User activity and audit logs

Learn about the user activity and audit log endpoints



The Activity Log and Audit Log endpoints are service-level endpoints in Onna that return logs of activity in the platform.

Both endpoints have the container as their context and will include all user activities that took place in the platform.

Both endpoints can be filtered by date, but require different parameters.

To filter @activityLog by date, provide epoch_from and epoch_to query parameters, as below:

    https://enterprise.onna.com/api/container/account/@activityLog?epoch_from=1562684703&epoch_to=1562857503

When filtering @auditLog, the request body should include the following JSON:

    --data-binary '{"size":50,"sort":{"field":"@timestamp","direction":"desc"},"advanced":{"and":[{">":[{"var":"@timestamp"},1586031963641]},{"<":[{"var":"@timestamp"},1588623963641]}]}}'

Please substitute appropriate values for the two @timestamp values in the and clause.

Without either epoch_from and epoch_to or @timestamp values, the endpoints will pull all existing records for all users in the account.

The logs for both endpoints are returned in JSON format.

# Endpoints

@activityLog

@auditLog

# Permissions

Both endpoints require a service account and will return unauthorized if accessed by a non-service account.

To request a service account, a customer must be an Admin in their Onna account. The Admin must either create a new user on the platform or choose an existing account to which the service account permission will be added.

Once the invited user has verified their email address and gained access to the platform, please contact support[at]onna.com to request that the specific user account in Onna be converted into a service account.

# Differences between the logging endpoints

The audit log captures activity taken by users on content that is stored in the platform.

In the example output below, a user has created a Slack source. Among other values, the user, URL, action, and IP address are logged.

The activity log captures actions taken by the user in the UI.

In the example below, the user clicked on the left navigation bar. Interactions with many elements in the platform UI are logged. See below for a list of logged items.

# Logging examples

@activityLog Example

An example curl command looks something like this:

curl -X POST \
  https://enterprise.onna.com/api/container/account/@activityLog \
  -H 'Connection: keep-alive' \
  -H 'accept: application/json' \
  -H 'accept-encoding: gzip, deflate, br' \
  -H 'accept-language: en-US,en;q=0.9' \
  -H 'authority: <your-auth-provider>' \
  -H 'authorization: Bearer <your-token-here>' \
  -H 'cache-control: no-cache,no-cache' \
  -H 'content-length: ' \
  -H 'content-type: application/json' \
  -H 'cookie: __cfduid=cookie_id' \
  -H 'dnt: 1' \
  -H 'pragma: no-cache'

Adding in a date range would look like this:

https://enterprise.onna.com/api/container/account/@activityLog?epoch_from=1562684703&epoch_to=1562857503

❗️ Notice that the dates are in epoch format; this example covers July 09, 2019 through July 11, 2019.

Output from the above:

[
    {
        "_index": "user-activity-account-2019-07-11",
        "_type": "doc",
        "_id": "AWvhkN8cdgM3tma3FpC6",
        "_score": null,
        "_source": {
            "type": "log",
            "action": "nav-menu-opened",
            "payload": {
                "session-timestamp": 1562857496133,
                "route": "/dashboard/workspace/list",
                "element": "nav-menu-opened",
                "x": 42,
                "y": 42,
                "width": 1280,
                "height": 1024,
                "user_hash": "[sha256]30b52a374c4a20b643114e69dca3901283647233fe91916e1dcdd2e1d76784a9",
                "user": "robot.integration.test@gmail.com",
                "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/76.0.3809.62 Safari/537.36",
                "origin": "https://enterprise.onna.com/account",
                "session-id": "78c2147335d64dc0b48e5667f684cd91",
                "account": "account"
            },
            "date": "2019-07-11",
            "@timestamp": "1562857496000"
        },
        "sort": [
            1562857496000
        ]
    },
    {
        "_index": "user-activity-account-2019-07-11",
        "_type": "doc",
        "_id": "AWvhkNsQdgM3tma3FpB8",
        "_score": null,
        "_source": {
            "type": "log",
            "action": "tracking-session",
            "payload": {
                "screen-width": 1440,
                "screen-height": 900,
                "os": "MacIntel",
                "browser": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/76.0.3809.62 Safari/537.36",
                "user_hash": "[sha256]30b52a374c4a20b643114e69dca3901283647233fe91916e1dcd34re1d5b784a9",
                "user": "robot.integration.test@gmail.com",
                "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/76.0.3809.62 Safari/537.36",
                "origin": "https://enterprise.onna.com/account",
                "session-id": "78c2147335d64dc0b48e5667f684cd91",
                "account": "account"
            },
            "date": "2019-07-11",
            "@timestamp": "1562857495000"
        },
        "sort": [
            1562857495000
        ]
    },
    {
        "_index": "user-activity-account-2019-07-11",
        "_type": "doc",
        "_id": "AWvhkMu-dgM3tma3Foru",
        "_score": null,
        "_source": {
            "type": "log",
            "action": "tracking-session",
            "payload": {
                "screen-width": 1440,
                "screen-height": 900,
                "os": "MacIntel",
                "browser": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/76.0.3809.62 Safari/537.36",
                "user_hash": "[sha256]30b52a374c4a20b643114e69dca39012836474r3fe91916e1dcdd2e1d5b784a9",
                "user": "robot.integration.test@gmail.com",
                "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/76.0.3809.62 Safari/537.36",
                "origin": "https://enterprise.onna.com/account",
                "session-id": "37c8358bd3174e2da82f3341faa2bd60",
                "account": "account"
            },
            "date": "2019-07-11",
            "@timestamp": "1562857491000"
        },
        "sort": [
            1562857491000
        ]
    },

@auditLog Example

curl -X POST \
  https://enterprise.onna.com/api/container/account/@auditLog \
  -H 'Connection: keep-alive' \
  -H 'accept: application/json' \
  -H 'accept-encoding: gzip, deflate, br' \
  -H 'accept-language: en-US,en;q=0.9' \
  -H 'authority: <your-auth-provider>' \
  -H 'authorization: Bearer <your-token-here>' \
  -H 'cache-control: no-cache,no-cache' \
  -H 'content-length: ' \
  -H 'content-type: application/json' \
  -H 'cookie: __cfduid=cookie_id' \
  -H 'dnt: 1' \
  -H 'pragma: no-cache'

Return value:

{
    "items": [
        {
            "_index": "user-activity-account-2019-07-11",
            "_type": "doc",
            "_id": "AWvhjIEJdgM3tma3FfkT",
            "_score": null,
            "_source": {
                "type": "log",
                "date": "2019-07-11",
                "@timestamp": "2019-07-11T15:00:10.104770+00:00",
                "action": "add",
                "message": "Added SlackDatasource source: \"account\" (https://enterprise.onna.com/account/user/dashboard/datasource/details/user@account.com/0bc602cd5ef9440c97789c6a91f3db65)",
                "payload": {
                    "account": "account",
                    "ip": "xx.xx.xx.xxx",
                    "method": "POST",
                    "request_url": "https://enterprise.onna.com/api/container/account/user@account.com",
                    "user": "user@account.com",
                    "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36",
                    "user_name": "User account",
                    "code": "DS001",
                    "log_type": "success",
                    "category": "source",
                    "action": "add",
                    "message": "Added SlackDatasource source: \"account\" (https://enterprise.onna.com/account/user/dashboard/datasource/details/user@account.com/0bc602cd5ef9440c97789c6a91f9be95)"
                }
            },
            "sort": [
                1562857210104
            ]
        },
        {
            "_index": "user-activity-account-2019-07-11",
            "_type": "doc",
            "_id": "AWvhjFmtdgM3tma3FfX9",
            "_score": null,
            "_source": {
                "type": "log",
                "date": "2019-07-11",
                "@timestamp": "2019-07-11T15:00:00.010341+00:00",
                "action": "delete",
                "message": "Deleted SlackDatasource source: \"account\" (https://enterprise.onna.com/account/user/dashboard/datasource/details/user@account.com/797dbb405bf84141aee36ace6fffe58e)",
                "payload": {
                    "account": "account1",
                    "ip": "xx.xx.xx.xxx",
                    "method": "DELETE",
                    "request_url": "https://enterprise.onna.com/account/user/dashboard/datasource/details/user@account.com/797dbb405bf84141aee36ace6fffe58e",
                    "user": "user@account.com",
                    "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36",
                    "user_name": "account User",
                    "code": "DS002",
                    "log_type": "success",
                    "category": "source",
                    "action": "delete",
                    "message": "Deleted SlackDatasource source: \"account\" https://enterprise.onna.com/account/user/dashboard/datasource/details/user@account.com/797dbb405bf84141aee36ace6fffe58e)"
                }
            },
            "sort": [
                1562857200010
            ]
        },
    ...
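
A triage pass over an `@auditLog` response, as an added example that is not part of Onna's documentation or code: it flattens each item and lists deletions and events from IP addresses not expected for that user. The sample records, the `expected_ips` mapping and the function names are constructed for illustration; only the field names come from the return value above.

```python
import json
from collections import Counter

# Constructed sample shaped like the @auditLog return value on this page;
# IPs are documentation addresses (RFC 5737) and the ids are made up.
def _item(i, ts_ms, user, ip, action, code):
    return {"_id": f"sample-{i}", "sort": [ts_ms], "_source": {"payload": {
        "user": user, "ip": ip, "action": action, "code": code,
        "category": "source", "log_type": "success"}}}

SAMPLE = json.dumps({"items": [
    _item(1, 1562857210104, "user@account.com", "192.0.2.10", "add", "DS001"),
    _item(2, 1562857200010, "user@account.com", "192.0.2.10", "delete", "DS002"),
    _item(3, 1562857300000, "user@account.com", "203.0.113.7", "delete", "DS002"),
    {"_id": "sample-4", "_source": {}},  # malformed record: no payload, no sort
]})

def flatten(item):
    """One flat row per item; absent fields become None instead of raising."""
    payload = (item.get("_source") or {}).get("payload") or {}
    row = {k: payload.get(k) for k in ("user", "ip", "action", "code", "category")}
    row["id"] = item.get("_id")
    row["ts_ms"] = (item.get("sort") or [None])[0]
    return row

def triage(raw, expected_ips):
    """Return deletions, events from unexpected IPs, and per-user action counts."""
    rows = [flatten(i) for i in json.loads(raw).get("items", [])]
    usable = [r for r in rows if r["user"] and r["ip"]]
    return {
        # Records without user or IP are reported, not silently dropped.
        "skipped": [r["id"] for r in rows if not (r["user"] and r["ip"])],
        "deletes": [r["id"] for r in usable if r["action"] == "delete"],
        "unexpected_ip": [r["id"] for r in usable
                          if r["ip"] not in expected_ips.get(r["user"], set())],
        "counts": Counter((r["user"], r["action"]) for r in usable),
    }

if __name__ == "__main__":
    report = triage(SAMPLE, {"user@account.com": {"192.0.2.10"}})
    for key, value in report.items():
        print(key, value)
```
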

# Example @auditLog filtering

# Filter by date

Tip

Notice the --data-binary payload: date values are provided as timestamps.

curl  -X POST \
  https://enterprise.onna.com/api/container/account/@auditLog \
  -H 'pragma: no-cache' \
  -H 'cache-control: no-cache' \
  -H 'accept: application/json' \
  -H 'dnt: 1' \
  -H 'authorization: Bearer <your-token-here>' \
  -H 'content-type: application/json' \
  -H 'sec-fetch-site: same-origin' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-dest: empty' \
  -H 'accept-language: en-US,en;q=0.9' \
  --data-binary '{"size":50,"sort":{"field":"@timestamp","direction":"desc"},"advanced":{"and":[{">":[{"var":"@timestamp"},1586031963641]},{"<":[{"var":"@timestamp"},1588623963641]}]}}' \
  --compressed

# Filter by IP address

Tip

Notice the --data-binary payload, which has the format for filtering results on the specified IP address

curl 'https://enterprise.onna.com/api/container/account/@auditLog' \
  -H 'pragma: no-cache' \
  -H 'cache-control: no-cache' \
  -H 'accept: application/json' \
  -H 'dnt: 1' \
  -H 'authorization: Bearer <your-token-here>' \
  -H 'content-type: application/json' \
  -H 'sec-fetch-site: same-origin' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-dest: empty' \
  -H 'accept-language: en-US,en;q=0.9' \
  --data-binary '{"size":50,"sort":{"field":"@timestamp","direction":"desc"},"advanced":{"and":[{"in":[{"var":"payload.ip.keyword"},["10.9.4.29"]]}]}}' \
  --compressed
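
The date and IP filters above, generated from a time window instead of hand-edited (an added example, not Onna's code). The values on this page show `epoch_from`/`epoch_to` as 10-digit epoch seconds and the `@timestamp` bounds as 13-digit epoch milliseconds; putting the date and IP clauses in one `and` list is an assumption, as are the function names.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

BASE = "https://enterprise.onna.com/api/container/account"  # as in the curl examples
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def to_epoch(dt, unit):
    """Whole `unit`s since the Unix epoch, using exact integer arithmetic."""
    if dt.tzinfo is None:  # a naive datetime would silently mean local time
        raise ValueError("use timezone-aware datetimes")
    return (dt - EPOCH) // unit

def check_window(start, end):
    # Without bounds the endpoints return every record, so require both.
    if start is None or end is None or start >= end:
        raise ValueError("a bounded, ordered time window is required")

def activity_log_url(start, end):
    """@activityLog: epoch_from / epoch_to query parameters in seconds."""
    check_window(start, end)
    sec = timedelta(seconds=1)
    query = urlencode({"epoch_from": to_epoch(start, sec),
                       "epoch_to": to_epoch(end, sec)})
    return f"{BASE}/@activityLog?{query}"

def audit_log_body(start, end, ips=None, size=50):
    """@auditLog: JSON body with @timestamp bounds in milliseconds."""
    check_window(start, end)
    ms = timedelta(milliseconds=1)
    clauses = [{">": [{"var": "@timestamp"}, to_epoch(start, ms)]},
               {"<": [{"var": "@timestamp"}, to_epoch(end, ms)]}]
    if ips:  # assumption: date and IP clauses may share one "and" list
        clauses.append({"in": [{"var": "payload.ip.keyword"}, list(ips)]})
    body = {"size": size,
            "sort": {"field": "@timestamp", "direction": "desc"},
            "advanced": {"and": clauses}}
    return json.dumps(body, separators=(",", ":"))

if __name__ == "__main__":
    start = datetime(2019, 7, 9, 15, 5, 3, tzinfo=timezone.utc)
    end = datetime(2019, 7, 11, 15, 5, 3, tzinfo=timezone.utc)
    print(activity_log_url(start, end))
    print(audit_log_body(start, end, ips=["10.9.4.29"]))
```

The returned string can be passed to curl as the `--data-binary` value.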

# Catalog of available entries

# Audit log

@auditLog

| Event | Description |
| --- | --- |
| Created Workspace | A user has created a Workspace |
| Custom field change | A custom field has changed on a resource or workspace |
| Datasource Added | A new source has been added |
| Datasource Failed | Syncing a source failed |
| Datasource Removed | Source has been removed due to retention policy |
| Datasource Shared | Source has been shared |
| Deleted Workspace | Source has been deleted by user action |
| Resource removed | Resource has been deleted by a user |
| Resource removed by retention policy | Resource has been removed due to retention policy |
| Resource visited | Resource was navigated to by a user |
| Resource was shared with user | Resource has been shared with a user |
| Workspace was shared with user | Workspace shared with a user |

# Activity log

@activityLog

| Event | Description |
| --- | --- |
| add-gdrive-datasource | A GDrive Datasource has been added |
| add-workplace-datasource | When a new Datasource is added to a workspace |
| advanced-search-edit | The advanced search form has been edited |
| advanced-search-submit-advSearchForm | Advanced search form was submitted |
| confirm-deletion | When an item is about to be deleted |
| confirm-label group-deletion | A group label has been deleted |
| confirm-label-deletion | A single label has been deleted |
| confirm-source-deletion | A source has been deleted |
| confirm-user-deletion | The confirmation for deleting a user has been shown |
| export-created | Export has been deleted |
| exports-IMetadata | Metadata selection screen has been shown when creating an Export |
| exports-IOrigin | When an export is being built, it needs to determine the Origin |
| exports-load-file-format | When an export is being built, it needs to determine the file format of its contents |
| group-added | When a user adds a group |
| login | A user has logged in |
| logout | A user has logged out |
| nav-menu-add-workspace | A user has clicked on the add workspace UI element |
| nav-menu-admin-users-management | The navigation menu that leads to the user management screens |
| nav-menu-advanced-search | A user has clicked on the advanced search menu item |
| nav-menu-closed | A user has clicked on the UI element to close the navigation menu |
| nav-menu-opened | A user has clicked on the UI element to open the navigation menu |
| nav-menu-shared-with-me | When a user clicks on the 'Shared with me' navigation button |
| nav-menu-sources | When a user clicks on the Sources navigation button |
| nav-menu-workspaces | When a user clicks on the Workspaces navigation button |
| right-toolbar-user-panel | When a user clicks on the Users navigation button |
| search | The search bar has been selected |
| search-bar-submit | A user has submitted a search query |
| sharing | A resource or source has been shared with a user |
| sharing-add-user | A previously shared resource or source has been shared with another user |
| sharing-update-sharing | A resource or source’s sharing has been updated |

Last Updated: 11/13/2020, 8:17:00 AM