# System Events

| Operation                       | Syntax                         |
| ------------------------------- | ------------------------------ |
| [List Events](#list-events)     | GET /api/preview/events        |
| [Export Events](#export-events) | GET /api/preview/events/export |

Event objects represent Veza platform activity, including integration parsing, notification activity, and user logins. You can list events that match a filter (such as a category or severity), or export a continuous list for integration with an external monitoring system.

For logging Veza API activity, see [Audit Log API](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/developers/api/audit-logs).

#### List events

Returns an array of Veza platform `events`. If a `filter` is specified, the endpoint returns only events matching the SCIM filter expression. Use this to get events with a matching category or severity, for example:

`GET /api/preview/events?page_size=10&filter=category+eq+"INTEGRATIONS"+and+timestamp+ge+"2023-04-17T22:29:22.440Z"`

{% openapi src="<https://1967633068-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MZDkWMxox3pekd0NsZJ%2Fuploads%2Fgit-blob-d0cc152d188a7ade16cd0e6e7f7f205786a7e186%2Fopenapi.yaml?alt=media>" path="/api/preview/events" method="get" %}
[openapi.yaml](https://1967633068-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MZDkWMxox3pekd0NsZJ%2Fuploads%2Fgit-blob-d0cc152d188a7ade16cd0e6e7f7f205786a7e186%2Fopenapi.yaml?alt=media)
{% endopenapi %}

#### Export events

Returns a paginated list of platform events, intended for exporting a continuous log into an external system.

The export endpoint can return the error code `ResourceExhaused`. When encountered, wait for one minute before retrying the request.

{% openapi src="<https://1967633068-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MZDkWMxox3pekd0NsZJ%2Fuploads%2Fgit-blob-d0cc152d188a7ade16cd0e6e7f7f205786a7e186%2Fopenapi.yaml?alt=media>" path="/api/preview/events/export" method="get" %}
[openapi.yaml](https://1967633068-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MZDkWMxox3pekd0NsZJ%2Fuploads%2Fgit-blob-d0cc152d188a7ade16cd0e6e7f7f205786a7e186%2Fopenapi.yaml?alt=media)
{% endopenapi %}

To capture events as they become available without skipping any entries, first make a call with a `persisted_at GE "TIMESTAMP"` filter:

```shell
curl -X GET "$VEZA_URL/api/preview/events/export?filter=persisted_at+GE+%222023-09-14T23:59:59.999999999Z%22&page_size=5" \
-H "authorization: Bearer $VEZA_TOKEN"
```

Use the `next_page_token` in the response to continuously call the next page:

```shell
curl -X GET "$VEZA_URL/api/preview/events/export?page_token=eyJMaXNfQ==" \
-H "authorization: Bearer $VEZA_TOKEN"
```

Example response:

```json
{
  "events": [
    {
      "id": "e1560da1-bb88-4ef0-8d7f-e220fa2b33ca",
      "timestamp": "2023-09-21T12:41:27.111852371Z",
      "category": "INTEGRATIONS",
      "severity": "WARNING",
      "name": "OAA push",
      "message": "OAA data source pushed \"VEZAFILESERVER\"",
      "entity": "DATASOURCE",
      "entity_id": "b408b41f-a73b-4a73-90dc-013111d3b2d2",
      "error": {
        "reason": "OAA_PUSH_WARNINGS",
        "metadata": {
          "0": "Cannot find identity by names (values: CN=Domain Admins,CN=Users,DC=evergreentrucks,DC=local)",
          "1": "Cannot find identity by names (values: CN=Domain Users,CN=Users,DC=evergreentrucks,DC=local)",
          "2": "Empty permissions field",
          "3": "Empty identity_to_permissions field"
        },
        "message": "OAA push had warnings.",
        "resolution": "Address the warnings and push the datasource again.",
        "request_id": "be920721634911577b8223f36f06ff1e"
      },
      "entity_name": "VEZAFILESERVER",
      "event_type": "OAA push",
      "provider_id": "cbb69418-e9de-422a-945c-7e62ba3ae1ac"
    },
    {
      "id": "ee79c82d-4574-42d9-840a-7fa5c32e8c37",
      "timestamp": "2023-09-21T12:42:16.300711343Z",
      "category": "INTEGRATIONS",
      "severity": "INFO",
      "name": "Data Source extracted",
      "message": "\"VEZAFILESERVER\" Data Source extracted (0s)",
      "entity": "DATASOURCE",
      "entity_id": "b408b41f-a73b-4a73-90dc-013111d3b2d2",
      "error": null,
      "entity_name": "VEZAFILESERVER",
      "event_type": "Data Source extracted",
      "provider_id": "cbb69418-e9de-422a-945c-7e62ba3ae1ac"
    }
  ],
  "next_page_token": "eyJMaXN0SW5wdXQiOnsiQ2F0ZWdvcnkiOjAsIlNldmVyaXR5IjowLCJTdGFydFRpbWUiOiIwMDAxLTAxLTAxVDAwOjAwOjAwWiIsIkVuZFRpbWUiOiIwMDAxLTAxLTAxVDAwOjAwOjAwWiIsIkVudGl0eUlEIjoiIiwiUHJvdmlkZXJJRCI6IiIsIkV2ZW50VHlwZSI6MCwiUGVyc2lzdGVkQXRHZSI6IjIwMjMtMDktMjFUMTI6NDI6MjAuOTc4MjA0MDA5WiIsIlBhZ2luYXRpb25MYXN0SUQiOiJlZTc5YzgyZC00NTc0LTQyZDktODQwYS03ZmE1YzMyZThjMzciLCJQYWdlU2l6ZSI6NSwiT3JkZXIiOjB9fQ=="
}
```
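
An added example (not Veza's code) of the export loop described above: it starts from a `persisted_at GE` filter, follows `next_page_token`, and waits one minute on `ResourceExhaused` before retrying the same request. The names `export_pages`, `http_fetch` and `ExportThrottled`, detecting the error code in the error response body, and stopping once a page comes back empty are assumptions of this example.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

RETRY_WAIT_SECONDS = 60  # the page: wait one minute before retrying


class ExportThrottled(Exception):
    """The export endpoint reported its ResourceExhaused error code."""


def http_fetch(base_url, token, params):
    """GET /api/preview/events/export and return the decoded JSON body."""
    query = urllib.parse.urlencode(params)
    req = urllib.request.Request(
        f"{base_url}/api/preview/events/export?{query}",
        headers={"authorization": f"Bearer {token}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        # Assumption: the error code is named in the error response body.
        if "ResourceExhaus" in err.read().decode("utf-8", "replace"):
            raise ExportThrottled from err
        raise


def export_pages(fetch, since=None, page_token=None, page_size=1000,
                 sleep=time.sleep):
    """Yield (events, next_page_token) per page; resume from either argument."""
    if page_token:
        params = {"page_token": page_token}
    else:
        params = {"filter": f'persisted_at GE "{since}"', "page_size": page_size}
    while True:
        try:
            body = fetch(params)
        except ExportThrottled:
            sleep(RETRY_WAIT_SECONDS)
            continue  # retry the same request so no entries are skipped
        events = body.get("events") or []
        token = body.get("next_page_token")
        yield events, token  # caller forwards events, then stores the token
        if not events or not token:
            return  # caught up: poll again later from the stored token
        params = {"page_token": token}
```

Pass `functools.partial(http_fetch, VEZA_URL, VEZA_TOKEN)` as `fetch`, and persist each yielded token only after its events have been delivered to the monitoring system, so a crash replays a page instead of dropping one.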

#### Veza event schema

| Field         | Description                            | Example Value                                           |
| ------------- | -------------------------------------- | ------------------------------------------------------- |
| `id`          | Unique identifier for the event        | d95ccc9c-9051-4ef7-9147-124a16409baa                    |
| `timestamp`   | Timestamp when the event occurred      | 2023-05-18T14:23:35.151842912Z                          |
| `category`    | Category of the event                  | `SYSTEM`, `INTEGRATIONS`, `RULE`, `TAG`, `NOTIFICATION` |
| `severity`    | Severity level of the event            | `INFO`, `WARNING`, `ERROR`                              |
| `name`        | Title of the event                     | Tagging request failed                                  |
| `message`     | Descriptive message for the event      | Tagging request failed for node test1                   |
| `provider_id` | Provider data source unique identifier | e88f5d72-6f79-41d1-99e3-8777e1727311                    |
| `entity`      | Type of entity related to the event    | `DATASOURCE`, `PROVIDER`, `RULE`, `TAG`, `NOTIFICATION` |
| `entity_id`   | Unique identifier for the entity       | e88f5d72-6f79-41d1-99e3-8777e1727311                    |
| `entity_name` | Name of entity related to the event    | SYSTEM\_resource\_managers:500008                       |
| `error`       | Error details                          | See "error object structure"                            |
| `event_type`  | Type or category of the event          | Tagging request failed                                  |

Error object structure:

* `message`: Error message
* `metadata`: Additional metadata for the failed request.
* `reason`: Reason for the error
* `resolution`: Details to prevent the error
* `request_id`: Unique identifier for the failed request

#### Event types

The following tables describe all Veza platform event types, organized by functional area:

<details>

<summary>Integration Events</summary>

| Event Type                           | Description                                                                                 |
| ------------------------------------ | ------------------------------------------------------------------------------------------- |
| `OUTDATED_AWS_EXTRACTION_POLICY`     | AWS extraction policy requires updating                                                     |
| `DATASOURCE_PARSED`                  | Data source metadata successfully processed                                                 |
| `DATASOURCE_PARSED_NO_CHANGE`        | Data source parsed but no changes detected                                                  |
| `DATASOURCE_EXTRACTED`               | Data source extraction completed successfully                                               |
| `DATASOURCE_EXTRACTED_NO_CHANGE`     | Extraction completed but Access Graph unchanged                                             |
| `DATASOURCE_REGISTERED`              | New data source registered in Veza                                                          |
| `DATASOURCE_REMOVED`                 | Data source removed from Veza                                                               |
| `DISCOVERY_FAILED`                   | Integration discovery process failed                                                        |
| `DISCOVERY_SUCCESS`                  | Integration discovery completed successfully                                                |
| `OAA_PUSH`                           | Open Authorization API data push event                                                      |
| `PROVIDER_CONFIG_CHANGED`            | Integration provider configuration modified                                                 |
| `AUDITLOG_EXTRACTED`                 | Audit log data extracted from integration                                                   |
| `INSIGHT_POINT_UNAVAILABLE`          | Insight Point connector offline (all instances unavailable)                                 |
| `INSIGHT_POINT_DEGRADED`             | Insight Point operating with reduced functionality (some instances unavailable/out of sync) |
| `INSIGHT_POINT_INSTANCE_OUT_OF_SYNC` | Insight Point instance has time drift issues (time not synchronized with control plane)     |
| `SNOWFLAKE_EXPORT`                   | Data export to Snowflake completed                                                          |

</details>

<details>

<summary>User Management Events</summary>

| Event Type                       | Description                         |
| -------------------------------- | ----------------------------------- |
| `USER_LOGIN`                     | User successfully authenticated     |
| `USER_LOGOUT`                    | User session terminated             |
| `USER_CREATED`                   | New user account created            |
| `USER_DELETED`                   | User account permanently removed    |
| `USER_ENABLED`                   | User account activated or enabled   |
| `USER_DISABLED`                  | User account deactivated            |
| `USER_EMAIL_UPDATED`             | User email address changed          |
| `USER_ROLES_UPDATED`             | User role assignments modified      |
| `USER_PASSWORD_FORCED_RESET`     | Administrator forced password reset |
| `USER_PASSWORD_RESET`            | User password reset initiated       |
| `USER_AUTH_FACTORS_RESET`        | Authentication factors reset        |
| `USER_AUTH_FACTORS_FORCED_RESET` | Administrator forced MFA reset      |

</details>

<details>

<summary>API Key Management Events</summary>

| Event Type           | Description                            |
| -------------------- | -------------------------------------- |
| `API_KEY_CREATED`    | New API key generated                  |
| `API_KEY_UPDATED`    | API key properties modified            |
| `API_KEY_DELETED`    | API key permanently removed            |
| `API_KEY_REVOKED`    | API key temporarily disabled           |
| `API_KEY_REINSTATED` | Previously revoked API key reactivated |

</details>

<details>

<summary>System and Infrastructure Events</summary>

| Event Type                 | Description                             |
| -------------------------- | --------------------------------------- |
| `RULE_NOTIFICATION_FAILED` | Alert rule notification delivery failed |
| `TAGGING_REQUEST_FAILED`   | Entity tagging operation failed         |
| `EMAIL_NOTIFICATION`       | System email notification sent          |
| `EMAIL_SENT`               | Email delivery confirmed                |
| `DOMAIN_NOT_IN_ALLOWLIST`  | External domain access blocked          |
| `WEBHOOK_NOT_IN_ALLOWLIST` | Webhook URL blocked by allowlist        |

</details>

<details>

<summary>Access Review Events</summary>

| Event Type                             | Description                           |
| -------------------------------------- | ------------------------------------- |
| `ACCESS_REVIEW_CONFIGURATION_MODIFIED` | Review configuration settings changed |
| `EMPTY_ACCESS_REVIEW_CLEANED_UP`       | Empty review automatically removed    |

</details>

<details>

<summary>Auth Changes Events</summary>

| Event Type                   | Description                           |
| ---------------------------- | ------------------------------------- |
| `MFA_ENABLED`                | Multi-factor authentication enabled   |
| `MFA_DISABLED`               | Multi-factor authentication disabled  |
| `SCIM_PROVISIONING_ENABLED`  | SCIM provisioning enabled             |
| `SCIM_PROVISIONING_DISABLED` | SCIM provisioning disabled            |
| `SSO_REDIRECT_ENABLED`       | SSO redirect enabled                  |
| `SSO_REDIRECT_DISABLED`      | SSO redirect disabled                 |
| `IDP_MANAGED_ROLES_ENABLED`  | IdP-managed roles enabled             |
| `IDP_MANAGED_ROLES_DISABLED` | IdP-managed roles disabled            |
| `LOCAL_ACCOUNTS_ENABLED`     | Local account authentication enabled  |
| `LOCAL_ACCOUNTS_DISABLED`    | Local account authentication disabled |
| `AUTH_PROVIDER_ENABLED`      | Authentication provider enabled       |
| `AUTH_PROVIDER_DISABLED`     | Authentication provider disabled      |

</details>

**Event retention**

Veza retains system events for one month. When requesting events outside that range, the response will have a field error message indicating the oldest valid timestamp:

```json
{
  "field": "filter.start_time",
  "description": "Must be after or equal to 2023-05-13T21:39:21Z"
}
```

**Pagination**

Responses will contain a `next_page_token` when more events are available. Pass this value as the `page_token` query parameter to get the next batch of results.

If no page size is specified, the default is 1,000. The maximum page size is currently 10,000 records.
