User activity and audit logs
Learn about the user activity and audit log endpoints
💡 8 min read
The Activity Log and Audit Log endpoints are service level endpoints in Onna that return logs of activity in the platform.
Both endpoints have the container as their context and will include all user activities that took place in the platform.
Both endpoints can be filtered by date, but require different parameters.
To filter @activityLog by date, provide epoch_from and epoch_to query parameters, as below:
https://enterprise.onna.com/account/container/@activityLog?epoch_from=1562684703&epoch_to=1562857503
1
When filtering @auditLog, the request body should include the following JSON:
--data-binary '{"size":50,"sort":{"field":"@timestamp","direction":"desc"},"advanced":{"and":[{">":[{"var":"@timestamp"},1586031963641]},{"<":[{"var":"@timestamp"},1588623963641]}]}}'
1
Please substitute appropriate values for the two @timestamp values in the and clause.
Without either epoch_from and epoch_to or @timestamp values, the endpoints will pull all existing records for all users in the account.
The logs for both endpoints are returned in JSON format.
# Endpoints
@activityLog
@auditLog
# Permissions
Both endpoints require a service account and will return unauthorized if accessed by a non-service account.
To request a service account, a customer must be an Admin in their Onna account. The Admin must create a new user to the platform or choose an existing account to add the service account permission to.
Once the invited user has verified their email address and gained access to the platform, please contact support[at]onna.com requesting for the specific user account in Onna to be converted into a service account.
# Differences between the logging endpoints
The audit log captures activity taken by users on content that is stored in the platform.
In the example output below, a user has created a Slack source. Among other values, the user, URL, action, IP addresses are logged.
The activity log captures actions taken by the user in the UI.
In the example below, the user clicked on the left navigation bar. Interaction with many elements in the platform UI are logged. See below for a list of logged items
# Logging examples
@activityLog Example
An example curl command looks something like this:
curl -X POST \
https://enterprise.onna.com/api/container/account/@activityLog \
-H 'Connection: keep-alive' \
-H 'accept: application/json' \
-H 'accept-encoding: gzip, deflate, br' \
-H 'accept-language: en-US,en;q=0.9' \
-H 'authority: <your-auth-provider>' \
-H 'authorization: Bearer <your-token-here>' \
-H 'cache-control: no-cache,no-cache' \
-H 'content-length: ' \
-H 'content-type: application/json' \
-H 'cookie: __cfduid=cookie_id' \
-H 'dnt: 1' \
-H 'pragma: no-cache' \
1
2
3
4
5
6
7
8
9
10
11
12
13
14
2
3
4
5
6
7
8
9
10
11
12
13
14
Adding in a date range would look like this:
https://enterprise.onna.com/api/container/account/@activityLog?epoch_from=1562684703&epoch_to=1562857503
1
❗️ Notice that the dates are in epoch format, this example is for July 09, 2019 through July 11, 2019.
Output from the above:
[
{
"_index": "user-activity-account-2019-07-11",
"_type": "doc",
"_id": "AWvhkN8cdgM3tma3FpC6",
"_score": null,
"_source": {
"type": "log",
"action": "nav-menu-opened",
"payload": {
"session-timestamp": 1562857496133,
"route": "/dashboard/workspace/list",
"element": "nav-menu-opened",
"x": 42,
"y": 42,
"width": 1280,
"height": 1024,
"user_hash": "[sha256]30b52a374c4a20b643114e69dca3901283647233fe91916e1dcdd2e1d76784a9",
"user": "robot.integration.test@gmail.com",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/76.0.3809.62 Safari/537.36",
"origin": "https://enterprise.onna.com/account",
"session-id": "78c2147335d64dc0b48e5667f684cd91",
"account": "account"
},
"date": "2019-07-11",
"@timestamp": "1562857496000"
},
"sort": [
1562857496000
]
},
{
"_index": "user-activity-account-2019-07-11",
"_type": "doc",
"_id": "AWvhkNsQdgM3tma3FpB8",
"_score": null,
"_source": {
"type": "log",
