IBM Cloud Docs
Activity tracking events for IBM Cloud Shell

Activity tracking events for IBM Cloud Shell

IBM Cloud services, such as IBM Cloud Shell, generate activity tracking events.

Activity tracking events report on activities that change the state of a service in IBM Cloud. You can use the events to investigate abnormal activity and critical actions and to comply with regulatory audit requirements.

You can use IBM Cloud Activity Tracker Event Routing, a platform service, to route auditing events in your account to destinations of your choice by configuring targets and routes that define where activity tracking events are sent. For more information, see see About IBM Cloud Activity Tracker Event Routing.

You can use IBM Cloud Logs to visualize and alert on events that are generated in your account and routed by IBM Cloud Activity Tracker Event Routing to an IBM Cloud Logs instance.

As of 28 March 2024, the IBM Cloud Activity Tracker service is deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs before 30 March 2025. During the migration period, customers can use IBM Cloud Activity Tracker along with IBM Cloud Logs. Activity tracking events are the same for both services. For information about migrating from IBM Cloud Activity Tracker to IBM Cloud Logs and running the services in parallel, see migration planning.

Locations where activity tracking events are generated

Locations where activity tracking events are sent to IBM Cloud Activity Tracker hosted event search

IBM Cloud Shell sends activity tracking events to IBM Cloud Activity Tracker hosted event search in the regions that are indicated in the following table.

Regions where activity tracking events are sent in Americas locations
Dallas (us-south) Washington (us-east) Toronto (ca-tor) Sao Paulo (br-sao)
Yes No No No
Regions where activity tracking events are sent in Asia Pacific locations
Tokyo (jp-tok) Sydney (au-syd) Osaka (jp-osa) Chennai (in-che)
No No No No
Regions where activity tracking events are sent in Europe locations
Frankfurt (eu-de) London (eu-gb) Madrid (eu-es)
Yes No No

Locations where activity tracking events are sent by IBM Cloud Activity Tracker Event Routing

IBM Cloud Shell sends activity tracking events by IBM Cloud Activity Tracker Event Routing in the regions that are indicated in the following table.

Regions where activity tracking events are sent in Americas locations
Dallas (us-south) Washington (us-east) Toronto (ca-tor) Sao Paulo (br-sao)
Yes No No No
Regions where activity tracking events are sent in Asia Pacific locations
Tokyo (jp-tok) Sydney (au-syd) Osaka (jp-osa) Chennai (in-che)
No No No No
Regions where activity tracking events are sent in Europe locations
Frankfurt (eu-de) London (eu-gb) Madrid (eu-es)
Yes No No

Viewing activity tracking events for IBM Cloud Shell

You can use IBM Cloud Logs to visualize and alert on events that are generated in your account and routed by IBM Cloud Activity Tracker Event Routing to an IBM Cloud Logs instance.

Events that Cloud Shell generates are automatically forwarded to the Activity Tracker service instance that is available in the same location.

Activity Tracker can have only one instance per location. To view events, you must access the web UI of the Activity Tracker service in the same location where your service instance is available. For more information, see Launching the web UI through the IBM Cloud UI.

Launching IBM Cloud Logs from the Observability page

For information on launching the IBM Cloud Logs UI, see Launching the UI in the IBM Cloud Logs documentation.

List of platform events

The following table lists the activity tracking event actions that the IBM Cloud platform generates Cloud Shell instances are processed.

Actions that generate platform events
Action Description
cloudshell.server.create An event is generated when a new session is created.
cloudshell.server.configure An event is generated when a session is configured. This event is generated for configuring new sessions and reconfiguring an existing session.
cloudshell.server.delete An event is generated when a session is deleted.
cloudshell.account-settings.update An event is generated when Cloud Shell settings are updated for an account.

Analyzing Cloud Shell activity tracking events

Activity Tracker events contain fields that describe the action that occurred. Values in the requestData and responseData fields are specific to IBM Cloud Shell, and the other fields are common to all Activity Tracker events. For a more information about common fields, see Event fields.

When a user opens, configures, or closes a Cloud Shell session, the event that is triggered has an action field set to cloudshell.server.create, cloudshell.server.configure, or cloudshell.server.delete. The event includes the following fields:

  • The initiator.name field includes information about the user who interacted with the session.
  • The initiator.id field shows the IBMid of the user who interacted with the session.
  • The target.id field includes the Cloud Resource Name (CRN) of the Cloud Shell account and server where the session was modified, in the format crn:v1:bluemix:public:cloudshell:<REGION>:a/<ACCOUNT_ID>:<CLOUD_SHELL_SERVER_ID>::

When a session is successfully opened, configured, or closed, the corresponding event that is generated has an outcome that is set to success with a 200 reason.reasonCode. Otherwise, the event has an outcome of failure with the appropriate HTTP status code in reason.reasonCode, and the responseData field contains details about the error.

When an account owner or Cloud Shell administrator updates the Cloud Shell settings, the event that is triggered has an action field set to cloudshell.account-settings.update.