Using a Python Script to Grab Audit Data from Workspace ONE Access

Introduction:

For organizations that wish to capture audit data from their VMware Workspace ONE Access tenant(s) without manually exporting the admin audit data 10K lines at a time, the Python script below exports that data via an authenticated API and stores it locally on your own system. The export can be executed manually or automatically, and can be set to pull a specified time range or to constantly listen and pull live data.

Credits:

Huge thanks to Assaf Abramovich, Michael Almond, Kamlesh Patil, and Balaine Wightman for developing this.


Download:

Download audit_server_v2.zip from EverNote. If you are prompted for a login, please cancel/close that tab, right-click on the audit_server_v2.zip file link, and open it in a new tab or window. If you are still prompted for login or if you wish to see this blog posting on EverNote directly, please go here.



Instructions:

Here are the instructions for getting this up and running. It is highly recommended to test this on a NON-PRODUCTION environment first in order to ensure it works as expected and has no negative impacts (it shouldn't as it is only pulling data via a bearer token, but I never suggest testing in production as that is bad form).

  1. Install Python v3.7.4 or higher onto a workstation
  2. Install the required modules by running ‘pip install requests’ & ‘pip install tabulate’
    1. On macOS this is done from Terminal and may require running "pip3" instead of "pip"
    2. On Windows, this is done from the command prompt with the "pip" command.
  3. Create a new Remote App Access ‘audit-service’ within the Workspace ONE Access tenant as Admin.
    1. Log in to the Workspace ONE Access tenant as tenant Super Admin, create the Service Client Bearer Token, and copy the Client ID and Shared Secret to be used in the config.ini file.
      1. Under Catalog (menu), select Settings, then select Remote App Settings and ensure CLIENT is selected in the main page
      2. Click CREATE CLIENT
        1. Access Type: Service Client Token
        2. Client ID:
          1. Example: "audit-service" (no quotes)
        3. Expand ADVANCED
          1. Generate Shared Secret
          2. Token Type: Bearer
        4. Click ADD
  4. Download the ZIP file above in the "Download" section
  5. Copy and paste both ‘audit_api_runner.py’ & ‘config.ini’ to a directory (e.g. ‘\Scripts’)
  6. Edit the ‘config.ini’ file to include the client ID & client secret
  7. Run the script (On Windows, all commands should be executed from the ‘\Scripts’ working directory - On Mac, commands can be launched from within IDLE via
    1. Run the following command to continuously pull data as a live stream
      "\Scripts>audit_api_runner.py -d -f 1 -p "
      1. The above will run continuously streaming the output to an "output" folder
    2. Run the following command from the working directory (command prompt as Administrator) to pull historical data
      "\Scripts>audit_api_runner.py -f 100 -o logs -i "
    3. The CONFIG file may need to be manually specified if Python does not automatically find it in the same folder (even if it is in the same folder). The "-c" command line option allows for specifying the full path to the config.ini file
      "\Scripts>audit_api_runner.py -c "" -f 100 -o logs -i "" "
    4. Command line options for specifying various options may be found by running the 'audit_api_runner.py' command without any switches.
      1. NOTE: This is also a good way to see if Python correctly sees the "requests" and "tabulate" modules as these MUST be installed prior to running and obtaining audit data
      2. The "-d" option is for debugging
      3. The "-p" option is for continuous polling. Default is 1 second
      4. When pulling historical data, "-f" is still needed, and the frequency interval should be increased from the default to lighten the load while pulling historical data
  8. The script will create a directory called ‘audit-data’ in the working directory
"\Scripts\audit-data"

Notes:

This audit-data export is in the form of a CSV which can then be opened externally in Excel or some other spreadsheet or database tool.
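
A preflight check for steps 1, 2 and 6 of the instructions, as an added example that is not part of audit_server_v2.zip or the original post: it confirms the Python version and the two required modules, and checks that config.ini contains a client ID and secret and is not accessible to other users on the workstation. The key names `client_id` and `client_secret` are assumptions; adjust them to match the config.ini shipped in the ZIP.

```python
import configparser
import importlib.util
import os
import sys

MIN_PYTHON = (3, 7, 4)                       # step 1 of the instructions
REQUIRED_MODULES = ("requests", "tabulate")  # step 2 of the instructions
# Assumed key names; compare with the config.ini shipped in the ZIP.
REQUIRED_KEYS = ("client_id", "client_secret")


def missing_modules(names=REQUIRED_MODULES):
    """Return the modules from `names` that this interpreter cannot find."""
    return [n for n in names if importlib.util.find_spec(n) is None]


def check_config(path, keys=REQUIRED_KEYS):
    """Return a list of problems with the config file at `path` (empty if none)."""
    if not os.path.isfile(path):
        return [f"{path}: not found (pass the full path with -c)"]
    problems = []
    # The file stores the shared secret: on POSIX only the owner should have access.
    if os.name == "posix" and os.stat(path).st_mode & 0o077:
        problems.append(f"{path}: accessible by group/others, run chmod 600")
    # interpolation=None so a '%' inside the secret is read literally.
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read(path)
    except configparser.Error as exc:
        return problems + [f"{path}: not a valid INI file ({exc})"]
    values = {}
    for section in parser.values():  # every section, DEFAULT included
        values.update(section)
    for key in keys:
        if not values.get(key, "").strip():
            problems.append(f"{path}: '{key}' is missing or empty")
    return problems


def preflight(config_path="config.ini"):
    problems = []
    if sys.version_info[:3] < MIN_PYTHON:
        problems.append("Python %d.%d.%d or higher is required" % MIN_PYTHON)
    problems += [f"module '{m}' is not installed" for m in missing_modules()]
    return problems + check_config(config_path)


if __name__ == "__main__":
    # Prints any problems to stderr and exits 1; exits 0 when everything passes.
    sys.exit("\n".join(preflight(*sys.argv[1:2])) or 0)
```

Run it from the same directory as config.ini, or pass the path to config.ini as the first argument.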