Activity Tracker events
Use the IBM Cloud® Activity Tracker service to track how users and applications interact with IBM Cloud Object Storage (COS).
This feature is not currently supported in Object Storage for Satellite. Learn more.
The IBM Cloud Activity Tracker service records user-initiated activities that change the state of a service in IBM Cloud. For more information, see IBM Cloud Activity Tracker.
By default, COS events that report on global actions such as creation of a bucket are collected automatically. You can monitor global actions through the Activity Tracker instance that is located in the Frankfurt location.
In IBM Cloud Object Storage, you can also monitor management events and COS data events.
- Collection of these events in your account is optional.
- You must configure each bucket to enable management events, or management and data events. Notice that you cannot enable data events only for a bucket.
- To monitor management events, you must configure a bucket and specify the Activity Tracker instance where those events will be collected and forwarded.
- To monitor data events, you must select the option Track data events.
- Each action that a user performs on a COS resource has a unique ID that is included in the event in the
responseData.requestIdfield.
You can use this service to investigate abnormal activity and critical actions, and to comply with regulatory audit requirements. In addition, you can be alerted about actions as they happen. The events that are collected comply with the Cloud Auditing Data Federation (CADF) standard.
Management events
Management events are classified in the following categories:
- Global events
- Resource configuration events
- Bucket events
- Object events
Global events
The following table lists the COS actions that generate a global event. You can monitor this events through the Activity Tracker instance that is available in the Frankfurt location.
| Action | Description |
|---|---|
cloud-object-storage.instance.list |
List the buckets in the service instance |
cloud-object-storage.bucket.create |
Create a bucket in the service instance |
cloud-object-storage.bucket.delete |
Delete a bucket in the service instance |
Resource configuration events
The following table lists the COS resource configuration events:
| Action | Description |
|---|---|
cloud-object-storage.resource-configuration.read |
Read the resource configuration for the bucket |
cloud-object-storage.resource-configuration.update |
Update the resource configuration for the bucket |
Bucket events
The following table lists the COS bucket events:
| Action | Description |
|---|---|
cloud-object-storage.bucket-cors.read |
Get the CORS configuration |
cloud-object-storage.bucket-cors.create |
Create the CORS configuration |
cloud-object-storage.bucket-cors.delete |
Delete the CORS configuration |
cloud-object-storage.bucket-lifecycle.read |
Get the bucket lifecycle configuration |
cloud-object-storage.bucket-lifecycle.create |
Create the bucket lifecycle configuration |
cloud-object-storage.bucket-lifecycle.delete |
Delete the bucket lifecycle configuration |
cloud-object-storage.bucket-acl.read |
Get the bucket ACLA list that statelessly manages inbound and outbound traffic for a subnet through the use of rules. An access control list helps provide security at the subnet level. |
cloud-object-storage.bucket-acl.create |
Create the bucket ACLA list that statelessly manages inbound and outbound traffic for a subnet through the use of rules. An access control list helps provide security at the subnet level. |
cloud-object-storage.bucket-crn.read |
Get the bucket CRN |
cloud-object-storage.bucket-location.read |
Get the bucket location |
cloud-object-storage.bucket-retention.read |
Get the bucket retention |
cloud-object-storage.bucket-retention.create |
Create the bucket retention |
cloud-object-storage.bucket-key-state.update |
Updating a Key Protect root encryption key |
cloud-object-storage.bucket-public-access-block.create |
Add a public ACL block configuration |
cloud-object-storage.bucket-public-access-block.read |
Read a public ACL block configuration |
cloud-object-storage.bucket-public-access-block.delete |
Delete a public ACL block configuration |
For cloud-object-storage.bucket-key-state.update events, the following fields include extra information:
| Field | Description |
|---|---|
requestData.eventType |
The type of lifecycle event that occurred, such as deletion, rotation, and so on |
requestData.requestedKeyState |
The the requested state of the key (enabled or disabled). |
requestData.requestKeyVersion |
The requested version of the key. |
requestData.bucketLocation |
The location of the bucket that uses the key. |
responseData.eventID |
The unique identifier associated with the key lifecycle event. |
responseData.adopterKeyState |
The current state the key (enabled or disabled). |
responseData.adopterKeyVersion |
The current version of the key. |
Object events
The following table lists the COS object events:
| Action | Description |
|---|---|
cloud-object-storage.object-cors.read |
Get the CORS configuration |
cloud-object-storage.object-acl.read |
Get the object ACL |
cloud-object-storage.object-acl.create |
Create the object ACL |
cloud-object-storage.object-retention-legal-hold.list |
List the legal holds on the object |
cloud-object-storage.object-retention-legal-hold.update |
Add or remove object legal hold |
cloud-object-storage.object-retention.update |
Extend the retention time |
cloud-object-storage.object-expire.read |
Get when the object will expire |
Data Events
Data events are classified in the following categories:
- Bucket access events
- Object access events
- Multipart events
- Bucket versioning events
Bucket access events
The following table lists the COS bucket access events:
| Action | Description |
|---|---|
cloud-object-storage.bucket.list |
List the objects in the bucket |
cloud-object-storage.bucket-metadata.read |
Get the metadata for the bucket |
Object access events
The following table lists the COS object access events:
| Action | Description |
|---|---|
cloud-object-storage.object-metadata.read |
Get the metadata for the object |
cloud-object-storage.object.read |
Read the object |
cloud-object-storage.object.create |
Create the object |
cloud-object-storage.object.delete |
Delete the object |
cloud-object-storage.objects.delete |
Delete multiple objects |
cloud-object-storage.object-batch.delete |
Delete an object in a batch |
cloud-object-storage.object-copy.read |
Read the source object to copy |
cloud-object-storage.object-copy.create |
Create the target object from the copy |
cloud-object-storage.object-restore.read |
Read the source object to restore |
cloud-object-storage.object-restore.create |
Create the target object from the restore |
If versioning is enabled for a bucket, then target.versionId will be present for operations that make use of object versions.
