Audit logs

The audit log provides the audit records for actions that are performed on your tenant. Logs are retained for 15 days from the date on which the user performed the action, and can be downloaded in CSV format or with the REST API. Audit logs are in Cloud Auditing Data Federation (CADF) standard format. For privacy, the audit logs contain the masked email addresses of the users who performed the action.

You can download the audit logs by using the Help > Download Audit Log menu option in the IBM® Storage Insights GUI or by using the IBM Storage Insights REST APIs.

Downloading audit logs from IBM Storage Insights menu

You can download the audit logs of the actions that were performed in your IBM Storage Insights tenant. The logs for various actions performed in the last 15 days are available to download in CSV format.

See Table 2 for the user actions that are included in the logs. Users with the Tenant administrator role can download and view the events that are captured in the audit log for the tenant, but users with the Monitor role cannot download the audit logs.

Downloading audit logs using IBM Storage Insights REST API

The API requires a token that is generated by using the REST API key.

GET: https://insights.ibm.com/restapi/v1/tenants/<tenant-id>/auditlogs

Header: x-api-token: <token_generated_using_rest_api_key>

For more information about generating the REST API key, see Generating a REST API key.

After the REST API key is generated, create the API token. For more information about generating the token, see Generate an API Token.

The audit logs API can be run by an admin user only. It returns the audit log records for actions that the admin user performs.

For more information about audit log API, see Swagger documentation.
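The following Python sketch is an added example, not IBM code. It builds the GET request shown above and, because logs are retained for only 15 days, merges each poll into a longer-lived archive without duplicates and surfaces a few Table 2 actions for review. Assumptions: the response body is a JSON array of CADF events with the standard id, eventTime and action fields, and the WATCH phrases and sample records are constructed for illustration.

```python
import json
import urllib.request

URL = "https://insights.ibm.com/restapi/v1/tenants/{tenant_id}/auditlogs"

# Assumption: Table 2 actions worth surfacing first, matched case-insensitively
# against the CADF "action" field; the API's exact strings are not on the page.
WATCH = ("disable inline threat detection", "rest api key creation",
         "remove a storage system", "delete alert policy")

def build_request(tenant_id, token):
    """GET request for the audit log endpoint, carrying the x-api-token header."""
    return urllib.request.Request(URL.format(tenant_id=tenant_id),
                                  headers={"x-api-token": token}, method="GET")

def fetch(tenant_id, token):
    """Assumption: the response body is a JSON array of CADF event objects."""
    with urllib.request.urlopen(build_request(tenant_id, token), timeout=30) as r:
        return json.load(r)

def merge_new(archive, fetched):
    """Append only events whose CADF 'id' is not archived yet, oldest first,
    so repeated polls inside the 15-day window never duplicate a record.
    Events that carry no id are skipped."""
    seen = {e["id"] for e in archive}
    added = []
    for ev in sorted(fetched, key=lambda e: e.get("eventTime", "")):
        if ev.get("id") and ev["id"] not in seen:
            seen.add(ev["id"])
            added.append(ev)
    archive.extend(added)
    return added

def flag_sensitive(events):
    """Events whose action contains one of the WATCH phrases."""
    return [e for e in events
            if any(w in e.get("action", "").lower() for w in WATCH)]

# Constructed sample polls (not real tenant data); initiator names are masked
# the way the page says user email addresses are.
POLL_1 = [
    {"id": "evt-002", "eventTime": "2024-05-01T08:05:00Z",
     "action": "Disable inline threat detection", "initiator": {"name": "a***@example.com"}},
    {"id": "evt-001", "eventTime": "2024-05-01T08:00:00Z",
     "action": "User login", "initiator": {"name": "a***@example.com"}},
]
POLL_2 = [POLL_1[0],
          {"id": "evt-003", "eventTime": "2024-05-02T09:30:00Z",
           "action": "REST API key creation", "initiator": {"name": "b***@example.com"}}]
```

Polling more often than every 15 days and storing the merged archive outside the tenant keeps a review trail that outlives the retention window.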

Security aspects

The following table describes which user can see which audit messages:

Table 1. User role access to audit logs
| User role | Access to audit logs and content |
|---|---|
| Administrator role | Users with the Tenant administrator role can download and see all the audit events that are captured for the tenant. |
| Monitor role | Users with the Monitor role do not have access to audit log functionality. |

Audit Actions

The following table describes the user actions that are included in the logs:

Table 2. Audit actions
Feature Action
Login or Logout
  • User login
  • User logout
Switch or Fabric
  • Add a new switch
  • Remove the switch or fabric
Alert management
  • Create alert policy
  • Update alert policy
  • Delete alert policy
  • Acknowledged or unacknowledged alerts
REST API token management
  • REST API key creation
  • Renew security token
Inline threat detection configuration
  • Enable inline threat detection
  • Disable inline threat detection
  • Update threat detection
Hosts
  • Add vCenter (ESXi hosts)
  • Remove vCenter
Report management
  • Update
  • Remove
Storage systems (both DC and Call home with cloud services)
  • Add a new storage system (onboarding a new device)
  • Update a storage system (update storage system name, cap limit, and so on)
  • Remove a storage system
Ticket management
  • Create a ticket
  • Upload snap log
  • Update ticket
  • Upload data collector logs
User actions from GUI
  • Stop data collection
  • Update schedule
  • Modify connection