Activity tracker events
Power Virtual Server Activity Tracker Events migrated to the CADF Event standard on 29 January, 2024. With the implementation of this change, some of the event fields are not sent or replaced by the new format.
As a security officer, auditor, or manager, you can use the Activity Tracker Event Routing service to track how users and applications interact with the IBM® Power® Virtual Server in IBM Cloud®.
Activity Tracker Event Routing records user-initiated activities that change the state of a service in IBM Cloud. You can use this service to investigate abnormal activity and critical actions and to comply with regulatory audit requirements. In addition, you can be alerted about actions as they happen. The events that are collected comply with the Cloud Auditing Data Federation (CADF) standard. For more information, see the Getting started tutorial for Activity Tracker Event Routing.
IBM® Power® Virtual Server automatically generates events so that you can track activity on your service.
Management events
Instance events
The following event is used to read the Power Virtual Server instance.
Action | Description |
---|---|
power-iaas.event.list | Lists all the Power Virtual Server instances |
power-iaas.event.read | Reads a Power Virtual Server instance |
Images events
The following events are to work with images in your Power Virtual Server instance.
Action | Description |
---|---|
power-iaas.image.list | Lists all the images |
power-iaas.image.read | Reads an image |
power-iaas.image.create | Creates an image |
power-iaas.image.update | Updates an image |
power-iaas.image.delete | Deletes an image |
power-iaas.image.capture | Exports an image |
Network events
The following events are to work with networks in your Power Virtual Server instance.
Action | Description |
---|---|
power-iaas.network.list | Lists all the networks |
power-iaas.network.read | Reads a network |
power-iaas.network.create | Creates a network (Public or Private) |
power-iaas.network.update | Updates a network |
power-iaas.network.delete | Deletes a network |
Power Virtual Server events
The following events are to work with each Power Virtual Server instance.
Action | Description |
---|---|
power-iaas.pvm-instance.list | Lists all the Power Virtual Server instances |
power-iaas.pvm-instance.read | Reads a Power Virtual Server instance |
power-iaas.pvm-instance.create | Creates a Power Virtual Server instance |
power-iaas.pvm-instance.update | Updates a Power Virtual Server instance |
power-iaas.pvm-instance.delete | Deletes a Power Virtual Server instance |
power-iaas.pvm-instance.start | Start a Power Virtual Server instance |
power-iaas.pvm-instance.stop | Stop a Power Virtual Server instance |
power-iaas.pvm-instance.renew | Restart a Power Virtual Server instance |
power-iaas.pvm-instance.unknown | Unknown action on a Power Virtual Server instance |
power-iaas.pvm-instance.monitor | Console access to a Power Virtual Server instance |
power-iaas.pvm-instance.capture | Capture a Power Virtual Server instance into an image |
power-iaas.pvm-instance.immediate-shutdown | Shut down a Power Virtual Server instance immediately |
power-iaas.pvm-instance.clone | Clone a Power Virtual Server instance |
power-iaas.pvm-instance.snapshot | Creates a Power Virtual Server instance snapshot |
power-iaas.pvm-instance-network.read | Reads a Power Virtual Server instance network |
power-iaas.pvm-instance-network.create | Creates a Power Virtual Server instance network |
power-iaas.pvm-instance-network.delete | Deletes a Power Virtual Server instance network |
SSH keys events
The following events are to work with your account and SSH keys in your Power Virtual Server instance.
Action | Description |
---|---|
power-iaas.ssh-key.list | Lists all the SSH keys |
power-iaas.ssh-key.read | Reads an SSH key |
power-iaas.ssh-key.create | Creates an SSH key |
power-iaas.ssh-key.update | Updates an SSH key |
power-iaas.ssh-key.delete | Deletes an SSH key |
Data volumes events
The following events are to work with data volumes in your Power Virtual Server instance.
Action | Description |
---|---|
power-iaas.volume.list | Lists all the volumes |
power-iaas.volume.read | Reads a volume |
power-iaas.volume.create | Creates a volume |
power-iaas.volume.update | Updates a volume |
power-iaas.volume.delete | Deletes a volume |
power-iaas.volume.configure | Attaches or Detaches a volume |
Storage capacity events
The following events are to work with storage capacity in your Power Virtual Server instance.
Action | Description |
---|---|
power-iaas.storage-capacity.list | Lists all the storage capacity |
power-iaas.storage-capacity.read | Reads a storage capacity |
power-iaas.pod-capacity.list On-premises | Lists system and storage capacity for a private cloud pod |
Storage pools events
The following events are to work with storage pools in your Power Virtual Server instance.
Action | Description |
---|---|
power-iaas.system-pools.list | Lists all the system pool information |
power-iaas.system-pools.read | Reads a system pool information |
Tenant events
The following events are to work with tenants in your Power Virtual Server instance.
