Auditing events for VMware Solutions
As of 28 March 2024, the IBM Cloud Activity Tracker service is deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs before 30 March 2025. During the migration period, customers can use IBM Cloud Activity Tracker along with IBM Cloud Logs. Activity tracking events are the same for both services. For information about migrating from IBM Cloud Activity Tracker to IBM Cloud Logs and running the services in parallel, see migration planning.
Use the IBM Cloud® Activity Tracker service to track how users and applications interact with IBM Cloud for VMware® Solutions in IBM Cloud.
IBM Cloud Activity Tracker records user-initiated activities that change the state of a service in the IBM Cloud. You can use this service to investigate for abnormal activity and critical actions, and comply with regulatory audit requirements. In addition, you can be alerted on actions as they happen. The events that are collected comply with the Cloud Auditing Data Federation (CADF) standard. For more information, see Getting started with Activity Tracker.
Events for VMware Shared
When you use VMware Shared, an event is generated to track how users and applications interact with virtual data centers.
The following table lists the actions that generate and send an event to Activity Tracker.
Action | Description | Outcome |
---|---|---|
vmware-solutions.vdc.create |
An event is generated when a virtual data center instance is created. | pending success failure |
vmware-solutions.vdc.delete |
An event is generated when a virtual data center instance is deleted. | pending success failure |
vmware-solutions.vdc.update |
An event is generated when capacity is added to a virtual data center instance. An event is generated when capacity is removed from a virtual data center instance. |
pending success failure |
Events for VCF for Classic instance management
When you manage user accounts, instances, clusters, and services in IBM Cloud for VMware Solutions, an event is generated.
The following table provides the actions that generate and send management events to Activity Tracker.
Action | Description |
---|---|
vmware-solutions.account-apikey.update |
The infrastructure API key for an account is updated. |
vmware-solutions.account-notification.update |
The notification setting for an account is updated. |
vmware-solutions.instance-secure-data.wipe |
The instance-secure data is wiped. |
vmware-solutions.instance-bss-account.migrate |
An instance is migrated to a BSS account. |
vmware-solutions.vcs.create |
A VMware Cloud Foundation for Classic instance is created. |
vmware-solutions.vcs.delete |
A VCF for Classic instance is deleted. |
vmware-solutions.vcs-host.add |
A host is added to a VCF for Classic instance. |
vmware-solutions.vcs-host.remove |
A host is removed from a VCF for Classic instance. |
vmware-solutions.vcs.update |
A VCF for Classic instance is updated. |
vmware-solutions.vcs-cluster.create |
A cluster is created for a VCF for Classic instance. |
vmware-solutions.vcs-cluster.delete |
A cluster is deleted for a VCF for Classic instance. |
vmware-solutions.vcs-nsx-license.update |
The VMware NSX® license is updated for a VCF for Classic instance. |
vmware-solutions.vcs-nfs-storage.add |
NFS storage is added to a VCF for Classic instance. |
vmware-solutions.vcs-nfs-storage.remove |
NFS storage is removed from a VCF for Classic instance. |
vmware-solutions.vcs-plan.update |
A VCF for Classic instance's plan is updated. |
vmware-solutions.vss.create |
A VMware Cloud Foundation for Classic - Flexible instance is created. |
vmware-solutions.vss.update |
A VCF for Classic - Flexible instance is updated. |
vmware-solutions.vss-template.remove |
A VCF for Classic - Flexible template is removed. |
vmware-solutions.service.create |
A service is created. |
vmware-solutions.service.delete |
A service is deleted. |
Events for KMIP for VMware
When you manage keys for the KMIP™ for VMware® service, an event is generated.
The following table provides the actions that generate and send events for KMIP for VMware. The initiator completes these actions from vCenter Server and they do not include the initiator's IP address. The requests for these actions run from within the IBM Cloud private network.
The initiator ID is derived from the TLS (Transport Layer Security) certificate of the vCenter Server that is used to authenticate the connection to the KMIP server. The initiator ID is in the format CertificateID-<value>
,
where the value matches the fingerprint of the corresponding TLS certificate. Using the fingerprint, you can identify the vCenter Server that triggered the action.
Action | Description |
---|---|
vmware-solutions.kmip-key.create |
A KMIP key is created. |
vmware-solutions.kmip-key.read |
A KMIP key is retrieved. |
vmware-solutions.kmip-key-attributes.retrieve |
A KMIP key's attributes are retrieved. |
vmware-solutions.kmip-key.activate |
A KMIP key is activated. |
vmware-solutions.kmip-key.revoke |
A KMIP key is revoked. |
vmware-solutions.kmip-key.destroy |
A KMIP key is destroyed. |
Viewing events
VCF for Classic and VMware Shared events are global events. The KMIP for VMware events are location-based events that are automatically forwarded to the Activity Tracker service instance that is available in the same location as the KMIP for VMware instance. For more information, see Monitoring global and location-based events.
Activity Tracker can have only one instance per location. To view events, you must access the web UI of the Activity Tracker service in the same location where your service instance is available. For more information, see Navigating to the UI.