
Auditing events for Activity Tracker

As a security officer, auditor, or manager, you can use the Activity Tracker service to track how users and applications interact with the Activity Tracker service in IBM Cloud®.

As of 28 March 2024 the IBM Log Analysis and IBM Cloud Activity Tracker services are deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs, which replaces these two services, prior to 30 March 2025.

Activity Tracker records user-initiated activities that change the state of a service in IBM Cloud. You can use this service to investigate abnormal activity and critical actions and to comply with regulatory audit requirements. In addition, you can be alerted about actions as they happen. The events that are collected comply with the Cloud Auditing Data Federation (CADF) standard. For more information, see the getting started tutorial for Activity Tracker.

Activity Tracker automatically generates events so that you can track activity on your service instance.

Management events

Account settings

Table 6. Events for account settings actions
| Action | Description |
|---|---|
| logdnaat.account.update | This event is generated when an administrator turns on or off a feature for an auditing instance. |

The following table lists custom fields that are included in these events:

Table 7. Custom fields for account settings actions
| Custom fields | Valid values | Description |
|---|---|---|
| requestData.owneremail | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@logdna.ibm.com | Defines an Activity Tracker account. |
| requestData.type | meta.addrawline | Defines an Activity Tracker administrative feature. |
| requestData.value | false, true | When set to true, the feature specified in the field requestData.type is enabled. |
| responseData.logdnaId | Sample 3a941d8ert | Defines the Activity Tracker ID that is associated with the Activity Tracker instance. |

Archiving

Table 8. Events for archiving actions
| Action | Description |
|---|---|
| logdnaat.account-archive-setting.configure | This event is generated when an administrator configures archiving for an auditing instance. |

The following table lists custom fields that are included in these events:

Table 9. Custom fields for archiving actions
| Custom fields | Valid values | Description |
|---|---|---|
| requestData.feature | archive | Defines an Activity Tracker administrative feature. |
| requestData.isEnabled | false, true | Defines if archiving of the auditing instance to a COS bucket is configured. When set to true, archiving is enabled. |
| requestData.provider | ibm | Defines the Cloud provider where data is archived. |
| responseData.logdnaId | Sample 3a941d8ert | Defines the Activity Tracker ID that is associated with the Activity Tracker instance. |

Exclusion rules

Table 10. Events for exclusion rules actions
| Action | Description |
|---|---|
| logdnaat.exclusion-rule.create | This event is generated when an administrator creates an exclusion rule through the UI. |
| logdnaat.exclusion-rule.update | This event is generated when an administrator updates an exclusion rule through the UI. |
| logdnaat.exclusion-rule.delete | This event is generated when an administrator deletes an exclusion rule through the UI. |

The following table lists custom fields that are included in exclusion rule events:

Table 11. Custom fields for exclusion rules actions
| Custom fields | Description |
|---|---|
| feature | Defines an Activity Tracker administrative feature. Valid value is exclusion-rule. |
| ruleId | Defines the ID of the rule. |
| isEnabled | Defines when the exclusion rule is enabled. Set to true when the rule is enabled. |
| requestData.hosts | Defines 1 or more hosts whose data is excluded from search. |
| requestData.apps | Defines 1 or more apps whose data is excluded from search. |
| requestData.query | Defines an advanced query to refine the data that is excluded from search. |
| requestData.description | Description of the exclusion rule. |
| requestData.indexonly | Defines whether the data is available to see through the UI. Set to true when data is visible but not available for search. |
| responseData.logdnaId | Defines the Activity Tracker ID that is associated with the Activity Tracker instance. |

Ingestion keys

Table 12. Events for ingestion keys actions
| Action | Description |
|---|---|
| logdnaat.ingestion-key.create | This event is generated when an administrator creates an ingestion key through the UI. |
| logdnaat.ingestion-key.delete | This event is generated when an administrator deletes an ingestion key through the UI. |

The following table lists custom fields that are included in these events:

Table 13. Custom fields for ingestion keys actions
| Custom fields | Valid values | Description |
|---|---|---|
| requestData.key | Masked field | Use this field to identify the ingestion key that is created. |
| requestData.keyType | ingestion | Defines the type of key that is configured. |
| responseData.logdnaId | Sample 3a941d8ert | Defines the Activity Tracker ID that is associated with the Activity Tracker instance. |

Service keys

Table 14. Events for service keys actions
| Action | Description |
|---|---|
| logdnaat.service-key.create | This event is generated when an administrator creates a service key through the UI. |
| logdnaat.service-key.delete | This event is generated when an administrator deletes a service key through the UI. |

The following table lists custom fields that are included in these events:

Table 15. Custom fields for service keys actions
| Custom fields | Valid values | Description |
|---|---|---|
| requestData.key | Masked field | Use this field to identify the service key that is created to export data by using the Activity Tracker export API. |
| requestData.keyType | service | Defines the type of key that is configured. |
| responseData.logdnaId | Sample 3a941d8ert | Defines the Activity Tracker ID that is associated with the Activity Tracker instance. |

Streaming events

Table 16. Events for streaming actions
| Action | Description |
|---|---|
| logdnaat.streaming-configuration.validate | This event is generated when you configure the connection in Activity Tracker to Event Streams. |
| logdnaat.streaming-samples.send | This event is generated when sample data is sent to verify the connection. |
| logdnaat.account-streaming-setting.configure | This event is generated when you start streaming. |
| logdnaat.streaming-configuration.deactivate | This event is generated when you stop streaming. |
| logdnaat.streaming-logs.send | This event is generated when there is a failure streaming data. |
| logdnaat.exclusion-rule.create | This event is generated when a streaming exclusion rule is configured. |
| logdnaat.exclusion-rule.delete | This event is generated when a streaming exclusion rule is deleted. |

Parsing templates

Table 17. Events for parsing templates actions
| Action | Description |
|---|---|
| logdnaat.parsing-template.create | This event is generated when an administrator creates a parsing template through the UI. |
| logdnaat.parsing-template.update | This event is generated when an administrator updates a parsing template through the UI. |
| logdnaat.parsing-template.delete | This event is generated when an administrator deletes a parsing template through the UI. |

The following table lists custom fields that are included in these events:

Table 18. Custom fields for parsing templates actions
| Custom fields | Description |
|---|---|
| requestData.feature | Defines an Activity Tracker administrative feature. Valid value is custom-parsing. |
| requestData.isEnabled | Defines when the template is enabled. Set to true when the template is enabled. |
| requestData.name | Defines the name of the template. This field is available for create actions. |
| requestData.query | Defines the query that is configured to identify log lines where the custom parsing is applied. |
| requestData.templateId | Defines the ID of the template. This field is available for update actions. |
| responseData.logdnaId | Defines the Activity Tracker ID that is associated with the Activity Tracker instance. |

Configuration

Table 19. Events for user-metadata related actions
| Action | Description |
|---|---|
| logdnaat.configuration.import | This event is generated when an administrator imports user-metadata such as views and alerts through the UI. |
| logdnaat.configuration.export | This event is generated when an administrator exports user-metadata such as views and alerts through the UI. |

The following table lists custom fields that are included in these events:

Table 20. Custom fields for user-metadata related actions
| Custom fields | Description |
|---|---|
| feature | Defines an Activity Tracker administrative feature. Valid value is export-configuration. |
| requestData.configResources | Defines the list of resources that a user chooses to export or import. |
| responseData.logdnaId | Defines the Activity Tracker ID that is associated with the Activity Tracker instance. |

Data events

Views

Table 21. Events for views
| Action | Description |
|---|---|
| logdnaat.view.create | This event is generated when a view is created. |
| logdnaat.view.update | This event is generated when a view is updated. This event is also generated when an alert is attached to or detached from a view. |
| logdnaat.view.delete | This event is generated when a view is deleted. |

The following table lists custom fields that are included in these events:

Table 22. Custom fields for view actions
| Custom fields | Description |
|---|---|
| requestData.name | Defines the name of the view. |
| requestData.query | Defines the search query that is applied to filter data in the view. |
| requestData.hosts | Defines the list of hosts that are selected and whose data is included in the view. |
| requestData.apps | Defines the list of apps that are selected and whose data is included in the view. |
| requestData.levels | Defines the list of levels that are selected and whose data is included in the view. |
| requestData.category | Defines the category where the view is included. |
| requestData.viewId | Defines the view ID. |
| requestData.description | Describes the view. |
| requestData.customLine | Describes how the information is displayed in the view. |
| responseData.logdnaId | Defines the Activity Tracker ID that is associated with the Activity Tracker instance. |

Presets (alerts)

Table 23. Events for alerts
| Action | Description |
|---|---|
| logdnaat.alert.create | This event is generated when an alert is created as a preset. |
| logdnaat.alert.update | This event is generated when an alert is updated. |
| logdnaat.alert.delete | This event is generated when an alert is deleted. |

The following table lists custom fields that are included in these events:

Table 24. Custom fields for view actions
| Custom fields | Description |
|---|---|
| requestData.alertId | Defines the preset ID. |
| requestData.name | Defines the name of the preset. |
| requestData.preset | Defines whether the alert is defined as a preset. |
| requestData.channels | List of channels that are configured in a preset. Each channel includes information about the notification method and the trigger conditions per method. |
| responseData.logdnaId | Defines the Activity Tracker ID that is associated with the Activity Tracker instance. |

Dashboards

Table 25. Events for dashboards
| Action | Description |
|---|---|
| logdnaat.board.create | This event is generated when a dashboard is created. |
| logdnaat.board.delete | This event is generated when a dashboard is deleted. |
| logdnaat.board-graph.update | This event is generated when a graph is added to a dashboard. |

The following table lists custom fields that are included in these events:

Table 26. Custom fields for boards
| Custom fields | Description |
|---|---|
| requestData.boardId | Defines the ID of the dashboard. |
| requestData.category | Defines the category where the board is included. |
| requestData.title | Defines the name of the dashboard. |
| requestData.graphId | Defines the ID of a graph that is added to a board. |
| responseData.logdnaId | Defines the Activity Tracker ID that is associated with the Activity Tracker instance. |

Viewing events

Events that are generated by an instance of the Activity Tracker service are automatically forwarded to the Activity Tracker service instance that is available in the same location. For more information, see Cloud services locations.

Activity Tracker can have only one instance per location. To view events, you must access the web UI of the Activity Tracker service in the same location where your service instance is available. For more information, see Launching the web UI through the IBM Cloud UI.

Analyzing events

For Activity Tracker hosted event search offerings, events report only success outcomes.

For Activity Tracker hosted event search offerings, events that report update actions do not include information about the delta of the change.
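
The following is an added example, not part of the IBM documentation: one way to triage the management events listed on this page for changes that reduce audit visibility, taking into account that update events carry no delta. It assumes events are exported as JSON lines with the action in action, the initiator in initiator.name, and the custom fields nested under requestData; the sample events are constructed.

```python
import json

# Actions from the tables on this page that always merit review.
REVIEW = {
    "logdnaat.exclusion-rule.create": "exclusion rule created",
    "logdnaat.exclusion-rule.update": "exclusion rule changed",
    "logdnaat.streaming-configuration.deactivate": "streaming stopped",
    "logdnaat.service-key.create": "service key created (export API)",
}

def as_bool(value):  # JSON boolean or "true"/"false" string (encoding is assumed)
    return value if isinstance(value, bool) else str(value).strip().lower() == "true"

def triage(event):
    """Return review findings for one event dict (empty list: nothing to review)."""
    action = event.get("action", "")
    req = event.get("requestData") or {}
    findings = [REVIEW[action]] if action in REVIEW else []
    if action == "logdnaat.account-archive-setting.configure" and not as_bool(req.get("isEnabled", True)):
        findings.append("archiving disabled")
    if action == "logdnaat.account.update" and not as_bool(req.get("value", True)):
        findings.append(f"feature {req.get('type', '?')} turned off")
    if action.endswith(".update"):
        findings.append("no delta in event: compare with previous state")
    return findings

def triage_stream(lines):
    """Parse JSON lines; return (initiator, action, findings) per flagged event."""
    flagged = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON
        findings = triage(event) if isinstance(event, dict) else []
        if findings:
            who = (event.get("initiator") or {}).get("name", "unknown")  # assumed layout
            flagged.append((who, event["action"], findings))
    return flagged

# Constructed sample events, not real output from the service.
SAMPLE = [
    '{"action": "logdnaat.account-archive-setting.configure", "initiator": {"name": "alice@example.com"}, "requestData": {"feature": "archive", "isEnabled": false, "provider": "ibm"}}',
    '{"action": "logdnaat.exclusion-rule.update", "initiator": {"name": "bob@example.com"}, "requestData": {"query": "app:billing"}}',
    '{"action": "logdnaat.view.create", "requestData": {"name": "errors"}}',
    '{"action": "logdnaat.account.update", "requestData": {"type": "meta.addrawline", "value": "false"}}',
    "not json",
]
for row in triage_stream(SAMPLE):
    print(row)
```

Because only success outcomes are reported, failed attempts to make these changes do not appear in this stream and cannot be detected this way.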