Auditing events for IBM Log Analysis

As a security officer, auditor, or manager, you can use the Activity Tracker service to track how users and applications interact with the IBM Log Analysis service in IBM Cloud®.

As of 28 March 2024 the IBM Log Analysis and IBM Cloud Activity Tracker services are deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs, which replaces these two services, prior to 30 March 2025.

IBM Cloud Activity Tracker records user-initiated activities that change the state of a service in IBM Cloud. You can use this service to investigate abnormal activity and critical actions and to comply with regulatory audit requirements. In addition, you can be alerted about actions as they happen. The events that are collected comply with the Cloud Auditing Data Federation (CADF) standard. For more information, see the getting started tutorial for IBM Cloud Activity Tracker.

IBM Log Analysis automatically generates events so that you can track activity on your service instance.

Determining an event initiator

The initiator.name field can contain the name of the resource or user that generated the event. If the initiator.name is IBM Log Analysis, the event is the result of an action taken by an IBM Log Analysis service operator.

For more information about IBM Cloud Activity Tracker event fields, see Event fields.

Management events

Account settings

Table 1. Events for account settings actions
Action	Description
`logdna.account.update`	This event is generated when an administrator turns on or off a feature for a logging instance.

The following table lists custom fields that are included in these events:

Table 2. Custom fields for account settings actions
Custom fields	Valid values	Description
`requestData.owneremail`	`xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@logdna.ibm.com`	Defines a logging account.
`requestData.type`	`meta.addrawline`	Defines a logging administrative feature.
`requestData.value`	`false` `true`	When is set to `true`, the feature specified in the field `requestData.type` is enabled.
`responseData.logdnaId`	Sample `3a941d8ert`	Defines the logging ID that is associated with the IBM Log Analysis instance.

Archiving

Table 3. Events for archiving actions
Action	Description
`logdna.account-archive-setting.configure`	This event is generated when an administrator turns off archiving for a logging instance.
`logdna.archive-configuration.update`	This event is generated when an administrator turns on archiving for a logging instance.

The following table lists custom fields that are included in these events:

Table 4. Custom fields for archiving actions
Custom fields	Valid values	Description
`requestData.feature`	`archive`	Defines a logging administrative feature.
`requestData.isEnabled`	`false` `true`	Defines if archiving of the logging instance to a COS bucket is configured. When is set to `true`, archiving is enabled.
`requestData.provider`	`ibm`	Defines the Cloud provider where data is archived.
`responseData.logdnaId`	Sample `3a941d8ert`	Defines the logging ID that is associated with the IBM Log Analysis instance.

Exclusion rules

Table 5. Events for exclusion rules actions
Action	Description
`logdna.exclusion-rule.create`	This event is generated when an administrator creates an exclusion rule through the logging web UI.
`logdna.exclusion-rule.update`	This event is generated when an administrator updates an exclusion rule through the logging web UI.
`logdna.exclusion-rule.delete`	This event is generated when an administrator deletes an exclusion rule through the logging web UI.

The following table lists custom fields that are included in exclusion rule events:

Table 6. Custom fields for exclusion rules actions
Custom fields	Description
`feature`	Defines a logging administrative feature. Valid value is `exclusion-rule`.
`ruleId`	Defines the ID of the rule.
`isEnabled`	Defines when the exclusion rule is enabled. Set to `true` when the rule is enabled.
`requestData.hosts`	Defines 1 or more hosts whose data is excluded from search.
`requestData.apps`	Defines 1 or more apps whose data is excluded from search.
`requestData.query`	Defines an advanced query to refine the data that is excluded from search.
`requestData.description`	Description of the exclusion rule.
`requestData.indexonly`	Defines whether the data is available to see through the UI. Set to `true` when data is visible but not available for search.
`responseData.logdnaId`	Defines the logging ID that is associated with the IBM Log Analysis instance.

If the initiator.name field indicates a change was made by IBM Log Analysis, the change might have been made to stop a runaway logging scenario and temporarily limit logging. Exclusion rules should be reviewed to determine the required logging. Logging that is not required results in excess charges.

Ingestion keys

Table 7. Events for ingestion keys actions
Action	Description
`logdna.ingestion-key.create`	This event is generated when an administrator creates an ingestion key through the logging web UI.
`logdna.ingestion-key.delete`	This event is generated when an administrator deletes an ingestion key through the logging web UI.

The following table lists custom fields that are included in these events:

Table 8. Custom fields for ingestion keys actions
Custom fields	Valid values	Description
`requestData.key`	Masked field	Use this field to identify the ingestion key that is created.
`requestData.keyType`	`ingestion`	Defines the type of key that is configured.
`responseData.logdnaId`	Sample `3a941d8ert`	Defines the logging ID that is associated with the IBM Log Analysis instance.

Service keys

Table 9. Events for service keys actions
Action	Description
`logdna.service-key.create`	This event is generated when an administrator creates a service key through the logging web UI.
`logdna.service-key.delete`	This event is generated when an administrator deletes a service key through the logging web UI.

The following table lists custom fields that are included in these events:

Table 10. Custom fields for service keys actions
Custom fields	Valid values	Description
`requestData.key`	Masked field	Use this field to identify the service key that is created to export data by using the logging export API.
`requestData.keyType`	`service`	Defines the type of key that is configured.
`responseData.logdnaId`	Sample `3a941d8ert`	Defines the logging ID that is associated with the IBM Log Analysis instance.

