IBM Cloud Docs
Activity Tracker events

Activity Tracker events

Use the IBM Cloud® Activity Tracker service to track how users and applications interact with the Event Streams service on the Standard and Enterprise plans in IBM Cloud.

The IBM Cloud Activity Tracker service records user-initiated activities that change the state of a service in IBM Cloud. For more information, see Activity Tracker.

Events are formatted according to the Cloud Auditing Data Federation (CADF) standard. For further details of the information they include, see CADF standard.

Topic events

Event Streams instances that are on the Enterprise plan or the Standard plan automatically generate topic events.

The following table lists the topic events:

Table 1. Event Streams topic events
Action Description
event-streams.topic.create An event is created when you create a topic.
event-streams.topic.delete An event is created when you delete a topic.
event-streams.topic.update An event is created when you update a topic's configuration or increase partitions.

Additional information about topic configuration is logged in the update and delete events, for example partitions, retentionMs, and segmentMs.

Message audit events

You can enable message audit events on a per topic basis for Event Streams instances that are on the Enterprise plan. Also, see How to enable message audit events.

The following table lists the message audit events:

Table 2. Event Streams message events
Action Description
event-streams.message.read An event is created when message audit is enabled on a topic and a consumer is reading data from the topic.
event-streams.message.write An event is created when message audit is enabled on a topic and a producer is writing data to the topic.
event-streams.message.delete An event is created when message audit is enabled on a topic and records are deleted from the topic. Records deletion because of retention policy does not generate.

Event Streams can sustain high request rates, so not every request triggers an event. Instead, events are aggregated by initiator (user ID or service ID), host (IP address), operation (read, write, delete), outcome (success or failure), and topic over a 1-hour period.

Other events

Event Streams instances that are on the Enterprise plan automatically generate events so that you can track activity on your service.

Table 3. Event Streams events
Action Description
event-streams.storage-key.read An event is created when access to the disk encryption key in Key Protect changed. If the outcome of this event is success, access to the disk encryption key is restored, and the Event Streams instance is available for use. If the outcome is failure, access to the disk encryption key was withdrawn, and the Event Streams instance is not available for use.
event-streams.storage-key.update The disk encryption key in Key Protect was rotated and the Event Streams instance was updated to use the new key.
event-streams.schema.create A schema or schema version was created or updated in the Event Streams schema registry for the enterprise instance either through the administration API or through the Confluent Serdes.
event-streams.schema.delete A schema or schema version was deleted from the Event Streams schema registry for the enterprise instance.
event-streams.schema-rule.create A new rule or global rule was created in the Event Streams schema registry for the enterprise instance.
event-streams.schema-rule.update An existing rule or global rule was updated in the Event Streams schema registry for the enterprise instance.
event-streams.schema-rule.delete A rule was deleted in the Event Streams schema registry for the enterprise instance.

Where to view the events

Activity Tracker events are available in the Activity Tracker account domain that is available in the IBM Cloud location (region) where the events are generated.

Events that are generated by an instance of the Event Streams service are automatically forwarded to the IBM Cloud Activity Tracker service instance that is available in the same location.

IBM Cloud Activity Tracker can have only one instance per location. To view events, you must access the web UI of the IBM Cloud Activity Tracker service in the same location where your service instance is available. For more information, see Launch the web UI.

How to enable message audit events

Message audit events can be enabled on a per topic basis. To do so, complete the following steps:

  1. Install Event Streams CLI plug-in v2.3 or later:

    ibmcloud plugin install event-streams

  2. Enable message audit on an existing topic:

    ibmcloud es topic-update <topic-name> --config message.audit.enable=true

    Or create a new topic with message audit enabled:

    ibmcloud es topic-create <topic-name> --partitions <number-of-partitions> --config message.audit.enable=true

After the topic's message audit config is updated, it takes about 5 minutes for message audit events to show up in Activity Tracker.

Additionally, be aware of the implications of enabling message audit events:

  1. An internal Kafka topic is used for streaming events to Activity Tracker, thus it uses a small amount of the cluster's network bandwidth and storage. Typically throughput is less than 1 KB/s, and storage does not exceed 1 GB.

  2. Because more events are sent to Activity Tracker, enabling message audit events incurs extra storage costs for Activity Tracker. Each event's size is about 1 KB, see the following rough estimation of how much storage it takes. Assuming that the cluster has 100 topics, each topic has 10 clients actively producing and consuming, and each client runs on three different locations. It then generates 100x10x3=3000 events per hour, so 2 GB per month.