Activity tracker events
Power Virtual Server Activity Tracker Events will migrate to the CADF Event standard on January 29, 2024. Some of the event fields will not be sent or replaced by the new format. For the code snippets that shows the differences between the old and new format of the activity tracker response, see Activity tracker sample response format.
As a security officer, auditor, or manager, you can use the Activity Tracker Event Routing service to track how users and applications interact with the IBM® Power® Virtual Server in IBM Cloud®.
Activity Tracker Event Routing records user-initiated activities that change the state of a service in IBM Cloud. You can use this service to investigate abnormal activity and critical actions and to comply with regulatory audit requirements. In addition, you can be alerted about actions as they happen. The events that are collected comply with the Cloud Auditing Data Federation (CADF) standard. For more information, see the getting started tutorial for Activity Tracker Event Routing.
IBM® Power® Virtual Server automatically generates events so that you can track activity on your service.
Management events
Instance events
The following event is used to read the Power Virtual Server instance.
| Action | Description |
|---|---|
| power-iaas.event.read | Read a Power Virtual Server Instance |
Images events
The following events are for working with images in your Power Virtual Server instance.
| Action | Description |
|---|---|
| power-iaas.image.read | Read an Image or all Images |
| power-iaas.image.create | Create an Image |
| power-iaas.image.update | Update an Image |
| power-iaas.image.delete | Delete an Image |
| power-iaas.image.capture | Exports an Image |
Network events
The following events are for working with networks in your Power Virtual Server instance.
| Action | Description |
|---|---|
| power-iaas.network.read | Read a Network or all Networks |
| power-iaas.network.create | Create a Network (Public or Private) |
| power-iaas.network.update | Update a Network |
| power-iaas.network.delete | Delete a Network |
Power Virtual Server events
The following events are for working with each Power Virtual Server instance.
| Action | Description |
|---|---|
| power-iaas.pvm-instance.read | Read a Power virtual server instance |
| power-iaas.pvm-instance.create | Create a Power virtual server instance |
| power-iaas.pvm-instance.update | Update a Power virtual server instance |
| power-iaas.pvm-instance.delete | Delete a Power virtual server instance |
| power-iaas.pvm-instance.start | Start a Power virtual server instance |
| power-iaas.pvm-instance.stop | Stop a Power virtual server instance |
| power-iaas.pvm-instance.renew | Restart a Power virtual server instance |
| power-iaas.pvm-instance.unknown | Unknown action on a Power virtual server instance |
| power-iaas.pvm-instance.monitor | Console access to a Power virtual server instance |
| power-iaas.pvm-instance.capture | Capture a Power virtual server instance into an image |
| power-iaas.pvm-instance.immediate-shutdown | Shut down a Power virtual server instance immediately |
| power-iaas.pvm-instance.clone | Clone a Power virtual server instance |
| power-iaas.pvm-instance.snapshot | Create a Power virtual server instance Snapshot |
| power-iaas.pvm-instance-network.read | Read a Power virtual server instance Network |
| power-iaas.pvm-instance-network.create | Create a Power virtual server instance Network |
| power-iaas.pvm-instance-network.delete | Delete a Power virtual server instance Network |
SSH keys events
The following events are for working with your account and SSH keys in your Power Virtual Server instance.
| Action | Description |
|---|---|
| power-iaas.ssh-key.read | Read an SSH key or SSH keys |
| power-iaas.ssh-key.create | Create an SSH key |
| power-iaas.ssh-key.update | Update an SSH key |
| power-iaas.ssh-key.delete | Delete an SSH key |
Data volumes events
The following events are for working with data volumes in your Power Virtual Server instance.
| Action | Description |
|---|---|
| power-iaas.volume.read | Read a Volume or Volumes |
| power-iaas.volume.create | Create a Volume |
| power-iaas.volume.update | Update a Volume |
| power-iaas.volume.delete | Delete a Volume |
| power-iaas.volume.configure | Attach or Detach a Volume |
Storage capacity events
The following events are for working with storage capacity in your Power Virtual Server instance.
| Action | Description |
|---|---|
| power-iaas.storage-capacity.read | Read Storage Capacity |
Storage pools events
The following events are for working with storage pools in your Power Virtual Server instance.
| Action | Description |
|---|---|
| power-iaas.system-pools.read | Read System Pools Information |
Tenant events
The following events are for working with tenants in your Power Virtual Server instance.
| Action | Description |
|---|---|
| power-iaas.tenant.read | Read your Tenant Information |
| power-iaas.tenant-ssh.read | Read SSH Key or SSH Keys |
| power-iaas.tenant-ssh.create | Create an SSH Key |
| power-iaas.tenant-ssh.update | Update an SSH Key |
| power-iaas.tenant-ssh.delete | Delete an SSH Key |
List of events: Job
The following events are for working with jobs in your Power Virtual Server instance.