For cloud-object-storage.object.delete and cloud-object-storage.object-batch.delete events, the following fields include extra information:
| Field | Description |
|---|---|
responseData.deleteMarker.created |
The object has been versioned and replaced with a delete marker. |
Multipart events
The following table lists the COS multipart events:
| Action | Description |
|---|---|
cloud-object-storage.bucket-multipart.list |
List multipart uploads of objects in a bucket |
cloud-object-storage.object-multipart.list |
List parts of an object |
cloud-object-storage.object-multipart.start |
Initiate a multipart upload of an object |
cloud-object-storage.object-multipart.create |
Create a part of a multipart upload of an object |
cloud-object-storage.object-multipart.complete |
Complete a multipart upload of an object |
cloud-object-storage.object-multipart.delete |
Abort an incomplete multipart upload of an object |
Bucket versioning events
The following table lists the COS versioning events:
| Action | Description |
|---|---|
cloud-object-storage.bucket-versioning.create |
Enable versioning on a bucket |
cloud-object-storage.bucket-versioning.read |
Check versioning status of a bucket |
cloud-object-storage.bucket-versioning.list |
List versions of objects in a bucket |
For cloud-object-storage.bucket-versioning.create events, the following fields include extra information:
| Field | Description |
|---|---|
requestData.newValue.versioning.state |
The versioning state of the bucket (enabled or suspended). |
Viewing events
You can view the Activity Tracker events that are associated with your Object Storage instance by using IBM Cloud Activity Tracker.
You can only provision 1 instance of the IBM Cloud Activity Tracker service per location.
To view events, you must identify the location where events are collected and available for monitoring. Then, you must access the web UI of the IBM Cloud Activity Tracker instance in that location. For more information, see Launching the web UI through the IBM Cloud UI.
Management events
Object Storage global events are forwarded to the IBM Cloud Activity Tracker service instance that is located in Frankfurt.
All other Object Storage management events are forwarded to the IBM Cloud Activity Tracker instance that is associated with the bucket.
To view events, you must access the web UI of the IBM Cloud Activity Tracker instance in the location that is associated with the bucket.
Data events
Object Storage data events are forwarded to the IBM Cloud Activity Tracker instance that is associated with the bucket.
To view events, you must access the web UI of the IBM Cloud Activity Tracker instance in the location that is associated with the bucket.
Analyzing events
Identifying the COS instance ID that generates the event
In the IBM Cloud, you can have 1 or more COS instances.
To quickly identify the COS instance ID in your account that has generated an event, check the field responseData.serviceInstanceId that is set in the responseData field.
Identifying the bucket location
To quickly identify the bucket location, check the field responseData.bucketLocation that is set in the responseData field.
Getting the unique ID of a request
Each action that a user performs on a COS resource has a unique ID.
To get the unique ID of a request to a COS resource, check the field responseData.requestId that is set in the responseData field.
Getting all events for a multipart upload operations
When you upload a large object by using multipart upload operations, each operation generates an event. In each event, the field responseData.uploadId is set to the same value.
To search for all events that are part of a multipart upload operation, you can search for a specific responseData.uploadId value.
Getting all events that are generated for a restore request
A request to restore an object from an archive generates multiple events in COS:
- A read action of the source object. This action generates an event with action cloud-object-storage.object-restore.read.
- A create action of the object into a bucket. This action generates an event with action cloud-object-storage.object-restore.create.
You can use the responseData.requestId field to identify the events that are generated when you restore an object.
Getting all events that are generated for copying an object from one bucket to another
A request to copy an object from one bucket to a different one generates multiple events in COS:
- A read action of the source object. This action generates an event with action cloud-object-storage.object-copy.read.
- A create action of the object into the new bucket. This action generates an event with action cloud-object-storage.object-copy.create.
To collect and monitor all events that report on a copy action across buckets, consider configuring each bucket to collect and forward events to the same Activity Tracker instance in your account.
- If one bucket is not enabled to collect management and data events, you will not receive the event that reports any copy action on that bucket.
- If you configure different Activity Tracker instances for each bucket, you will have one event in 1 instance and the other event in a different instance.
You can use the responseData.requestId field to identify the events that are generated when you copy an object from one bucket to another.
Getting the details of a firewall update
Updating a bucket's firewall will generate a cloud-object-storage.resource-configuration.update event.
To get the details of what was changed, check for fields requestData.allowedIp, requestData.deniedIp, and requestData.allowedNetworkTypes that appear in the requestData field.