Activity tracking events for Container Registry
IBM Cloud services, such as IBM Cloud® Container Registry, generate activity tracking events.
Activity tracking events report on activities that change the state of a service in IBM Cloud. You can use the events to investigate abnormal activity and critical actions and to comply with regulatory audit requirements.
You can use IBM Cloud Activity Tracker Event Routing, a platform service, to route auditing events in your account to destinations of your choice by configuring targets and routes that define where activity tracking events are sent. For more information, see About IBM Cloud Activity Tracker Event Routing.
You can use IBM Cloud Logs to visualize and alert on events that are generated in your account and routed by IBM Cloud Activity Tracker Event Routing to an IBM Cloud Logs instance.
As of 28 March 2024, the IBM Cloud Activity Tracker service is deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs before 30 March 2025. During the migration period, customers can use IBM Cloud Activity Tracker along with IBM Cloud Logs. Activity tracking events are the same for both services. For more information about migrating from IBM Cloud Activity Tracker to IBM Cloud Logs and running the services in parallel, see migration planning.
Locations where activity tracking events are generated
You can track how users and applications interact with the IBM Cloud Container Registry service. The following tables list the locations where the automatic collection of Container Registry service events is enabled.
Locations in Americas | Service events available |
---|---|
Dallas (us-south) | Yes |
Sao Paulo (br-sao) | Yes |
Toronto (ca-tor) | Yes |
Locations in Asia Pacific | Service events available |
---|---|
Osaka (jp-osa) | Yes |
Sydney (au-syd) | Yes |
Tokyo (jp-tok) | Yes |
Locations in Europe | Service events available |
---|---|
Frankfurt (eu-de) | Yes |
London (eu-gb) | Yes |
Madrid (eu-es) | Yes |
Location for Global | Service events available |
---|---|
Global | Yes |
For more information about where to find Container Registry events, see Viewing activity tracking events for Container Registry.
Locations where activity tracking events are sent to IBM Cloud Activity Tracker hosted event search
Container Registry sends activity tracking events to the IBM Cloud Activity Tracker hosted event search in the regions that are indicated in the following tables.
The region in which a Container Registry or a Vulnerability Advisor event is available corresponds to the region of the Container Registry that generated the event, except for ap-south. Events for ap-south show in Tokyo (jp-tok).
The following table shows the location of IBM Cloud Activity Tracker events.
Region for your account's registry | Domain name of your registry | Location of IBM Cloud Activity Tracker events |
---|---|---|
ap-north | jp.icr.io | Tokyo (jp-tok) |
ap-south | au.icr.io | Tokyo (jp-tok) |
br-sao | br.icr.io | Sao Paulo (br-sao) |
ca-tor | ca.icr.io | Toronto (ca-tor) |
eu-central | de.icr.io | Frankfurt (eu-de) |
eu-es | es.icr.io | Madrid (eu-es) |
jp-osa | jp2.icr.io | Osaka (jp-osa) |
uk-south | uk.icr.io | London (eu-gb) |
us-south | us.icr.io | Dallas (us-south) |
The following table shows the location of global registry IBM Cloud Activity Tracker events.
Registry | Global registry | Location of IBM Cloud Activity Tracker events |
---|---|---|
Global | icr.io | Dallas (us-south) |
Locations where activity tracking events are sent by IBM Cloud Activity Tracker Event Routing
Container Registry sends activity tracking events by IBM Cloud Activity Tracker Event Routing in the regions that are indicated in the following tables.
Dallas (us-south) | Washington (us-east) | Toronto (ca-tor) | Sao Paulo (br-sao) |
---|---|---|---|
Yes | Yes (global) | Yes | Yes |
Tokyo (jp-tok) | Sydney (au-syd) | Osaka (jp-osa) |
---|---|---|
Yes | Yes | Yes |
Frankfurt (eu-de) | London (eu-gb) | Madrid (eu-es) |
---|---|---|
Yes | Yes | Yes |
Viewing activity tracking events for Container Registry
You can use IBM Cloud Logs to visualize and alert on events that are generated in your account and routed by IBM Cloud Activity Tracker Event Routing to an IBM Cloud Logs instance.
Launching IBM Cloud Logs from the Observability page
For information about launching the IBM Cloud Logs UI, see Launching the UI in the IBM Cloud Logs documentation.
Account management events
Actions that generate account management events for authorization, plans, quotas, and settings.
Action | Description |
---|---|
container-registry.auth.get | Check whether the use of public connections is prevented for image pushes or pulls in your account. |
container-registry.auth.set | Prevent or allow image pulls or pushes over public network connections for your account. |
container-registry.plan.get | Display information about the current pricing plan. |
container-registry.plan.set | Upgrade to the standard plan. |
container-registry.quota.get | Display the current quotas for traffic and storage, and the usage information against those quotas. |
container-registry.quota.set | Modify the quotas. Quota settings must be managed separately for your account in each registry instance. You can set quota limits for storage in your free or standard plan. |
container-registry.settings.get | Get registry service settings for the targeted account, such as whether platform metrics are enabled. |
container-registry.settings.set | Update registry service settings for the targeted account, such as enabling platform metrics. |
Events for images
The following table shows actions that generate management and data events for images.
Action | Description |
---|---|
container-registry.image.inspect | Display details about an image. |
container-registry.image.list | List the images in your IBM account. |
container-registry.image.tag | Add a tag that refers to a pre-existing Container Registry image. |
container-registry.image.untag | Remove a tag, or tags, from each specified image in Container Registry. |
container-registry.manifest.inspect | View the contents of the manifest for an image. |
container-registry.retention.analyze | List the images that are deleted if you apply a specific retention policy. |
container-registry.retention.list | List the image retention policies for your account. |
container-registry.retention.set | Set a policy to retain images in a namespace in Container Registry by applying specified criteria. |
container-registry.trash.list | Display all the images in the trash in your IBM Cloud account. |
container-registry.trash.restore | Restore a deleted image from the trash. If the deleted image is signed, the signature is restored too. |
Action | Description |
---|---|
container-registry.image.bulkdelete | Delete multiple images from Container Registry. If the image is signed, the signature is deleted as well. |
container-registry.image.delete | Delete an image from Container Registry. If the image is signed, the signature is deleted as well. |
container-registry.image.pull | Pull an image from Container Registry. |
container-registry.image.push | Push an image to Container Registry. |
container-registry.signature.delete | Delete a signature from an image in Container Registry. |
container-registry.signature.read | Read a signature from an image in Container Registry. |
container-registry.signature.write | Write a signature to an image in Container Registry. |
Events for namespaces
The following table shows actions that generate management events for namespaces.
Action | Description |
---|---|
container-registry.namespace.create | Create a namespace in Container Registry. |
container-registry.namespace.delete | Delete a namespace from Container Registry. |
container-registry.namespace.list | List the Container Registry namespaces in your IBM account. |
Events for vulnerabilities
The following table shows actions that generate management events for vulnerabilities and Vulnerability Advisor exemption policies.
Action | Description |
---|---|
container-registry.account-vulnerability-report.list | View the Vulnerability Advisor reports for images in your Container Registry account. For more information about request data, see Request data for the account vulnerability report. |
container-registry.account-vulnerability-status.list | View Vulnerability Advisor security status for images in your Container Registry account. For more information about request data, see Request data for the account vulnerability status. |
container-registry.image-vulnerability-report.read | View the Vulnerability Advisor report for an image in Container Registry. For more information about request and response data, see Request and response data for the vulnerability report. |
container-registry.image-vulnerability-status.read | View the Vulnerability Advisor security status for an image in Container Registry. For more information about request and response data, see Request and response data for the vulnerability status. |
container-registry.exemption.create | Create a Vulnerability Advisor exemption. |
container-registry.exemption.delete | Delete a Vulnerability Advisor exemption. |
Analyzing Container Registry activity tracking events
The following fields are populated as described, depending on how you populate the request:
- target.name shows the image name and, if you request an image name with a tag, a tag. If you request an image name by digest, the digest is shown instead of the tag because the digest might have many tags.
- target.id shows the image name by digest to represent a searchable unique ID for the image, unless the request is for an image with a tag and the request fails before the digest is discovered. To see all the events for this digest across all tags, you can search by target.id.
- target.resourceGroupId shows the resource group ID that is associated with a namespace and its resources. For more information, see Set up a namespace. Earlier namespaces that aren't migrated to IAM don't have a resource group; therefore, this field is not available.
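The following Python sketch is an added example, not IBM code. It correlates image events by target.id across tags and separates the two edge cases described above: a tagged request that failed before the digest was discovered, and a namespace without a resource group. The nested event layout, the "@sha256:" form of target.id, and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict

# Image-scoped actions from this page's tables that remove images, tags or signatures.
IMAGE_CHANGING = {
    "container-registry.image.delete",
    "container-registry.image.bulkdelete",
    "container-registry.image.untag",
    "container-registry.signature.delete",
}

def _ev(action, name, tid, rg=None):
    """Build one constructed event; the nested 'target' layout is an assumption."""
    target = {"name": name, "id": tid}
    if rg:
        target["resourceGroupId"] = rg
    return {"action": action, "target": target}

# Constructed sample data (placeholder digests, hypothetical names).
ID1 = "us.icr.io/ns/app@sha256:" + "ab" * 32
ID2 = "us.icr.io/old/app@sha256:" + "cd" * 32
SAMPLE = [
    _ev("container-registry.image.push", "us.icr.io/ns/app:1.0", ID1, "rg-1"),
    _ev("container-registry.image.tag", "us.icr.io/ns/app:latest", ID1, "rg-1"),
    _ev("container-registry.signature.delete", "us.icr.io/ns/app:latest", ID1, "rg-1"),
    _ev("container-registry.image.pull", ID1, ID1, "rg-1"),  # requested by digest
    # Tagged request that failed before the digest was discovered:
    _ev("container-registry.image.pull", "us.icr.io/ns/app:missing",
        "us.icr.io/ns/app:missing", "rg-1"),
    # Namespace not migrated to IAM: no resource group ID on the event.
    _ev("container-registry.image.delete", "us.icr.io/old/app:2", ID2),
]

def correlate(events):
    """Return (events grouped by digest ID, events without a digest, events without a resource group)."""
    by_digest, unresolved, no_rg = defaultdict(list), [], []
    for ev in events:
        target = ev.get("target", {})
        tid = target.get("id", "")
        (by_digest[tid] if "@sha256:" in tid else unresolved).append(ev)
        if not target.get("resourceGroupId"):
            no_rg.append(ev)
    return by_digest, unresolved, no_rg

def removals_by_digest(events):
    """Map each digest ID to (action, requested name) pairs for image-changing actions."""
    by_digest, _, _ = correlate(events)
    hits = {tid: [(e["action"], e["target"]["name"]) for e in evs
                  if e["action"] in IMAGE_CHANGING] for tid, evs in by_digest.items()}
    return {tid: h for tid, h in hits.items() if h}
```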
Request data for vulnerability events
Get the data for vulnerability events in Container Registry.
Request data for the account vulnerability report
Get the vulnerability assessment (container-registry.account-vulnerability-report.list) for the list of registry images that belong to a specific account.
The following table lists the fields that are available through the requestData field in events with the action container-registry.account-vulnerability-report.list.
Custom Event Fields | Type | Description |
---|---|---|
requestData.RequestParameters.repository | String | The name of the repository that you want to see image vulnerability assessments for. For example, us.icr.io/namespace/image. |
requestData.RequestParameters.includeIBM | String | When set to true, the returned list contains IBM public images and the account images. If not set, or set to false, the list contains only the account images. |
requestData.RequestParameters.includePrivate | String | When set to false, the returned list does not contain the private account images. If not set, or set to true, the list contains the private account images. |
For more information about the action container-registry.account-vulnerability-report.list, see Get the vulnerability assessment for all images in the API documentation.
Request data for the account vulnerability status
Get the vulnerability assessment status (container-registry.account-vulnerability-status.list) for the list of registry images that belong to a specific account.
The following table lists the fields that are available through the requestData field in events with the action container-registry.account-vulnerability-status.list.
Custom Event Fields | Type | Description |
---|---|---|
requestData.RequestParameters.repository | String | The name of the repository that you want to see image vulnerability assessments for. For example, us.icr.io/namespace/image. |
requestData.RequestParameters.includeIBM | String | When set to true, the returned list contains IBM public images and the account images. If not set, or set to false, the list contains only the account images. |
requestData.RequestParameters.includePrivate | String | When set to false, the returned list does not contain the private account images. If not set, or set to true, the list contains the private account images. |
For more information about the action container-registry.account-vulnerability-status.list, see Get vulnerability assessment status for all images in the API documentation.
Request and response data for the vulnerability report
Get the vulnerability assessment (container-registry.image-vulnerability-report.read) for a registry image.
The following table lists the fields that are available through the requestData and responseData fields in events with the action container-registry.image-vulnerability-report.read.
Custom Event Fields | Type | Description |
---|---|---|
requestData.RequestParameters.name | String | The name of the image. For example, us.icr.io/namespace/repository:tag. The following constraint applies: The value must match the regular expression |
responseData.id | String | The unique ID of the report. |
responseData.status | String | The following values for the overall vulnerability assessment status are available: For more information about these status codes, see Vulnerability report status codes in the API documentation. |
For more information, see Get vulnerability assessment status in the API documentation.
Request and response data for the vulnerability status
Get the overall vulnerability status (container-registry.image-vulnerability-status.read) for a registry image.
The following table lists the fields that are available through the requestData and responseData fields in events with the action container-registry.image-vulnerability-status.read.
Custom Event Fields | Type | Description |
---|---|---|
requestData.RequestParameters.name | String | The name of the image. For example, us.icr.io/namespace/repository:tag. The following constraint applies: The value must match the regular expression |
responseData.status | String | The following values for the overall vulnerability assessment status are available: For more information about these status codes, see Vulnerability report status codes in the API documentation. |
For more information, see Get vulnerability status in the API documentation.
Request data for image signing events
Get the data for events about image signing in Container Registry.
The following table lists the fields that are available through the requestData field in events with the following actions:
- container-registry.signature.delete
- container-registry.signature.read
- container-registry.signature.write
Custom Event Fields | Type | Description |
---|---|---|
requestData.RequestParameters.repository | String | The name of the repository for which you want to see image signing reports. For example, us.icr.io/namespace/image. |
requestData.RequestParameters.signatureMethod | String | Displays the technology that is used to sign the image, such as Red Hat Signing. |
requestData.RequestParameters.signatureObject | String | Specifies the object type upon which a signing operation is performed, for example, image. |