| Action | Description |
|---|---|
| power-iaas.job.read | Read a Job or all Jobs |
| power-iaas.job.create | Create a Job |
| power-iaas.job.delete | Delete a Job |
List of events: Network ports
The following events are for working with network ports in your Power Virtual Server instance.
| Action | Description |
|---|---|
| power-iaas.port.read | Read a Network Port or all Network Ports |
| power-iaas.port.create | Create a Network Port |
| power-iaas.port.update | Update a Network Port |
| power-iaas.port.delete | Delete a Network Port |
List of events: SAP
The following events are for working with SAP in your Power Virtual Server instance.
| Action | Description |
|---|---|
| power-iaas.sap.read | Read SAP Information |
| power-iaas.sap.create | Create an SAP PVM Instance |
List of events: Cloud Connections
The following events are for working with Cloud connections in your Power Virtual Server instance.
| Action | Description |
|---|---|
| power-iaas.cloud-connection.read | Read a Cloud Connection or all Cloud Connections |
| power-iaas.cloud-connection.create | Create a Cloud Connection |
| power-iaas.cloud-connection.update | Update a Cloud Connection |
| power-iaas.cloud-connection.delete | Delete a Cloud Connection |
List of events: Placement Groups
The following events are for working with placement groups in your Power Virtual Server instance.
| Action | Description |
|---|---|
| power-iaas.placement-groups.read | Read a Placement Group or all Placement Groups |
| power-iaas.placement-groups.create | Create a Placement Group |
| power-iaas.placement-groups.update | Update a Placement Group |
| power-iaas.placement-groups.delete | Delete a Placement Group |
List of events: IKE Policy
The following events are for working with IKE Policy in your Power Virtual Server instance.
| Action | Description |
|---|---|
| power-iaas.ike-policy.read | Read an IKE Policy |
| power-iaas.ike-policy.create | Create an IKE Policy |
| power-iaas.ike-policy.update | Update an IKE Policy |
| power-iaas.ike-policy.delete | Delete an IKE Policy |
List of events: IPSec Policy
The following events are for working with IPsec Policy in your Power Virtual Server instance.
| Action | Description |
|---|---|
| power-iaas.ipsec-policy.read | Read an IPsec Policy |
| power-iaas.ipsec-policy.create | Create an IPsec Policy |
| power-iaas.ipsec-policy.update | Update an IPsec Policy |
| power-iaas.ipsec-policy.delete | Delete an IPsec Policy |
List of events: VPN Connection
The following events are for working with VPN Connection in your Power Virtual Server instance.
| Action | Description |
|---|---|
| power-iaas.vpn-connection.read | Read a VPN Connection or all VPN Connections |
| power-iaas.vpn-connection.create | Create a VPN Connection |
| power-iaas.vpn-connection.update | Update a VPN Connection |
| power-iaas.vpn-connection.delete | Delete a VPN Connection |
Viewing events
Events are automatically forwarded to North America, Europe, Tokyo, or Sydney geographic locations. You can access the activity tracker logs for all North America and South America data centers from Dallas, all Europe data centers from Frankfurt, Sydney data center from Sydney, and all Japan data center from Tokyo. For a list of locations where Power Virtual Server services are enabled to send events to IBM Cloud Activity Tracker, see Activity Tracker events by location.
Activity Tracker can have only one instance per location. To view events, you must access the web UI of the Activity Tracker service in the same location where your service instance is available. For more information, see Launching the web UI through the IBM Cloud UI.
Activity tracker sample response format
The new response format used in activity tracking adheres to the CADF (Cloud Auditing Data Federation) standard. Hence, auditing events can be collected and routed in a standardized format, ensuring consistency and interoperability across different cloud platforms.
The CADF standard is significant in auditing security in cloud environments as it defines a comprehensive event model that includes the necessary information for certifying, managing, and auditing the security of applications and services in the cloud.
The following code snippets shows the differences between the old and new activity tracker response format.