Action | Description |
---|---|
power-iaas.tenant.read | Reads a tenant |
power-iaas.tenant-sshkey.read | Reads a tenant SSH Key |
power-iaas.tenant-sshkey.create | Creates a tenant SSH Key |
power-iaas.tenant-sshkey.update | Updates a tenant SSH Key |
power-iaas.tenant-sshkey.delete | Deletes a tenant SSH Key |
List of events: Job
The following events are to work with jobs in your Power Virtual Server instance.
Action | Description |
---|---|
power-iaas.job.list | Lists all the jobs |
power-iaas.job.read | Reads a job |
power-iaas.job.create | Creates a job |
power-iaas.job.delete | Deletes a job |
List of events: Network ports
The following events are to work with network ports in your Power Virtual Server instance.
Action | Description |
---|---|
power-iaas.port.list | Lists all the network ports |
power-iaas.port.read | Reads a network port |
power-iaas.port.create | Creates a network port |
power-iaas.port.update | Updates a network port |
power-iaas.port.delete | Deletes a network port |
List of events: SAP
The following events are to work with SAP in your Power Virtual Server instance.
Action | Description |
---|---|
power-iaas.sap.list | Lists all the SAP information |
power-iaas.sap.read | Reads a SAP information |
power-iaas.sap.create | Creates a SAP PVM instance |
List of events: Cloud connections
The following events are to work with Cloud connections in your Power Virtual Server instance.
Action | Description |
---|---|
power-iaas.cloud-connection.list | Lists all the cloud connections |
power-iaas.cloud-connection.read | Reads a cloud connection |
power-iaas.cloud-connection.create | Creates a cloud connection |
power-iaas.cloud-connection.update | Updates a cloud connection |
power-iaas.cloud-connection.delete | Deletes a cloud connection |
List of events: Placement groups
The following events are to work with placement groups in your Power Virtual Server instance.
Action | Description |
---|---|
power-iaas.placement-groups.list | Lists all the placement groups |
power-iaas.placement-groups.read | Reads a placement group |
power-iaas.placement-groups.create | Creates a placement group |
power-iaas.placement-groups.update | Updates a placement group |
power-iaas.placement-groups.delete | Deletes a placement group |
List of events: IKE policy
The following events are to work with IKE policy in your Power Virtual Server instance.
Action | Description |
---|---|
power-iaas.ike-policy.list | Lists all the IKE policies |
power-iaas.ike-policy.read | Reads an IKE policy |
power-iaas.ike-policy.create | Creates an IKE policy |
power-iaas.ike-policy.update | Updates an IKE policy |
power-iaas.ike-policy.delete | Deletes an IKE policy |
List of events: IPsec policy
The following events are to work with IPsec policy in your Power Virtual Server instance.
Action | Description |
---|---|
power-iaas.ipsec-policy.list | Lists all the IPsec policies |
power-iaas.ipsec-policy.read | Reads an IPsec policy |
power-iaas.ipsec-policy.create | Creates an IPsec policy |
power-iaas.ipsec-policy.update | Updates an IPsec policy |
power-iaas.ipsec-policy.delete | Deletes an IPsec policy |
List of events: VPN connection
The following events are to work with VPN Connection in your Power Virtual Server instance.
Action | Description |
---|---|
power-iaas.vpn-connection.list | Lists all the VPN connections |
power-iaas.vpn-connection.read | Reads a VPN connection |
power-iaas.vpn-connection.create | Creates a VPN connection |
power-iaas.vpn-connection.update | Updates a VPN connection |
power-iaas.vpn-connection.delete | Deletes a VPN connection |
Viewing events
Events are automatically forwarded to North America, Europe, Tokyo, or Sydney geographic locations. You can access the activity tracker logs as follows:
- All North America and South America data centers from Dallas.
- All Europe data centers from Frankfurt.
- All Sydney data center from Sydney, and
- All Japan data center from Tokyo.
For a list of locations where Power Virtual Server services are enabled to send events to IBM Cloud Activity Tracker, see Activity Tracker events by location.
Activity Tracker can have only one instance per location. To view events, you must access the web UI of the Activity Tracker service in the same location where your service instance is available. For more information, see Launching the web UI through the IBM Cloud UI.
Activity tracker sample response format
The new response format that is used in activity tracking adheres to the CADF (Cloud Auditing Data Federation) standard. Hence, auditing events can be collected and routed in a standardized format, ensuring consistency and interoperability across different cloud platforms.
The CADF standard is significant in auditing security in cloud environments. It defines a comprehensive event model that includes the necessary information for certifying, managing, and auditing the security of applications and services in the cloud.
The following code snippets show the differences between the old and new activity tracker response format.
