Business
Audit Logs

Audit logs

💡
Needs team credentials to use this command.

Fetching the logs

You can query the audit logs using the logs command. For example:

dcli t logs

You can also save the logs to a file:

dcli t logs --start 0 --end now > logs.json

The logs are output in JSON format, each line is a new log entry.

{"uuid": "e2d9ce5b-[..redacted..]-b6de479b3483", "team_id": 1315574321, "category": "authentication", "log_type": "user_device_added", "date_time": 1688629046919, "properties": {"device_name": "Dashlane CLI", "author_login": "admin@something.io", "device_platform": "server_standalone"}, "author_user_id": 28080685, "schema_version": "1.0.0"}
{"uuid": "d2f5db34-[..redacted..]-1dfcc3bdf911", "team_id": 1315574321, "category": "authentication", "log_type": "user_device_added", "date_time": 1688628172021, "properties": {"device_name": "Chrome - Mac OS", "author_login": "admin@something.io", "device_platform": "server_standalone"}, "author_user_id": 28080685, "schema_version": "1.0.0"}
{"uuid": "4ca3bb56-[..redacted..]-66cbb387cb54", "team_id": 1315574321, "category": "authentication", "log_type": "user_device_added", "date_time": 1683303544898, "properties": {"device_name": "Firefox - Ubuntu", "author_login": "user@something.io", "device_platform": "server_standalone"}, "author_user_id": 28086620, "schema_version": "1.0.0"}
{"uuid": "68e70f62-[..redacted..]-1bb9830f9f18", "team_id": 1315574321, "category": "team_settings_sso", "log_type": "sso_service_provider_url_set", "date_time": 1671629557924, "properties": {"author_login": "admin@something.io", "service_provider_url": "https://sso.nitro.dashlane.com"}, "author_user_id": 28080685, "schema_version": "1.0.0"}

Filtering the logs

With the following options you can filter the logs by start and end date, log type and category.

  --start <start>        start timestamp in ms (default: "0")
  --end <end>            end timestamp in ms (default: "now")
  --type <type>          log type
  --category <category>  log category

Filtering by date

We use epoch timestamps in milliseconds, so you can use the date command to get the timestamp of a specific date:

# On Linux and Windows
date -d "2021-09-01" +%s000
 
# On macOS
date -j -f "%Y-%m-%d" "2021-09-01" +%s000

The final command would look like this using date:

# On Linux and Windows
dcli t logs --start $(date -d "2021-09-01" +%s000) --end $(date -d "2021-09-02" +%s000)
 
# On macOS
dcli t logs --start $(date -j -f "%Y-%m-%d" "2021-09-01" +%s000) --end $(date -j -f "%Y-%m-%d" "2021-09-02" +%s000)

In the output logs timestamps are in milliseconds, so you can use the date command to convert them to a human readable format:

# On Linux and Windows
date -d @1688629046919
 
# On macOS
date -r 1688629046919

Options

Export as CSV

You can export the logs as CSV using the --csv option.

dcli t logs --csv --start 0 --end now > logs.csv

This allows you to open the logs in a spreadsheet editor like Excel or Google Sheets. Note that the properties field is kept as a JSON string in the CSV file because its content varies depending on the log type.

Human Readable dates

You can use the --human-readable option to output the logs with human readable dates.

dcli t logs --human-readable

The date will be displayed in the ISO 8601 format.

Note that a new key named date_time_iso will be added to the logs.