"action": "tracking-session",
"payload": {
"screen-width": 1440,
"screen-height": 900,
"os": "MacIntel",
"browser": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/76.0.3809.62 Safari/537.36",
"user_hash": "[sha256]30b52a374c4a20b643114e69dca3901283647233fe91916e1dcd34re1d5b784a9",
"user": "robot.integration.test@gmail.com",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/76.0.3809.62 Safari/537.36",
"origin": "https://enterprise.onna.com/account",
"session-id": "78c2147335d64dc0b48e5667f684cd91",
"account": "account"
},
"date": "2019-07-11",
"@timestamp": "1562857495000"
},
"sort": [
1562857495000
]
},
{
"_index": "user-activity-account-2019-07-11",
"_type": "doc",
"_id": "AWvhkMu-dgM3tma3Foru",
"_score": null,
"_source": {
"type": "log",
"action": "tracking-session",
"payload": {
"screen-width": 1440,
"screen-height": 900,
"os": "MacIntel",
"browser": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/76.0.3809.62 Safari/537.36",
"user_hash": "[sha256]30b52a374c4a20b643114e69dca39012836474r3fe91916e1dcdd2e1d5b784a9",
"user": "robot.integration.test@gmail.com",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/76.0.3809.62 Safari/537.36",
"origin": ""https://enterprise.onna.com/account",
"session-id": "37c8358bd3174e2da82f3341faa2bd60",
"account": "account"
},
"date": "2019-07-11",
"@timestamp": "1562857491000"
},
"sort": [
1562857491000
]
},
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
@auditLog Example
curl -X POST \
https://enterprise.onna.com/api/container/account/@auditLog \
-H 'Connection: keep-alive' \
-H 'accept: application/json' \
-H 'accept-encoding: gzip, deflate, br' \
-H 'accept-language: en-US,en;q=0.9' \
-H 'authority: <your-auth-provider>' \
-H 'authorization: Bearer <your-token-here>' \
-H 'cache-control: no-cache,no-cache' \
-H 'content-length: ' \
-H 'content-type: application/json' \
-H 'cookie: __cfduid=cookie_id' \
-H 'dnt: 1' \
-H 'pragma: no-cache' \
1
2
3
4
5
6
7
8
9
10
11
12
13
14
2
3
4
5
6
7
8
9
10
11
12
13
14
Return value:
{
"items": [
{
"_index": "user-activity-account-2019-07-11",
"_type": "doc",
"_id": "AWvhjIEJdgM3tma3FfkT",
"_score": null,
"_source": {
"type": "log",
"date": "2019-07-11",
"@timestamp": "2019-07-11T15:00:10.104770+00:00",
"action": "add",
"message": "Added SlackDatasource source: \"account\" (https://enterprise.onna.com/account/user/dashboard/datasource/details/user@account.com/0bc602cd5ef9440c97789c6a91f3db65)",
"payload": {
"account": "account",
"ip": "xx.xx.xx.xxx",
"method": "POST",
"request_url": "https://enterprsie.onna.com/api/container/account/user@account.com",
"user": "user@account.com",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36",
"user_name": "User account",
"code": "DS001",
"log_type": "success",
"category": "source",
"action": "add",
"message": "Added SlackDatasource source: \"account\" (https://enterprise.onna.com/account/user/dashboard/datasource/details/user@account.com/0bc602cd5ef9440c97789c6a91f9be95)"
}
},
"sort": [
1562857210104
]
},
{
"_index": "user-activity-account-2019-07-11",
"_type": "doc",
"_id": "AWvhjFmtdgM3tma3FfX9",
"_score": null,
"_source": {
"type": "log",
"date": "2019-07-11",
"@timestamp": "2019-07-11T15:00:00.010341+00:00",
"action": "delete",
"message": "Deleted SlackDatasource source: \"account\" (https://enterprise.onna.com/account/user/dashboard/datasource/details/user@account.com/797dbb405bf84141aee36ace6fffe58e)",
"payload": {
"account": "account1",
"ip": "xx.xx.xx.xxx",
"method": "DELETE",
"request_url": "https://enterprise.onna.com/account/user/dashboard/datasource/details/user@account.com/797dbb405bf84141aee36ace6fffe58e",
"user": "user@account.com",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36",
"user_name": "account User",
"code": "DS002",
"log_type": "success",
"category": "source",
"action": "delete",
"message": "Deleted SlackDatasource source: \"account\" https://enterprise.onna.com/account/user/dashboard/datasource/details/user@account.com/797dbb405bf84141aee36ace6fffe58e)"
}
},
"sort": [
1562857200010
]
},
...
