new log entry.
{"uuid": "e2d9ce5b-[..redacted..]-b6de479b3483", "team_id": 1315574321, "category": "authentication", "log_type": "user_device_added", "date_time": 1688629046919, "properties": {"device_name": "Dashlane CLI", "author_login": "admin@something.io", "device_platform": "server_standalone"}, "author_user_id": 28080685, "schema_version": "1.0.0"}
{"uuid": "d2f5db34-[..redacted..]-1dfcc3bdf911", "team_id": 1315574321, "category": "authentication", "log_type": "user_device_added", "date_time": 1688628172021, "properties": {"device_name": "Chrome - Mac OS", "author_login": "admin@something.io", "device_platform": "server_standalone"}, "author_user_id": 28080685, "schema_version": "1.0.0"}
{"uuid": "4ca3bb56-[..redacted..]-66cbb387cb54", "team_id": 1315574321, "category": "authentication", "log_type": "user_device_added", "date_time": 1683303544898, "properties": {"device_name": "Firefox - Ubuntu", "author_login": "user@something.io", "device_platform": "server_standalone"}, "author_user_id": 28086620, "schema_version": "1.0.0"}
{"uuid": "68e70f62-[..redacted..]-1bb9830f9f18", "team_id": 1315574321, "category": "team_settings_sso", "log_type": "sso_service_provider_url_set", "date_time": 1671629557924, "properties": {"author_login": "admin@something.io", "service_provider_url": "https://sso.nitro.dashlane.com"}, "author_user_id": 28080685, "schema_version": "1.0.0"}Filtering the logs
With the following options you can filter the logs by start and end date, log type and category.
--start <start> start timestamp in ms (default: "0")
--end <end> end timestamp in ms (default: "now")
--type <type> log type
--category <category> log categoryFiltering by date
We use epoch timestamps in milliseconds, so you can use the date command to get the timestamp of a specific date:
# On Linux and Windows
date -d "2021-09-01" +%s000
# On macOS
date -j -f "%Y-%m-%d" "2021-09-01" +%s000The final command would look like this using date:
# On Linux and Windows
dcli t logs --start $(date -d "2021-09-01" +%s000) --end $(date -d "2021-09-02" +%s000)
# On macOS
dcli t logs --start $(date -j -f "%Y-%m-%d" "2021-09-01" +%s000) --end $(date -j -f "%Y-%m-%d" "2021-09-02" +%s000)In the output logs timestamps are in milliseconds, so you can use the date command to convert them to a human readable format:
# On Linux and Windows
date -d @1688629046919
# On macOS
date -r 1688629046919Options
Export as CSV
You can export the logs as CSV using the --csv option.
dcli t logs --csv --start 0 --end now > logs.csvThis allows you to open the logs in a spreadsheet editor like Excel or Google Sheets.
Note that the properties field is kept as a JSON string in the CSV file because its content varies depending on the log type.
Human Readable dates
You can use the --human-readable option to output the logs with human readable dates.
dcli t logs --human-readableThe date will be displayed in the ISO 8601 format.
Note that a new key named date_time_iso will be added to the logs.
