Retrieving Access Control Events and Logs via REST API

alimul · May 5, 2026, 5:28am

We are currently working on security monitoring system and would like to understand the available options for retrieving access-related logs using the Milestone XProtect REST API.
For testing purposes, we are using XProtect Essential+ and can successfully authenticate and retrieve camera/site information using the /api/rest/v1/ endpoints. However, we would like to confirm the feasibility and requirements for retrieving the following data for a production environment:

Access attempt logs
Unauthorized or invalid credential attempts
Door forced-open or tamper events
Any audit logs related to ACM activity
API access for historical access event data
Could you please provide guidance on the following:

Tier Support: Is the XProtect Access module and the extraction of ACM event logs supported in this tier, or is an upgrade to a higher tier required to enable these features?
Permissions & Configuration: What are the exact Management Client permissions required to allow our API user to retrieve these specific log and event types?
Time-Range Filtering Syntax: What is the correct API syntax for retrieving historical events over a prolonged period ?
Any documentation references, examples of the expected JSON event payload structure, or best practices for retrieving these events would be greatly appreciated.

Thank you for your assistance!

Anders_Bent_Christensen · May 5, 2026, 7:30am

Hi, you should consider to use the WebSocket variant, as you here can subscribe on what you like to see , and dont need to do any polling

Bo_Ellegard_Andersen · May 5, 2026, 10:38am

Two forms of information is involved here and they are treated very different in the XProtect VMS.

Audit logs.

These can be retrieved using the MIP SDK, you can see it in the Log Reader sample. There is no method for using the Rest API.
In XProtect 2026R1 and newer the audit logging is modernized and you can use OpenTelemetry, read about it here: Milestone Documentation Portal
My guess that OpenTelemetry will open up for a more modern integration for you.

Access control events.

Subscribing or retrieving events that are stored, most events are per default not stored and you might need to modify the Alarms and Events options.
There is a Rest API and there is a Events & State API (Websocket). MIPVMSAPI documentation.
Samples:

I agree with the previously posted recommendation to use the Events & State API (Websocket).