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
# Example @auditlog filtering
# Filter by date
Tip
Notice the --data-binary payload, date values are provided as timestamps
curl -X POST \
https://enterprise.onna.com/api/container/account/@auditLog \
-H 'pragma: no-cache' \
-H 'cache-control: no-cache' \
-H 'accept: application/json' \
-H 'dnt: 1' \
-H 'authorization: Bearer <your-token-here>' \
-H 'content-type: application/json' \
-H 'sec-fetch-site: same-origin' \
-H 'sec-fetch-mode: cors' \
-H 'sec-fetch-dest: empty' \
-H 'accept-language: en-US,en;q=0.9' \
--data-binary '{"size":50,"sort":{"field":"@timestamp","direction":"desc"},"advanced":{"and":[{">":[{"var":"@timestamp"},1586031963641]},{"<":[{"var":"@timestamp"},1588623963641]}]}}' \
--compressed
1
2
3
4
5
6
7
8
9
10
11
12
13
14
2
3
4
5
6
7
8
9
10
11
12
13
14
# Filter by IP address
Tip
Notice the --data-binary payload, which has the format for filtering results on the specified IP address
curl 'https://enterprise.onna.com/api/container/account/@auditLog' \
-H 'pragma: no-cache' \
-H 'cache-control: no-cache' \
-H 'accept: application/json' \
-H 'dnt: 1' \
-H 'authorization: Bearer <your-token-here>' \
-H 'content-type: application/json' \
-H 'sec-fetch-site: same-origin' \
-H 'sec-fetch-mode: cors' \
-H 'sec-fetch-dest: empty' \
-H 'accept-language: en-US,en;q=0.9' \
--data-binary '{"size":50,"sort":{"field":"@timestamp","direction":"desc"},"advanced":{"and":[{"in":[{"var":"payload.ip.keyword"},["10.9.4.29"]]}]}}' \
--compressed
1
2
3
4
5
6
7
8
9
10
11
12
13
2
3
4
5
6
7
8
9
10
11
12
13
# Catalog of available entries
# Audit log
@auditLog
| Event | Description |
|---|---|
| Created Workspace | A user has created a Workspace |
| Custom field change | A custom field has changed on a resource or workspace |
| Datasource Added | A new source has been added |
| Datasource Failed | Syncing a source failed |
| Datasource Removed | Source has been removed due to retention policy |
| Datasource Shared | Source has been shared |
| Deleted Workspace | Source has been deleted by user action |
| Resource removed | Resource has been deleted by a user |
| Resource removed by retention policy | Resource has been removed due to retention policy |
| Resource visited | Resource was navigated to by a user |
| Resource was shared with user | Resource has been shared with a user |
| Workspace was shared with user | Workspace shared with a user |
# Activity log
@activityLog
| Event | Description |
|---|---|
| add-gdrive-datasource | A GDrive Datasource has been added |
| add-workplace-datasource | when a new Datasource is added to a workspace |
| advanced-search-edit | The advanced search form has been edited |
| advanced-search-submit-advSearchForm | Advanced search form was submitted |
| confirm-deletion | when an item is about to be deleted |
| confirm-label group-deletion | A group label has been deleted |
| confirm-label-deletion | A single label has been deleted |
| confirm-source-deletion | A source has been deleted |
| confirm-user-deletion | The confirmation for deleting a user has been shown |
| export-created | Export has been deleted |
| exports-IMetadata | Metadata selection screen has been shown when creating an Export |
| exports-IOrigin | When an export is being built, it needs to determine the Origin |
| exports-load-file-format | when an export is being built, it needs to determine the file format of its contents |
| group-added | when a user adds a group |
| login | A user has logged in |
| logout | A user has logged out |
| nav-menu-add-workspace | A user has clicked on the add workspace UI element |
| nav-menu-admin-users-management | the navigation menu that leads to the user management screens |
| nav-menu-advanced-search | A user has clicked on the advanced search menu item |
| nav-menu-closed | A user has clicked on the UI element to close the navigation menu |
| nav-menu-opened | A user has clicked on the UI element to open the navigation menu |
| nav-menu-shared-with-me | when a user clicks on the 'Shared with me' navigation button |
| nav-menu-sources | When a user clicks on the Sources navigation button |
| nav-menu-workspaces | When a user clicks on the Workspaces navigation button |
| right-toolbar-user-panel | When a user clicks on the Users navigation button |
| search | The search bar has been selected |
| search-bar-submit | A user has submitted a search query |
| sharing | A resource or source has been shared with a user |
| sharing-add-user | A previously shared resource or source has been shared with another user |
| sharing-update-sharing | A resource or source’s sharing has been updated |