Logs types
Default types
| Type | Event message |
|---|---|
| master_password_reset_accepted | Accepted an Account Recovery request from %(email)s |
| master_password_reset_refused | Denied an Account Recovery request from %(email)s |
| user_device_added | Added the device %(name)s |
| user_device_removed | Removed the device %(name)s |
| requested_account_recovery | Requested Account Recovery |
| completed_account_recovery | Recovered their account through Account Recovery |
| dwm_email_added | Added %(email)s to Dark Web Monitoring |
| dwm_email_removed | Removed %(email)s from Dark Web Monitoring |
| user_group_created | Created a group named %(groupName)s |
| user_group_renamed | Renamed the %(oldGroupName)s group to %(newGroupName)s |
| user_group_deleted | Deleted the %(groupName)s group |
| user_joined_user_group | Joined the %(groupName)s group |
| user_invited_to_user_group | Invited %(email)s to the %(groupName)s group |
| user_declined_invite_to_user_group | Declined to join the %(groupName)s group |
| user_removed_from_user_group | Removed %(email)s from the %(groupName)s group |
| team_name_changed | Changed your company name to “%(name)s” |
| new_billing_period_created | Extended your account until %(date)s |
| seats_added | Added %(count)s seats to your account |
| domain_requested | Added %(domain)s as an unverified domain |
| domain_validated | Verified the domain %(domain)s |
| collect_sensitive_data_audit_logs_enabled | (user) turned on unencrypted vault logs |
| collect_sensitive_data_audit_logs_disabled | (user) turned off unencrypted vault logs |
| sso_idp_metadata_set | Updated SSO identity provider metadata |
| sso_service_provider_url_set | Configured SSO service provider URL |
| sso_enabled | Enabled SSO |
| sso_disabled | Disabled SSO |
| contact_email_changed | Changed contact email to %(email)s |
| master_password_mobile_reset_enabled | Turned on biometric recovery for %(deviceName)s |
| two_factor_authentication_login_method_added | Activated a 2FA method |
| two_factor_authentication_login_method_removed | Removed a 2FA method |
| user_invited | Invited %(email)s to your account |
| user_removed | Revoked %(email)s from your account |
| team_captain_added | Changed %(email)s to admin rights |
| team_captain_removed | Changed %(email)s to member rights |
| group_manager_added | Changed %(email)s to group manager rights |
| group_manager_removed | Changed %(email)s to member rights |
| user_reinvited | Resent an invite to %(email)s |
| billing_admin_added | Made %(name)s the billing contact |
| billing_admin_removed | Revoked %(name)s as the billing contact |
Sensitive types
You can turn on logging sensitive actions in the Policies section of Settings in the Admin Console. Read more about it in our dedicated Help Center article (opens in a new tab).
| Type | Event message |
|---|---|
| collect_sensitive_data_audit_logs_enabled | (user) turned on additional activity logs (unencrypted) |
| collect_sensitive_data_audit_logs_disabled | (user) turned off additional activity logs (unencrypted) |
| user_shared_credential_with_group | (user) shared %(rights [limited/full]) rights to the %(domain)s |
| user_shared_credential_with_email | (user) shared %(rights [limited/full]) rights to the %(domain)s |
| user_shared_credential_with_external | (user) shared %(rights [limited/full]) rights to the %(domain)s |
| user_accepted_sharing_invite_credential | (user) accepted a sharing invitation for the %(domain)s |
| user_rejected_sharing_invite_credential | (user) rejected a sharing invitation for the %(domain)s |
| user_revoked_shared_credential_group | (user) revoked access to the %(domain)s login |
| user_revoked_shared_credential_external | (user) revoked access to the %(domain)s login |
| user_revoked_shared_credential_email | (user) revoked access to the %(domain)s login |
| user_created_credential | (user) created a login for %(domain)s |
| user_modified_credential | (user) modified the login for %(domain)s |
| user_deleted_credential | (user) deleted the login for %(domain)s |
Logs categories
| Category |
|---|
| authentication |
| dark_web_monitoring |
| groups |
| sharing |
| team_account |
| team_settings |
| team_settings_sso |
| users |
| user_settings |
| vault_passwords |
Use cases
Sending audit logs to a SIEM or log management solution
If you want to send the logs to a SIEM for instance, you can pull the logs periodically and only get the new logs by using the --start option.
Here is an example of a cron job that pulls the latest logs of the day and append them to a file:
#!/bin/bash
# Create the cron job
# crontab -e
# 0 0 * * * /path/to/script.sh
# Get the latest pull date
if [ -f "last_pull_date" ]; then
last_pull_date=$(cat last_pull_date)
else
last_pull_date=0
fi
# Save the latest pull date
date +%s000 > last_pull_date
# Pull the logs
dcli t logs --start $last_pull_date >> logs.jsonMake sure to replace /path/to/script.sh with the actual path to the script.
The other paths in the script are only examples and may not reflect the permissions of your system, you can change them to your needs.
Configure your SIEM agent to watch the logs.json file changes.