Monitor activity
Learn about the API endpoints that you can use to monitor the platform activity
In Onna you can keep track of platform activity using two endpoints: @activityLog and @auditLog.
Both return the tracked events in JSON format and have date filtering options for more granular tracking of activities.
With these endpoints you can retrieve logs and export them into a tool of your choice.
The endpoints differ in the type of activity they track and in how you interact with them to retrieve the events. Read on to learn more about them.
Info
Access to both endpoints requires a service account. Contact support[at]onna.com to request one.
# The @activityLog endpoint
The @activityLog endpoint focuses on tracking user interactions with the Onna UI, such as elements users click on, like the navigation bar. For this reason, this endpoint returns very verbose results.
You can retrieve the events recorded by making a GET request to the endpoint.
The name of an event is returned as the value of the action parameter.
Additional information about the event, along with some user login information, is returned in the payload parameter in JSON format.
For further information, check the table with examples of what events are logged.
# Filtering the @activityLog endpoint's data
When queried, the endpoint will return all the records for every user in your account.
However, you can filter the period of the results by adding the epoch_from and epoch_to parameters to your query.
TIP
The @activityLog endpoint supports dates in Unix time format, with precision up to seconds.
You can use tools like Epoch Converter to convert them.
# @activityLog endpoint request examples
In this section you can find examples of common filtering use cases for the @activityLog endpoint.
Always remember to include your bearer token in the request.
# Filter the activity log by date
This example shows how to filter results by date when sending a request to the @activityLog endpoint.
For example, you can send a request like:
curl --request GET 'https://enterprise.onna.com/ACMECORP/ACMECORP/@activityLog?epoch_from=1562684703&epoch_to=1562857503' \
--header 'Authorization: Bearer dem0d3moOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2MDc2MDIwODAsImV4cCI6MTYwODIwNjg4MCwidG9rZW4iOiIxZjNmMjFhYTZkZDU0NWM1OGFjMjgzOTRmMmMyMGJmOSIsImxvZ2luIjoic3RlZmFub0Bvc2NpbGxhdG9yLmVzIiwibmFtZSI6IlN0ZWZhbm8iLCJzdXBlcnVzZXIiOmZhbHNlLCJhaWQiOm51bGwsInN1YiI6InN0ZWZhbm9Ab3NjaWxsYXRvci5lcyIsImF2IjoxLCJndCI6ImF1dGhvcml6YXRpb25fY29kZSJ9.gemyMZfMTmjoWG-bnfJ6ts0u4defsb59P2Pf4kefAke'
You will obtain a response like:
[
{
"_index": "user-activity-account-2019-07-11",
"_type": "doc",
"_id": "f4k3kN8cdf4k3ma3f4k3",
"_score": null,
"_source": {
"type": "log",
"action": "nav-menu-opened",
"payload": {
"session-timestamp": 1562857496133,
"route": "/dashboard/workspace/list",
"element": "nav-menu-opened",
"x": 42,
"y": 42,
"width": 1280,
"height": 1024,
"user_hash": "[sha256]f4k32a374c4f4k364311f4k3dcaf4k32836f4k33fe9f4k3e1f4k32ef4k37f4k3",
"user": "acmeuser@acmecorp.com",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/76.0.3809.62 Safari/537.36",
"origin": "https://enterprise.onna.com/ACMECORP",
"session-id": "f4k3147335df4k30b48ef4k3f684f4k3",
"account": "ACMECORP"
},
"date": "2019-07-11",
"@timestamp": "1562857496000"
},
"sort": [
1562857496000
]
},
{
"_index": "user-activity-account-2019-07-11",
"_type": "doc",
"_id": "AWvhkNsQdgM3tma3FpB8",
"_score": null,
"_source": {
"type": "log",
"action": "tracking-session",
"payload": {
"screen-width": 1440,
"screen-height": 900,
"os": "MacIntel",
"browser": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/76.0.3809.62 Safari/537.36",
"user_hash": "[sha256]3f4k32a374c4f4k364311f4k3dcaf4k32836f4k33fe9f4k3e1f4k32ef4k37f4k3",
"user": "acmeuser@acmecorp.com",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/76.0.3809.62 Safari/537.36",
"origin": "https://enterprise.onna.com/ACMECORP",
"session-id": "f4k3147335df4k30b48ef4k3f684f4k3",
"account": "ACMECORP"
},
"date": "2019-07-11",
"@timestamp": "1562857495000"
},
"sort": [
1562857495000
]
},
{
"_index": "user-activity-account-2019-07-11",
"_type": "doc",
"_id": "AWvhkMu-dgM3tma3Foru",
"_score": null,
"_source": {
"type": "log",
"action": "tracking-session",
"payload": {
"screen-width": 1440,
"screen-height": 900,
"os": "MacIntel",
"browser": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/76.0.3809.62 Safari/537.36",
"user_hash": "[sha256]30b52a374c4a20b643114e69dca39012836474r3fe91916e1dcdd2e1d5b784a9",
"user": "robot.integration.test@gmail.com",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/76.0.3809.62 Safari/537.36",
"origin": "https://enterprise.onna.com/ACMECORP",
"session-id": "37c8358bd3174e2da82f3341faa2bd60",
"account": "account"
},
"date": "2019-07-11",
"@timestamp": "1562857491000"
},
"sort": [
1562857491000
]
}
]
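Because this endpoint records every UI click, a consumer usually reduces the response to the few actions worth reviewing. The following is an added example, not part of Onna's documentation or code: it builds the date-filtered URL from timezone-aware datetimes (seconds precision) and counts selected events per user. The function names and the choice of actions to keep are assumptions of this example; the event names come from the table on this page.

```python
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlencode

# Event names come from the page's "What's logged" table; treating these
# particular ones as worth reviewing is an assumption of this example.
REVIEW_ACTIONS = frozenset({
    "login", "logout", "export-created", "sharing", "sharing-add-user",
    "sharing-update-sharing", "confirm-user-deletion", "confirm-source-deletion",
})

def activity_log_url(base, start, end):
    """Build the GET URL; epoch_from/epoch_to are Unix time in whole seconds."""
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("pass timezone-aware datetimes to avoid local-time drift")
    if end <= start:
        raise ValueError("end must be later than start")
    query = urlencode({"epoch_from": int(start.timestamp()),
                       "epoch_to": int(end.timestamp())})
    return f"{base.rstrip('/')}/@activityLog?{query}"

def review_counts(hits):
    """Count (user, action) pairs for REVIEW_ACTIONS, dropping UI click noise."""
    counts = Counter()
    for hit in hits:
        source = hit.get("_source", {})
        action = source.get("action")
        if action in REVIEW_ACTIONS:
            user = source.get("payload", {}).get("user", "unknown")
            counts[(user, action)] += 1
    return counts

# Constructed sample in the shape of the response shown above.
SAMPLE_HITS = [
    {"_source": {"action": a, "payload": {"user": "acmeuser@acmecorp.com"}}}
    for a in ("nav-menu-opened", "login", "sharing-add-user", "sharing-add-user")
]

if __name__ == "__main__":
    start = datetime(2019, 7, 9, 15, 5, 3, tzinfo=timezone.utc)
    end = datetime(2019, 7, 11, 15, 5, 3, tzinfo=timezone.utc)
    print(activity_log_url("https://enterprise.onna.com/ACMECORP/ACMECORP", start, end))
    print(review_counts(SAMPLE_HITS))
```

Send the returned URL with your own HTTP client and bearer token, then pass the decoded JSON list to `review_counts`.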
# What's logged by the @activityLog endpoint
This table contains the details of some events logged by the @activityLog endpoint.
Event | Description |
---|---|
add-gdrive-datasource | A GDrive Datasource has been added |
add-workplace-datasource | When a new Datasource is added to a workspace |
advanced-search-edit | The advanced search form has been edited |
advanced-search-submit-advSearchForm | Advanced search form was submitted |
confirm-deletion | When an item is about to be deleted |
confirm-label group-deletion | A group label has been deleted |
confirm-label-deletion | A single label has been deleted |
confirm-source-deletion | A source has been deleted |
confirm-user-deletion | The confirmation for deleting a user has been shown |
export-created | Export has been deleted |
exports-IMetadata | Metadata selection screen has been shown when creating an Export |
exports-IOrigin | When an export is being built, it needs to determine the Origin |
exports-load-file-format | When an export is being built, it needs to determine the file format of its contents |
group-added | When a user adds a group |
login | A user has logged in |
logout | A user has logged out |
nav-menu-add-workspace | A user has clicked on the add workspace UI element |
nav-menu-admin-users-management | The navigation menu that leads to the user management screens |
nav-menu-advanced-search | A user has clicked on the advanced search menu item |
nav-menu-closed | A user has clicked on the UI element to close the navigation menu |
nav-menu-opened | A user has clicked on the UI element to open the navigation menu |
nav-menu-shared-with-me | When a user clicks on the 'Shared with me' navigation button |
nav-menu-sources | When a user clicks on the Sources navigation button |
nav-menu-workspaces | When a user clicks on the Workspaces navigation button |
right-toolbar-user-panel | When a user clicks on the Users navigation button |
search | The search bar has been selected |
search-bar-submit | A user has submitted a search query |
sharing | A resource or source has been shared with a user |
sharing-add-user | A previously shared resource or source has been shared with another user |
sharing-update-sharing | A resource or source’s sharing has been updated |
# The @auditLog endpoint
The @auditLog endpoint focuses on tracking CRUD activities by users on files stored in Onna, such as creating a new Slack collection.
Among other values, the endpoint logs the username, URL, action, and IP addresses.
For further information, check the table with examples of what events are logged.
You can retrieve the events recorded by making a POST request to the endpoint.
In the response, the action parameter describes the type of action performed on content.
More granular details about the action are provided in the message parameter.
The payload parameter contains user login information in JSON format.
# Filtering the @auditLog endpoint's data
Due to its more verbose logging, filtering the @auditLog endpoint requires a more complex set of information that you can refine in the request body in JSON format.
We recommend always filtering requests to the @auditLog endpoint to avoid verbose results, which may also take a long time to retrieve.
TIP
The @auditLog endpoint supports dates in Unix time format, with precision up to milliseconds.
You can use tools like Epoch Converter to convert them.
# @auditLog endpoint request examples
Always remember to include your bearer token and declare application/json as the content type.
# Generic request
This example shows a generic request made to the @auditLog endpoint, with the goal of showcasing the structure of the content returned in the response.
curl --request POST 'https://enterprise.onna.com/ACMECORP/ACMECORP/@auditLog' \
--header 'Authorization: Bearer dem0d3moOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2MDc2MDIwODAsImV4cCI6MTYwODIwNjg4MCwidG9rZW4iOiIxZjNmMjFhYTZkZDU0NWM1OGFjMjgzOTRmMmMyMGJmOSIsImxvZ2luIjoic3RlZmFub0Bvc2NpbGxhdG9yLmVzIiwibmFtZSI6IlN0ZWZhbm8iLCJzdXBlcnVzZXIiOmZhbHNlLCJhaWQiOm51bGwsInN1YiI6InN0ZWZhbm9Ab3NjaWxsYXRvci5lcyIsImF2IjoxLCJndCI6ImF1dGhvcml6YXRpb25fY29kZSJ9.gemyMZfMTmjoWG-bnfJ6ts0u4defsb59P2Pf4kefAke' \
--header 'Content-Type: application/json'
{
"items": [
{
"_index": "user-activity-account-2019-07-11",
"_type": "doc",
"_id": "AWvhjIEJdgM3tma3FfkT",
"_score": null,
"_source": {
"type": "log",
"date": "2019-07-11",
"@timestamp": "2019-07-11T15:00:10.104770+00:00",
"action": "add",
"message": "Added SlackDatasource source: \"DEMO DATASOURCE\" (https://enterprise.onna.com/ACMECORP/acmeuser@acmecorp.com/dashboard/datasource/details/acmeuser@acmecorp.com/0bc602cd5ef9440c97789c6a91f3db65)",
"payload": {
"account": "ACMECORP",
"ip": "12.34.56.789",
"method": "POST",
"request_url": "https://enterprise.onna.com/api/ACMECORP/ACMECORP/acmeuser@acmecorp.com",
"user": "acmeuser@acmecorp.com",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36",
"user_name": "Acmeuser",
"code": "DS001",
"log_type": "success",
"category": "source",
"action": "add",
"message": "Added SlackDatasource source: \"DEMO DATASOURCE\" (https://enterprise.onna.com/ACMECORP/acmeuser@acmecorp.com/dashboard/datasource/details/acmeuser@acmecorp.com/0bc602cd5ef9440c97789c6a91f9be95)"
}
},
"sort": [
1562857210104
]
},
{
"_index": "user-activity-account-2019-07-11",
"_type": "doc",
"_id": "AWvhjFmtdgM3tma3FfX9",
"_score": null,
"_source": {
"type": "log",
"date": "2019-07-11",
"@timestamp": "2019-07-11T15:00:00.010341+00:00",
"action": "delete",
"message": "Deleted SlackDatasource source: \"ACMECORP\" (https://enterprise.onna.com/ACMECORP/acmeuser@acmecorp.com/dashboard/datasource/details/acmeuser@acmecorp.com/797dbb405bf84141aee36ace6fffe58e)",
"payload": {
"account": "Acmeuser",
"ip": "12.34.56.789",
"method": "DELETE",
"request_url": "https://enterprise.onna.com/ACMECORP/acmeuser@acmecorp.com/dashboard/datasource/details/acmeuser@acmecorp.com/797dbb405bf84141aee36ace6fffe58e",
"user": "acmeuser@acmecorp.com",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36",
"user_name": "account User",
"code": "DS002",
"log_type": "success",
"category": "source",
"action": "delete",
"message": "Deleted SlackDatasource source: \"ACMECORP\" (https://enterprise.onna.com/ACMECORP/acmeuser@acmecorp.com/dashboard/datasource/details/acmeuser@acmecorp.com/797dbb405bf84141aee36ace6fffe58e)"
}
},
"sort": [
1562857200010
]
}
]
}
# Filter the audit log by date
This example shows how to filter requests to the @auditLog endpoint by date.
The start date of the filter is indicated by the character >, and the end date by the character <.
You can provide the date values in Epoch format in the @timestamp parameters.
curl --request POST 'https://enterprise.onna.com/ACMECORP/ACMECORP/@auditLog' \
--header 'Authorization: Bearer dem0d3moOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2MDc2MDIwODAsImV4cCI6MTYwODIwNjg4MCwidG9rZW4iOiIxZjNmMjFhYTZkZDU0NWM1OGFjMjgzOTRmMmMyMGJmOSIsImxvZ2luIjoic3RlZmFub0Bvc2NpbGxhdG9yLmVzIiwibmFtZSI6IlN0ZWZhbm8iLCJzdXBlcnVzZXIiOmZhbHNlLCJhaWQiOm51bGwsInN1YiI6InN0ZWZhbm9Ab3NjaWxsYXRvci5lcyIsImF2IjoxLCJndCI6ImF1dGhvcml6YXRpb25fY29kZSJ9.gemyMZfMTmjoWG-bnfJ6ts0u4defsb59P2Pf4kefAke' \
--header 'Content-Type: application/json' \
--data-raw '{
"size": 50,
"sort": {
"field": "@timestamp",
"direction": "desc"
},
"advanced": {
"and": [
{
">": [
{
"var": "@timestamp"
},
1586031963641
]
},
{
"<": [
{
"var": "@timestamp"
},
1588623963641
]
}
]
}
}'
# Filter by IP address
This example shows how to filter requests to the @auditLog endpoint by IP address.
You can provide the IP address in the payload.ip.keyword parameter.
curl --request POST 'https://enterprise.onna.com/ACMECORP/ACMECORP/@auditLog' \
--header 'Authorization: Bearer dem0d3moOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2MDc2MDIwODAsImV4cCI6MTYwODIwNjg4MCwidG9rZW4iOiIxZjNmMjFhYTZkZDU0NWM1OGFjMjgzOTRmMmMyMGJmOSIsImxvZ2luIjoic3RlZmFub0Bvc2NpbGxhdG9yLmVzIiwibmFtZSI6IlN0ZWZhbm8iLCJzdXBlcnVzZXIiOmZhbHNlLCJhaWQiOm51bGwsInN1YiI6InN0ZWZhbm9Ab3NjaWxsYXRvci5lcyIsImF2IjoxLCJndCI6ImF1dGhvcml6YXRpb25fY29kZSJ9.gemyMZfMTmjoWG-bnfJ6ts0u4defsb59P2Pf4kefAke' \
--header 'Content-Type: application/json' \
--data-raw '{
"size": 50,
"sort": {
"field": "@timestamp",
"direction": "desc"
},
"advanced": {
"and": [
{
"in": [
{
"var": "payload.ip.keyword"
},
[
"10.9.4.29"
]
]
}
]
}
}'
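The two filters above can be generated rather than hand-written, which avoids mixing up seconds and milliseconds or sending a mistyped IP. The following is an added example, not part of Onna's documentation or code: it builds the request body and flattens a response into export-ready records. The function names are hypothetical, and placing the date and IP clauses in the same "and" array is an assumption based on the structure of the two requests shown on this page.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def to_ms(moment):
    """@auditLog expects Unix time in milliseconds (@activityLog uses seconds)."""
    if moment.tzinfo is None:
        raise ValueError("pass timezone-aware datetimes")
    return (moment - EPOCH) // timedelta(milliseconds=1)

def audit_query(start, end, ips=(), size=50):
    """Request body: newest first, strict time bounds, optional source-IP match."""
    clauses = [{">": [{"var": "@timestamp"}, to_ms(start)]},
               {"<": [{"var": "@timestamp"}, to_ms(end)]}]
    if ips:
        # ip_address() raises ValueError on typos such as an octet above 255.
        checked = [str(ipaddress.ip_address(ip)) for ip in ips]
        clauses.append({"in": [{"var": "payload.ip.keyword"}, checked]})
    return {"size": size,
            "sort": {"field": "@timestamp", "direction": "desc"},
            "advanced": {"and": clauses}}

def flatten(response):
    """One flat record per item, ready for CSV or JSON-lines export."""
    rows = []
    for item in response.get("items", []):
        source = item.get("_source", {})
        payload = source.get("payload", {})
        rows.append({
            "time": source.get("@timestamp"),
            "user": payload.get("user"),
            "ip": payload.get("ip"),
            "method": payload.get("method"),
            "action": source.get("action"),
            "category": payload.get("category"),
            "code": payload.get("code"),
            "result": payload.get("log_type"),
        })
    return rows

# Constructed sample in the shape of the generic response shown earlier.
SAMPLE = {"items": [{"_source": {
    "@timestamp": "2019-07-11T15:00:00.010341+00:00", "action": "delete",
    "payload": {"user": "acmeuser@acmecorp.com", "ip": "10.9.4.29",
                "method": "DELETE", "category": "source", "code": "DS002",
                "log_type": "success"}}}]}
```

Serialize the result of `audit_query` with `json.dumps` and send it as the POST body with the bearer token and the application/json content type.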
# What's logged by the @auditLog endpoint
This table contains the details of some events logged by the @auditLog endpoint.
Event | Description |
---|---|
Created Workspace | A user has created a Workspace |
Custom field change | A custom field has changed on a resource or workspace |
Datasource Added | A new source has been added |
Datasource Failed | Syncing a source failed |
Datasource Removed | Source has been removed due to retention policy |
Datasource Shared | Source has been shared |
Deleted Workspace | Source has been deleted by user action |
Resource removed | Resource has been deleted by a user |
Resource removed by retention policy | Resource has been removed due to retention policy |
Resource visited | Resource was navigated to by a user |
Resource was shared with user | Resource has been shared with a user |
Workspace was shared with user | Workspace shared with a user |