IBM Cloud Docs
Auditing events for VMware Solutions

Auditing events for VMware Solutions

Use the IBM Cloud® Activity Tracker service to track how users and applications interact with IBM Cloud for VMware® Solutions in IBM Cloud.

IBM Cloud Activity Tracker records user-initiated activities that change the state of a service in the IBM Cloud. You can use this service to investigate for abnormal activity and critical actions, and comply with regulatory audit requirements. In addition, you can be alerted on actions as they happen. The events that are collected comply with the Cloud Auditing Data Federation (CADF) standard. For more information, see Getting started with Activity Tracker.

Events for VMware Shared

When you use IBM Cloud for VMware Solutions Shared, an event is generated to track how users and applications interact with virtual data centers.

The following table lists the actions that generate and send an event to Activity Tracker.

Table 1. Description of actions that generate VMware Shared events
Action Description Outcome
vmware-solutions.vdc.create An event is generated when a virtual data center instance is created. pending
success
failure
vmware-solutions.vdc.delete An event is generated when a virtual data center instance is deleted. pending
success
failure
vmware-solutions.vdc.update An event is generated when capacity is added to a virtual data center instance.
An event is generated when capacity is removed from a virtual data center instance.		 pending
success
failure

Events for vCenter Server instance management

When you manage user accounts, instances, clusters, and services in IBM Cloud for VMware Solutions, an event is generated.

The following table provides the actions that generate and send management events to Activity Tracker.

Table 2. Description of actions that generate management events
Action Description
vmware-solutions.account-apikey.update The infrastructure API key for an account is updated.
vmware-solutions.account-notification.update The notification setting for an account is updated.
vmware-solutions.instance-secure-data.wipe The instance-secure data is wiped.
vmware-solutions.instance-bss-account.migrate An instance is migrated to a BSS account.
vmware-solutions.vcs.create A VMware vCenter Server® instance is created.
vmware-solutions.vcs.delete A vCenter Server instance is deleted.
vmware-solutions.vcs-host.add A host is added to a vCenter Server instance.
vmware-solutions.vcs-host.remove A host is removed from a vCenter Server instance.
vmware-solutions.vcs.update A vCenter Server instance is updated.
vmware-solutions.vcs-cluster.create A cluster is created for a vCenter Server instance.
vmware-solutions.vcs-cluster.delete A cluster is deleted for a vCenter Server instance.
vmware-solutions.vcs-nsx-license.update The VMware NSX® license is updated for a vCenter Server instance.
vmware-solutions.vcs-nfs-storage.add NFS storage is added to a vCenter Server instance.
vmware-solutions.vcs-nfs-storage.remove NFS storage is removed from a vCenter Server instance.
vmware-solutions.vcs-plan.update A vCenter Server instance's plan is updated.
vmware-solutions.vss.create A vSphere instance is created.
vmware-solutions.vss.update A vSphere instance is updated.
vmware-solutions.vss-template.remove A vSphere template is removed.
vmware-solutions.service.create A service is created.
vmware-solutions.service.delete A service is deleted.

Events for KMIP for VMware

When you manage keys for the KMIP™ for VMware® service, an event is generated.

The following table provides the actions that generate and send events for KMIP for VMware. The initiator completes these actions from vCenter Server and they do not include the initiator's IP address. The requests for these actions run from within the IBM Cloud private network.

The initiator ID is derived from the TLS (Transport Layer Security) certificate of the vCenter Server that is used to authenticate the connection to the KMIP server. The initiator ID is in the format CertificateID-<value>, where the value matches the fingerprint of the corresponding TLS certificate. Using the fingerprint, you can identify the vCenter Server that triggered the action.

Table 3. Description of actions that generate events for the KMIP for VMware service
Action Description
vmware-solutions.kmip-key.create A KMIP key is created.
vmware-solutions.kmip-key.read A KMIP key is retrieved.
vmware-solutions.kmip-key-attributes.retrieve A KMIP key's attributes are retrieved.
vmware-solutions.kmip-key.activate A KMIP key is activated.
vmware-solutions.kmip-key.revoke A KMIP key is revoked.
vmware-solutions.kmip-key.destroy A KMIP key is destroyed.

Viewing events

VMware Shared and vCenter Server events are global events. The KMIP for VMware events are location-based events that are automatically forwarded to the IBM Cloud Activity Tracker service instance that is available in the same location as the KMIP for VMware instance. For more information, see Monitoring global and location-based events.

IBM Cloud Activity Tracker can have only one instance per location. To view events, you must access the web UI of the IBM Cloud Activity Tracker service in the same location where your service instance is available. For more information, see Navigating to the UI.