New response format
{
"logSourceCRN": "crn:v1:bluemix:public:power-iaas:us-east:a/xxxxxxxxxxxxxxxxxxxx:yyyyyyyyyyyyyyyyyyyyyy::",
"saveServiceCopy": true,
"dataEvent": false,
"outcome": "success",
"eventTime": "2022-06-30T03:12:49.63+0000",
"action": "power-iaas.tenant.read",
"correlationId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"severity": "normal",
"initiator": {
"id": "IBMid-xxxxxxxxxx",
"name": "xxxxm@us.ibm.com",
"typeURI": "service/security/account/user",
"authnId": "",
"authnName": "",
"host": {
"agent": "PostmanRuntime/7.28.4",
"address": "127.0.0.1",
"addressType": "IPv4"
},
"credential": {
"type": "user"
}
},
"target": {
"id": "crn:v1:bluemix:public:power-iaas:us-east:a/xxxxxxxxxxxxxxxxxxxx:yyyyyyyyyyyyyyyyyyyyyy::",
"name": "testName",
"typeURI": "power-iaas/tenant",
"resourceGroupId": "crn:v1:bluemix:public:resource-controller::a/xxxxxxxxxxxxxxxxxxxx::resource-group:zzzzzzzzzzzzzzzzzzzzzzz"
},
"reason": {
"reasonCode": 200,
"reasonType": "OK"
},
"requestData": null,
"responseData": {
"cloudInstances": [
{
"capabilities": [],
"cloudInstanceID": "yyyyyyyyyyyyyyyyyyyyyy",
"enabled": true,
"href": "/pcloud/v1/cloud-instances/yyyyyyyyyyyyyyyyyyyyyy",
"initialized": false,
"name": "testName",
"region": "us-east"
}
],
"creationDate": "2019-05-21T21:32:00.746Z",
"enabled": true,
"sshKeys": [],
"tenantID": "xxxxxxxxxxxxxxxxxxxx"
},
"message": "{{site.data.keyword.powerSys_notm}}: read tenant xxxxxxxxxxxxxxxxxxxx ",
"observer": {
"name": "ActivityTracker"
}
}
Old response format
{
"payload": {
"outcome": "success",
"eventTime": "2019-05-31T19:33:02.97+0000",
"action": "pcloud.tenant.read",
"severity": "normal",
"initiator": {
"id": "IBMid-xxxxxxxxxx",
"name": "xxxxm@us.ibm.com",
"typeURI": "service/security/account/user",
"host": {
"agent": "PostmanRuntime/7.13.0",
"address": "127.0.0.1"
},
"credential": {
"type": "user"
}
},
"target": {
"id": "crn:v1:bluemix:public:power-iaas:us-east:a/xxxxxxxxxxxxxxxxxxxx:yyyyyyyyyyyyyyyyyyyyyy::",
"name": "testName",
"typeURI": "pcloud/tenant/read",
"host": {
"address": "100.64.24.72"
}
},
"reason": {
"reasonCode": 200
},
"responseData": "{\"cloudInstances\":[{\"cloudInstanceID\":\"yyyyyyyyyyyyyyyyyyyyyy\",\"enabled\":true,\"href\":\"/pcloud/v1/cloud-instances/yyyyyyyyyyyyyyyyyyyyyy\",\"initialized\":false,\"name\":\"testName\",\"region\":\"us-east\"}],\"creationDate\":\"2019-05-21T21:32:00.746Z\",\"enabled\":true,\"sshKeys\":[{\"creationDate\":\"2019-05-21T22:13:49.806Z\",\"name\":\"Test\",\"sshKey\":\"Foo\"}],\"tenantID\":\"xxxxxxxxxxxxxxxxxxxx\"}",
"message": "pcloud: read tenant 9cdad2e857d442d49853e484e9b91d24 success"
},
"logSourceCRN": "crn:v1:bluemix:public:power-iaas:us-east:a/xxxxxxxxxxxxxxxxxxxx:yyyyyyyyyyyyyyyyyyyyyy::",
"saveServiceCopy": true,
"meta": {
"serviceProviderName": "power-iaas",
"serviceProviderRegion": "ng",
"serviceProviderProjectId": "power-iaas",
"userAccountIds": [
"a/xxxxxxxxxxxxxxxxxxxx"
],
"userSpaceRegion": "ng"
}
}
Activity tracker regions
You can create an activity tracker instance and provision it in the same region where your data center is located.
The Power Virtual Server workspaces that runs in various regions or data centers will send events to activity tracker instances in their respective regions effective from 29 January 2024. You must create and provision instances of activity tracker in the respective regions where your workspaces reside for continued access to Power Virtual Server activity tracker events. If you want to export activity Tracker events, see Exporting Activity Tracker events.
The following table shows the data center and its corresponding regions where you can deploy an activity tracker instance:
Datacenter | Current activity tracker region | New activity tracker region |
---|---|---|
WDC04 |
us-south | us-east |
WDC06 |
us-south | us-east |
WDC07 |
us-south | us-east |
MON01 |
us-south | ca-tor |
TOR04 |
us-south | ca-tor |
SAO01 |
us-south | br-sao |
SAO04 |
us-south | br-sao |
LON04 |
eu-de | eu-gb |
LON06 |
eu-de | eu-gb |
OSA21 |
jp-tok | jp-osa |