Report Types

Learn about reporting with Commander

About

Commander provides the ability to run a variety of reports using event data and compliance data.

Common Reports

A few examples of the types of reports that Commander can run include the following:

  • Find users that have not logged in for X days

  • See the last time each user logged in

  • Find users that have not created or updated any records in X days

  • See all record UIDs that have been accessed by a user

  • Determine which shared folders a team has access to

  • Determine which record passwords have NOT been changed in X days

Saving Reports to a File

All reports in Commander can be saved to a file. To do this, add the following options to any report command:

--format This option tells Commander what form to return the report in. The options are json, csv, and table (which is the default view).

--output This option tells Commander the name of the file to save the report output to. If the given file does not exist, it will be created.

Examples

Save a report as a CSV for use with Microsoft Excel or Google Sheets.

share-report --shared-folders --format csv --output "shared_folder_report_results.csv"

Save a report as a JSON file for use with scripts.

user-report --format json --output "user_report.json"

Where are files saved?

When Commander creates a file it can be saved in one of a few places depending on how Commander is being run and what options were used.

Default Commander File Locations

If you are using the application version of Commander, files are saved to your user directory by default. That is C:\users\username for Windows and /Users/username for macOS.

If you are using Commander from the command line/terminal then files will be saved in the current directory by default.

Setting Specific Locations

When creating a file with Commander, if you provide a path before the filename, Commander will create the file in the specified location. Paths can be relative or absolute. For example:

[...] --output "/reports/report.csv" will put the file in a folder called "reports" relative to the default location (so /Users/username/reports/ in the application version, and <current directory>/reports/ if using the command line).

[...] --output "C:\reports\report.csv" will place the file in a folder named "reports" on the C: drive (if on Windows).

Report Types

Learn more about the reports that Commander can run. Click an option from this list to see the command documentation.

Command                Explanation
---------------------  ---------------------------------------------------------------------------------------
action-report          Show users that haven't performed a specific action in a given number of days
aging-report           Display a report of password changes and search for records that have NOT been changed
audit-log              Export the enterprise audit and event logs
audit-report           Show a customized report of audit events
compliance-report      See information about records in vaults of users across the enterprise
msp-license-report     Display information on managed company plans and available licenses
security-audit-report  Show report of password security strength for each user in the enterprise
share-report           Display information about shared records
shared-records-report  Show a report of shared records in the logged-in Keeper vault
user-report            Show a report of user logins

Common Reports in Detail

Find Users that have not Logged in

Requires the ARAM add-on

action-report --target no-logon

By default this looks back 30 days (results are all users that have not logged in in 30 days). The number of days to look back for can be changed with the flag: --days X where "X" is the number of days to use.

Example
My Vault> action-report --target no-logon

Admin Action Taken:
        COMMAND: None
        STATUS: n/a
        SERVER MESSAGE: n/a
        AFFECTED: 0

3 Users With "no-logon" Status Older Than 30 Day(s):

username
-----------------------------------------
john.smith@examplecorp.com
jane.doe@examplecorp.com
chris.apple@examplecorp.com

See the last time each user logged in

user-report --last-login

To include more details, such as the user's team(s) and node, run user-report without --last-login.

Example
My Vault> user-report --last-login
Querying latest login for the last 365 days
Email                                      Name                                       Status    Transfer Status    Last Login
-----------------------------------------  -----------------------------------------  --------  -----------------  -------------------------
john.smith@examplecorp.com                 John Smith                                 Active                       2022-08-22 12:33:03-05:00
chris.apple@examplecorp.com                Chris Apple                                Invited
sam.strong@examplecorp.com                 Samantha Strong                            Active                       2022-08-09 13:03:31-05:00
jane.doe@examplecorp.com                   Jane Doe                                   Active                       2022-10-10 09:07:34-05:00
admin+comms@examplecorp.com                Communication Admin                        Active

Find users that have not created or updated any records

Requires the ARAM add-on

action-report --target no-update

By default this looks back 30 days (results are all users that have not created or updated records in 30 days). The number of days to look back for can be changed with the flag: --days X where "X" is the number of days to use.

Example
My Vault> action-report --target no-update

Admin Action Taken:
        COMMAND: None
        STATUS: n/a
        SERVER MESSAGE: n/a
        AFFECTED: 0

3 Users With "no-update" Status Older Than 30 Day(s):

username
-----------------------------------------
john.smith@examplecorp.com
jane.doe@examplecorp.com
chris.apple@examplecorp.com

See all records accessed by a user

Requires ARAM add-on and Compliance Reports add-on

compliance record-access-report <USERNAME>

Replace <USERNAME> with the username or email address of the user whose access history you want to see.

Example
My Vault> compliance record-access-report john.smith@examplecorp.com
Loading record information.....
Record UID              Record Title                       Record URL                         Record Owner                IP Address       Device             Last Access
----------------------  ---------------------------------  ---------------------------------  -------------------------   ---------------  -----------------  -------------------
x4AOxLwR5tSA7u5R9Bwplw  wifi details                                                          john.smith@examplecorp.com  11.00.001.001    Web App 16.7.3     2022-10-13 12:38:33
xrnnK1HWSLMVh_irjIGAJw  SAP Connect                                                           john.smith@examplecorp.com  11.00.001.001    Commander 16.7.0   2022-10-13 12:12:46
xB36NT_lPxestkuCCg_35w                                                                                                    11.00.001.001    Web App 16.8.0     2022-10-07 09:39:10
U7YOaZv4pmLXGfTHPXuvaA                                                                                                    11.00.001.001    Commander 16.7.0   2022-10-05 15:09:43
a9TshEIoSluKXAccdJhHIQ  Dropbox                            dropbox.com/login                  sam.strong@examplecorp.com  11.00.001.001    Commander 16.7.0   2022-10-05 15:09:31
6wSYfG9UeHTzDDSIGeuiyg  Twitter                            https://www.twitter.com            john.smith@examplecorp.com  11.00.001.001    Commander 16.7.0   2022-10-05 15:09:25
o6BJUKCGLa7mmMApzPjw4A  KCM Connect SSH                    127.0.0.1                          john.smith@examplecorp.com  11.00.001.001    Commander 16.7.0   2022-10-05 15:09:14

See What Shared Folders Teams Have Access To

Requires Compliance Reports add-on

compliance team-report

Example
My Vault> compliance team-report
Loading compliance data....:...:...:...:...:...:...:...:...:...:...:...:...:

Team Name    Shared Folder Name     Shared Folder UID       Permissions
-----------  --------------------   ----------------------  -------------
Comms-Team   Comms Team Logins      8-2gk4cde5hWN5q7ENwpCA  read-only
Engineering  Deployment Credentials 3kf9kd4e5hWdN5q7Ed9fS0  can-edit
Management   Finances Logins        dO9S0cMQ_kPYAsUYILVlSA  can-share

Determine which record passwords have NOT been changed

Requires Compliance Reports add-on

aging-report

Example
My Vault> aging-report --format=table --period=1y

Owner            Record Title  Last Password Change    Shared    Record URL
---------------  ------------  ----------------------  --------  ----------
user1@company.com  Hilton      2020-05-14 12:41:48     False     https://...
user1@company.com  AlienVault  2020-02-04 12:30:35     True      https://...             
user1@company.com  TripAdvisor 2020-07-08 15:22:55     False     https://...             
user2@company.com  Amazon      ---                     False     https://...                
user2@company.com  Kayak       2021-05-25 09:13:56     False     https://...             
user2@company.com  Amazon      ---                     False     https://...
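
Post-processing a saved aging report

The following is an added example, not part of Keeper's documentation or Commander itself. It shows one way to triage an aging report saved with --format csv and --output: records whose password is older than a threshold or was never changed are listed with shared records first. It assumes the CSV header names match the table column titles above and that a never-changed password appears as "---" or an empty cell; the sample rows are constructed from the table output above.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample modelled on the table output above. The header names are
# an assumption: they are taken from the table's column titles.
SAMPLE_CSV = """Owner,Record Title,Last Password Change,Shared,Record URL
user1@company.com,Hilton,2020-05-14 12:41:48,False,https://...
user1@company.com,AlienVault,2020-02-04 12:30:35,True,https://...
user2@company.com,Amazon,---,False,https://...
user2@company.com,Kayak,2021-05-25 09:13:56,False,https://...
"""

NEVER = {"", "---", "none"}  # assumed renderings of "no recorded change"


def parse_changed(value):
    """Return a datetime, or None when the password was never changed."""
    value = (value or "").strip()
    if value.lower() in NEVER:
        return None
    # Keep only "YYYY-MM-DD HH:MM:SS"; ignores any trailing UTC offset.
    return datetime.strptime(value[:19], "%Y-%m-%d %H:%M:%S")


def stale_records(csv_text, max_age_days, now):
    """Rows older than max_age_days or never changed, ordered for review:
    shared records first, then never-changed, then oldest change first."""
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        changed = parse_changed(row["Last Password Change"])
        if changed is not None and changed >= cutoff:
            continue  # changed recently enough
        findings.append({
            "owner": row["Owner"],
            "title": row["Record Title"],
            "shared": row["Shared"].strip().lower() == "true",
            "changed": changed,
            "age_days": None if changed is None else (now - changed).days,
        })
    findings.sort(key=lambda f: (not f["shared"], f["changed"] is not None,
                                 f["changed"] or datetime.min))
    return findings


if __name__ == "__main__":
    for f in stale_records(SAMPLE_CSV, 365, datetime(2021, 12, 1)):
        age = "never changed" if f["age_days"] is None else f"{f['age_days']} days"
        flag = "SHARED" if f["shared"] else "private"
        print(f"{f['owner']:20} {f['title']:12} {flag:8} {age}")
```

To run it against a real export, read the saved file's text and pass it in place of SAMPLE_CSV, with datetime.now() as the reference time.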
Last updated 10 months ago
action-report
aging-report
audit-log
audit-report
compliance-report
msp-license-report
security-audit-report
shared-records-report
share-report
user-report