Auditing events

You can use IBM Cloud® Activity Tracker to track and audit how users and applications interact with IBM Cloud® Schematics.

Schematics events

IBM Cloud Activity Tracker records user-initiated activities that change the state of a service in IBM Cloud. You can use this service to investigate abnormal activity and critical actions and to comply with regulatory audit requirements. In addition, you can be alerted about actions as they happen. The events that are collected comply with the Cloud Auditing Data Federation (CADF) standard. For more information, see Getting started tutorial for IBM Cloud Activity Tracker.

The following lists of Schematics events are sent to IBM Cloud Activity Tracker.

Workspace events

Workspace events
| Action | Description |
|---|---|
| schematics.workspace.read | An event is generated for a request to view a Schematics workspace by a user. |
| schematics.workspace.create | An event is generated for a request to create a Schematics workspace. |
| schematics.workspace.update | An event is generated for a request to update a Schematics workspace. |
| schematics.workspace.delete | An event is generated for a request to delete a Schematics workspace. |
| schematics.workspace-resources.create | An event is generated when a Terraform execution apply is created for a workspace. |
| schematics.workspace-resources.plan | An event is generated when a Terraform execution plan is created for a workspace. |
| schematics.workspace-resources.delete | An event is generated for a request to delete the IBM Cloud resources that are provisioned through a Terraform plan and the workspace. |

Action events

Action events
| Action | Description |
|---|---|
| schematics.action.create | A Schematics action is created or failed to create. |
| schematics.action.delete | A Schematics action was deleted or failed to delete. |
| schematics.action.read | A Schematics action is viewed by a user. |
| schematics.action.update | A Schematics action is updated successfully or failed to update. |

Job events

Job events
| Action | Description |
|---|---|
| schematics.job.create | A Schematics job is created or failed to create. |
| schematics.job.delete | A Schematics job was deleted or failed to delete. |
| schematics.job.read | A Schematics job is viewed by a user. |
| schematics.job.update | A Schematics job is updated successfully or failed to update. |

Shareddata events

Shareddata events
| Action | Description |
|---|---|
| schematics.shareddatas.create | A Schematics shared data set was created or failed to create. |
| schematics.shareddatas.delete | A Schematics shared data set was deleted or failed to delete. |
| schematics.shareddatas.update | A Schematics shared data set was updated or failed to update. |

Other events

Other events
| Action | Description |
|---|---|
| schematics.credentials.ready-to-use | Credentials passed by a user as a workspace variable in the Schematics API request are being sent to IBM Cloud Object Storage to complete the user’s action. |

Viewing events

You can monitor Schematics only through the following regions:

  • Dallas (us-south)
  • Washington (us-east)
  • Frankfurt (eu-de)
  • London (eu-gb)

You must create an Activity Tracker instance in Frankfurt, Dallas, or both to monitor the Schematics service.

Location of events per region
| Schematics region | Activity Tracker region where events are available |
|---|---|
| us-south | us-south |
| us-east | us-south |
| eu-de | eu-de |
| eu-gb | eu-de |

Events that are generated by Schematics are automatically forwarded to the Activity Tracker service.

To monitor the service, start the Activity Tracker UI to access your events.

Analyzing events

Creating a workspace

When you create your first workspace, the following events are created by a Schematics-owned service ID and sent to IBM Cloud Activity Tracker.

When you manage a workspace, the following events are created by the Schematics service:

  • An event with an action schematics.instance.create, when the first workspace is created.
  • An event with an action schematics.instance.update, when a workspace is modified.
  • An event with an action schematics.instance.delete, when a workspace is deleted.

The initiatorId of the request for these actions is set to a service ID that is owned by the Schematics service.

In addition, when a workspace is created, the following events are also generated:

  • Event with action schematics.tag.attach to report tagging of the workspace
  • Event with action schematics.instance.create to report the creation of the workspace instance in your account
  • Event with action schematics.instance.update to report updates to the workspace properties

You can search by target.id to identify all events that report actions on a workspace. For example, you can query for a value such as crn:v1:bluemix:public:schematics:eu-de:a/xxxxxx:xxxxxxx:workspace:eu-de.workspace.observability-workspace.xxxxxxxx.

Events that are generated by Schematics are automatically forwarded to your IBM Cloud Activity Tracker service instance according to region. Schematics sends events to the us-south or eu-de region only. To view event details, create an instance of IBM Cloud Activity Tracker in the us-south or eu-de region.

  1. Create a service instance of IBM Cloud Activity Tracker in the us-south/eu-de region.
  2. Start the IBM Cloud Activity Tracker web console to access your events.
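
The target.id search and the region table above can be combined into an offline triage step over exported events. This is an added example, not IBM's code: the JSON field layout (eventTime, action, outcome, target.id, initiator.id), the outcome values, the sample events, and the choice of actions to flag are assumptions made for illustration.

```python
import json

# Schematics region -> Activity Tracker region, copied from the page's table.
TRACKER_REGION = {"us-south": "us-south", "us-east": "us-south",
                  "eu-de": "eu-de", "eu-gb": "eu-de"}
# Actions this example singles out for review (a choice made here, not by the page).
REVIEW_ACTIONS = {"schematics.workspace.delete",
                  "schematics.workspace-resources.delete",
                  "schematics.credentials.ready-to-use"}

def tracker_region(crn):
    """Activity Tracker region that receives events for a Schematics CRN."""
    parts = crn.split(":")
    if len(parts) < 6 or parts[4] != "schematics":
        raise ValueError(f"not a Schematics CRN: {crn!r}")
    if parts[5] not in TRACKER_REGION:
        raise ValueError(f"no Activity Tracker mapping for {parts[5]!r}")
    return TRACKER_REGION[parts[5]]

def events_for_target(lines, target_id):
    """Parse a JSON-lines export; keep events whose target.id matches, oldest first."""
    events = [json.loads(line) for line in lines if line.strip()]
    hits = [e for e in events if e.get("target", {}).get("id") == target_id]
    return sorted(hits, key=lambda e: e["eventTime"])

def needs_review(event):
    """True for review-listed actions and for any outcome other than success."""
    return event["action"] in REVIEW_ACTIONS or event.get("outcome") != "success"

def make_event(time, action, outcome, target, initiator):
    """Build one constructed event line (assumed field layout)."""
    return json.dumps({"eventTime": time, "action": action, "outcome": outcome,
                       "target": {"id": target}, "initiator": {"id": initiator}})

# Constructed sample data: placeholder CRNs in the page's format, made-up initiators.
WS = ("crn:v1:bluemix:public:schematics:eu-gb:a/xxxxxx:xxxxxxx:"
      "workspace:eu-gb.workspace.demo.xxxxxxxx")
OTHER = WS.replace("demo", "other")
SAMPLE = [
    make_event("2024-05-02T09:30:00Z", "schematics.workspace-resources.delete", "success", WS, "user-b"),
    make_event("2024-05-01T08:00:00Z", "schematics.workspace.create", "success", WS, "user-a"),
    make_event("2024-05-01T08:05:00Z", "schematics.workspace.read", "success", OTHER, "user-c"),
    make_event("2024-05-01T08:10:00Z", "schematics.workspace-resources.plan", "failure", WS, "user-a"),
]

if __name__ == "__main__":
    print("look in Activity Tracker region:", tracker_region(WS))
    for e in events_for_target(SAMPLE, WS):
        mark = "REVIEW" if needs_review(e) else "ok"
        print(e["eventTime"], e["action"], e["outcome"], e["initiator"]["id"], mark)
```

A workspace in eu-gb resolves to the eu-de Activity Tracker region, so a timeline built from a us-south instance alone would miss its events.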