Logs types

Default types

TypeEvent message
master_password_reset_acceptedAccepted an Account Recovery request from %(email)s
master_password_reset_refusedDenied an Account Recovery request from %(email)s
user_device_addedAdded the device %(name)s
user_device_removedRemoved the device %(name)s
requested_account_recoveryRequested Account Recovery
completed_account_recoveryRecovered their account through Account Recovery
dwm_email_addedAdded %(email)s to Dark Web Monitoring
dwm_email_removedRemoved %(email)s from Dark Web Monitoring
user_group_createdCreated a group named %(groupName)s
user_group_renamedRenamed the %(oldGroupName)s group to %(newGroupName)s
user_group_deletedDeleted the %(groupName)s group
user_joined_user_groupJoined the %(groupName)s group
user_invited_to_user_groupInvited %(email)s to the %(groupName)s group
user_declined_invite_to_user_groupDeclined to join the %(groupName)s group
user_removed_from_user_groupRemoved %(email)s from the %(groupName)s group
team_name_changedChanged your company name to “%(name)s”
new_billing_period_createdExtended your account until %(date)s
seats_addedAdded %(count)s seats to your account
domain_requestedAdded %(domain)s as an unverified domain
domain_validatedVerified the domain %(domain)s
collect_sensitive_data_audit_logs_enabled(user) turned on unencrypted vault logs
collect_sensitive_data_audit_logs_disabled(user) turned off unencrypted vault logs
sso_idp_metadata_setUpdated SSO identity provider metadata
sso_service_provider_url_setConfigured SSO service provider URL
sso_enabledEnabled SSO
sso_disabledDisabled SSO
contact_email_changedChanged contact email to %(email)s
master_password_mobile_reset_enabledTurned on biometric recovery for %(deviceName)s
two_factor_authentication_login_method_addedActivated a 2FA method
two_factor_authentication_login_method_removedRemoved a 2FA method
user_invitedInvited %(email)s to your account
user_removedRevoked %(email)s from your account
team_captain_addedChanged %(email)s to admin rights
team_captain_removedChanged %(email)s to member rights
group_manager_addedChanged %(email)s to group manager rights
group_manager_removedChanged %(email)s to member rights
user_reinvitedResent an invite to %(email)s
billing_admin_addedMade %(name)s the billing contact
billing_admin_removedRevoked %(name)s as the billing contact

Sensitive types

You can turn on logging sensitive actions in the Policies section of Settings in the Admin Console. Read more about it in our dedicated Help Center article (opens in a new tab).

TypeEvent message
collect_sensitive_data_audit_logs_enabled(user) turned on additional activity logs (unencrypted)
collect_sensitive_data_audit_logs_disabled(user) turned off additional activity logs (unencrypted)
user_shared_credential_with_group(user) shared %(rights [limited/full]) rights to the %(domain)s
user_shared_credential_with_email(user) shared %(rights [limited/full]) rights to the %(domain)s
user_shared_credential_with_external(user) shared %(rights [limited/full]) rights to the %(domain)s
user_accepted_sharing_invite_credential(user) accepted a sharing invitation for the %(domain)s
user_rejected_sharing_invite_credential(user) rejected a sharing invitation for the %(domain)s
user_revoked_shared_credential_group(user) revoked access to the %(domain)s login
user_revoked_shared_credential_external(user) revoked access to the %(domain)s login
user_revoked_shared_credential_email(user) revoked access to the %(domain)s login
user_created_credential(user) created a login for %(domain)s
user_modified_credential(user) modified the login for %(domain)s
user_deleted_credential(user) deleted the login for %(domain)s

Logs categories

Category
authentication
dark_web_monitoring
groups
sharing
team_account
team_settings
team_settings_sso
users
user_settings
vault_passwords

Use cases

Sending audit logs to a SIEM or log management solution

If you want to send the logs to a SIEM for instance, you can pull the logs periodically and only get the new logs by using the --start option.

Here is an example of a cron job that pulls the latest logs of the day and append them to a file:

#!/bin/bash
 
# Create the cron job
# crontab -e
# 0 0 * * * /path/to/script.sh
 
# Get the latest pull date
if [ -f "last_pull_date" ]; then
  last_pull_date=$(cat last_pull_date)
else
  last_pull_date=0
fi
 
# Save the latest pull date
date +%s000 > last_pull_date
 
# Pull the logs
dcli t logs --start $last_pull_date >> logs.json

Make sure to replace /path/to/script.sh with the actual path to the script. The other paths in the script are only examples and may not reflect the permissions of your system, you can change them to your needs.

Configure your SIEM agent to watch the logs.json file changes.