Streaming events

Table 11. Events for streaming actions
Action	Description
`logdna.streaming-configuration.validate`	This event is generated when you configure the connection in Log Analysis to Event Streams.
`logdna.streaming-samples.send`	This event is generated when sample data is sent to verify the connection.
`logdna.account-streaming-setting.configure`	This event is generated when you start streaming.
`logdna.streaming-configuration.deactivate`	This event is generated when you stop streaming.
`logdna.streaming-logs.send`	This event is generated when there is a failure streaming data.
`logdna.exclusion-rule.create`	This event is generated when an streaming exclusion rule is configured.
`logdna.exclusion-rule.delete`	This event is generated when an streaming exclusion rule is deleted.

Parsing templates

Table 12. Events for parsing templates actions
Action	Description
`logdna.parsing-template.create`	This event is generated when an administrator creates a parsing template through the logging web UI.
`logdna.parsing-template.update`	This event is generated when an administrator updates a parsing template through the logging web UI.
`logdna.parsing-template.delete`	This event is generated when an administrator deletes a parsing template through the logging web UI.

The following table lists custom fields that are included in these events:

Table 13. Custom fields for parsing templates actions
Custom fields	Description
`requestData.feature`	Defines a logging administrative feature. Valid value is `custom-parsing`.
`requestData.isEnabled`	Defines when the template is enabled. Set to `true` when the template is enabled.
`requestData.name`	Defines the name of the template. This field is available for create actions.
`requestData.query`	Defines the query that is configured to identify log lines where the custome parsing is applied.
`requestData.templateId`	Defines the ID of the template. This field is available for update actions.
`responseData.logdnaId`	Defines the logging ID that is associated with the IBM Log Analysis instance.

Configuration

Table 14. Events for user-metadata related actions
Action	Description
`logdna.configuration.import`	This event is generated when an administrator imports user-metadata such as views, and alerts through the logging web UI.
`logdna.configuration.export`	This event is generated when an administrator exports user-metadata such as views, and alerts through the logging web UI.

The following table lists custom fields that are included in these events:

Table 15. Custom fields for user-metadata related actions
Custom fields	Description
`feature`	Defines a logging administrative feature. Valid value is `export-configuration`.
`requestData.configResources`	Defines the list of resources that a user chooses to export or import.
`responseData.logdnaId`	Defines the logging ID that is associated with the IBM Log Analysis instance.

Data events

Views

Table 16. Events for views
Action	Description
`logdna.view.create`	This event is generated when a view is created.
`logdna.view.update`	This event is generated when a view is updated. This event is also generated when an alert is attached or dettached from a view.
`logdna.view.delete`	This event is generated when a view is deleted.

The following table lists custom fields that are included in these events:

Table 17. Custom fields for view actions
Custom fields	Description
`requestData.name`	Defines the name of the view.
`requestData.query`	Defines the search query that is applied to filter data in the view.
`requestData.hosts`	Defines the list of hosts that are selected and whose data is included in the view.
`requestData.apps`	Defines the list of apps that are selected and whose data is included in the view.
`requestData.levels`	Defines the list of levels that are selected and whose data is included in the view.
`requestData.category`	Defines the category where the view is included.
`requestData.viewId`	Defines the view ID.
`requestData.description`	Describes the view.
`requestData.customLine`	Describes how the information is displayed in the view.
`responseData.logdnaId`	Defines the logging ID that is associated with the IBM Log Analysis instance.

Presets (alerts)

Table 18. Events for alerts
Action	Description
`logdna.alert.create`	This event is generated when an alert is created as a preset.
`logdna.alert.update`	This event is generated when an alert is updated.
`logdna.alert.delete`	This event is generated when an alert is deleted.

The following table lists custom fields that are included in these events:

Table 19. Custom fields for view actions
Custom fields	Description
`requestData.alertId`	Defines the preset ID.
`requestData.name`	Defines the name of the preset.
`requestData.preset`	Defines whether the alert is defined as a preset.
`requestData.channels`	List of channels that are configured in a preset. Each channel includes information about the notification method and the trigger conditions per method.
`responseData.logdnaId`	Defines the logging ID that is associated with the IBM Log Analysis instance.

Dashboards

Table 20. Events for dashboards
Action	Description
`logdna.board.create`	This event is generated when a dashboard is created.
`logdna.board.delete`	This event is generated when a dashboard is deleted.
`logdna.board-graph.update`	This event is generated when a graph is added to a dashboard.

The following table lists custom fields that are included in these events:

Table 21. Custom fields for boards
Custom fields	Description
`requestData.boardId`	Defines the ID of the dashboard.
`requestData.category`	Defines the category where the board is included.
`requestData.title`	Defines the name of the dashboard.
`requestData.graphId`	Defines the ID of a graph that is added to a board.
`responseData.logdnaId`	Defines the logging ID that is associated with the IBM Log Analysis instance.

Viewing events

Events that are generated by an instance of the IBM Log Analysis service are automatically forwarded to the IBM Cloud Activity Tracker service instance that is available in the same location. For more information, see Cloud services locations.

IBM Cloud Activity Tracker can have only one instance per location. To view events, you must access the web UI of the IBM Cloud Activity Tracker service in the same location where your service instance is available. For more information, see Launching the UI through the IBM Cloud UI.

Analyzing events

Activity Tracker events only report success outcomes.

Activity Tracker events that report update actions do not include information about the delta of the change.