From 3035b265223c956a9eee03784446d5d5c70d4a21 Mon Sep 17 00:00:00 2001
From: Corentin Mors
Date: Mon, 31 Jul 2023 16:30:24 +0200
Subject: [PATCH] Give usage example of audit logs

Fix #113 #118
---
 documentation/pages/business/audit-logs.mdx | 44 ++++++++++++++++++++-
 documentation/pages/business/index.mdx | 2 +
 documentation/pages/business/reports.mdx | 4 --
 src/index.ts | 6 +--
 4 files changed, 47 insertions(+), 9 deletions(-)
diff --git a/documentation/pages/business/audit-logs.mdx b/documentation/pages/business/audit-logs.mdx
index b1b8082c..435bbf5f 100644
--- a/documentation/pages/business/audit-logs.mdx
+++ b/documentation/pages/business/audit-logs.mdx
@@ -12,6 +12,12 @@ You can query the audit logs using the `logs` command. For example:
 dcli t logs
 ```
+You can also save the logs to a file:
+
+```sh copy
+dcli t logs --start 0 --end now > logs.json
+```
+
 The logs are output in JSON format, each line is a new log entry.
 ```json
@@ -26,8 +32,8 @@ The logs are output in JSON format, each line is a new log entry.
 With the following options you can filter the logs by start and end date, log type and category.
 ```sh
- --start start timestamp (default: "0")
- --end end timestamp (default: "now")
+ --start start timestamp in ms (default: "0")
+ --end end timestamp in ms (default: "now")
 --type log type
 --category log category
 ```
@@ -110,3 +116,37 @@ You can turn on logging sensitive actions in the Policies section of Settings in
 | users |
 | user_settings |
 | vault_passwords |
+
+## Use cases
+
+### Sending audit logs to a SIEM or log management solution
+
+If you want to send the logs to a SIEM for instance, you can pull the logs periodically and only get the new logs by using the `--start` option.
+
+Here is an example of a cron job that pulls the latest logs of the day and append them to a file:
+
+```sh
+#!/bin/bash
+
+# Create the cron job
+# crontab -e
+# 0 0 * * * /path/to/script.sh
+
+# Get the latest pull date
+if [ -f "last_pull_date" ]; then
+ last_pull_date=$(cat last_pull_date)
+else
+ last_pull_date=0
+fi
+
+# Save the latest pull date
+date +%s000 > last_pull_date
+
+# Pull the logs
+dcli t logs --start $last_pull_date >> logs.json
+```
+
+Make sure to replace `/path/to/script.sh` with the actual path to the script.
+The other paths in the script are only examples and may not reflect the permissions of your system, you can change them to your needs.
+
+Configure your SIEM agent to watch the `logs.json` file changes.
diff --git a/documentation/pages/business/index.mdx b/documentation/pages/business/index.mdx
index 78d8bd77..38fd4551 100644
--- a/documentation/pages/business/index.mdx
+++ b/documentation/pages/business/index.mdx
@@ -22,6 +22,8 @@ export DASHLANE_TEAM_ACCESS_KEY=f56[..redacted..]56ce
 export DASHLANE_TEAM_SECRET_KEY=839c9[..redacted..]3ada5
 ```
+Make sure you save them in a safe place (use a secure note for instance 😉).
+
 ## Revoke credentials
 Needs to be authenticated as an admin to use this command.
diff --git a/documentation/pages/business/reports.mdx b/documentation/pages/business/reports.mdx
index 6cfe038d..4540460d 100644
--- a/documentation/pages/business/reports.mdx
+++ b/documentation/pages/business/reports.mdx
@@ -1,11 +1,7 @@
-import { Callout } from 'nextra/components';
-
 # Reports
 You can get reports on your team about the number of seats provisioned, used and pending. You can also get reports on the aggregated password health history of your team.
-Needs team credentials to use this command.
-
 ## Fetch reports
 The following commands take in input the number of days to look back for the password health history. The default is 0 day.
diff --git a/src/index.ts b/src/index.ts
index 4b7feac0..620aa6da 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -206,8 +206,8 @@ teamGroup
 .command('logs')
 .alias('l')
 .description('List audit logs')
- .option('--start ', 'start timestamp', '0')
- .option('--end ', 'end timestamp', 'now')
+ .option('--start ', 'start timestamp in ms', '0')
+ .option('--end ', 'end timestamp in ms (use "now" to get the current timestamp)', 'now')
 .option('--type ', 'log type')
 .option('--category ', 'log category')
 .action(async (options: { start: string; end: string; type: string; category: string }) => {
@@ -216,7 +216,7 @@ teamGroup
 }
 const { start, type, category } = options;
- const end = options.end === 'now' ? Math.floor(Date.now() / 1000).toString() : options.end;
+ const end = options.end === 'now' ? Date.now().toString() : options.end;
 const { db } = await connectAndPrepare({ autoSync: false });
 await getAuditLogs({
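Review bot: The option descriptions now promise millisecond timestamps, but the `.action` handler on the last line of the `@@ -206,8 +206,8 @@` hunk still types `start` and `end` as plain strings and no line in this hunk checks that they are digits before they reach `getAuditLogs` (the handler's body continues past the hunk; the following hunk only maps the literal `now`). Because that following hunk also drops the `/ 1000`, a caller that still passes seconds gets a silently wrong time window rather than an error, and the same goes for any non-numeric value. A two-line guard at the top of the handler would close both cases: `if (!/^\d+$/.test(options.start)) throw new Error('--start must be a timestamp in ms');` and `if (options.end !== 'now' && !/^\d+$/.test(options.end)) throw new Error('--end must be a timestamp in ms');`. Whether `getAuditLogs` already validates these is not visible here, and the empty argument placeholders (`'--start '`) look like an extraction artefact rather than something this commit changed.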