New response format
{
"logSourceCRN": "crn:v1:bluemix:public:power-iaas:us-east:a/xxxxxxxxxxxxxxxxxxxx:yyyyyyyyyyyyyyyyyyyyyy::",
"saveServiceCopy": true,
"dataEvent": false,
"outcome": "success",
"eventTime": "2022-06-30T03:12:49.63+0000",
"action": "power-iaas.tenant.read",
"correlationId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"severity": "normal",
"initiator": {
"id": "IBMid-xxxxxxxxxx",
"name": "xxxxm@us.ibm.com",
"typeURI": "service/security/account/user",
"authnId": "",
"authnName": "",
"host": {
"agent": "PostmanRuntime/7.28.4",
"address": "127.0.0.1",
"addressType": "IPv4"
},
"credential": {
"type": "user"
}
},
"target": {
"id": "crn:v1:bluemix:public:power-iaas:us-east:a/xxxxxxxxxxxxxxxxxxxx:yyyyyyyyyyyyyyyyyyyyyy::",
"name": "testName",
"typeURI": "power-iaas/tenant",
"resourceGroupId": "crn:v1:bluemix:public:resource-controller::a/xxxxxxxxxxxxxxxxxxxx::resource-group:zzzzzzzzzzzzzzzzzzzzzzz"
},
"reason": {
"reasonCode": 200,
"reasonType": "OK"
},
"requestData": null,
"responseData": {
"cloudInstances": [
{
"capabilities": [],
"cloudInstanceID": "yyyyyyyyyyyyyyyyyyyyyy",
"enabled": true,
"href": "/pcloud/v1/cloud-instances/yyyyyyyyyyyyyyyyyyyyyy",
"initialized": false,
"name": "testName",
"region": "us-east"
}
],
"creationDate": "2019-05-21T21:32:00.746Z",
"enabled": true,
"sshKeys": [],
"tenantID": "xxxxxxxxxxxxxxxxxxxx"
},
"message": "Power Virtual Server: read tenant xxxxxxxxxxxxxxxxxxxx ",
"observer": {
"name": "ActivityTracker"
}
}
Old response format
{
"payload": {
"outcome": "success",
"eventTime": "2019-05-31T19:33:02.97+0000",
"action": "pcloud.tenant.read",
"severity": "normal",
"initiator": {
"id": "IBMid-xxxxxxxxxx",
"name": "xxxxm@us.ibm.com",
"typeURI": "service/security/account/user",
"host": {
"agent": "PostmanRuntime/7.13.0",
"address": "127.0.0.1"
},
"credential": {
"type": "user"
}
},
"target": {
"id": "crn:v1:bluemix:public:power-iaas:us-east:a/xxxxxxxxxxxxxxxxxxxx:yyyyyyyyyyyyyyyyyyyyyy::",
"name": "testName",
"typeURI": "pcloud/tenant/read",
"host": {
"address": "100.64.24.72"
}
},
"reason": {
"reasonCode": 200
},
"responseData": "{\"cloudInstances\":[{\"cloudInstanceID\":\"yyyyyyyyyyyyyyyyyyyyyy\",\"enabled\":true,\"href\":\"/pcloud/v1/cloud-instances/yyyyyyyyyyyyyyyyyyyyyy\",\"initialized\":false,\"name\":\"testName\",\"region\":\"us-east\"}],\"creationDate\":\"2019-05-21T21:32:00.746Z\",\"enabled\":true,\"sshKeys\":[{\"creationDate\":\"2019-05-21T22:13:49.806Z\",\"name\":\"Test\",\"sshKey\":\"Foo\"}],\"tenantID\":\"xxxxxxxxxxxxxxxxxxxx\"}",
"message": "pcloud: read tenant 9cdad2e857d442d49853e484e9b91d24 success"
},
"logSourceCRN": "crn:v1:bluemix:public:power-iaas:us-east:a/xxxxxxxxxxxxxxxxxxxx:yyyyyyyyyyyyyyyyyyyyyy::",
"saveServiceCopy": true,
"meta": {
"serviceProviderName": "power-iaas",
"serviceProviderRegion": "ng",
"serviceProviderProjectId": "power-iaas",
"userAccountIds": [
"a/xxxxxxxxxxxxxxxxxxxx"
],
"userSpaceRegion": "ng"
}
}
Activity tracker regions
You can create an activity tracker instance and provision it in the same region where your data center is located.
The Power Virtual Server workspaces running in various regions or data center will send events to activity tracker instances in their respective regions effective from 29 January 2024. You must create and provision instances of activity tracker in the respective regions where your workspaces reside for continued access to Power Virtual Server activity tracker events. If you want to export activity Tracker events, see Exporting Activity Tracker events.
The following table shows the data center and its corresponding regions where you can deploy an activity tracker instance:
| Datacenter | Current activity tracker region | New activity tracker region |
|---|---|---|
WDC04 |
us-south | us-east |
WDC06 |
us-south | us-east |
WDC07 |
us-south | us-east |
MON01 |
us-south | ca-tor |
TOR04 |
us-south | ca-tor |
SAO01 |
us-south | br-sao |
SAO04 |
us-south | br-sao |
LON04 |
eu-de | eu-gb |
LON06 |
eu-de | eu-gb |
OSA21 |
jp-tok | jp-osa |