Audit logs

The audit log provides audit records for actions that are performed in IBM Storage Insights. Audit logs are retained for 15 days from the date on which the user performed the action, and are downloaded in the Cloud Auditing Data Federation (CADF) standard format. For privacy, the email addresses of the users who perform the actions are masked in the audit logs.

Table 2 shows the user actions that are included in the logs. Users with the administrator role can download and view the events that are captured in the audit log. Users with the monitor role cannot download the audit logs.

Downloading audit logs from IBM Storage Insights GUI

In the modern UI, click the Settings icon at the upper-right of the menu bar, and then click Export audit log. In the classic UI, click Help > Download Audit Log.

Downloading audit logs using IBM Storage Insights REST API

You can download audit logs by using the REST API. The API requires a token that is generated by using the REST API key. Only an admin user can run the audit logs API. It returns audit log records for actions that the admin user performs.

For more information about the auditlogs API, see the Swagger documentation.

Security aspects

The following table describes which user can see which audit messages:

Table 1. User role access to audit logs
User role            Access to download audit logs
Administrator role   Yes
Monitor role         No

Audit actions

The following table describes the user actions which are included in the logs:

Table 2. Audit actions
Each entry lists the Feature, the Action, and the Action String.

Feature: Alert management
Action:
  • Create alert policy
  • Update alert policy
  • Delete alert policy
  • Acknowledge or unacknowledge alerts
Action String:
  • CREATE_ALERT_POLICY
  • UPDATE_ALERT_POLICY
  • DELETE_ALERT_POLICY
  • ACKNOWLEDGE_ALERTS
  • UNACKNOWLEDGE_ALERTS

Feature: Alert definition management
Action:
  • Enable or disable alert definition for individual storage system
  • Update alert definition to forward it to webhook
Action String:
  • UPDATE_RESOURCE_SPECIFIC_ALERT_DEFINITION
  • UPDATE_ALERT_POLICY

Feature: Hosts
Action:
  • Add vCenter
  • Remove vCenter
Action String:
  • ADD_VCENTER
  • REMOVE_VCENTER

Feature: IBM Storage Defender integration
Action: When user tries to Approve/Deny device integration with IBM Storage Defender.
Action String: DEFENDER_USER_DEVICE_ACTION

Feature: Resolve ransomware false positive alerts and submit feedback
Action: Resolve alert as false positive:
  • Alert status is acknowledged, if not already done.
  • Affected volume status is acknowledged, if not already done.
  • Survey feedback is submitted.
Action String: FEEDBACK_ALERTS

Feature: Inline threat detection configuration
Action:
  • Enable inline threat detection
  • Disable inline threat detection
  • Update threat detection
Action String:
  • ENABLE_INLINE_THREAT_DETECTION
  • DISABLE_INLINE_THREAT_DETECTION
  • UPDATE_INLINE_THREAT_DETECTION

Feature: Login or Logout
Action:
  • User login or screen refresh
  • User logout
Action String:
  • USER_LOGIN
  • USER_LOGOUT

Feature: Permission management
Action: This action is logged when the administrator user updates partition management permission for any user.
Action String: PARTITION_MANAGEMENT_PERMISSION

Feature: Report management
Action:
  • Create report
  • Update report
  • Remove report
Action String:
  • CREATE_REPORT_MANAGEMENT
  • UPDATE_REPORT_MANAGEMENT
  • UPDATE_REPORT_MANAGEMENT

Feature: REST API token management
Action:
  • REST API key creation
  • Renew security token
Action String:
  • REST_API_KEY_CREATION
  • DC_TOKEN_RENEW

Feature: Settings
Action:
  • Set permission status for support to collect and upload logs
  • Add email addresses for outage notifications
  • Add email addresses to notify for alerts
  • Remove all email addresses that override the global email addresses
Action String:
  • SUPPORT_LOG_PERMISSIONS
  • TENANT_CONFIGURATION_SETTINGS
  • GLOBAL_NOTIFICATION_EMAIL_UPDATE
  • REMOVE_OVERRIDES_GLOBAL_ALERT_NOTIFICATION

Feature: Storage partition migration
Action: Any orchestration request or process or orchestration response from Call Home. Actions are logged as requests and responses
  • Requests from IBM Storage Insights to IBM Storage FlashSystem during partition migration:
    • initiate
    • abort
    • switch primary (host_rescan_fix)
    • rollback
    • commit
    • fix error
  • Responses from IBM Storage FlashSystem to IBM Storage Insights during partition migration:
    • ACCEPTED
    • REJECTED
Action String: SI_AIOPS_ORCHESTRATION

Feature: Storage systems
Action:
  • Add a new storage system
  • Update a storage system
  • Remove a storage system
Action String:
  • ADD_DEVICE
  • UPDATE_DEVICE
  • REMOVE_DEVICE

Feature: Switch or Fabric
Action:
  • Add a new switch
  • Remove the switch or fabric
Action String:
  • ADD_SWITCH
  • REMOVE_SWITCH

Feature: Ticket management
Action:
  • Create a ticket
  • Upload snap log
  • Update ticket
Action String:
  • CREATE_TICKET
  • UPLOAD_SNAPLOG
  • UPDATE_TICKET

Feature: User actions from IBM Storage Insights
Action:
  • Stop data collection
  • Update schedule
  • Modify connection
Action String:
  • STOP_DATA_COLLECTION_STOP_FULLPROBE
  • STOP_DATA_COLLECTION_STOP_PERFORMANCE
  • UPDATE_SCHEDULE_PROBE
  • UPDATE_SCHEDULE_PERFORMANCE
  • MODIFY_CONNECTION_TEST_CONNECTION

Feature: Webhook management
Action:
  • Create webhook
  • Update webhook
  • Delete webhook
  • Resend failed alert notifications to webhooks
Action String:
  • CREATE_WEBHOOK
  • UPDATE_WEBHOOK
  • DELETE_WEBHOOK
  • RESEND_WEBHOOK_ALERT

Feature: Carbon emission management
Action:
  • Edit Carbon Emission Factor (CEF)
  • Edit Power Usage Effectiveness (PUE)
Action String: EDIT_CO2E_CONSTANTS

Feature: Marking the storage system for maintenance
Action: Starting and stopping the storage system maintenance
Action String: UPDATE_DEVICE_MAINTENANCE

Note: All actions are for the devices that are monitored either by a data collector or by Call Home with cloud services.
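
Because audit logs are retained for only 15 days, periodic exports have to be merged and archived outside IBM Storage Insights if a longer history is needed. The following added example (not IBM code) merges overlapping exports, flags a subset of the Table 2 action strings, and reports export intervals that exceed the retention period. The JSON layout, the field names (id, eventTime, action, initiator.name), the sample records, and the choice of which action strings count as sensitive are all assumptions of this example.

```python
import json
from datetime import datetime, timedelta

RETENTION = timedelta(days=15)  # retention period stated on this page

# Action strings from Table 2 that reduce detection or monitoring, or change
# access. Which ones to treat as sensitive is this example's assumption.
SENSITIVE = {
    "DISABLE_INLINE_THREAT_DETECTION", "DELETE_ALERT_POLICY", "DELETE_WEBHOOK",
    "REST_API_KEY_CREATION", "DC_TOKEN_RENEW", "SUPPORT_LOG_PERMISSIONS",
    "PARTITION_MANAGEMENT_PERMISSION", "REMOVE_DEVICE",
    "STOP_DATA_COLLECTION_STOP_FULLPROBE", "STOP_DATA_COLLECTION_STOP_PERFORMANCE",
}

def _event(eid, when, action):
    # Constructed record; JSON layout and field names are assumed (CADF-style).
    return {"id": eid, "eventTime": when, "action": action,
            "initiator": {"name": "a***@example.com"}}

# Two constructed exports taken days apart; evt-002 appears in both.
EXPORT_A = json.dumps([
    _event("evt-001", "2024-03-01T09:00:00Z", "USER_LOGIN"),
    _event("evt-002", "2024-03-01T09:05:00Z", "DISABLE_INLINE_THREAT_DETECTION"),
])
EXPORT_B = json.dumps([
    _event("evt-002", "2024-03-01T09:05:00Z", "DISABLE_INLINE_THREAT_DETECTION"),
    _event("evt-003", "2024-03-09T14:30:00Z", "REST_API_KEY_CREATION"),
    _event("evt-004", "2024-03-09T14:40:00Z", "CREATE_REPORT_MANAGEMENT"),
])

def parse_time(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def merge_exports(*exports):
    """Merge overlapping exports into one time-ordered list, de-duplicated by id."""
    by_id = {}
    for raw in exports:
        for event in json.loads(raw):
            by_id[event["id"]] = event
    return sorted(by_id.values(), key=lambda e: parse_time(e["eventTime"]))

def sensitive_events(events):
    return [e for e in events if e["action"] in SENSITIVE]

def coverage_gaps(export_times):
    """Return consecutive export times more than RETENTION apart (records lost)."""
    times = sorted(export_times)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > RETENTION]
```
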